Either it’s justice, or hacker’s trial will make you WannaCry
The 22-year-old hero did what the world’s top cyber experts couldn’t, and ended up in the FBI’s sights
In 2017, one of the worst cyber attacks in history raged.
It was a Friday morning when computers around the world froze and outdated Windows home screens were replaced with WannaCry’s ransom note demanding $300 in return for access.
Before long, 300,000 computers in 150 countries from Colombia to China were locked, causing millions in damage.
England’s National Health Service declared a “major incident” with 34 trusts and 595 GP practices hit. Ambulances had to be rerouted and 7,000 appointments were cancelled.
It was remarkable no one died; the bill came to £73m.
The world’s top cyber experts raced to halt the virus, but were left confounded.
Then, at 7pm, 22-year-old security researcher Marcus Hutchins did what they couldn’t and stopped the attack from his bedroom at his parents’ home in Ilfracombe, Devon.
He registered a domain connected to the malicious software that activated a “kill switch”. The world exhaled.
Yet, two years later, the “WannaCry hero” is unable to breathe easily – Hutchins, now 24, is on bail in the US, waiting to be sentenced on July 26 for computer crimes he allegedly committed as a teenager.
The FBI arrested him, three months after the WannaCry attack, at Las Vegas McCarran Airport, as he travelled home from Def Con, the world’s largest hacker convention.
He was accused of writing the malicious software Kronos, designed to steal money from banks, and selling it to a fraudster for a few thousand pounds when he was 17 – though there is no accusation that he used it to steal money himself.
Cybercriminals are now one of the biggest threats to the British public.
In 2018, hackers stole an average of £190,000 a day, and there were 1.1 million cyber crime incidents, according to Action Fraud and the Office for National Statistics.
GCHQ’s National Cyber Security Centre has dealt with 1,500 major incidents since 2016, and is now preparing for a “category one” attack (WannaCry was “category two”), which could involve a threat to human life.
“People like Marcus are valuable in the fight against cyber attacks,” says Peter Heaton-Jones, Hutchins’s MP for North Devon.
“He deserves our thanks for the work he has done. Let’s hope he’s very soon able to continue.”
Hutchins’s journey from WannaCry hero to FBI’s most wanted started at the age of 12, when he taught himself to code.
In 2013, he launched a blog called MalwareTech – also his online pseudonym – and by the time he was 18, US security company Kryptos Logic had offered him a job working remotely for a six-figure salary.
But he lived a quiet life in Devon, at home with his parents, until WannaCry thrust him on to the front pages.
He decided to celebrate at Def Con, renting a lavish Airbnb and a Lamborghini. He knew the tabloids were watching him – he didn’t know the FBI was, too.
“I liked the connections and the power,” Hutchins has said previously. “Now, I’m not sure it was worth it ... The FBI took everything: my job, my girlfriend, my bitcoin.”
On April 19, more than 18 months after his arrest, Hutchins accepted “full responsibility for my mistakes” and pleaded guilty in a Wisconsin court to two of 10 charges, related to writing Kronos.
Each count carries a maximum sentence of five years and a $250,000 fine – although his lawyer, Brian Klein, hopes he will avoid jail.
“What Marcus did to stop WannaCry was truly heroic and the judge will undoubtedly consider that,” says Klein.
“It is undisputed, including by the prosecutors, that Marcus has only been using his immense talents for good for many years now.”
The past two years have been an emotional rollercoaster for Hutchins and his parents, Janet and Des, who have made a number of trips to the US.
Hutchins is currently living in LA, renting an apartment using his savings and documenting his life on Twitter, interspersing security research with updates that belie a sense of unease.
He has posted about being unable to sleep, feeling stressed and having depression.
He has spent more than $100,000 on fighting his case. He has also had support from crowdfunding – one stranger posted his $30,000 bail.
After I messaged him to ask how he had been passing the time, he wrote on Twitter: “A journalist asked me about what I’ve done since WannaCry, and I realised literally nothing of value ... Went from stopping 3+ major cyber attacks in a year to spending all my time pretending I’m fine and that becoming a drug addict or alcoholic isn’t inevitable.”
Daniel Miessler, a cybersecurity expert, replied: “Inaccurate. You stream tutorials and games, which either teach or entertain ... If that’s all you did going forward it would be more than enough.”
Jake Williams, founder of US security company Rendition Infosec, says Hutchins is “uniquely talented”.
He adds: “[The attacks he prevented] were a ridiculously bigger threat than what he allegedly created ... If he made mistakes when he was 17, the work he’s been doing since more than makes up for the past. He’s not a bad guy.”
The case has drawn criticism from lawyers and campaigners, who have described it as “aggressive”.
The foreign office has done little to contend Hutchins’s detention in the US, which levies higher punishments for computer crimes, even though he was in England at the time of the alleged incident.
When asked for comment, it said staff were “providing advice and support to [Hutchins’s] family”.
Tor Ekeland, a US criminal lawyer who supported British hacker Lauri Love’s fight against extradition, says the charges are akin to “holding a gun manufacturer liable for murder”.
He adds: “It’s reprehensible that Marcus’s reward for stopping WannaCry is a prison sentence. I would counsel anyone not to help with something like WannaCry, because they could end up in jail.”
Hutchins’s case has had a “chilling effect” on the relationship between experts and the authorities, at a time when the UK is scrambling to catch up with hackers (the Government recently launched local cybercrime units in all police forces, which use YouTube to research hacking techniques).
British “white hat” (or ethical) hackers are opting not to tell the police and security services their findings.
Before his arrest, Hutchins would share information with GCHQ. Reports say GCHQ knew the FBI was going to arrest Hutchins, but didn't alert him.
“There’s been a chilling effect among researchers who felt the UK government turned its back on Marcus,” says Williams.
“They are concerned about sharing information. I have a strong feeling that if Marcus hadn’t been on the front page after WannaCry, this charge might not have been brought.”
Many in the security world believe reformed criminal hackers are vital in preventing attacks.
Mustafa Al-Bassam is one example: he was given a 20-month suspended sentence and 500 hours of community service in 2013 for hacking Sony, Fox and the FBI.
Now, he is finishing a PhD at UCL and has sold a blockchain company to Facebook. “If you’ve been on the wrong side in the past and are now on the good, that's a great thing and should be encouraged,” says Al-Bassam.It’s not that crimes should go unpunished, he adds, but that they should be dealt with proportionately.A few days after Hutchins entered his guilty plea, he was contemplating his future.“I kept my blog all these years because it acts as a place for people to learn about malware and hacking, away from shady forums of criminals,” he wrote.“Once I’ve done my time ... I can focus more on teaching for free.”– © Telegraph Media Group Limited (2019)