The young computer expert who stopped the WannaCry global cyber attack could face decades in a US prison following accusations that he helped create and sell malicious software that targeted bank accounts.
Marcus Hutchins, who saved the NHS from cyber criminals, could face a maximum sentence of 40 years in prison in the US if he is found guilty of the charges.
Hutchins, who was at a hacking conference in Las Vegas when he was arrested by the FBI, faces six counts of helping to create, spread and maintain the banking Trojan Kronos between 2014 and 2015.
According to the US Department of Justice indictment, the alleged offences took place between July 2014 and July 2015.
Hutchins was jointly charged with another individual who was not named.
The indictment alleged that Hutchins “created the Kronos malware” and the other person later sold it for $2,000 (£1,500) online.
“The maximum statutory sentence he could face is decades, roughly 40 years,” said Tor Ekeland, a US lawyer who specialises in defending alleged cyber criminals. “Would he get that? I doubt it, it would be a bizarre outcome. Is it possible? It sure is.”
Hutchins is due to appear in court later on Friday, when he could plead guilty or not guilty. If he pleads guilty he could be sentenced to a short prison sentence or supervised release. If he pleads not guilty, he will be moved to Wisconsin, where the charges have been brought, to face trial, which could start any time between three months and three years, Ekeland said.
“The main thing to do now is enter a not guilty plea as soon as you can, get him out on bail, and then you’ve got some breathing room,” said Ekeland.
But he added it is “highly likely” Hutchins will be refused bail, because he is a foreign national in the US and could be deemed a flight risk.
Ekeland described the allegations against Hutchins as “very thin”. “There’s not a single allegation that he made any money or anybody came to any harm from it,” he said. “The indictment is very thin. It’s legally bizarre and there’s little detail.”
Hutchins was arrested at an airport in Las Vegas on Wednesday shortly before he was due to fly back to the UK.
Priority boarding so you can add to the time you’re sat on a plane that is nowhere near ready to fly
— MalwareTech (@MalwareTechBlog) 2 August 2017
The Kronos malware was spread through emails with malicious attachments and allowed users to steal money using credentials such as internet banking passwords. It was allegedly…