Marcus Hutchins -- The Guy Who Stopped Wannacry -- Pleads Guilty To Conspiracy Charges
from the enjoy-your-hollow-victory,-DOJ dept
Almost two years after Marcus Hutchins, a.k.a. MalwareTech, was detained by the FBI at the airport as he left a security conference in Las Vegas, the government finally has finally gotten its man.
Charges were stacked and restacked over the past couple of years, as the government brought pressure to bear on Hutchins, who maintained his innocence right up to the point he signed the plea agreement [PDF]. Faced with possibility of spending several years in jail -- and evidence of his past, somewhat shadier exploits continuing to surface -- the man who saved the world from the Wannacry ransomware has pleaded guilty to two conspiracy charges. This means the government will be dropping the other eight charges against Hutchins, which will hopefully keep the researcher from spending several years in jail.
The defendant voluntarily agrees to plead guilty to Counts One and Two of the superseding indictment.
The defendant acknowledges, understands, and agrees that he is, in fact, guilty of the offenses described in paragraph 4. The parties acknowledge and understand that if this case were to proceed to trial, the government would be able to prove the facts in Attachment A, as well as the facts set forth in Counts One and Two of the superseding indictment, beyond a reasonable doubt. The defendant admits that these facts are true and correct and establish his guilt beyond a reasonable doubt. The information in Attachment A is provided for the purpose of setting forth a factual basis for the plea of guilty. It is not a full recitation of the defendant's knowledge of, or participation in, the offenses.
The agreement says both counts carry a possible five-year sentence each, but it seems unlikely it will ask the judge to depart upward from the guidelines. Marcy Wheeler's back-of-the-envelope math puts this at about six months per charge, given Hutchins' lack of criminal history. It may end up being more than that if the DOJ pitches something longer as some twisted form of payback for Hutchins exercising his right to defend himself against criminal charges. That's not exactly unheard of.
Hutchins has also posted a short message at his personal website, admitting guilt and apologizing for the damage he may have caused.
As you may be aware, I’ve pleaded guilty to two charges related to writing malware in the years prior to my career in security. I regret these actions and accept full responsibility for my mistakes. Having grown up, I’ve since been using the same skills that I misused several years ago for constructive purposes. I will continue to devote my time to keeping people safe from malware attacks.
Hutchins' plea brings an end to a dubious DOJ prosecution -- one that makes the unproven assertion that creating and selling malware is a criminal act, whether or not Hutchins himself engaged in illegal acts using this malware. And it only further blurs the lines security researchers operate in, increasing the chance that research -- which often includes the creation and deployment of malware -- will be treated as criminal activity.
Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.
Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.
While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.
–The Techdirt Team
Filed Under: conspiracy, doj, fbi, guilty plea, malware, malwaretech, marcu hutchins, wannacry
Reader Comments
The First Word
“Actually, the line's been drawn and clear for decades: many legitimate security outfits won't hire someone who has distributed malware, no matter who to, or why.
Creating Proof of Concept code that performs no malicious action is significantly different from producing software that has the express intent to harm, and distributing it to others.
Deploying malware on systems you don't fully control is also highly frowned upon.
Show me a "security researcher" who knowingly distributes malicious software, and I'll show you someone who is likely a criminal, whether they would call themselves one or not.
Subscribe: RSS
View by: Time | Thread
What about the programmers who wrote WannaCry
Shouldn't the government to prosecute itself for creating malware? I mean, they just prosecuted this guy for creating malware even though it was never proven that he actually used it. Just because the malware was used by other people to cause damage, he's guilty of felonies.
Seems to me, since the government wrote wanna cry, and some bad actors used it to cause significant harm to many businesses and people within the United States, that the government should prosecuted self for conspiracy.
[ link to this | view in thread ]
No good deed goes unpunished.
[ link to this | view in thread ]
note to self...
Although I've never done anything remotely of interest to the DOJ, remember to steer clear of the USA. Just in case.
[ link to this | view in thread ]
Actually, the line's been drawn and clear for decades: many legitimate security outfits won't hire someone who has distributed malware, no matter who to, or why.
Creating Proof of Concept code that performs no malicious action is significantly different from producing software that has the express intent to harm, and distributing it to others.
Deploying malware on systems you don't fully control is also highly frowned upon.
Show me a "security researcher" who knowingly distributes malicious software, and I'll show you someone who is likely a criminal, whether they would call themselves one or not.
[ link to this | view in thread ]
Re:
[edit] creates and distributes / deploys -- obviously all sorts of people share malware samples that are already in the wild, for the purpose of testing them.
[ link to this | view in thread ]
As you may be aware, I’ve pleaded guilty to two charges related to writing malware in the years prior to my career in security. I regret [taking guilty pleas] and accept full responsibility for my mistakes...
That's how I read it.
[ link to this | view in thread ]
Re: note to self...
Given the Library of Congress put up an FAQ in 2012 saying the number of laws in force in the US of A are uncountable don't sell yourself short. There is a law you've broken for the good AG to present to the Grand Jury.
[ link to this | view in thread ]
Re:
He was sorrta screwed - when the male FBI agent met him in Vegas he was dressed up wearing border patrol gear. Then Judge Stadtmuler stated the FBI agent was not out of uniform. The 5 different times written and crossed out on the paperwork was also not problematic as far as the Judge was concerned.
Based on tweets - Marcus blew through $100k to get him to this point and was broke. No way he had money to take it to trial with Federal trials costing over $300k and the appeal which might have costed $1 million.
With the superseding indictment claiming "lying to the FBI" he'd have that to deal with.
[ link to this | view in thread ]
Re:
The security community may have drawn that line, but why on earth would you expect the DOJ to respect it?
[ link to this | view in thread ]
Medieval justice
Confess, or we'll make you suffer for what will feel like an eternity.
You'll burn anyway but confessions are what we show to the world to justify our onslaught on justice.
[ link to this | view in thread ]
Re:
Nah, the government just doesn't like it when their backroom activities are exposed.
[ link to this | view in thread ]
Re: Re:
It is viewed as a bad thing by the government coverup people, but is viewed as a good thing by everyone else.
[ link to this | view in thread ]
Re:
"Creating Proof of Concept code that performs no malicious action is significantly different from producing software that has the express intent to harm, and distributing it to others."
This has been done and they were treated poorly anyway. Some simply inform the owner of compromised host are met with accusations.
One would think the best response would be to quietly fix your stuff.
[ link to this | view in thread ]
The "War On Redemption" is proceeding apace
"Distributes" is present tense. What better fits your assertion is:
A likely scenario is Hutchins made bad choices years ago and then followed that up with years of ethical behavior, indicating he had reformed himself.
Someone tell me. What is the actual damn point of anyone, anywhere reforming their bad behavior and becoming a benefit to society if society is going to effectively ignore their reformation and treat them as if their bad behavior is still happening today?
Years after this legal fiasco is over, Hutchins will continue to be punished (via background records) for the rest of his life. This system of Lifetime Punishment For Every Possible Transgression is an ideal incentive - if the goal is to create as many criminals as possible. Indications are this exactly what the goal is.
[ link to this | view in thread ]
The Corruption will continue until the Corruption is complete
[ link to this | view in thread ]
Just goes to show. Once again, the best thing to do is when you find a vulnerability. Don't inform anyone and if possible just protect yourself from it. Did he actually even write the Kronos Malware though? And if so, was the US even affected by the Kronos Malware.
[ link to this | view in thread ]
Re: The "War On Redemption" is proceeding apace
He will be punished less by not staying in America. The job-market for felons in the US is worse than in other nations.
[ link to this | view in thread ]
Re:
Some of the paperwork makes the claim he had the source code for Kronos and makes it sound like that code was modified upas.
If he'd not been the wannacry shutdown domain name guy it is possible he'd not gotten the urge to get to DefCon. The government's position sure seems to be he was the author of Kronos and like bitcoin-beard-guy Gal Vallerius Marcus might have gotten invites in some other way to get him to the US of A once the UK wasn't that willing to ship him over.
Lessons:
1) Don't talk to the FBI. Or anyone in authority in the US of A.
2) Coming to the US of A is a gamble. The conspiracy charges could show up in your life via giving someone a rainbow table the way the laws are written.
[ link to this | view in thread ]
Re: What about the programmers who wrote WannaCry
Agree'd.
And what is the Time frame for it to be beyond Punishment..
There was a Tax on Phones from the LATE 1800's that lasted until recently which added a $1-2 charge to the service and you could only go back 2 years to get it credited..
Its also the idea of Who is responsible, the GUN MAKER or the GUN USER.. Or the doctor that didnt report the mental condition of the person WITH the gun.. even tho he Stole it and shot up the School for the actions of his teachers 20 years before..That retired 5 days before he did anything.
then the odds are he will be released after his incarceration from the last 2 years...(where is this persons Lawyer??)
where is the Judge in this for NOT bringing this to court earlier? The FBI/CIa is taking its time to find NEW information, NOT based on the original complaint. Which I think is against the law.
They are detaining him from any recourse and release.
And they have ruined his life from this point on, UNLESS they want to hire him for the NEXT hacking job..
[ link to this | view in thread ]
Re: note to self...
As Assange/Dotcom can attest, even that may not be enough....
[ link to this | view in thread ]
Corporate treatment of white-hats
Yeah, and corporations sue white-hats for successful penetration testing and reporting it.
When we create a market environment that is hostile to white-hats, those hats or going to start darkening.
Not that said corporations (such as banks and online resellers) really care all that much when someone steals their (unencrypted) client data and trades it on the black market.
Hackers are the new witches, and yet it's a good era to be one.
[ link to this | view in thread ]
That tenacious reminder
We are all criminals.
You are a convicted criminal as soon as someone important decides that you're in their way.
Oh and incidentally the whole playpen thing depended on malicious software and was decided by the courts that the police can do whatever depravity they want so long as the target is despicable enough.
[ link to this | view in thread ]
Lifetime punishment
That's how resistance, terror groups and organized criminal syndicates get recruits...or form in the first place.
[ link to this | view in thread ]
Yet another example of how threatening to lock someone up for decades will produce confessions to what would otherwise be an amazingly lenient sentence if the original charges were an accurate reflection of the facts. It works even better if the person is from another country.
Would anyone here not agree to a sentence of a year or so in another country or even here, if the alternative was going to trial with a possible sentence of decades in spite of knowing you haven't done anything wrong? The DOJ has a 95%+ conviction rate for reasons other than all of the defendants' guilt.
[ link to this | view in thread ]
Re: That tenacious reminder
You can not expect an honest trial or the Judge to follow the law as written.
Given the cost to defend yourself in the Fed - how can a person who is dancing near the edge of the law as knowable going to be able to afford a defense if they happen to think they are right?
[ link to this | view in thread ]
Re:
"Creating Proof of Concept code that performs no malicious action is significantly different from producing software that has the express intent to harm, and distributing it to others."
And what happens when you make a proof of concept that does nothing malicious but is very adept at hiding in systems and evading detection, and someone somehow acquires/steals the code and makes it malicious? Are you then responsible for it?
[ link to this | view in thread ]
Re: The "War On Redemption" is proceeding apace
**"A likely scenario is Hutchins made bad choices years ago and then followed that up with years of ethical behavior, indicating he had reformed himself.
Someone tell me. What is the actual damn point of anyone, anywhere reforming their bad behavior and becoming a benefit to society if society is going to effectively ignore their reformation and treat them as if their bad behavior is still happening today?"**
There is absolutely no point. The problem here is the US justice and penal systems do not care about whether or not a person can be reformed or rehabilitated and does not care to try. All they care about is revenge; exacting retribution, even if to do so would inflict more harm than it is worth, such as preventing someone who is contributing meaningfully to society from doing so.
It's not to say bad people who have reformed themselves should not be punished if their crimes come to light, but the US justice system does not accurately weigh how best those people will serve their society and what punishment would be the best in the interest of society. Sentencing guidelines are never decided based on the best interests of society but rather are about inflicting maximum damage in the form of vengeance.
[ link to this | view in thread ]
Re: Re:
And as this case didn't make it to the appeal process - their will be no guidance on that.
Perhaps someone who has deep pockets or a high tolerance for risk will allow such a determination to be made.
[ link to this | view in thread ]
All [the state] cares about is revenge
Which is diametrically contrary to the point of having a state justice system, which is to appoint blame with clarity and precision, and address social conflicts with a utilitarian intervention.
Hammurabi's code (such as An eye for an eye) was to denote the upper limit of retaliation. Before this, the people were happy to shank each other dead for trivial slights and let such reprisals escalate to family feuds spanning over many generations.
...and with the state justice system subverted, evidently they still are.
[ link to this | view in thread ]
Re: Re: The "War On Redemption" is proceeding apace
preventing someone who is contributing meaningfully to society from doing so.
Marcus screwed up on this. He could have been spending time from 2017 doing the education thing he re-started in late 2018 VS the self-pity gaming thing he was doing up until he ran outta cash. Would have helped on pitching to the Judge that he was not the same person the case claims he was. Tweets to him made the 'put your head down and work the education/research' pitch back in 2017.
[ link to this | view in thread ]
Re:
The federal government claims a less than 90% rate. Others claim 99.7% conviction rate.
Who's got the actual numbers and methods being used?
[ link to this | view in thread ]
Re: Re: The "War On Redemption" is proceeding apace
AC - I couldn't help noticing that you put double asterisks before and after the text you quoted. Unfortunately, that doesn't work if there's more than one paragraph. You have to put them at the start and end of every paragraph, or they'll just show up in the text.
[ link to this | view in thread ]
Justa Felony I Thunk
10 Format c: /y
There. I've written malware. You'll never get me, coppers!
[ link to this | view in thread ]
Re:
how about
All are punished for 1 good deed..
[ link to this | view in thread ]