CRIME

Celebrity British cybersecurity expert to plead guilty in Milwaukee to creating banking malware Kronos

Bruce Vielmetti
Milwaukee Journal Sentinel

A celebrity British cybersecurity expert has agreed to plead guilty in Milwaukee to charges that he created and sold malware aimed at banks — before he became famous for thwarting the WannaCry virus.

Marcus Hutchins, 24, was arrested in Las Vegas in 2017 as he was departing a major cybersecurity conference. He was charged in a six-count indictment in Milwaukee with creating a piece of malware called Kronos designed to sneak onto computers then find and divert owners' bank account information.

Marcus Hutchins (right), the British cybersecurity expert accused of creating and selling malware that steals banking passwords, arrives at the Federal Courthouse on August 14, 2017, in Milwaukee.

His arrest came three months after he became suddenly famous for stopping the WannaCry ransomware attack that had crippled companies worldwide and shut down England's hospital system.

He and another person, whose identity has been redacted from the indictment, are accused of conspiring to sell Kronos to cybercriminals.

RELATED:British cyber security expert appears in Milwaukee federal court, pleads not guilty to fraud

RELATED:Celebrity hacker MalwareTech awaits Milwaukee trial on a California beach

In 2018, prosecutors added four counts, including making false statements to the FBI, and includes aliases of his alleged co-conspirator: Vinny; VinnyK; Gone with the Wind; Cocaine; Jack of all Trades; and Aurora123.

The new indictment charged that Hutchins developed Kronos and that Vinny sold it to someone in eastern Wisconsin for $1,500 in 2012 and the two continued to promote its sale through 2014. The indictment says that in 2015 Hutchins distributed Kronos to someone in California he knew was involved in cybercrime.

After months of litigating various motions to suppress evidence, Hutchins' legal team reached a plea deal with prosecutors and filed a plea agreement on Friday.  Hutchins agreed to plead guilty to two counts of the latest indictment, conspiracy to defraud the U.S. and marketing the malware. Prosecutors would dismiss the remaining charges.

On his own website, he wrote: "As you may be aware, I’ve pleaded guilty to two charges related to writing malware in the years prior to my career in security. I regret these actions and accept full responsibility for my mistakes.

"Having grown up, I’ve since been using the same skills that I misused several years ago for constructive purposes. I will continue to devote my time to keeping people safe from malware attacks."

Hutchins faces a theoretical 20 years in prison but will likely receive far less time or probation. As of Monday, no date had been set for Hutchins to enter the guilty pleas or for his sentencing.

Editor's note: This story has been updated to clarify that Hutchins has agreed to plead guilty; no date has yet been set to enter the plea.

Contact Bruce Vielmetti at (414) 224-2187 or bvielmetti@jrn.com. Follow him on Twitter at @ProofHearsay.