Marcus 'MalwareTech' Hutchins gets no prison time, one year supervised release

US legal case against security researcher who helped stop WannaCry ransomware outbreak comes to an end.
Written by Catalin Cimpanu, Contributor


Marcus 'MalwareTech' Hutchins, the security researcher who helped stop the WannaCry ransomware outbreak, was sentenced today in the US to time served and one year of supervised release.

The UK-born malware analyst avoids prison time in a case that the judge described as having "too many positives on other side of ledger" -- referring to Hutchins' role in the WannaCry ransomware outbreak and his work as a malware analyst.

Judge J. P. Stadmueller had a difficult decision on his hands, and would have considered a pardon. However, courts have no such power, and he deferred to the executive branch. After the sentencing hearing, Hutchins' lawyers said they would explore it.

In court, Hutchins apologized, again, to victims, family, and friends. The judge waived any fines.

Hutchins will be allowed to return to the UK. US authorities will now decide if he's barred from returning to the US due to his criminal record.

MalwareTech pleaded guilty in April

The sentence comes after Hutchins pleaded guilty this April to two charges: entering a conspiracy to create and distribute malware, and aiding and abetting its distribution.

US authorities arrested Hutchins at the Las Vegas international airport in August 2017, when the researcher was trying to return home to the UK after participating in the Black Hat and DEF CON security conferences.

He was subsequently charged with developing the Kronos banking trojan. Additional charges were added later for developing the UPAS KIT trojan as well.

Hutchins was only accused of writing the source code for these two malware strains, which a yet-to-be-identified co-conspirator, identified in court documents only as VinnyK, later advertised and sold online.

A very controversial case

According to court documents, this happened between July 2012 and September 2015, and before Hutchins built a career as a security researcher. He is considered one of today's most talented cyber-security professionals.

Hutchins' case has been a controversial one. He argued that he was detained and interrogated while sleep-deprived and intoxicated, and that FBI agents misled him about the true intentions of the interrogation.

His lawyers also argued that Hutchins' actions happened while he was still a minor, and outside the standard five-year statute of limitations.

The prosecution responded by piling on new charges, including for lying to the FBI, which many legal experts deemed ludicrous at the time.

Support from the cyber-security community

The prosecution's sentencing memorandum doesn't include a sentencing recommendation, which has been submitted as a separate document, and sealed.

Hutchins' sentencing memorandum, the argument made by his lawyers for a lighter sentence, is also under seal. The document includes sensitive details that are pertinent to other investigations, due to Hutchins' later years of chasing cyber-criminals.

Many in the cyber-security community have come to Hutchins' support, arguing that the court should go easy on him due to his years of work with authorities.
