By Bruce Sussman
Thu | Apr 25, 2019 | 3:04 AM PDT

Marcus Hutchins was declared a cybersecurity hero by many after he discovered the "kill switch" for WannaCry ransomware in 2017.

That high was followed by an incredible low that shocked many of @MalwareTechBlog's 145,000 Twitter followers.

Just months after his WannaCry discovery, U.S. officials arrested Hutchins on 10 cybercrime-related charges. Hutchins, who is from the UK, was heading home after a security conference in Las Vegas at the time of his arrest.

He pleaded not guilty, and since that time, those following the case have been waiting for an update. Now, there is more news.

MalwareTech pleads guilty to malware charges

Just before the Easter 2019 weekend, Hutchins entered a guilty plea and posted a four-sentence update that has everyone talking:

"As you may be aware, I’ve pleaded guilty to two charges related to writing malware in the years prior to my career in security. I regret these actions and accept full responsibility for my mistakes. Having grown up, I’ve since been using the same skills that I misused several years ago for constructive purposes. I will continue to devote my time to keeping people safe from malware attacks."

Most were not aware of his decision, or the decision by prosecutors to drop eight of the 10 charges in exchange for Hutchins' guilty plea. 

What did Marcus Hutchins plead guilty to doing?

Hutchins pleaded guilty to charges that he created two types of malware, UPAS and Kronos, in a scheme to make money. Specifically, the following:

"UPAS and Kronos are similar types of malware that utilize, among other things, form grabbers, key loggers, and web injects to intercept communications and collect personal information, including usernames, passwords, email addresses, and financial data, from any number of victim computers. The information from the infected victim computers would then be relayed to the person running the control panel for the malware program. The malware concealed itself in legitimate programs already running on a victim computer, and the malware was configured to avoid anti-virus programs. The malware was designed to target banking information and to work on many types of web browsers, including Internet Explorer, Firefox, and Chrome."

How MalwareTech's fans reacted on Twitter

There were some angry tweets, some tweets of disappointment, and some tweets questioning his sincerity. 

However, the vast majority of the hundreds of comments he received were in support. Here are some examples:




Each of the two counts carries a penalty of up to six years in prison, up to a $250,000 fine, and up to one year of supervised release.

[RELATED: Marcus Hutchins / MalwareTech plea agreement]

If you were the judge, would you show Marcus Hutchins leniency?

Is he a cyber hero who has learned from his mistakes?

Or should he pay the price for his past crimes regardless of the good cybersecurity research he is doing now?