Hero in WannaCry cybersecurity attack pleads not guilty to unleashing a different virus

A British cybersecurity researcher credited with helping curb the recent WannaCry ransomware attack pleaded not guilty Monday to federal charges accusing him of creating malicious software to steal banking information three years ago.

Marcus Hutchins entered his plea in Wisconsin federal court, where prosecutors charged him and an unnamed co-defendant with conspiring to commit computer fraud in the state and elsewhere. Authorities arrested the 23-year-old man Aug. 2 at McCarran International Airport in Las Vegas, where he was going to board a flight to his home in Ilfracombe, England. He had been in Las Vegas for a cybersecurity convention.

Hutchins’ attorney, Marcia Hofmann, said after Monday’s brief hearing that Hutchins will fight the charges and that “when the evidence comes to light, we are confident he will be fully vindicated.”

“Marcus Hutchins is a brilliant young man and a hero,” Hofmann said.

Hutchins left afterward in a white SUV with tinted windows and did not talk to reporters. During the hearing, he spoke only to say “I do,” when Magistrate Judge William E. Duffin asked him if he understood his rights.

Hutchins is free on $30,000 bail, but with strict conditions. His bond has been modified so he can stay in Los Angeles near his attorney and travel anywhere in the U.S., but he cannot leave the country. He was also granted access to use a computer for work, a change from an earlier judge’s order barring him from using any device with access to the Internet.

Hutchins has been working for Los Angeles security firm Kryptos Logic, and prosecutors did not oppose allowing him access to a computer for work.

Hutchins is required to wear a GPS monitor, but Duffin said the court will consider removing that requirement once Hutchins has found a home in Los Angeles and is complying with the terms of his bond.

The next hearing in the case was set for Oct. 17, with an Oct. 23 trial date, though the latter is expected to change due to the case’s complexity.

The legal troubles Hutchins faces are a dramatic turnaround from the status of cybercrime-fighting hero he enjoyed four months ago when he found a “kill switch” to slow the outbreak of the WannaCry virus. WannaCry crippled computers worldwide, encrypting files and making them inaccessible unless people paid a ransom ranging from $300 to $600.

Prosecutors allege that before Hutchins won acclaim he created and distributed a malicious software called Kronos to steal banking passwords from unsuspecting computer users. In addition to computer fraud, the indictment lists five other charges, including attempting to intercept electronic communications and trying to access a computer without authorization.

The indictment says the crimes happened between July 2014 and July 2015, but the court document doesn’t offer any details about the number of victims. Prosecutors have not said why the case was filed in Wisconsin. The name of Hutchins’ co-defendant is redacted from the indictment.

Hutchins faces decades in prison if convicted on all the charges.

Kronos — often distributed through document attachments in phishing emails — monitors consumers’ online browsing and leads them to fraudulent websites designed to look like legitimate banking services. The program then harvests usernames, passwords and other information from unsuspecting consumers. Sellers described Kronos as capable of evading antivirus software and snooping on the latest versions of Chrome, Firefox and Internet Explorer.

The allegations from a two-year FBI investigation point to one of the cybersecurity sector’s most distinctive traits: the revolving door between those trying to stop attacks and those launching them.

People often transition between hacking with malicious intent and working as well-meaning investigators. The mischievous work of the past can be an asset to companies and law enforcement agencies looking to get an edge on new waves of criminals. But it also can mar the reputation of the burgeoning industry.

Times staff writer Paresh Dave contributed to this report.

UPDATES:

10:30 a.m.: This article was updated throughout with additional details.

This article was originally published at 9:40 a.m.