Last week, 24-year-old British hacker Marcus Hutchins took a plea deal in which he admitted to helping develop and sell malware designed to steal people’s banking credentials. Despite his admission of guilt and the clearly malicious program he wrote, the resolution of his case feels, in many ways, more like a loss than a victory for cybercrime policing. Hutchins writes the MalwareTech blog and gained considerable attention in May 2017 when he was able to slow the spread of the massively destructive WannaCry ransomware by reverse-engineering it and then purchasing a domain that he found hard-coded into the malware. The then–22-year-old Hutchins told the Guardian, “I was unaware registering the domain would stop the malware until after I registered it, so initially it was accidental. So I can only add ‘accidentally stopped an international cyber-attack’ to my resume.”
Months later, in August 2017, Hutchins came to Las Vegas for the annual Def Con security conference and was arrested by the FBI on charges of helping develop and sell the Kronos banking Trojan in 2014 and 2015. Of course, one good deed—even one as far-reaching as stemming the spread of WannaCry—does not automatically undo the damage of providing people with tools to conduct financial fraud and theft. But it’s hard not to feel some regret here.
Hutchins didn’t just do one good thing amid an ongoing series of bad ones. So far as anyone can tell, by the time WannaCry happened, he had already put his malware-selling days behind him and turned his attention to reverse-engineering and documenting examples of malware on his blog. Soon after Hutchins’ arrest, security journalist Brian Krebs did a thorough investigation of Hutchins’ ties to illegal online activity and concluded that “Hutchins began developing and selling malware in his mid-teens—only to later develop a change of heart and earnestly endeavor to leave that part of his life squarely in the rearview mirror.”
Hutchins himself, in a post on his blog about the plea deal, wrote, “As you may be aware, I’ve pleaded guilty to two charges related to writing malware in the years prior to my career in security. I regret these actions and accept full responsibility for my mistakes. Having grown up, I’ve since been using the same skills that I misused several years ago for constructive purposes. I will continue to devote my time to keeping people safe from malware attacks.” of course, any arrested hacker could claim to have put their black-hat days behind them and turned over a new leaf. But in Hutchins’ case there’s actually evidence to back that up. Not just his remarkable contribution to fighting WannaCry but also his years of blog posts detailing his analysis of how different types of malware work. That work provides a genuine public service, helping people recognize and understand vulnerabilities that are exploited by malware and how to protect against them. His skills at reverse-engineering malware are rare, and valuable. And while youth is not an excuse for criminal activity, it seems significant that Hutchins’ most malicious activity seems to have occurred in his late teens, with a clear change of course as he entered his 20s.
Hutchins has not yet been sentenced, but the two charges he pleaded guilty to each come with a maximum penalty of up to five years in prison, a $250,000 fine, and one year of supervised release. With luck, the sentencing will be lenient, in recognition of both the service Hutchins has provided to the security community since his days of selling malware and the potential for him—and other people like him—to provide similar contributions to cybersecurity in the future.
We need to create a path for people like Hutchins to use their talents for good. Not everyone will want or be able to do that, and not every hacker who is offered a second chance manages to stick to the right side of the law. (Albert Gonzalez, for instance, famously pulled off the huge 2005 TJX data breach while working as a paid informant for the Secret Service.) Not every cybercriminal necessarily deserves a second chance, either—if Hutchins had been running a large-scale financial cybercrime ring for years à la Evgeniy Bogachev, then it would be absurd to even imagine he would try to reform himself, or be worth letting him off the hook for his crimes.
But what Hutchins did was relatively small-scale and seems to be squarely in his past at this point. Undoubtedly, it was also dumb and wrong and quite possibly illegal. (Orin Kerr has written a good analysis in the Washington Post of the legal issues surrounding the case.) And Hutchins’ malware may well have cost innocent people money, though security reporter Thomas Brewster wrote in Forbes in 2017 that Kronos “was largely a failure amongst serious cybercriminals” and that “while [it] may have claimed some victims, it never became anything close to a serious criminal operation.” The fact that Hutchins wrote relatively unsuccessful malware does not excuse what he did, but there are too few people with Hutchins’ talents—and those talents are too often forged in shady or outright illegal dealings—to refuse to offer him and others like him a chance at redemption and an opportunity to make amends by keeping us all a little bit safer.