The presiding judge in the case, JP Stadmueller, said he took into account Hutchins’ age at the time of the offences and gave him credit for “turning a corner” in his life before charges were brought. The sentence is likely to bar Hutchins, who is a British citizen, from re-entering the United States.
Stadtmueller described Hutchins, 25, as a “talented” but “youthful offender” in remarks in federal court in Milwaukee Friday. “It’s going to take people like [Hutchins] with your skills to come up with solutions because that’s the only way we’re going to eliminate this entire subject of the woefully inadequate security protocols,” said Stadmueller, noting that Hutchins’ time had been served.
Hutchins, who goes by the online handle @MalwareTech, was arrested in Las Vegas by federal marshals in August 2017 while boarding a flight back to the UK following the Def Con security conference. The government alleged in an indictment that he developed Kronos, a malware that steals banking credentials from the browsers of infected computers, as well as of developing another malware known as the UPAS Kit. Hutchins was released on bail on a $30,000 bond. He initially denied creating the malware, but later pleaded guilty, saying he regretted his actions and accepted “full responsibility for my mistakes.”
Hutchins’ indictment came four months after he was hailed as a “WannaCry hero” for registering a domain name that stopped the spread of the WannaCry cyberattack back in 2017, which knocked tens of thousands of computers offline with ransomware in a few hours. Hutchins, who at the time of the attack worked for Los Angeles-based Kryptos Logic from his home in the south of England, registered the domain in an effort to understand why the ransomware was spreading, later using the domain as a “kill switch” to stop the virus.