[Derek_MK]

TLDR/Background:

* Hutchins (MalwareTech on social media) used to be a black hat, and developed/sold a banking trojan that would become Kronos.

* Since then, he's given up black hat activity and began reverse-engineering malware and providing educational material along the same lines.

* He came into the spotlight when he realized that the Wannacry ransomware was attempting to contact a particular web domain that was unregistered. He registered it to see what they were trying to send and why, and found out that it was a global killswitch, fully shutting down the initial strain of the malware.

* After Def Con 2017, he was arrested at the airport when attempting to leave the US. He was being charged with devleoping Kronos, and prosecutors were effectively adding new charges in retaliation every time he refused to plead guilty.

* He eventually caved and plead guilty, and today was sentenced to a year of supervised release, with no jail time (Though he likely won't be able to enter the US again). The judge strongly indicated that the lenient sentence was due to the fact that he stopped breaking the law of his own volition, and started using his skills to better the world.

* This article doesn't mention it, but the judge also suggested that he and his legal counsel seek a pardon, which could potentially allow him to enter the US again. They are planning to go forward with that path.

[lawnchair_larry]

That wasn’t quite how it went.

He initially told everyone that he was peripherally involved in writing some code as a teenager that, unbenknownst to him, ended up in some malware.

The feds unraveled his lies and showed beyond a doubt that not only did he work on that into his 20s, but he and his partner were actively involved in the business of selling a purpose-built banking trojan. They had logs of a “business dispute” between him and his parter from only 2 years prior to his arrest.

He had bad opsec, and many folks online exposed a lot of this. The feds had chat logs showing he was directly involved. It’s all in the court documents. He had no choice but to plea guilty.

https://www.courtlistener.com/recap/gov.uscourts.wied.77855/...

[sq_]

In my mind, it does count for something that he seems to have turned everything around from being a black hat towards doing proper security research and generally trying to work towards the common good.

[lawnchair_larry]

Maybe. I don’t know if I think he should be punished further or not and don’t have strong feelings on this outcome one way or another. I generally think hacking crimes are treated disproportionately harsh.

All that aside, I do not appreciate that he rallied support from the security community and raised legal defense money by convincing sympathetic folks that it was all untrue and he was being set up, when he was actually guilty the whole time.

Manipulate the legal system all you want for all I care, but manipulating good natured people in the community who put their own reputation and money on the line is not exactly a class act. I didn’t give him money, but I did fall for his original story.