In May 2017, a young man from the U.K. became known as an “accidental hero” for saving the world from the further spread of WannaCry ransomware. But months later, this same hero, Marcus Hutchins, known online as @MalwareTech, was arrested in the U.S. as he tried to fly home after attending the Black Hat and Def Con conferences. Hutchins was charged with two counts relating to banking malware that he allegedly coded and conspired to sell with another person. Both charges related to activities he allegedly engaged in between 2012 and 2015.
Hutchins’ arrest angered a lot of people in the infosec community who value Hutchins as a researcher who shares his expertise and is willing to help. But instead of the charges eventually being dismissed, the grand jury filed a superseding indictment, charging Hutchins with additional counts related to the coding and distribution of a second strain of malware known as UPAS Kit.
Last week, Hutchins pleaded guilty to two of what were now ten counts. The plea agreement can be found here (thanks to Catalin Cimpanu and ZDNet for uploading it). The charges to which he pled guilty – one three-part conspiracy charge involving 18 USC 1030 and one wiretapping charge involving 18 USC 2511 – each carry potential sentences of 5 years in prison, a $250,000 fine, and one year of supervised release. The plea agreement also specifies that the court may impose restitution.
Hutchins issued a brief statement after the plea:
As you may be aware, I’ve pleaded guilty to two charges related to writing malware in the years prior to my career in security. I regret these actions and accept full responsibility for my mistakes. Having grown up, I’ve since been using the same skills that I misused several years ago for constructive purposes. I will continue to devote my time to keeping people safe from malware attacks.
Hutchins’ lawyers did not issue any immediate statements, and I was left confused by the plea deal. I wasn’t sure I even really understood the charges. Hutchins had not been charged with infecting anyone’s computer with malware. What actual crime was he pleading guilty to? Was he really engaged in any conspiracy to harm computers? Did he have any intent to harm computers, or was his only intent to make money from selling his code?
Looking at the docket and the superseding indictment, it appeared that the defense had mounted a vigorous defense but pretty much every defense motion had been denied. Was the court out to make an example of Hutchins? Was the prosecutor looking for big headlines by trying to throw the kitchen sink at him? I had no clue, but I was still at a loss as to what crime Hutchins had actually committed.
Yesterday, attorney Tor Ekeland generously spent some of his time helping me understand some aspects of the case. First and foremost, Tor was clear that he was not criticizing or second-guessing Hutchins’ lawyers at all, as there is often a lot of background information that does not get recorded in a plea deal. For example, and as he pointed out to me, the plea deal makes no statement as to any specific financial losses suffered by victims. I expected that a felony case involving the federal hacking statute would have to demonstrate more than $5,000 in losses or that 10 or more computers had been damaged, resulting in losses, but the plea deal was silent on losses. Why? Were there no losses, or couldn’t the parties agree on the losses to incorporate them in any deal? Or was there some other reason there was no mention of losses as part of the evidence that the prosecution would have been able to prove beyond reasonable doubt?
And how did a federal wiretapping statute get applied to this case?
Let’s start with a simple allegation that Hutchins coded something that could be used to do something bad and that he collaborated with someone to sell that code to others.
So what if he did? Where is the crime?
As law professor Orin Kerr wrote shortly after Hutchins’ arrest:
This raises an interesting legal question: Is it a crime to create and sell malware?
We still don’t have an answer.
I suspect that a lot of us may have assumed that writing malware and selling it would be crimes, but after talking with Tor for a while, I realized that the government’s case was actually pretty weak in important respects. There was no evidence that Hutchins himself intended to harm computers. There was no evidence that he was trying to steal personal information or misuse it. There was some conspiracy, perhaps related to selling the code, but if code in and of itself isn’t illegal then can a conspiracy to sell something that’s not illegal be a crime in and of itself?
My head was spinning, but by the end of the conversation, I had come to the conclusion that Hutchins’ guilty plea, while likely a good deal for him, may encourage other prosecutions down the road that stretch federal statutes waaaay beyond the legislature’s intent. Even though there was no opinion that would be precedential, other prosecutors may decide that charging coders with conspiracy is a useful and winnable strategy or that misapplying wiretap laws to code that captures banking details is an appropriate application of wiretap law.
I asked Tor to try to pull this all together for us, based on his experience as a defense attorney in CFAA cases. Tor responded:
The Hutchins plea may be good for the defendant but not necessarily good for computer law. It leaves unsettled the theory underlying the prosecution – whether writing certain types of code is illegal. Because Hutchins is taking a plea, this theory will never be tested by the adversarial process at trial, or on appeal.
And it’s an important question, because of the government’s novel application of the federal wiretap laws to writing computer code. The government’s vision may implicate a lot of legitimate code. But because the issues won’t be litigated, this increases the risk of criminal prosecution for certain types of coders.
Anyone writing information security software should be concerned. It’s unclear how the malware at issue here, Kronos, is legally different than other legal software that has similar functionality and recognized legal uses. Numerous Fortune 500 companies use pen-testing and key logging and the like. So does the public in general and infosec professionals in particular. This disposition of the case muddies the waters, and will encourage similar prosecutions.
And that is a scary thought.