I think the FBI was trying to make an example of Marcus. But I think they bit off more than they could chew. So, we’re just going to go through the entire thing? If you don’t mind. F***! The WannaCry events became apparent within minutes of me pitching up for work on that day. I went into the office to make a coffee and put my bag down and people at their computers showed me a screen, we were talking about it, everything had gone down. Within minutes we realized by talking to people and listening to the news that this was more than a local problem, it was something that was affecting a big part of the NHS. 39 hospital trusts and GPs in Scotland and across England have had to cancel routine operations, send patients home and divert ambulances. All the computers have been stopped. They’re not sure whether the doctors can see you. There’s no appointments apart from emergency appointments. I first heard about it actually when I was in the middle of my clinic, and at that point, that was about 4:00 pm, I think 16 organizations had been affected. By 11:00 am, I think we got some screenshots from the affected machines, the famous red screenshots. This ransomware takes over computers and demands $300 in Bitcoin for people to get access to their files again. Well the 12th of May 2017, we were actually in the middle of a general election in the United Kingdom, but coincidentally, I had actually been trying to contact my own GP to make an appointment for one of my children and they were saying “Well, we can’t access the systems at the moment” and then I just thought they’ve got a problem locally and I didn’t really — I didn’t realize till later how serious this had been. I’ve just chaired Cobra to ensure that we have a cross-government response to this virus attack. This has been an international attack, it’s impacted a hundred countries. 
It looked at first like an attack just on hospitals in the UK, but it’s now becoming clear that this malicious software has run riot around the world. We woke up on the East Coast trying to scramble and understand what was going on; we didn’t really know what was happening. WannaCry’s ability to spread itself is why it is so problematic. Unlike most malware, it doesn’t need you to click on an infected email, it spreads using a vulnerability in outdated versions of Windows. It just seemed like one day in May the Internet is suddenly on fire and there’s this unstoppable worm infecting hundreds of thousands of computers and growing indiscriminately, spreading from continent to continent with no signs of stopping, getting worse by the hour. In that moment it was like “Oh crap what are we going to do?” I was working from my parents’ home at the time, in my bedroom and I checked some message boards and seen all of this news about something targeting the NHS. So, obviously I was like, “hmm that sounds interesting”, because usually ransomware hits like one or two major targets, but this was just hitting NHS hospitals all around the UK and it was so consistent that I thought like, this could be a worm. So, I decided to jump into kind of looking into it. The Internet had seen massive rapidly spreading worms before, but not for years. So, I asked a friend if I could have a sample of the WannaCry worm. I noticed it made a web request to an unregistered website, so I registered it. And as time went on, we noticed the infection count was steadily declining. After a few hours of that, we noticed a tweet by someone suggesting that the URL in fact, was a kill switch that just disabled the malware. So, the ransomware itself WannaCry had this kill switch. It was a domain name, which when you registered that domain name, it would kill the ransomware dead in its tracks. 
Usually these kill switches or these mechanisms are built for the authors itself to make sure that they don’t infect themselves. I think that it was designed as a safeguard, so they can stop the spreading of WannaCry if the need arises. So, I kind of went in and I looked for myself and sure enough this domain simply responding was enough to disable the malware itself. It was the biggest hack attack the world has ever seen, but attempts to stop the virus spreading appear to be working. And then suddenly it was over. With no warning, with no explanation. So, I believe I woke up on I think, Sunday morning to see my face across a two-page spread in the Daily Mail which is the biggest newspaper in the UK and after that things kind of just went off the rails. No one really knew who he was or what his name was. He went by this online handle @MalwareTech and he would publish vulnerability research and reverse engineering blog posts and everyone knew his work, but it was only after the ransomware attack happened when the media essentially doxxed him and they published his name and photos and even his home address, online for anyone to find. After that things kind of just went off the rails, I had journalists turning up at my house to interview me. I had all kinds of media queries in every inbox I had. Yeah so I’ve had people sort of inundating me with messages thanking me, saying that I’m a hero. I mean I sort of just registered this domain for tracking and I didn’t intend for it to like sort of blow up and me to be all over the media. I was just sort of doing my job and I don’t really think that I’m a hero at all. A lot of people in the security community are private. And so his personal life, everything about him, was exposed in that moment. So, while it was great, and he was the hero of the day, I don’t think he wanted that. So, yeah we’re just pretty much business as usual, except I have not had any sleep in 3 days. 
So long as the domain isn’t revoked this particular strain will no longer cause harm, but patch your systems ASAP as they will try again. Although we’d actually stopped the malware, there was a lot of other things that needed to be done, we needed to like, notify people that their networks were infected. So, I was working all week and I just kind of asked my mum to politely tell anyone who turns up at the door to go away. Still seeing more than a hundred thousand unique IPs per day connecting to our sinkhole. Even after Marcus registered this domain his work wasn’t really over. For weeks afterwards, all manner of hackers were attacking the domain with distributed denial-of-service attacks that try to flood it with junk traffic and knock it offline, who knows why? So, he had an active role in protecting that and that put him in a hard situation, so there was a lot of pressure. If any of them had succeeded with one of these cyberattacks and that domain had gone offline, then WannaCry could have restarted and begun infecting machines all over again. It was so important to keep this domain active, even to this day. The moment that the domain name goes down, another outbreak will just happen again. We are very pleased to welcome our illustrious team of witnesses here this afternoon. How can you be sure that the virus has been eliminated from all the NHS systems? Well, I don’t think we can guarantee that the threat has gone away. We were very concerned to learn partly during the WannaCry incident and afterwards, when we were looking at it, that the NHS was really woefully underprepared. None of the NHS organizations that were inspected had met the standards set by NHS digital. That was dismaying, to say the least. Can we guarantee future security? No we can’t. Just like every other organization, cyberattacks and cybercrime are the fact of life. I think that WannaCry could have been so much worse. 
We got away with it relatively lightly, compared with how serious it could have been had it not been for an individual who was able to switch it off by, you know, good luck, good skill and good fortune. I just like to go about my work, I’m kind of a lone wolf when it comes to research. So the fame really just added to stuff I didn’t need. I just felt like I would have preferred that the whole WannaCry fame never happened. Now that you are an internationally celebrated security researcher, what’s your reception been like? It’s been very positive, I’m not really used to the sort of like, the spotlight, I’ve always been anonymous, so it’s very different, but everyone has been very accommodating, very nice, I’ve enjoyed it a little bit. After WannaCry blew over I went on vacation in Vegas for a hacker conference. DEF CON is basically one big week-long hacker party with some talks in between. We had to spend a lot of time just out and around Vegas partying, we rented some sports cars, we went to some shooting ranges. Also, a few of my friends had figured out that if we pulled all our money together, we could get an entire mansion with 30 bedrooms and the biggest pool in Vegas. Towards the end of my week in Vegas, as I was waiting for my flight home, someone in CBP uniform approached me and asked me my name. They led me to an interrogation room built into the airport. And it turned out that the guy was actually an FBI agent. At this point like, I’m completely exhausted, I have no idea what’s going on anymore. I’ve been drinking for days solid. Most of the interrogation, it seemed like they were looking to leverage me to get to someone else, something which I was not able or wanted to do. They asked me a huge bunch of questions, but it wasn’t until about an hour into the interrogation that they actually told me what it was about, and showed me an arrest warrant. People weren’t immediately quite sure why he had been arrested. 
Initially we thought that he got arrested because he registered the WannaCry domain. It had caught me so off guard, I still didn’t really know what was happening or why. I was just sat there in this haze. It transpired that it was because of his work, very much prior to WannaCry. They didn’t have the cell for me so they handcuffed me to a chair. So, I spent most of that night trying to doze off and then getting woken up by the alarm that goes off every 20 minutes. This call is subject to recording and monitoring. Hey, Marcus, can you hear me? Hey, I’m in jail. Okay, so they detained you? Yeah, I used to write malware and they picked me up on some old shit. Have you talked to them at all? Have you got a lawyer yet? No, I don’t have a lawyer. They have some chat logs of me with some other guy. I don’t know how they got them. Look, I’m going to work on it, you’ll have a lawyer tomorrow, and you’ll speak with the lawyer. Alright see you man. I’ll talk to you soon. Bye. There was a moment of fuck, I’m really actually in jail. But after that, I came to the conclusion that this is how my life is now, I’m in jail, I might as well get used to it. It didn’t take long for an indictment to drop and he was accused of creating the Kronos malware. That was very much a holy shit moment. So, the charges turned out to relate to something that I believe started around kind of the age of 17 till maybe like 19 or 20, in relation to writing a piece of malware called Kronos.
Kronos malware is banking malware. It essentially infects your computer and hooks into your web browser and tries to figure out your usernames and passwords for your banking login. I don’t think he’s ever been behind the keyboard trying to steal credentials or tried to extract money out of bank accounts himself. He was that person enabling somebody else through tools. So, it’s a very kind of scientific kind of hobby interest kind of exploration. I never had actually intended to write banking malware, I had written malicious code in the past which I had not actually sold or given away. But there came a point when I made the mistake of selling the code to someone. This code was then incorporated with banking malware code that someone else had written to make a banking Trojan. And kind of it was at that moment where I realized, like, there is no going back.
This is going to catch up with me at some point. So, the hearing today was to determine whether or not Marcus would be detained as a result of the charges and the indictment. And the judge agreed with me in saying that he is going to be released pending certain conditions that he has attached to the bond, and that he has to post a $30,000 cash bond. I started to look about how I would actually go about paying the bail. But before I could get to that, I found out that someone from the community had actually paid it for me. I thought that like, this was it. I was going to be stuck in some prison for the foreseeable future. And I had no idea all of these great people had to come together to support me. I had mixed feelings about the case. Most of the issue I had personally, is why now? Like why bring up this stuff from years in the past? I think the FBI was trying to make an example of Marcus. But I think they bit off more than they could chew. I was born in the UK and I spent all of my life living there. And other than a couple of conferences, I had never really even been abroad. Lived in England, got arrested while on vacation in Vegas, was later moved to Milwaukee, then to LA. At this point, I don’t actually feel like anywhere is home. That 18-month period where Marcus was in this immigration black hole, he wasn’t able to leave the United States, he wasn’t able to work. Being stuck in the US, not legally allowed to work for money has made me realize I’m one of those weird people who just enjoys working regardless. Don’t want to be rich, just want an apartment, food, clothes and some travel. I was based in the Venice area and I’d begun to love this area of LA. I wasn’t living with my parents; I had my own place now. I feel like it’s more of a new life, it didn’t feel like at all like my old one. The security community very much rallied around Marcus. 
A lot of people weren’t sure whether he had done the crimes that the government was alleging and some people were adamant that he was innocent. And at that point, he pleaded not guilty. Me and my team of three lawyers we were going to fight a lot of the charges because most of them I did not agree with. So, I wanted to actually go to trial and fight all of the charges. Marcus Hutchins is a brilliant young man and a hero. He is going to vigorously defend himself against these charges. And when the evidence comes to light, we’re confident that he will be fully vindicated. There’s been voices in the community, for him, and let’s say and against him, but I think if we’re honest then our whole community is made up of people, on the good side of things, and on the gray side of things, and sometimes also on the bad side of things. I started out very young learning about the security and hacking aspect of technology. And back then there wasn’t a lot of the kind of good side around. As with any skill, being able to practice for thousands of hours on a certain thing can make you the best at what you do. And so if you’re a security researcher, you’re going to have to practice and practice and practice before you’re good enough to play in the big league. I learned how to understand malware by making my own versions, which at the time I wasn’t actually using or releasing. And there came a point where I got involved with a crowd of malware developers and other kinds of criminal hackers. And that kind of led me down a path that ended up with me selling malicious code at one point. It was when my code was added to the Kronos banking malware, I realised this is not what I want to be doing. After I was arrested, I got quite a lot of people privately reaching out to me to tell me like, “Yeah, I did the same kind of things you did in your past, but it never caught up to me”. 
So, I got the impression that there was a good percentage of people in the industry who had had like a less than white past. Monday is the two year anniversary of WannaCry. A journalist asked me about what I’ve done since WannaCry and I realized literally nothing of value. I had had a lot of anxiety from the stress, I had been not really sleeping at all for the years I’d been in the US. At this point, I was already considering giving up. My first lawyer gave me an estimate of about $1 to $1.5 million for the entire case. I knew I could not fund that kind of legal defense. And I just figured, then I’m going to just have to fault. Two months before trial, I decided to take a plea deal. It was really just too much uncertainty for me and I decided that it just was not worth the risk. Did not expect that, did not expect that. I genuinely thought he was not guilty. Legitimately terrified, but also looking forward to all this being over at some point. He’s going to be sentenced today for creating and selling the Kronos banking malware. Seeing him sent away to prison, when he’s got so much to offer, is going to be quite a sad day. Heading into court now, no matter what happens, I love y’all. I appreciate the fact that one might view the ignoble conduct that underlies this case, as against the backdrop of what some have described as the work of a hero. It was a very tense situation in that courtroom, I think there wasn’t a single person in there who thought for a second that he was going to be able to walk out of there. You could be 140 IQ and have all the requisite talent to do great things, but commensurate with all of the ability to do those great things, is the ability to acquire the most important of traits. And that is the exercise of good judgment. I was shaking, I think I sweat through my T-shirt and through my blazer. Yeah, I did not know how to feel, it just felt like kind of everything was coming to an end, but not in, not in a good way. 
There have been millions of individuals whose credit ratings have been affected as a result of hacking of systems. And it’s going to take individuals like yourself to come up with solutions. The judge understood every nuance of this case. The judge took a very kind of broad view of the entire circumstances, rather than just the case at hand. He weighed up my past work helping security. Marcus Hutchins turned the corner with regard to any further conduct that would be remotely connected to what led to the charges in this case ever occurring again. We are thrilled that the judge today recognized Marcus’ very important contributions to keeping the world safe and let him go home a free man today. So, Marcus was sentenced to time served. He’s been released, he’s a free man. What’s your reaction, how do you feel? Just thank you to everyone who supported me and the judge for his leniency. You’re here with your parents? I am. Maybe if Marcus hadn’t found the WannaCry kill switch, he never would have come to the attention of the FBI, he never would have been arrested, he never would have faced this long legal ordeal about his past, essentially cybercriminal acts. But on the other hand, saving the world from WannaCry is what allowed him to walk away free in the end, thanks to one judge who understood these series of events and the kind of ultimate equation that put him on top in terms of the good he’d done versus the harm. He not only saved the world from WannaCry, but he saved himself, in a way. I think today I share absolutely nothing in common with the me back then. It feels almost like a completely different person. It’s only that once you grow older, you realize what actually is right and wrong.