Helping Hackers Do Right - ThreatWire Crosspost (Patreon)

by Shannon Morse, ThreatWire 

Marcus Hutchins has received his get out of jail free card. Hutchins, AKA MalwareTech, hit notoriety after stopping the WannaCry ransomware outbreak that occurred in 2017. This ransomware brought down networks in companies found in over 150 countries, so his activation of a kill switch invariably disabled much of the ransomware from spreading. While MalwareTech stayed anonymous during much of the WannaCry news, he ended up being doxxed by reporters who matched his handle to his actual identity.  

Months later Hutchins was arrested by the FBI while attending DEFCON in Las Vegas, where he had traveled to from the UK. The FBI alleged he created and distributed the Kronos banking malware around 2014 to 2015, which he indeed pleaded guilty to as of April of this year. This carries a maximum of 10 years in prison and $250k in fines, plus a year of supervised release. 

Hutchins lawyers Brian Klein, Marcia Hoffmann, and Daniel Stiller provided services pro bono and helped come to a final verdict during court on July 26. The prosecutor in this case failed to show how much damage was caused by the Kronos malware, so that, plus Hutchins recent years of work as a white hat hacker, plus plenty of character letters sent by those that knew him, allowed him to be sentenced to time served plus one year of supervised release. Since he has been stuck in the US without the ability to go home to the UK, this does finally bring his two year long case to a close. Hutchins will likely not be able to return to the US under visa due to being indicted as a felon. He plans, based on court reporting, to dedicate time to teaching young security experts.

I bring this court case up, no matter how you feel about MalwareTech, because of a recent test being performed by European authorities. If you’re a young, first time offender who committed some kind of cyber crime, you may end up in a legal intervention campaign instead of handcuffs.  It’s called Hack_Right, and this campaign is for 12 to 23 year olds who may be experimenting with their abilities online but unaware of the consequences. With 400 interactions with young hackers already processed, UK and Netherlands law enforcement officials hope Hack_Right will help them to learn about properly using their information security abilities to do good. Hack_Right positions officials to solve what they believe is a societal problem, not a law enforcement problem by putting young hackers in computer clubs instead of jail.  Hackers found responsible for a security incident are pushed to be in 10 to 20 hours of ethical computer training and are put in touch with professionals who can help explain career paths or best educational assets.

Given this current campaign in the UK and the Netherlands to help motivate inspired young hackers who may have crossed a line instead of simply throwing them in jail makes me wonder if similar could have happened with Hutchins. Had he been found guilty of this crime in the UK, his homeland, rather than here in the US, maybe he would have had a quicker turnaround, given it was his first offense and he was within that age range when it happened. While this program is available, a suspect must confess to the crime and not have a long criminal history. They must also be down to change their behavior and work with officials rather than against them.

ThreatWire is only possible because of our Patreon patrons! https://www.patreon.com/threatwire  

https://thehackernews.com/2019/07/marcus-hutchins-sentenced.html

https://www.vice.com/en_us/article/9kxewv/malwaretech-wannacry-ransomware-sentencing

https://www.cyberscoop.com/marcus-hutchins-sentenced-kronos-wannacry/

https://twitter.com/emptywheel/status/1154789624843329536

https://twitter.com/MalwareTechBlog/status/1154787474486517762

https://www.cyberscoop.com/teenage-hackers-police-britain-netherlands/

https://www.politie.nl/themas/hack_right.html?sid=8f4296ab-ea98-4a08-ab28-81ef1fcf8b7c