WannaCry hero Marcus Hutchins could face 40 years in US prison

Cara McGoogan ; Matthew Field and Victoria Ward 4 August 2017 • 6:57pm

Marcus Hutchins is reportedly being held in Nevada Credit: AP

The young computer expert who stopped the WannaCry global cyber attack could face decades in a US prison following accusations that he helped create and sell a malicious software that targeted bank accounts.

Marcus Hutchins, who saved the NHS from cyber criminals, could face a maximum sentence of 40 years in prison in the US if he is found guilty of the charges.

Hutchins, who was at a hacking conference in Las Vegas when he was arrested by the FBI, faces six counts of helping to create, spread and maintain the banking Trojan Kronos between 2014 and 2015.

According to the US Department of Justice indictment, the alleged offences took place between July 2014 and July 2015.

Hutchins was jointly charged with another individual who was not named.

The indictment alleged that Hutchins "created the Kronos malware" and the other person later sold it for $2,000 (£1,500) online.

"The maximum statutory sentence he could face is decades, roughly 40 years," said Tor Ekeland, a US lawyer who specialises in defending alleged cyber criminals. "Would he get that? I doubt it, it would be a bizarre outcome. Is it possible? It sure is."

Hutchins is due to appear in court later on Friday, when he could plead guilty or not guilty. If he pleads guilty he could be sentenced to a short prison sentence or supervised release. If he pleads not guilty, he will be moved to Wisconsin, where the charges have been brought, to face trial, which could start any time between three months and three years, Ekeland said.

"The main thing to do now is enter a not guilty plea as soon as you can, get him out on bail, and then you've got some breathing room," said Ekeland.

But he added it is "highly likely" Hutchins will be refused bail, because he is a foreign national in the US and could be deemed a flight risk.

Ekeland described the allegations against Hutchins as "very thin". "There's not a single allegation that he made any money or anybody came to any harm from it," he said. "The indictment is very thin. It's legally bizarre and there's little detail."

Hutchins was arrested at an airport in Las Vegas on Wednesday shortly before he was due to fly back to the UK.

Priority boarding so you can add to the time you're sat on a plane that is nowhere near ready to fly 😕
— MalwareTech (@MalwareTechBlog) 2 August 2017

The Kronos malware was spread through emails with malicious attachments and allowed users steal money using credentials such as internet banking passwords. It was allegedly sold on the dark web marketplace AlphaBay, which the US Government shut down at the end of July.

The allegations are unrelated to the WannaCry attack he was credited with halting, according to a US official.

The security expert, from Devon, was hailed a hero in May when he discovered a "kill switch" for the WannaCry ransomware, which spread to hundreds of thousands of computers across 150 countries. Among the victims were dozens of NHS Trusts, which were forced to delay operations and turn people away.

Hutchins, who stopped the attack from his bedroom under the pseudonym MalwareTech, has reportedly helped GCHQ's National Cyber Security Centre since the incident.

A a source said the organisation collaborated with many private individuals and was "very much embedded in the community," of which Hutchins is a part.

On his arrest, an NCSC spokesman said: "We are aware of the situation. This is a law enforcement matter and it would be inappropriate to comment further."

Janet Hutchins, his mother, told the Telegraph she was trying to find out exactly what had happened to her son but said she had not yet managed to get anything confirmed.

"I think I'm going to be rather busy tonight," she added.

A security expert who was staying with Hutchins at the DefCon hacking conference in Nevada said he had been arrested at Las Vagas's McCarran International Airport on Wednesday afternoon.

The friend, who also works in the cyber security industry, said: "He was detained at McCarran airport yesterday. He checked into his flight and I think he was sitting in the Virgin upper class lounge.

"He was escorted out of the airport and never made his flight."

Around 20 hours after he went missing, Hutchins' parents told the friend he had been arrested.

After his arrest, Hutchins was taken to Henderson Detention Center in Nevada before being moved to the Las Vegas FBI field office.

"I had been trying to get in contact with him for the past 20 hours," the friend told the Telegraph. "I finally located him this morning but they moved him before visiting hours. Now he's in the wind again."

A spokesman for the Foreign and Commonwealth Office said: "We are in touch with local authorities in Las Vegas following reports of a British man being arrested."

The UK's National Crime Agency said: "We are aware a UK national has been arrested but it's a matter for the authorities in the US."

I can confirm @MalwareTechBlog was detained yesterday and FBI/US Marshalls won't tell me where he is. https://t.co/lV5SxZjsRi
— Andrew Mabbitt (@MabbsSec) August 3, 2017

Hutchins stopped the spread of the WannaCry ransomware when he accidentally discovered a "kill switch". Working on his own from his small bedroom in his parent's home, Hutchins has been lauded for his computer skills in the wake of the attack.

The WannaCry attack spread to more than 230,000 computers in scores of countries, affecting major organisations including the NHS, Renault and O2. Using a vulnerability in Microsoft's Windows operating system discovered by US security agencies, WannaCry locked victims' computers and demanded a $300 ransom.

Hutchins found a way to stop the virus from rapidly spreading. He was given a $10,000 (£7,600) reward for the effort, which he donated to charity.

The ethical hacker, who is largely self-taught and did not go to university, was in the US for the world's largest annual conventions for security experts, BlackHat and DefCon.

His arrest comes as more than £100,000 of digital currency bitcoin that was paid by victims of the WannaCry attack was withdrawn from the hackers' online wallets.

There is no indication that the two events are connected.

Victims were asked to pay around £230 in Bitcoins to get back control of their systems and monitoring websites showed the wallets holding the payments had been emptied on Thursday.

No one has claimed responsibility for the attack but experts have connected it to Lazarus, a group also linked to the 2014 Sony Pictures hack.

Experts warned the incident will send a "really bad message" to the cyber security community.

"There are major implications for cyber security," said Ekeland, the US lawyer. "By doing this they've made the internet less safe because nobody in their right mind is likely to help the US Government stop attacks now.

"They've sent a really bad message that even if you help the US Government stop a worldwide major malware attack and save people millions of dollars and potentially saved lives, you could be arrested because someone you supposedly associated with supposedly sold malware for $2,000."

Ekeland added that creating and distributing malicious software is different to using it to commit crimes. "They're messing with a multi-billion dollar market," he said. "If I was a certain type of software manufacturer, I would be very concerned about my work right now. I don't understand why this type of software isn't legal."