The allegations are unrelated to the WannaCry attack he was credited with halting. The young computer expert, Marcus Hutchins, who stopped the WannaCry global cyber attack early this year could face decades in a US prison following accusations that he helped create and sell a malicious software that targeted bank accounts.
Marcus Hutchins, who saved the NHS from cyber criminals, could face a maximum sentence of 40 years in prison in the US if he is found guilty of the charges.
Hutchins, who was at a hacking conference in Las Vegas when he was arrested by the FBI, faces six counts of helping to create, spread and maintain the banking Trojan Kronos between 2014 and 2015.
According to the US Department of Justice indictment, the alleged offences took place between July 2014 and July 2015.
Hutchins was jointly charged with another individual who was not named.
The indictment alleged that Hutchins “created the Kronos malware” and the other person later sold it for $2,000 (£1,500) online.
Tor Ekeland, a US lawyer who specializes in defending alleged cyber criminals.
“The maximum statutory sentence he could face is decades, roughly 40 years. Would he get that? I doubt it, it would be a bizarre outcome. Is it possible? It sure is.”
Hutchins is due to appear in court later on Friday, when he could plead guilty or not guilty. If he pleads guilty he could be sentenced to a short prison sentence or supervised release. If he pleads not guilty, he will be moved to Wisconsin, where the charges have been brought, to face trial, which could start any time between three months and three years, Ekeland said.
“The main thing to do now is enter a not guilty plea as soon as you can, get him out on bail, and then you’ve got some breathing room.”
But he added it is “highly likely” Hutchins will be refused bail, because he is a foreign national in the US and could be deemed a flight risk.
Ekeland described the allegations against Hutchins as “very thin”.
There’s not a single allegation that he made any money or anybody came to any harm from it. Indictment is very thin. It’s legally bizarre and there’s little detail.
Hutchins was arrested at an airport in Las Vegas on Wednesday shortly before he was due to fly back to the UK.
The Kronos malware was spread through emails with malicious attachments and allowed users steal money using credentials such as internet banking passwords. It was allegedly sold on the dark web marketplace AlphaBay, which the US Government shut down at the end of July.
The security expert, from Devon, was hailed a hero in May when he discovered a “kill switch” for the WannaCry ransomware, which spread to hundreds of thousands of computers across 150 countries. Among the victims were dozens of NHS Trusts, which were forced to delay operations and turn people away.
Hutchins stopped the spread of the WannaCry ransomware when he accidentally discovered a “kill switch”. Working on his own from his small bedroom in his parent’s home, Hutchins has been lauded for his computer skills in the wake of the attack.
The WannaCry attack spread to more than 230,000 computers in scores of countries, affecting major organisations including the NHS, Renault and O2. Using a vulnerability in Microsoft’s Windows operating system discovered by US security agencies, WannaCry locked victims’ computers and demanded a $300 ransom.
Hutchins found a way to stop the virus from rapidly spreading. He was given a $10,000 (£7,600) reward for the effort, which he donated to charity.
The ethical hacker, who is largely self-taught and did not go to university, was in the US for the world’s largest annual conventions for security experts, BlackHat and DefCon.
His arrest comes as more than £100,000 of digital currency bitcoin that was paid by victims of the WannaCry attack was withdrawn from the hackers’ online wallets.
There is no indication that the two events are connected.
Victims were asked to pay around £230 in Bitcoins to get back control of their systems and monitoring websites showed the wallets holding the payments had been emptied on Thursday.
No one has claimed responsibility for the attack but experts have connected it to Lazarus, a group also linked to the 2014 Sony Pictures hack.
Experts warned the incident will send a “really bad message” to the cyber security community.
There are major implications for cyber security. By doing this they’ve made the internet less safe because nobody in their right mind is likely to help the US Government stop attacks now.
They’ve sent a really bad message that even if you help the US Government stop a worldwide major malware attack and save people millions of dollars and potentially saved lives, you could be arrested because someone you supposedly associated with supposedly sold malware for $2,000.
My understanding is that creating and distributing malicious software is different to using it to commit crimes. They’re messing with a multi-billion dollar market. If I was a certain type of software manufacturer, I would be very concerned about my work right now. I don’t understand why this type of software isn’t legal.
The post Marcus Hutchins WannaCry Hero Incarcerated, Faces 40 Years in US Prison appeared first on Innovation Village.