Marcus Hutchins (born 1994), also known online as MalwareTech, is a British computer security researcher known for stopping the WannaCry ransomware attack. He is employed by the cybersecurity firm Kryptos Logic. Hutchins is from Ilfracombe in Devon.


Early life

Hutchins is the elder son of Janet Hutchins, a Scottish nurse, and Desmond Hutchins, a Jamaican social worker. Around 2003, when Hutchins was nine years old, his parents moved the family from urban Bracknell, near London, to rural Devon. Hutchins had shown an early aptitude for computers and picked up simple hacking skills early on, such as bypassing security on school computers to install video game software. He also spent time training as a surf lifeguard. He became involved with an online forum that promoted malware development, more as a way for members to show off their skills to each other than for nefarious purposes. When he was about 14 years old, he created his own contribution, a password stealer based on Internet Explorer's AutoFill feature, which was met with approval on the forum. He spent so much of his time with this community that his schoolwork began to suffer. When the school's systems were compromised, the school authorities claimed Hutchins was the culprit. Though he denied any involvement, the school permanently barred him from using its computers, which pushed Hutchins to skip school more often and spend even more time on the malware forums.


Career


UPAS Kit and Kronos

Around this time, the original malware forums had been closed, and Hutchins moved to another hacker community, HackForums. In this new forum, members were expected to show more skill by demonstrating possession of a botnet. Hutchins, 15 years old at the time, built an 8,000-computer botnet for HackForums by tricking BitTorrent users into running his fake files, which gave him control of their machines. From this exploit, Hutchins saw financial opportunities for his hacking skills, though at the time he did not feel these were tied to any type of cybercrime, as he stated in a 2020 interview. These activities included setting up "ghosted" web hosting for others on HackForums for "all illegal sites" except child porn, and creating custom malware, often based on evaluating how others' rootkits operated. According to Hutchins in later interviews and in his plea agreement, when he was around 16 and had gained a reputation in hacking circles for his custom malware, he was approached by an online entity he knew only as "Vinny", who asked him to write a well-maintained, multifaceted rootkit that could be sold on multiple hacker marketplaces, with Hutchins to be paid half of the profits of each sale. Hutchins agreed, and by mid-2012 had finished writing UPAS Kit, named after the poisonous upas tree. During this period, Hutchins had once complained in his conversations with Vinny about the lack of good weed in the country. Vinny asked for his address, which Hutchins gave, and later, on his 17th birthday, he received a package full of various recreational drugs. Sales of UPAS Kit earned Hutchins thousands of dollars in bitcoin, allowing him to drop out of school and live comfortably, though he kept the nature of his work secret from his family. Vinny soon came back to Hutchins to ask him to write UPAS Kit 2.0, specifically adding keylogging and web injects for browser form pages. At this point, Hutchins recognized that these features were likely intended for targeting financial transactions on bank websites, and that he would be enabling cybercrime if he wrote the update. Hutchins told Vinny that he refused to write such code, but Vinny held over him the fact that he knew his date of birth and address from the earlier gift of recreational drugs and was willing to hand that information to the FBI if Hutchins did not cooperate. Hutchins reached an agreement to add the keylogging to UPAS Kit 2.0 but leave out anything to do with web injects, work that took another nine months to complete. After this, Vinny told him that he had hired another programmer to update UPAS Kit with the web injects, and now wanted Hutchins and this programmer to work together to combine the code into a single package. Though he was ethically torn over the decision, Hutchins opted to continue working with Vinny, at least to make sure he got paid for the work he had already done, though he procrastinated as much as he could. The new code was completed by June 2014, and as Vinny started selling it on the dark web, he renamed UPAS Kit 2.0 to Kronos, after the mythological Greek Titan.


MalwareTech and Kryptos Logic

Hutchins had entered community college and was torn between completing his last year of work and the fixes to Kronos demanded by Vinny, further complicated by a drug addiction he had developed while working on Kronos. During this time, he met a person he knew as "Randy" online through hacking forums. Randy, who was based in Los Angeles, had been seeking a banking rootkit like Kronos; Hutchins did not mention his connection to it, but their longer conversations revealed that Randy had more philanthropic goals. To help Randy, Hutchins offered to assist him with trading bitcoin. However, a power failure one night caused Hutchins to lose more than of Randy's bitcoin, and in exchange, Hutchins revealed his connection to Kronos and offered Randy a free copy. After they had completed that deal, Hutchins realized the mistake he had made in revealing this to a stranger, and began to fear he would be approached by law enforcement. Hutchins graduated from community college in 2015 and dropped his drug addiction cold turkey. He put off requests from Vinny for updates to Kronos, claiming he was busy with schoolwork, until the requests stopped, as did any further payments from Vinny. After several months of dread, he decided to start an anonymously written blog on deep analysis of hacks, which he called MalwareTech, drawing on what he had learned evaluating others' rootkits and on his own work on UPAS Kit and Kronos, though he said nothing of his connection to these rootkits. As new rootkits appeared, Hutchins began reverse engineering them and writing up the details on MalwareTech, including the Kelihos and Necurs botnets, and wrote his own botnet tracking service that could join a botnet and monitor what operations its controllers were performing. His writings drew the interest of Kryptos Logic's CEO Salim Neino, who offered the writer a job. Hutchins accepted; while still working from Ilfracombe, he would reverse engineer new botnets and provide the detailed information to Kryptos Logic while writing about the high-level functionality he had discovered on MalwareTech, and Kryptos Logic would monitor the botnets for ongoing cybersecurity threats. Through this relationship, the reputation of Hutchins' MalwareTech identity grew, and he was called a "reversing savant" by a former NSA hacker, though only a few associates at Kryptos knew his true identity. Hutchins and Kryptos Logic were instrumental in stopping one offshoot of the Mirai botnet, a distributed denial of service (DDoS) attack in 2016 that had hit Lloyds Bank, as Hutchins, once he had tracked down the hacker behind it, was able to draw on his own experiences to persuade him to stop the botnet.


WannaCry

The WannaCry ransomware attack had started around 12 May 2017; using an exploit in Microsoft Windows' Server Message Block, it quickly spread from its initial point of injection, believed to be in North Korea, to over 230,000 computers in 150 countries within the day. Infected computers were seemingly locked out from use and could be unlocked only if the user sent a quantity of Bitcoin to a given account. Hutchins had become aware of WannaCry on the afternoon of 12 May, and though he had been on vacation, he began reverse engineering the code from his bedroom. He discovered that the malware was tied to an odd-looking domain name, suggesting the malware was part of a command-and-control structure common to botnets, but to his surprise, the domain name was not registered. He quickly registered the domain and set up servers at Kryptos Logic behind it to act as honeypots, allowing them to track the infected computers. While the WannaCry worm continued to spread over the next few hours, security researchers found that, because Hutchins had registered the domain name when he did, WannaCry would not execute further, so the registration effectively became the worm's killswitch. Hutchins and Kryptos, along with the UK's National Cyber Security Centre, spent the next several days defending the honeypot servers against additional DDoS attacks, some launched by existing Mirai botnets, so as to make sure the killswitch remained active while Microsoft and other security workers rushed to patch the Server Message Block exploit and issue the fix to end users. A separate effort by French cybersecurity researchers found a method to unlock and decrypt affected computers without paying the ransom. Hutchins' work, as MalwareTech, to stop WannaCry was highly praised, but this led to the press uncovering Hutchins' identity behind MalwareTech in the days that followed. Hutchins tried to avoid the press, including the more invasive tabloids that had published his name and address tied to the MalwareTech name, though he did agree to a single Associated Press interview under his real name, trying to defuse the "hero" perception he had been given. In this coverage, he kept his past history quiet, simply stating that he got his job with Kryptos Logic based on his software skills and the MalwareTech blog hobby he had developed during school. He gained a kind of celebrity status within the cybersecurity world for his actions against WannaCry, and plans were made for him to attend the 2017 DEF CON cybersecurity conference in Las Vegas that August.


Arrest

On 3 August 2017, Hutchins was arrested by the FBI as he was preparing to return to England from DEF CON, on six hacking-related federal charges in the U.S. District Court for the Eastern District of Wisconsin for creating and spreading Kronos in 2014 and 2015. Based on documents obtained by ''Vice'' through Freedom of Information Act requests, the FBI had tied Hutchins to Kronos after seizing the assets of AlphaBay in July 2017, where they found evidence of at least one sale of Kronos. The FBI had obtained copies of his conversations with Randy from another dark web server seizure prior to AlphaBay to prove his connection to the software, which he confessed to when questioned. Hutchins was kept in a Las Vegas jail overnight after calling Neino about his plight. Neino alerted his own associates, which set off a chain of alerts across the cybersecurity community about Hutchins' situation, though many mistakenly believed that the arrest was due to the WannaCry attacks. A large number of cybersecurity workers and hackers rallied to help make Hutchins' bail, though as some of the contributions included stolen credit cards and bitcoin, this raised further suspicions about Hutchins' activities; ultimately, Tarah Wheeler and her husband Deviant Ollam were able to front the bail money and help find Hutchins a place to live in Los Angeles, as he was barred from leaving the country. At his arraignment, he pleaded not guilty to the charges and was put under house arrest in Los Angeles, initially with strict curfew limits and GPS monitoring, but these were lifted after a few months. Hutchins had intended his "not guilty" plea to be used as part of a plea bargain with the FBI, rather than to deny any involvement with Kronos, though some in the hacker community took it as a denial and vocally fought for Hutchins' release on that basis. In early 2018, the FBI began to negotiate with Hutchins, as they wanted information he had on Vinny and several other hackers he knew, offering to reduce his sentence to a zero-prison term. Hutchins could not provide any significant information about Vinny, and did not want to reveal information on the other hackers, so he refused the offer. The FBI added four charges to his indictment by June 2018, which Hutchins was told by his lawyers was in response to his refusing their offer. On 19 April 2019, Hutchins pleaded guilty to two of the ten charges: conspiring to commit wire fraud, and distributing, selling, promoting, and advertising a device used to intercept electronic communications. His statement included the quote "I regret these actions and accept full responsibility for my mistakes. Having grown up, I’ve since been using the same skills that I misused several years ago for constructive purposes." Hutchins faced up to five years in prison and $250,000 in fines for the two charges. On 26 July 2019, Judge Joseph Peter Stadtmueller sentenced Hutchins to time served and one year of supervised release, recognizing that Hutchins had "turned the corner" from using his skills for criminal purposes to beneficial uses well before he had faced justice. According to a 2020 ''Wired'' profile, Hutchins stated that while he preferred to stay in Los Angeles, he expected that following the year of supervised release he would be deported back to the United Kingdom, as he had long overstayed his travel visa.

