Marcus Hutchins, the security researcher best known for helping to stop the widespread WannaCry ransomware attack, has pleaded guilty to charges related to malware unconnected to the 2017 attack.
“As you may be aware, I’ve pleaded guilty to two charges related to writing malware in the years prior to my career in security,” Hutchins said in a statement on his website. “I regret these actions and accept full responsibility for my mistakes. Having grown up, I’ve since been using the same skills that I misused several years ago for constructive purposes.”
According to a plea agreement filed with the Eastern District of Wisconsin, the British researcher agreed to plead guilty to two of 10 counts, while the other eight were dropped. Each count carries up to five years in prison and up to $250,000 in fines, though the plea agreement states that an “acceptance of responsibility” could contribute to a lighter sentence.
Hutchins was charged with developing and, in partnership with another individual identified in court documents as “Vinny,” disseminating UPAS-Kit and Kronos malware, the latter of which has for years been used to steal banking information. This activity occurred between July 2012 and September 2015, per court records, years prior to when Hutchins was credited with discovering WannaCry’s kill switch.
The researcher was arrested by the FBI in 2017, just months after helping to stop the destructive malware attack, on charges of creating Kronos. Last year, after being hit with a superseding indictment introducing new charges related to UPAS-Kit, Hutchins—now a prominent and respected security researcher—called the charges “bullshit.”
According to ZDNet, Hutchins has been out on bail and based in Los Angeles ahead of a trial that was scheduled for later this year. Hutchins said in his statement this week that he’ll “continue to devote [his] time to keeping people safe from malware attacks.”