The ‘Accidental Hero’ Who Saved the Internet from WannaCry

Marcus Hutchins (R) the British cyber security expert accused of creating and selling malware that steals banking passwords arrives with his lawyers Marcia Homann (L) and Brian Klein (R) at US Federal Courthouse on August 14, 2017 in Milwaukee, Wisconsin. / AFP PHOTO / Joshua Lott via Getty Images)

Marcus Hutchins was only 22 years old when he discovered the Achilles heel of WannaCry, a piece of ransomware that caused $8 billion in damage in 2017 by taking down Windows computers around the world — including in banks and hospitals — and encrypting their contents for a $300 ransom. As Andy Greenberg reports in this epic piece for Wired, Hutchins learned to reverse engineer botnets in part by creating and selling his own malware as a youth in England. Hutchins’ darkhat hacking was not without its innocent victims, and the FBI eventually caught up to him. But did he deserve leniency in sentencing, considering the good work he’d done stopping WannaCry in its tracks, saving lives in the process? You be the judge.

Cybersecurity researchers named the worm WannaCry, after the .wncry extension it added to file names after encrypting them. As it paralyzed machines and demanded its bitcoin ransom, WannaCry was jumping from one machine to the next using a powerful piece of code called EternalBlue, which had been stolen from the National Security Agency by a group of hackers known as the Shadow Brokers and leaked onto the open internet a month earlier. It instantly allowed a hacker to penetrate and run hostile code on any unpatched Windows computer—a set of potential targets that likely numbered in the millions. And now that the NSA’s highly sophisticated spy tool had been weaponized, it seemed bound to create a global ransomware pandemic within hours.

Hutchins hadn’t found the malware’s command-and-control address. He’d found its kill switch.

Hutchins says he still hasn’t been able to shake the lingering feelings of guilt and impending punishment that have hung over his life for years. It still pains him to think of his debt to all the unwitting people who helped him, who donated to his legal fund and defended him, when all he wanted to do was confess.

I point out that perhaps this, now, is that confession. That he’s cataloged his deeds and misdeeds over more than 12 hours of interviews; when the results are published—and people reach the end of this article—that account will finally be out in the open. Hutchins’ fans and critics alike will see his life laid bare and, like Stadtmueller in his courtroom, they will come to a verdict. Maybe they too will judge him worthy of redemption. And maybe it will give him some closure.

Read the story