
Malware researcher Marcus Hutchins, known as ’MalwareTech’, pleads guilty - whyleyc
https://techcrunch.com/2019/04/19/malwaretech-legal-case-over/
======
chx
This doesn't make the fundamental problem here go away: they arrested someone
who was not in the United States when he allegedly violated a law of the USA. The
USA does not have jurisdiction over the entire world. If they thought they had
a case, the right way to do this is to issue an arrest warrant and ask the UK
to arrest and extradite him. If this was a thing, international travel would
halt because you would need to countercheck everything you've ever done online
with the laws of the country you are flying to.

Consider this fictional tale: you fly to Budapest for a fun trip. You are
jailed for posting the Soviet hammer and sickle on your Facebook two years ago
-- it's a crime under Hungarian law to use that symbol. Do you think this is
right?

Here's the law:

Any person who: a) distributes, b) uses before the public at large, or c)
publicly exhibits, the swastika, the insignia of the SS, the arrow cross, the
sickle and hammer, the five-pointed red star or any symbol depicting the above
so as to breach public peace - especially in a way to offend the dignity of
victims of totalitarian regimes and their right to sanctity - is guilty of a
misdemeanor punishable by custodial arrest, insofar as the did not result in a
more serious criminal offense.

~~~
jlarocco
I'm okay with how the US handled this. The crime he pleaded guilty to caused
innocent people real financial harm, and it's not like the US sent FBI agents
over to the UK to pick him up. He flew here on his own, knowing (presumably)
that he had committed a crime that could get him arrested here.

Kinda stupid to commit crimes against people in a country and then travel to
that country before the statute of limitations has expired.

I might have a different opinion for victimless crimes, but it's irrelevant to
this discussion.

~~~
ryanlopl
FWIW his crimes didn't target any country specifically, so he could've faced
trouble anywhere in the world.

There's not necessarily anything wrong with prosecuting him in the US, but
presumably the US authorities could've just as well spared themselves the work
and referred this to the UK authorities in whose jurisdiction the crimes were
committed.

~~~
chx
And that is fine, again, the so-called Dread Pirate Roberts 2 was arrested and
convicted in the UK mostly based on info the US handed to the UK. The problem
is the US arresting someone who was. not. in. the. USA. when committing the
crime (if he did).

~~~
Barrin92
>The problem is the US arresting someone who was. not. in. the. USA. when
committing the crime (if he did).

How is this a problem? If you cause material damages to Americans and you then
go to the US the country is going to come after you.

Why would the US not protect its citizens to the best of its ability and
prosecute people who harmed them, even if they harmed them from a place that
wasn't the US. We're talking about global financial crimes, they don't know
any borders to begin with.

If you kill someone outside of the US, and then you travel to the US, I'd be
concerned if you wouldn't get arrested.

~~~
ryanlopl
As far as I'm aware it is not alleged that Marcus Hutchins caused material
damages to Americans, it is alleged that he sold his malware to Americans.

I could be wrong, but I don't think the federal government has ever claimed
that any Americans were infected with Kronos.

~~~
celticninja
Not even that, he sold his malware, not to Americans specifically, or targeted
at Americans at all, but he sold malware that someone subsequently used
against US citizens.

It's a stretch.

------
mmaunder
Plea bargained. That's how it's done in the USA folks. At least in over 90% of
cases. The concept of having a fair trial and your day in court is a thing of
the past. Amazing it took so long.

~~~
wrinkl3
I've been following Marcus on Twitter for the last couple of years, and he's
been sounding increasingly desperate lately. Regardless of whether he actually
authored Kronos, I could easily see him taking the plea bargain as a way out.

I strongly feel that a malware researcher who stopped WannaCry and spends his
free time making reverse engineering tutorials shouldn't go to prison because
of a trojan he wrote as a teenager (assuming he really did write it).

~~~
meowface
He not only wrote the malware but personally sold it for $7000 per copy to
botnet operators and other kinds of cybercriminals to facilitate bank account
theft and fraud. He's changed now and is trying to be a force for good, but he
definitely made mistakes in his past.

------
jlgaddis
A few friends and myself chipped in some money for his legal defense, taking
him at his word when he said he was innocent.

Lesson learned, I suppose.

~~~
mchannon
I wouldn't hold it against him that he pled guilty. The government has
unlimited resources, and he didn't. Innocent people plead guilty every day.

~~~
Waterluvian
The government absolutely does not have anything near unlimited resources.
I've been listening to the Ken White podcast All the President's Lawyers and
something he repeatedly says is just how shockingly few criminals, especially
white collar criminals, actually get prosecuted because there's simply no
budget to go after them.

~~~
mchannon
With respect to Ken White, that’s a load of crap. Between AUSA’s, FBI, CJA’s,
FD’s, and judge’s office, at least $0.3M in my case and counting.

~~~
Waterluvian
That's kind of the point. When they go after someone they're going to spend
the money. No point spreading resources so thinly that they can't prosecute
anyone properly.

~~~
mchannon
That’s the opposite of your first point. When they have no trouble spending
the money, they have no trouble spending the money.

~~~
tptacek
He said exactly that: it's shocking how few criminals _get prosecuted_. Like,
at all.

------
dsr12
Statement from Marcus: [https://www.malwaretech.com/public-statement](https://www.malwaretech.com/public-statement)

------
jaclaz
There is something I don't understand.

From the contents of the "attachment A" it seems like the FBI (or whatever
other US agency) "sat" on the code they indirectly purchased for 2-3 years
(the UPAS) and for several months (the KRONOS), observing the behaviour of
Hutchins and "Vinny" and collecting evidence against them.

Shouldn't they have _somehow_ acted to prevent the spreading of the malwares?

------
ccnafr
Duplicate:
[https://news.ycombinator.com/item?id=19702872](https://news.ycombinator.com/item?id=19702872)

------
lachlan-sneff
This is too bad, Malwaretech does really good work; his blog is excellent.
We've all done stupid things when we were young, myself included.

~~~
420codebro
Yeah I fucked around with random internet-accessible systems (late 90s, early
2000s). However, I never wrote malware to steal credentials or the like. That
strikes me as fairly targeted.

------
rubyfan
What law did he break? Was he actually breaking into computers which is
against the law? Or is there some other law that makes the tech illegal?

------
s3arch
>He also agreed to plead guilty to a second count of conspiracy.

Can someone elaborate what that conspiracy is?

------
AndrewKemendo
I wouldn't automatically take this at face value.

Hutchins took a plea deal. It's well known that there is rampant abuse of the
plea deal in the US justice system [1].

That's not to say he's totally innocent of everything but that him pleading
guilty to this single count may not be as straightforward as the article
would make it seem.

[1] [https://www.theatlantic.com/magazine/archive/2017/09/innocen...](https://www.theatlantic.com/magazine/archive/2017/09/innocence-is-irrelevant/534171/)

~~~
loeg
We don't know his actual sentence yet, do we? The article says "up to 10
years" but the actual duration will be suggested by the prosecution based on
the plea, no?

~~~
tptacek
His defense and the prosecutors have stipulated to two counts, each of which
has a _maximum_ sentence of 5 years. The norm is for like crimes to be
sentenced concurrently, so "up to 10 years" does not seem accurate.

The plea agreement itself stipulates to the sentencing level. Assuming all
charges group, the maximum proposed sentencing level is 13, with the caveat
that the agreement allows prosecutors to argue for an adjustment of as many as
8 sentencing levels. With no previous criminal history, a level 13 offense is
12-18 months.

 _Late edit_

I missed that he also loses 3 levels for accepting responsibility. At level
10, his guideline range would be 6-12 months.

For more detail on how this works, Google [popehat whale sushi].

~~~
loeg
Right; the probable sentence is much lower, but how much lower is to a large
extent up to prosecutorial discretion (8 levels), no? Levels 2-8 (taking 2-8
levels off 10), with no priors, would be guideline 0-6 months, if I'm reading
this table correctly.

(I also read Popehat.)

