After Two Years, MalwareTech Is a Free Man
If you’ve been following my Twitter account, you already know the Happy Ending: Marcus Hutchins just walked out of Milwaukee’s Federal Courthouse a free man. While he might have faced up to fourteen months in prison, Judge JP Stadtmueller sentenced Hutchins to time served and a year of probation.
The legal battle, by Brian Klein and Marcia Hofmann, was won in sealed sentencing motions and a short exchange at the beginning of the hearing, significantly an exchange persuading the judge there should be no sentencing enhancement for the damage done. In spite of the fact that the government’s sentencing memo confirmed what had been clear all along: virtually all the identified victims were overseas, especially in Hutchins’ home in the UK, which made it pretty crazy the US was prosecuting him and Britain was not. Nevertheless, the government tried to substantiate a claim of $47 to $60,000 by scraping one of the dark web sites where malware based on the code he wrote had been sold. “The loss exists but it’s very difficult to pin down,” prosecutor Ben Proctor admitted.
Hofmann insisted it’s the government’s burden to substantiate loss, and what they had done in an attempt to do so was too speculative.
Stadtmueller agreed. But his views on loss focused more on comparing the government’s uncertain numbers with the known damage of WannaCry, which Hutchins had managed to tame by creating a sinkhole for it. “When it comes to matter of loss or gain,” Judge Stadtmeuller said, “the most striking is comparison between you passing Kronos and WannaCry, if one looks at loss & numbers of infections, over 8B throughout world w/WannaCry, and >120M in UK.”
And that decision made Hutchins eligible for probation. In any case, Stadtmeuller noted in a comparison from the single other CFAA charged he presided over in his 30+ year career as a judge, sentencing guidelines are no longer mandatory.
When Stadtmueller noted that had this case been tried closer to the time when Hutchins stopped WannaCry, he’d have gotten cooperation credit for that act, and when he noted that this case shouldn’t have proceeded for 17 months, it became clear (as had the single order he had submitted in the case before today) he was really struggling to understand why the hell the government had decided to prosecute the guy who had shut down WannaCry.
Stadtmueller, a 77-year old senior judge, several times described how insecure everything digital is, how the protocols for security cyberspace are woefully inadequate. Stadtmueller repeatedly noted that everyone agreed that Hutchins had given up criminal hacking well before these charges. That helped Stadtmueller to ignore the government’s claims about needing a deterrent. The judge described the community of people who love and support Hutchins — not just his family but also the cybersecurity community (some of whom submitted letters in support describing what a great person he is and the import of his actions on WannaCry). He noted how many of those people also, like Hutchins, worked to secure the Internet.
Hutchins gave a statement that went roughly like this:
Your honor when I was a teenager I made series of bad decisions. I deeply regret the conduct and the harm which resulted. I eventually discontinued but wish I could go back. I now work in cybersecurity stopping same kinds of malware. [Comment about creating training videos] I do this in hopes i can steer people away from my mistakes. Future reinforces that I have no plan to go back, I’d like to dedicate more time to teaching next generation of security experts. I’d like to apologize to victims, those who learned of my past, my family.
After a half-hearted attempt from Proctor to emphasize the theft enabled by Hutchins’ malware, Stadtmueller then started a long speech, one that started by noting that of the 2,200 defendants whose sentencing he had overseen in 32 years, Hutchins’ was unique because, “one might view ignoble conduct against backdrop as work a hero, a true hero. That is, at the end of the day, what gives this case it’s uniqueness.” He emphasized we need people like Hutchins to help secure the Internet. “It’s going to take individuals like yourself who have skillset to come up with solutions, bc that is the only way we’re going to eliminate this subject of woefully inadequate security protocols for entire panoply of infotech systems.”
The judge them emphasized that, on top of everything else, Hutchins had been away from home for two years.
That’s when what every lawyer watching in the courtroom I spoke with called unprecedented. The Judge suggested Hutchins should get a pardon, which would enable him to come back to the US to work. “While court has no pardon power, matter reserved to the executive. Truly left for another day.”
He then imposed Hutchins’ sentence. “We reach a point in balancing these considerations, court left to make final call. Final call is a sentence of time served with one year of supervised release.” He went on to make it clear that, once Hutchins finishes packing up his life in LA, he wanted to be sure that Immigration doesn’t get custody. “Nothing in this judgement requires he stay in the United States. I’m seeking to avoid him being taken into custody by Immigration and Customs. We don’t need any more publicity or another statistic.”
“Thank you your honor,” said as the rest of the bureaucratic details of probation were discussed.
This case should never have been prosecuted in the first place. And when Hutchins tried to challenge the details of the case — most notably the one largely ceded today, that the government really doesn’t have evidence that 10 computers were damaged by anything Hutchins did — the government doubled down and issued a superseding indictment that, because of the false statements charge, posed a real risk of conviction.
Thankfully, one judge saw exercised justice the way it’s supposed to work, even if it took two years to get here.
Update: I made a very significant error in this when I was writing it on a bus, saying that sentencing guidelines were mandatory rather than not mandatory. I’ve fixed that.