Last May 23-year-old Marcus Hutchins shut down the spread of the WannaCry cyberattack, which in just a few hours had caused about US $1 billion in losses across 150 countries. It had infected the computer systems of more than a dozen hospitals in England as well as a telecom company in Spain and police departments in India. But the damage could have been worse—tens of billions of dollars—if Hutchins didn’t intervene, according to an article in New York magazine.
Hutchins, a British cybersecurity researcher who worked for Kryptos Logic of Los Angeles from his home in London, became an instant celebrity. Hutchins had no social media presence and used pseudonyms on online forums, but his feat drew media attention. Parties were held to celebrate his accomplishment. All of the attention, however, brought to light that he had a murky past.
Three years earlier, he coded a piece of malware, Kronos, that could be used to steal customers’ online banking information, and he attempted to sell it to hackers, according to charges brought by U.S. authorities. The FBI arrested him while he was at the Las Vegas airport, after attending the hacker conference DefCon.
If proven guilty, he could serve up to 40 years in prison.
Hutchins, who is considered a hero by many for shutting down the cyberattack, learned to code when he was 12. His school’s administrators blamed him for an attack that took down its servers.
Like Hutchins, many of the world’s best cybersecurity experts got good at what they do by first playing with fire.
The New York article points to Kevin Mitnick, who was in prison from 1995 to 2000 for committing cybercrimes. He now runs a security company that consults for the FBI. Amit Serper helped stop a major Russian cyberattack last year that had frozen computer systems of major U.S. companies including pharmaceutical giant Merck. He is now principal security researcher at Cybereason. He has admitted that some of the activities he did online when he was a teenager “could be counted as illegal.”
Kryptos Logic CEO Salim Neino hired Hutchins without an interview for his “raw talent.” He told New York the best cybersecurity researchers hang out in underground forums on the Dark Web, befriend cybercriminals, and expose themselves to real cyberthreats.
Hutchins claims there are possibly five other people in the world who have his level of expertise. Nevertheless, he worries the damage has been done and he is unemployable regardless of the outcome of the trial. A date has yet to be set.
His prosecution threatens to “fray the already fragile connection between hackers and the government at a moment when the Internet could use all the help it can get,” the article’s author, Reeves Wiedeman, wrote.
“The world,” Wiedeman concludes, “has never been more dependent on people like Hutchins.”
Should cybersecurity specialists like Hutchins, who now use their skills for good, be forgiven for a dark past?