Darknet Diaries - 158: MalwareTech
Episode Date: May 6, 2025
MalwareTech was an anonymous security researcher, until he accidentally stopped WannaCry, one of the largest ransomware attacks in history. That single act of heroism shattered his anonymity ...and pulled him into a world he never expected.
https://malwaretech.com
Sponsors
Support for the show comes from Black Hills Information Security. Black Hills has a variety of penetration assessment and security auditing services they provide customers to help improve the security of a company. If you need a penetration test check out www.blackhillsinfosec.com/darknet.
Support for this show comes from Arctic Wolf. Arctic Wolf is the industry leader in security operations solutions, delivering 24x7 monitoring, assessment, and response through our patented Concierge Security model. They work with your existing tools and become an extension of your existing IT team. Visit arcticwolf.com/darknet to learn more.
Support for this show comes from Cloaked, a digital privacy tool. Cloaked offers private email, phone numbers, and virtual credit card numbers, so you can be anonymous online. They also will remove your personal information from the internet, like home address, SSN, and phone numbers. Listeners get 20% off a Cloaked subscription when they visit https://cloaked.com/darknet. Call 1-855-752-5625 for a free scan to check if your personal information is exposed!
Transcript
Oh my gosh, oh my gosh, oh my gosh, I'm squealing over here.
After years and years of trying to get today's guest on the show, he finally said yes.
I'm so excited for this one.
I've been sliding into his DMs for years.
Hey, can I interview you?
And I swear he always has the same answer every time.
He's like, who are you?
And I say something like, oh, I'm a podcaster and I really want to hear your story.
And he's like, no, thank you. And fair answer.
I wouldn't want to talk to me either if I was in his position.
And then I saw him at a party at DEFCON and when I first approached him in person
He was hiding behind a sign trying not to be seen.
So I stand out in a crowd.
So I've learned that like signs are my best friend.
We can hide behind the lamp post, we can hide behind the tree, we can hide behind the sign.
But if I stand in the middle of the room, it's going to draw a lot more attention than
I necessarily maybe want.
Although I've got to the point now where I think I can just handle it.
But I do remember our first interactions.
I think part of the awkwardness was I'm very bad at recognizing faces and you were wearing
a mask the first time you saw me.
It's true.
I had a disguise on and yeah, I asked to interview him and he had no idea who I was.
He's just like, who are you?
In my defense, there is no photos of you online and I have checked.
There is no way I could have known.
It's true.
I tried real hard not to have any photos of me on the internet.
I'm a very private person.
But I swear every time I asked him for an interview, he just kept asking me the same
thing.
Who are you?
No, thank you.
So I remember we had like quite a long conversation and then you went away and you came back without the mask and then you came back and you sort of went to re-engage the conversation and
I had no idea who you were.
I was like, who is this random guy?
Okay, fair point.
I wear a lot of disguises.
So you're right.
Some of this is on me, but I'm happy to announce that today, finally, I am interviewing MalwareTech.
I'm MalwareTech and I'm an anonymous security researcher.
These are true stories from the dark side of the internet.
I'm Jack Rhysider.
This is Darknet Diaries.
This episode is sponsored by ThreatLocker. Ransomware, supply chain attacks, and zero-day
exploits can strike without warning, leaving your business' sensitive data and digital
assets vulnerable. But imagine a world where your cybersecurity strategy could prevent
these threats. That's the power of ThreatLocker's Zero Trust Endpoint Protection Platform.
Robust cybersecurity is a non-negotiable to safeguard organizations from cyber attacks.
ThreatLocker implements a proactive, deny-by-default approach to cybersecurity, blocking every
action, process, and user unless specifically authorized by your team.
This least-privileged strategy mitigates the exploitation of trusted applications and ensures
24-7-365 protection of your organization.
The core of ThreatLocker is its Protect Suite,
including application allow listing,
ring fencing, and network control.
Additional tools like the ThreatLocker
detect EDR, storage control, elevation control,
and configuration manager,
enhance your cybersecurity posture,
and streamline internal IT and security operations.
To learn more about how ThreatLocker
can help mitigate unknown threats in your digital environments and align your organization
with respected compliance frameworks, visit threatlocker.com. That's
threatlocker.com.
This episode is sponsored by Drata. Let's face it, if you're leading GRC at
your organization, chances are you're drowning
in a sea of spreadsheets every day, balancing security, risk, and compliance in an ever-changing
landscape of threats and regulatory frameworks that can feel like running a never-ending
marathon.
Enter Drata, the modern GRC solution designed for leaders like you.
Drata automates the tedious tasks, security questionnaire responses,
continuous evidence collection, and much more, saving you hundreds of hours.
But it's more than just a time saver.
It's a scalable platform that adapts to your organization's needs.
Whether you're a startup or a global enterprise, Drata gives you one
centralized platform to manage your risk and compliance program.
Drata empowers you with a holistic view of your GRC program and real-time reporting capabilities.
With Drata, you also get access to their powerful Trust Center, a live customizable
tool that supports you in expediting your never-ending security review questions in
the deal process.
It's perfect for sharing your security posture with stakeholders or potential customers.
Ready to modernize your GRC program and take back your time? Visit drata.com/darknetdiaries.
That's Drata, spelled D-R-A-T-A, drata.com/darknetdiaries.
We're going to start this story in early 2017.
As he said, his name is MalwareTech and he's an anonymous security researcher.
He would research malware and then publish his findings
anonymously under the name MalwareTech.
He never posts his picture on the internet.
His Twitter profile is just a picture of a cat wearing glasses.
Nobody knew who he was or what he looked like.
So, I've been a cybersecurity analyst since about 2016.
I mostly specialized in a combination of malware, reverse engineering and cyber threat intelligence.
So my job was basically to reverse engineer botnet malware and then find ways to monitor
their C2 infrastructure in a way that we could actually see who was being infected.
So our goal was to sort of do external threat intelligence.
So rather than being on someone's network and saying, hey, look, there's a sign that
you're infected with malware, our goal was to be on the bad guy's network and be able
to see all the victims of the malware and then alert them to the fact that they're infected.
Where were you living? Was it Cornwall at the time?
So I was Devon, so just north of Cornwall, pretty close to the border actually.
What is that?
I think I watched a show, like there's TV shows based out of Cornwall and I think it
was Doc Martin, was it?
Yeah, that was the one.
I think that there were some episodes in Devon, but I remember my parents were very excited.
They called me one time and they were like, there's some famous people filming in our
town and like we live in the middle of nowhere.
So there's no famous people there.
Any kind of filming is like a huge deal.
So there's, you've probably seen it on the TV like once or twice.
Yeah, I have.
It's a very picturesque place.
It's beautiful.
Yeah.
So where I live, which is in North Devon, we have this massive long, I think it's like
three, four mile long beach, beautiful golden sand.
It picks up a nice Atlantic swell that I think comes from the hurricanes down in the Gulf.
They'll occasionally swing north towards the southwest coast of England.
So we actually get some really really big surf
down there. So living so near the sea I was like well what do I do for hobbies because
we had moved from inland so I'm like I need new hobbies what do people here do and the
obvious answer was surfing. So I took up surfing, turned out it's a really really fun sport
but a lot of people don't associate it with England. They think England is like rock beaches, pebbles, usually they're thinking of places like Blackpool, but there are some
really, really good surf spots on the southwest coast and I just happen to live right next
to one.
Basically, I wake up one day and it's all over the news that this ransomware is infecting
lots and lots of British hospitals.
And we start with breaking news this hour.
A number of procedures have been cancelled or redirected to other NHS providers,
following a cyber attack on some of London's major hospitals.
The ransomware would soon be called WannaCry,
and it was hitting tons of hospitals around the UK.
Their computers would get infected and then completely encrypted.
You couldn't use it at all.
And you had to pay Bitcoin to get it unlocked again.
This infection forced hospitals to turn away patients and cancel procedures.
It was awful.
So I think the consensus is that it was someone working on behalf of the North Korean government.
It's very interesting how this came about too. We believe it was the NSA that developed the exploit
which they called Eternal Blue, which by the way the NSA found this exploit in Windows,
Microsoft Windows, an American company, but didn't tell Microsoft that they have this really bad
vulnerability in Windows.
And it absolutely flabbergasts me that NSA discovers vulnerabilities in US companies
and then doesn't tell those companies that their product is vulnerable to attack.
But it gets worse.
Then the NSA somehow lost control of this exploit and it ended up in the hands of someone
calling themselves the Shadow Brokers.
And just the set of circumstances that led to WannaCry were so insane.
Because of course you have the Shadow Brokers leak and the Shadow Brokers isn't, they haven't
been attributed yet but it's widely believed to be Russian intelligence.
So Russian intelligence hacks the NSA, steals one of their most prized vulnerabilities, leaks it onto the open
internet at which point North Korea pick it up and decide to make ransomware
with it and we're not even to this day sure whether WannaCry was supposed to
be released yet. There are a lot of just signs in the code that it might
have been a work in progress that accidentally leaked a little earlier
than they had intended it to.
We think the North Koreans unleashed ransomware on the world just to try to make some money, which is wild.
Other nation states are not doing cyber-thug activity like this, trying to make some money through ransomware.
But North Korea does it.
But one reason we think the exploit got released too soon was because it was discovered pretty
early on that there's no way to track who paid the ransom.
Usually ransomware would generate a unique Bitcoin address for every single victim and
then they can tell if that victim paid by telling if there is a payment in that Bitcoin
wallet.
But there was a bug with the code where it only generated something like three Bitcoin
wallets.
So all of the payments are going to these 3 bitcoin wallets.
They have no way to trace who paid and who didn't.
So while I think it was intended to be ransomware or intended to at a later date be ransomware,
at the time that it was released or got out, it was essentially a file shredder.
Like there wasn't really any realistic way to get your data back.
What scumbags, you know? Like, for one, for a country to extort hospitals to try to make a
little bit of money, I mean, come on. But two, to release ransomware so bad that it doesn't even
work right. It just cripples businesses with no way to undo it. So North Korea didn't make much money from this and simply gave the world a black eye
for no reason.
I think a lot of what went into them not making much money was it came out very early that
the files weren't decryptable.
Almost immediately when the first infections happened, analysts raised the alarm, they
went to the press and they were like, don't pay the ransom.
You're not going to get your data back.
Of course, all this news is right up MalwareTech's alley. Malware research is his bread and
butter. He wants to know more.
Now the thing with ransomware is back then, it was mostly spread by phishing email. So
if you see an organization or two infected, that's pretty normal but if you're seeing like 10,
20, 30 different parts of the same organization being infected that's either a lot of people
falling for phishing attempts or it's not phishing and my first instinct was this isn't
phishing this is hitting way too many organizations way too many parts of the same organization, it has to be something
bigger. So I went and asked my friend Kafeine, can I have a sample of this? And the second
I looked at it, I was like, Oh, this is this is bad. Like this isn't your standard ransomware,
because at that time, ransomware was purely spread by phishing or botnets. I don't think anyone had ever made
wormable ransomware before and I was like this ransomware spreads from computer to computer
completely unaided. It doesn't need a user to click a malicious link or open a weird email,
it will literally just get onto a computer, look for other computers to hack and then hack them and
infect them and just repeat that process over and over and that was the point where I was realizing
we are dealing with something that I don't think has ever been seen before.
This thing was spreading fast, hundreds of networks were spreading it to
hundreds more, soon thousands were infected all trying to spread it to
thousands more. The internet was burning like an out-of-control
wildfire that day.
I was tasked with stopping the ransomware and historically when I worked
with ransomware it's almost impossible to stop. Sometimes you can decrypt it retroactively,
there's flaws in the encryption, you can break the encryption and get people's files back.
But in terms of stopping actively spreading ransomware, that is almost impossible.
Sometimes there'll be a vulnerability where we can hack into their command and control server and put a stop to it.
So that's what we were looking for.
But as he looked through the ransomware code, he noticed something.
There's a strange domain name in this code, a URL.
Just a long string of gibberish letters with .com at the end.
He looked.
The domain wasn't registered.
And when I saw this unregistered domain in the WannaCry code, I was like, nice, this
is probably a command and control server.
So I registered it.
And then I started looking, what can I do with this code?
What can I do with the control of this domain?
I'm thinking it's a command and control server and maybe we can exploit a vulnerability in
the WannaCry code, maybe crash the malware or anything that could stop it
from spreading.
But it actually turned out while we were trying to figure out what is the purpose of this
domain, what does it actually do, we had already stopped WannaCry because the domain was a
kill switch.
Without him even realizing it, the moment he made this domain active, the WannaCry malware stopped.
Just suddenly and surprisingly stopped spreading.
Someone had basically just posted on Twitter that WannaCry has been stopped. Someone has
activated a kill switch in WannaCry and we actually didn't know we had activated the
kill switch until several hours later.
The purpose of this domain in the code was before the malware spreads, it first checks
to see if the domain is up and alive.
And if it is, the malware stops everything it's doing.
And since MalwareTech just registered it and set it up, that triggered the kill switch
to essentially deactivate one of the most brutal, devastating, ransomware attacks the
UK has ever seen.
By the time we actually got around to looking at the code, it was like it had already reached
the media that we had stopped it and we were like, oh, okay.
Yeah, the media was reporting that someone stopped WannaCry before he even knew he did
it.
But wait, if he's got control of this domain, can he set some sort of monitoring tool up
so that he can see what traffic is going to this domain?
Yeah, so we're actually very lucky in the...
We did this professionally.
A lot of our work was about finding ways into botnets and then collecting these analytics.
So we actually already had the system set up to do that which was great so I was like
awesome we have this all this analytics we can see how many systems WannaCry was hitting
but while I was focusing on that everyone's like who is this guy who's stopped the world's biggest
ransomware attack meanwhile I had no idea that that was going on until I checked Twitter and I was like, oh, oh.
The thing is, is he was tweeting from his username, MalwareTech, all the analytics that
were coming into this domain.
And this made people realize MalwareTech is the guy controlling the kill switch.
He's the one that stopped it, since he had all these analytics and could see what was
going into that domain.
But the thing is, not everyone put those pieces together like that.
Some people thought, well, if he controls that domain, then that must mean he's the
one who wrote the malware.
So as far as a lot of law enforcement and intelligence agencies are concerned at the
time being, I am the one who created WannaCry.
I'm the person who created WannaCry. I'm the person responsible for
WannaCry. That is my domain and I'm controlling it. So it led to a very, very interesting scenario
because everyone was kind of confused about how did this happen? Why is the domain there? And why
does this random British teenager, well I think I was 22 actually, so not quite a teenager,
but they're like, why does this random British dude control the domain
that is in this massive piece of ransomware
that is destroying networks all across the world?
Did you discover all this in your parents' bedroom, by the way?
Or I mean, in your parents' house?
Yeah, so the unfortunate stereotype of the nerd in his parents' basement is true.
It was technically not a basement because our house had multi-levels.
The front door was a level higher than the back door.
It was technically a basement, but technically also not a basement.
But I was basically in my parents' basement.
Once the news got out that this guy MalwareTech is the one who stopped the world's biggest
ransomware attack in history, his whole life changed.
It went wrong in every way possible for me.
I had set it up so the domain was registered through a proxy that shouldn't have traced
back to me.
But I think my Twitter gave them enough to find me.
And my goal personally was to be an anonymous researcher.
I had basically seen my whole career just being an anonymous researcher who no one needs to know my name. They don't need to know what I look like.
I can just publish my blogs in peace and no one needs to even know who I am.
And then I got an email from
I believe the Daily Telegraph and they were like we found your real name, we found your address,
we found your parents name and we're going to publish it tomorrow and we'd like comment.
And I begged them like do not publish my name, don't publish my photo, please just like
respect my privacy. But of course they had the biggest story related to WannaCry so far.
The Daily Telegraph was the first person to actually correctly identify me.
So they knew they had a story that would get a lot of eyes.
And I kind of knew where this was going.
I was like, I'm going to beg them anyway, but I know they're going to publish this.
And I know it's all downhill from here.
I believe this was the Monday.
So WannaCry happened on the Friday.
I woke up Monday.
They had published my name.
They had published my photo.
The Daily Mail had published my house address
for some reason.
I remember reaching out to journalists and being like,
dude, like what the hell is this? Like why would you possibly need to publish my home
address in the UK's biggest newspaper after I've stopped a major criminal attack? Like
this doesn't make any sense. And he like apologized and he took it out. But was like dude like like what what what goes through
someone's mind to think everyone needs to know where this person lives but yeah
so that day I woke up and my name was out there everyone knew it was me I
couldn't walk down the street without being recognized by someone in town
and I was like this is this is it this is the end of an era. Like, I'm no longer MalwareTech, the anonymous researcher.
I'm now Marcus Hutchins.
And I remember just thinking, man, this is going to be such a, like,
earth shattering change to just the way I saw my life going.
Once his name was out there, another paper, the Daily Mail, found a picture of him and
published it.
The headline read, Surf Dude Saves the Day.
I think that was the two page spread with my face on it, right?
Yeah, front cover.
Yeah. So before that, no one knew what I looked like because I ran an anonymous Twitter account
with a cat avatar and I believe they were the first ones to actually get a real photo
of me.
And my mom, she reads the Daily Mail, so she came home and she handed me the newspaper
and there's my face across a two page spread and I'm like, Oh my God.
Marcus Hutchins was now world famous and everyone wanted to talk with him.
Even me.
There was this dude, this one dude, he kept ringing the doorbell like every single hour.
And then when we finally were like, look, you've got to stop doing this.
He just started
calling instead like somehow he had our phone number and there was at one point there was
several several journalists just like hanging around on the sidewalk outside my front door
waiting for me to come out of the house of this funny story of me having to climb over
the back fence to go and get food because these journalists just would not leave the outside of my house.
And at the time I just I didn't understand why this was such a big deal.
And as a very non-public person, it was it was actually quite scary.
Marcus is a private person.
He's a bit awkward around people, very soft spoken.
He does not want this kind of spotlight on him. This was agonizing
for him. He's tall and has huge poofy hair. You can spot him easily in a crowd. And people
were stopping him to talk with him everywhere he went. Are you the guy who stopped the ransomware?
And it wasn't just random people and journalists. Foreign intelligence was curious about him
too.
In the months after WannaCry, while the investigation was still ongoing, before we knew that it
was North Korea, there were a lot of foreign intelligence agencies that weren't really
sure what my role was.
And there was actually one incident I remember quite clearly when I was traveling in a foreign
country and some researchers from a neighboring country had invited us out to
lunch.
They were like, hey, we're like really interested to hear about your research.
Would you like to come to lunch with us?
And they gave us an address and the address was across the border in their country.
And I didn't see it as immediately suspicious because we were very close to the border of
this country.
So I'm like, okay, there are researchers from this country.
They're probably going to know more good restaurants in this country.
Let's go meet them in their country for lunch.
And I got a tap on the shoulder by someone who I have no idea who they are,
who they work for.
And they were like, just so you know, those are intelligence operatives of that country.
Those people inviting you to lunch work for their foreign intelligence service.
I would maybe go get McDonald's or just go anywhere else.
So you don't know who tapped you on the shoulder.
It was just a stranger from the crowd and then they disappeared after that.
Yep.
It was one of the weirdest experiences I had in my life.
That must have been for just to have some random person tell you that and then suddenly
you're, you know, the camera's zooming way out like, whoa, hold on, let me.
I assume it was probably someone from my country.
I don't know.
Why is someone from your country following you to another country while you're on vacation?
That is crazy.
I think it was someone following those people around and then they're like, wait, who's
this guy they're talking to?
Oh, I see.
It's entirely possible.
We ended up on a lot of people's radars after WannaCry.
My colleagues not so much because they weren't as in the public eye as me, whereas I was
the one who got tracked down first, so I took most of the heat.
But I ended up having to actually go into a few different countries and speak to their
law enforcement and tell them my side of the story because there was obviously a lot of
suspicion.
They're like, no one knew where WannaCry came from and I was the only tie to it.
All they knew is that this worm just came from nowhere and there's only a single domain
in the code and it's linked to Marcus Hutchins in Great Britain.
So I basically ended up going on this sort of almost like an apology tour but without
an apology because I'm not responsible.
So I had to sort of give them my side of the story, explain why we registered the domain,
how it came to that.
And eventually, obviously, I think it was, it might have been October, like it was a
good like six or seven months after WannaCry that the NSA and GCHQ and I think the Australian
intelligence services, they all came out and they pointed the finger at North Korea.
So after that, the heat kind of died down.
But in that bit between stopping WannaCry and it being publicly attributed to North
Korea, I spent a lot of my time dodging very, I don't know how to describe it, but very
suspicious situations.
I suspected that people had nefarious intentions with either wanting to interview me or inviting
me to their country to come and speak at their conferences.
There was a lot of that in that period.
So it was a very, very strange time in my life.
Man, how crazy is that to be invited to speak at another country and then to wonder, is
this a ploy for some foreign intelligence operatives to arrest me?
Or even worse, is North Korea mad at me and they want to pay me back for screwing up their
ransomware and they're inviting me to this thing just so they can kidnap me?
Marcus had to be very careful from now on.
This sudden fame was attracting a lot of strange people.
WannaCry hit in May of 2017.
Three months after that was DEFCON, the annual hacker conference in Las Vegas in the US.
Marcus had been there once before in 2016 and he liked it, so he flew out again in 2017.
But little did he know that this DEFCON was going to radically change his life.
So it was insane.
I cannot even accurately describe the feeling of it.
Try though, try.
Let's hear it.
Yeah so there's what we did personally and then there's what we did within the conference. So personally, what my friends had found out is that hotels in Vegas are ridiculously expensive.
And they basically calculated what could we afford if we just put all our individual hotel room costs
together and got an Airbnb instead.
And we found we could get one of the biggest mansions in Las Vegas with the largest
private pool in I believe the entire state. So we went and we got this insane mansion
and then we're like well the mansion is not complete without supercars right? And there's
a car dealer in Vegas that they let you rent supercars for like a day, two days, three
days a week. So my friends, they went out and they rented supercars.
So we had this driveway full of supercars and they're not particularly expensive to rent for like short periods of time.
But of course, I didn't realize that in the background I was setting up this scene of me being this very, very wealthy person
when in reality the costs were split
between about I think 8 to 12 people.
So we had this crazy Vegas trip, we stayed in this massive mansion, we were driving around
in super cars, we were shooting automatic weapons.
We just went all out on Vegas.
Now the conference itself was very, very different. Now I had
suspected I would get a fair amount of attention at the conference given how recent WannaCry
was. It was only I think three months ago, but I had no idea the level that I was going
to experience. I remember this was back when it was in Caesars Palace,
the actual casino before the forum.
And anyone who's been will remember there's these hallways
that are maybe like 20, 40 feet wide,
and it's just shoulder to shoulder people
all the way down the hallway.
And I could not walk through the hallway
because the traffic was moving so
slowly that I would take a step, someone would recognize me, they'd come over and talk to
me and by the time I got to take my next step someone else had come over and I had to get
to this one event and it took me two hours and 15 minutes to walk a maybe like a hundred feet down the hallway and
I was just like I need to go to my hotel room and hide like there's like an
average 15 minute conversation will drain my social battery to the point
where I need to sleep and I'm now at a level where I physically feel like I'm
gonna pass out it was like one of the most crazy
experiences I've ever had.
I just remember feeling like so overwhelmed because I knew there was gonna be people who would want to come up and talk to me.
I just didn't think it would be that many.
What was some of the stuff they were saying to you?
Oh, it was all
overwhelmingly positive like super heartwarming stuff.
Like everyone was just really, really positive.
They were all very kind, very polite.
I don't think I had in the entire Defcon
a single negative interaction.
Like people make out the hacking community
to be all these like bad people and evil,
but generally speaking, I cannot think of a single
negative interaction I had. Like everyone was so polite and so wonderful. But then on the other
side of this, I'm just an introvert. So I'm not used to this level of attention. So inside, I'm
like, this is really, really, like heartwarming and supportive. But also I feel like my entire body is on fire.
Yeah. Wow. So what a weekend. You're going to fly back to the UK after that, right?
Yeah. So I believe the 2nd of August, we spent 10 days there. So 2nd of August, I was due to fly back to the UK.
And so, you have to go through the McCarran airport in Vegas. You get through security
just fine?
No. So, security was a little weird because usually when you go through security, they
make you take any big items out your bag, laptops, iPads, phones.
And that is my experience with that airport.
They always make you take your laptop out of your bag.
Whereas with me, they didn't.
It seemed like they were speaking to me specifically and not the guests in general.
As I went to unpack my bag, they said, just leave everything in there and put it through and it felt like very weird at the time I was
like it didn't look like they said that to anyone else other than me.
It looks like they specifically singled me out and I had a feeling I knew what was coming.
I had a feeling that it was actually going to be related to WannaCry.
The FBI had some questions for me and they were going to pull me aside but I was actually,
I wasn't sure so my bag goes through security just fine in the weirdest way possible. I
go to the lounge and I think maybe an hour before my flight, a bunch of people in CBP uniforms approached me.
And I'm like, huh, because CBP is customs. And I'm trying to think what would I have done that would
get me on the wrong side of customs. And the only thing I could think of is this was the year that they had legalized recreational cannabis in Las Vegas.
So I was like, did I forget to take some drugs out of my bag? So I'm thinking they're pulling
me aside because I forgot to take some weed out of my bag. They found it, whatever. And they take
me to this back room and they take off the jackets and they unroll these badges and it's FBI.
And I'm like, oh, okay.
So I did not know that was even something you were allowed to do to pretend to just
be a different agency or if the people who took me were genuinely also CBP.
But I get this back room in the airport and they identify themselves as FBI.
And at this point, I still am not exactly sure why I'm being detained.
I'm sorry, but I have to take a quick ad break here.
But stay with us because Marcus is about to be very surprised about why the FBI is talking
with him.
You have such a happy demeanor to you.
So I imagine even in those first 15 minutes or so of like, oh, okay, we're actually the
FBI.
I still imagine you smiling and being like, oh yeah, you know what?
There were a thousand people who wanted to ask me about WannaCry.
I'm sure you're just another one.
What do you want to know?
Did you have that kind of attitude?
Or what was that first 15 minutes like?
So I believe I was a bit hungover, but you are right.
I always just have this happy demeanor.
So I'm like, even when things are generally really, really bad, I always just am chill
and happy to be there.
So I think I was a bit hungover, but otherwise I was like, oh, okay, it's the FBI, whatever,
I'll talk to them.
But I hadn't quite yet figured out why they wanted to talk to me.
Okay.
I mean, what were the questions they were asking you?
So they started off with a bunch of random questions.
It felt like they were deliberately trying to confuse me.
They themselves were trying to obscure the reason why they
had pulled me aside. So it felt like they were basically just fishing for information
in a way that was designed to prevent me from realizing that I'm in trouble and I need a
lawyer. So they kind of presented themselves as these very, just we're asking questions.
We're just some friendly FBI agents asking questions.
And I thought it was about WannaCry until a good 30 minutes, I think, into the interview.
So you know in the movies when they slide the document across the table and they ask
you, do you know what this is?
And usually it's like a photo of a murder or whatever.
Yeah. So they did that.
I didn't think that was a real thing they did, but they did that.
Except in my case, they had basically printed off compiled code.
So it was basically just a like 15 pages of just straight gibberish.
So I'm like going through these pages and they're like, do you know what this is?
And I'm like, no, like honestly, no,
like this is literal gibberish. But then one of the things with compiled code is any text that is
present in the code is present in the however you were to print it off. So I get to the text section
of the code and I start recognizing the strings and I'm like,
oh, they printed off the Kronos executable.
Like they've taken the compiled Kronos malware, opened it in Notepad or something, hit print,
and this is what I'm looking at.
And that was kind of the point where I realized, oh, I'm in like some serious trouble.
But then I'm also trying not to laugh because someone
has just tried to print an executable and hand it to me.
Yeah, so I'm like toggling between almost smiling and oh shit, I've really messed up.
It is absolutely ridiculous that they printed off a program and handed it to him.
It wasn't readable code, it was compiled.
Only a computer could read it.
There's no way that anyone can read this gibberish, except there was one word in there which made
Marcus realize what he was looking at.
The Kronos malware.
Kronos was a devastating banking malware.
It was designed to get access into a victim's bank account, and then the person operating
the malware can siphon funds out of the victim's bank.
The FBI agents handed it to Marcus and asked him if he recognized it, and he did recognize
it.
Because before the world knew who Marcus Hutchins was, he was only known as MalwareTech, an
anonymous security researcher. But before that, he was a malware developer.
I started out as a malware writer.
I specialize in writing rootkits.
So that's malware that hides malware.
So I mostly did stuff like Trojans
that would do Bitcoin mining, stuff that's not
super harmful, but also not really very great either.
It's like the... not the worst of the worst,
but obviously not something that I didn't deserve to go to jail for.
Basically, he would write malware, which in itself is not so bad.
It all depends on what you do with the malware, right?
But he was working with someone who wanted to take his malware and sell it,
so they could make money. And so now his malware was being offered to criminals for sale. But still,
by itself, his malware wasn't making any sales.
Basically, we had a seller. So his job was to sell the malware. I would write the malware
for him and then he would sell it. And then he announced to me that he had contracted this other programmer
to combine my code with the banking code to make banking malware that he wanted to sell.
So essentially I had a choice. I was like okay so my code has just been made into banking malware,
I am already implicated in this, what do I do? So I was like I don't really want to, I
don't want to have anything to do with this. Like I specifically said that any
kind of credit card fraud or any kind of theft of money was over my moral line, I
don't want anything to do with this. And that was the point when he basically
hinted that if I didn't continue to maintain the code, he would drop my name and address to the FBI.
So at that point, I was like, I'm in too deep.
There is nothing I can do at this point.
So as a teenager, he developed part of this Kronos malware.
And now it was being bought by criminals and actively used to rob people's bank accounts.
And he's actively supporting the code, adding in features, fixing issues.
This made him worry.
The second he told me that he had combined it with the banking malware, I was like, yeah,
this is going to come back and bite me.
There is no way that I am, like, I knew this was going to come.
I am going to be picked up by the FBI at some point.
This is going to come back to bite me.
And even then, I think I was maybe 19 when this happened, I knew the repercussions.
I was like, this is bad.
He kept looking for a way out of this deal to stop working on the Kronos banking malware.
But he feared that the guys he was working with
were going to turn him in if he quit.
So I kept maintaining the code for about,
I want to say like six months, a year,
until I found a way to get out in a way
that wouldn't result in him sort of doing anything to me.
Like he wouldn't report me to the FBI or do anything that would harm me other than the harm that
has already been done.
So eventually about a year later, I find an out and I completely distance myself from
the project.
I think I spend about a year just doing blogging and then I get a job in cyber security.
So I basically, I leave the life behind, I go into a professional cyber security role
and that's when I started doing this sort of malware reverse engineering and cyber threat
intelligence.
And so in August 2017, on his way back from the most epic DEFCON ever, about to step foot on the plane,
the FBI grabbed him and handed him a copy of his malware.
And he knew exactly what that was.
And he feared this day would someday come.
At this point, he's missed his flight.
His friends are worried about what happened to him.
And he's starting to sober up.
The smile faded.
So yeah, they took me to Overnight Holding,
which is basically, it's like actual jail.
So it's the jail you go to when you get arrested by the police
for like being drunk and disorderly or whatever.
Man, to be in jail with all the drunk and disorderly people
from Las Vegas, that's got
to be a real nightmare.
Yeah, from the nice fancy mansion and the driving around in Lamborghinis to the concrete
cell in like County Jail.
I don't know if it's even called County Jail, but yeah, that was a very, very high high
to a very low low.
Now, the FBI needed to process him in order to charge him for these federal crimes,
but it was getting late and the FBI agents were tired.
So they just needed to dump Marcus somewhere for the night,
and then the FBI would pick it up again in the morning and finish processing him.
So they take him to the jail.
And um, the jail was full.
Like there were no free cells.
So the police handcuffed me to a chair for the entire
night. They were like, you're just going to be handcuffed to this chair in the lobby for
the next 12 hours. And I was like, great, that's that's very comfortable as a six foot four
guy. I can think of no more comfortable way to sleep than in a lobby chair. So I was a little upset at that point.
I was like, okay, I can understand the rest of the stuff, but like you're gonna handcuff me to this
tiny chair for 12 hours. But then I found a solution. I need to go to the bathroom, so I asked
to go to the bathroom. And it turns out the bathroom is just a cell that they leave vacant for people to use because each cell has its own toilet in it. So they have a spare one
which is like the visitor toilet. So I asked to go to the bathroom and they throw me in
that cell, they lock the door and I'm like, well how do I get back out? And I realized
that you don't. You basically just stay locked in the bathroom
until the next person uses the bathroom.
So my plan for the night ended up becoming,
I asked to go to the bathroom.
The bathroom is just a normal cell,
so it has a concrete bench.
I sleep on the nice comfy concrete bench.
Then when someone else next needs to use the bathroom,
they take me out, they handcuff me back to my chair.
I asked to use the bathroom again and that was basically my night. I just slept on a concrete
bench in the designated public toilet cell. Oh yeah, so in overnight holding, because a lot of
the drunk people might like pass out and you know like end up in a state where they need medical
attention, the
guards are supposed to do a round every 20 minutes and check on all the cells.
So there's a very loud audible alarm that goes off to signal the guards to start
their check and it goes off every 20 minutes. Basically you're just sleeping
for 20 minutes at a time because you cannot sleep through that loud of an
alarm. And I would put that as the rock bottom of my life.
Like basically just sleeping on a concrete bench in a public toilet.
So I think I get woken up at 4 a.m. in the holding facility.
They wanted to like process me, which I'm like, why are you processing me?
Like, you're not keeping me.
The FBI just left me here for you to deal with overnight,
but I'm not staying.
And I remember like, I was in a really bad mood
because like I had been woken up every 20 minutes
for the entire night.
My back hurt, my side hurt, like every surface of my body
hurt from trying to sleep on concrete.
And then this guy's asking me all these questions,
like, what's your sexuality? And I'm like, dude, like, you're not like I'm not doing
this. So I told him like, I'm not doing your your intake form. Like, I'm not going to be
in prison here. There is no reason for me to be up at four in the morning doing prison
intake. And I remember him saying to me, you're not leaving here without it. And I wanted
to be snarky. And I wanted to be like, how much money do you want to bet on that?
And of course, like a couple hours later, the FBI just came and they're like, we don't care whatever he did here.
He's ours. They take me off to the local, I think it's like a field office or maybe like some kind of satellite office. They spend like an hour processing me like fingerprints,
hair samples, saliva sample, like you name it, photos.
And then they, you get handed over to the US Marshals.
He gets taken to a federal detention center,
basically a prison.
He was locked up for the banking malware
that he wrote when he was 19.
And so there was nothing he could do,
but just sit there and see what fate has in store for him next.
Someone who I actually didn't know at the time,
her name's Tarah Wheeler and Deviant Ollam,
who they're pretty well known in the hacking community,
but I didn't know them and I had never met them.
But they ran down to the courthouse
and they posted my bail.
They put up their own money and this was cash bail.
If you're not familiar with the bail system, typically if they set your bail at 30k, you
can go and borrow the money from a bail bondsman and it's usually, I think it's like a 10%
deposit.
So you would just pay 3k and they'd put up the 30K for you.
But when you have a cash bail, you have to pay the entire amount yourself.
So they put up 30K of their own money to bail me out of jail.
And like that was just that truly just blew my mind that
a stranger like someone I've never met would be kind enough to do something like that for me.
Tarah and Deviant simply saw Marcus as someone who helped the world by disabling WannaCry.
So they asked the hacker community to all pitch in and help bail out Marcus.
And people did.
And honestly, this is going to sound crazy, but it's true.
I randomly ran into Tarah myself at that time.
We were on a remote island, deep in the woods of all places.
And in the first few minutes of meeting her, she asked me,
hey, we're raising money to help Marcus, are you in?
And I actually gave her some of my money myself.
She made a good case on why it was important
to help people in situations like this.
And they raised enough money to spring him out of jail.
I came into the US on what's called an ESTA, which is a lot of countries have visa-free
travel programs that allow you to visit as a tourist for 30 to 90 days without needing
a visa.
But you're not allowed to work on those and you're not allowed to stay longer than the
30 to 90 day period.
So I'm in the US on a temporary visa, but my bail condition is I'm not allowed to leave
the country until the case is over.
Federal court cases go on for a long time.
It's very, very rare for a federal court case to go on for less than a year.
So I'm now in this sticky position where I need money to survive, but I'm also legally
not allowed to be in the country, but I'm also legally not allowed to leave the country.
So I'm like, huh, like, do you guys have a protocol for this?
And they're like, no, like, usually we don't arrest foreign nationals like this.
Or if you, when we do, you would be in jail.
We've actually not had anyone be granted bail in this way.
So I'm like, okay, so I guess I'm just on my own here.
Like, I'm just going to have to figure it out myself.
He was stuck. Can't leave, can't work.
Lucky for him, a few good lawyers heard about his case and wanted to help him.
Yeah, so one of my lawyers lived in LA and my case was out in Milwaukee and
As much as I love the people of Milwaukee, Milwaukee is not my scene. Like I'm I'm a
West Coast kind of surfer vibe. So I want to be near the coast. I want to be surfing
I want the nice warm weather and basically one of my lawyers made the argument that
well, like, one of my lawyers is from
LA and the other is from San Francisco.
So if I'm stranded in Milwaukee, anytime we need to do legal meetings, they're both going
to have to fly to me or I'm going to have to fly to one of them and the other is going
to have to fly to one of them.
And it's like a logistical nightmare.
So my lawyers were like, well wouldn't it make sense if
he lived near one of his lawyers and the judge was like, yeah that's actually the more sane way to do
this. So they basically agreed that I could go and live with like in the same city as one of my lawyers
and I don't remember how or who chose it but it ended up being LA. So I get moved to LA and I'd never been to LA before.
I didn't know what it was like. I didn't know what to expect. And I remember just kind of falling
in love with the city within like two weeks, which was pretty funny because a lot of the
government's strategy was give us what we want and we'll let you go home. But after two weeks in LA,
I'm like, actually, you know, I'm kind
of good. Like, I like it here. They're like, give us what you want and you can go home.
And I'm like, no, and they're like, okay, give us what we want and we will deport you.
And I'm like, but you can't deport me until the case is over. And it just, it made things
a little bit tricky for them because they had angled their whole case on this idea that
I desperately wanted to
go home to the UK, which was no longer the case.
I actually, I made a lot of new friends in LA.
I found like a lot of cool stuff to do and I was like, you know what, I'm actually pretty
happy here.
So he became a bit of a beach bum.
I mean, he couldn't work or leave.
So surfing just became the thing he'd do right there on Venice Beach.
Okay.
So what charges do they have on you at this point?
What are you facing?
I actually don't know.
Like I, this is going to sound absolutely insane, but I regularly have to Google what
I was convicted of because it was very obscure.
Because in the US it is not illegal to write malware.
You might intuitively think malware bad, surely it's illegal.
It's not. There is actually no federal law against writing malware.
So what they tend to do is they tend to find other laws that can be interpreted in such a way as to charge you with malware.
Now initially I think they hit me with six charges and then they
later up to 10, but they were all very obscure. They were things like a conspiracy to commit
wiretapping, conspiracy to sell a wiretapping device, conspiracy to advertise a wiretapping
device. Their basic argument was that malware listens to keystrokes like it's like a keylogger and a keylogger is like a
listening in on telephone calls therefore we can use the wiretapping act to charge him
with what I would not call wiretapping but they had argued is.
So I'm being charged with a statute that was originally made for stopping people from
listening in on telephone calls.
I'm also being charged with conspiracy to commit computer hacking.
And the way that works is if I am in any way involved with someone else doing hacking,
they can charge me with conspiracy being a part of a conspiracy.
So they basically argued because someone used my malware to hack people and I wrote the malware and then it was sold
to that someone, I am therefore a conspirator in whatever hacking happened.
So although I had never used my malware to hack anyone and I had never hacked any systems,
they got me on conspiracy to commit computer hacking.
And I remember my lawyers explaining all this to me for the first time and I was just insanely confused because in England it's just illegal to write malware.
So if I was charged in England, they'd be like, this is the no writing malware law.
You're being convicted of the no writing malware. But in the US, it was just so obscenely complicated
that I couldn't even wrap my head around what I was actually being charged with. I'm like
telephone wiretapping?
This makes no sense.
And here's the thing.
Marcus knew that by creating the Kronos malware, what he did was wrong.
He knew he should face charges for that.
But these charges?
No.
These were not the right charges.
And I've heard this time and time again from hackers on this show.
They knew they did something bad.
They were ready to face the consequences for it.
But the charges that they were facing were for something else entirely.
And that doesn't feel right.
Like, if you steal $1,000 from someone and get caught,
you know you're guilty, right?
So when the police say, did you do it?
Yep.
OK, great.
Here are your charges.
We know you worked with five other guys
and together you all stole $200,000
so you're facing 10 crimes total.
Whoa, whoa, whoa, hold on.
I only stole $1,000.
This is not right.
You know you're guilty of stealing
but not guilty of all the other stuff.
And so you feel like you have to say,
not guilty to all of the charges since none of them match
the actual crime you did.
It's a broken system.
At that point, I think I had decided to fight the case because what had basically happened
is they had made it very clear to me that they did not care that I committed crimes.
This was not you've done something wrong and we're bringing you to justice.
They were very, very clear that they were only charging me to leverage me into becoming
an informant and giving them up someone that they wanted.
And at that point, I was kind of annoyed because in my mind, that's not how the justice system
works, right?
Like you do a bad thing, you go to jail because you did a bad thing.
Whereas they were saying, we don't actually care what you did. We just want this other guy. And
I'm like, what? Because this isn't, I guess for the American listeners out there, this
is not how the UK system works. In the UK, you don't have plea deals. And it's very,
very hard for prosecutors to do cases in this way. The UK system is a lot more clear cut. You do a bad thing,
you get charged with the bad thing and you go to jail for doing the bad thing. Whereas
the US is a lot more geared towards, there's always a bigger fish. They just, they want
the bigger fish. They don't really care about you or what you did. And this was of course
my first experience with the US justice system.
So I'm confused, I'm a bit frustrated, I'm annoyed.
So I ended up kind of deciding to fight the case because I also noticed that these charges
don't really make any sense.
Like there is no law against writing malware.
So you're just charging me with these these weird crimes.
So I'm like, okay, let's just fight it and see what happens.
Okay, so you had two lawyers at the time. That must have been costly.
No, so I was actually very lucky and these two great, great lawyers, Marcia Hofmann and Brian Klein, they reached out to me and they were like,
we would like to take your case pro bono. And these are like top top lawyers, the kind that you would want on your side in a cybercrime case.
And I remember they reached out to me and they were just like, we just want to take your case
free of charge. You'll obviously have to pay like court fees and filing fees and for your flights
to and from the courthouse. But other than that,
we're not going to charge you for our services. And it just felt like a gift from the heavens.
It was like so much of the theme behind this story was just random people I'd never met
just sort of going out of their way to help me. And it was just such a surreal experience
to have all of these people just coming to my aid
out of seemingly nowhere.
Okay, the fight is on.
Two powerhouse lawyers ready for action.
Marcus, unhappy with the way the justice system is acting
and wants to make things right.
But it's a federal case.
Federal cases are extremely slow.
We're talking years for them to finish.
He's got to fly back and forth between Wisconsin,
where the trial is, and California, where he lives.
Flying gets more and more tricky since his visa expired
and he's not supposed to be in the country anymore,
but he's also not allowed to leave the country
and he can't work in the US either.
So for a lot of the time I was kind of wrestling with this internal conflict of like, A, I'm
guilty and I did everything they say I did.
But B, I'm also kind of really just fighting not because I believe I'm innocent, but because
I don't feel like this is how the justice system should work. But what really kind of wore me down is just the time.
Like, we're talking a year, two years into the case,
and I'm... this is like...
It's very, very hard to explain how stressful being in a federal case is.
Like, it is a level of stress that goes way beyond even the worst like incident response
cases I've ever worked. And it's daily like every day you just wake up and you're just
like is today the day I go to jail? Like what's happening in my case? Blah, blah, blah. And
it just it wears you down so fast. I mean people have committed suicide. There are people in the hacking community who have committed suicide from the just sheer constant stress of
going through that system and I don't think there is anyone who is set up to
actually see that through to the end. At some point it like it just gets you to
the point where you're just like, I just, I give up.
And for me, I think that was, I think it was about like a year and a half, maybe a bit more in.
We had fought a bunch of motions with the judge to get like certain pieces of evidence dismissed and arguing that certain charges weren't correct.
And all of the motions were denied.
So at that point, we're basically starting from zero.
We've got to find a new strategy.
We're going to be going for like at least another year.
And at that point I was like, you know,
I can't do this anymore.
So I ended up just pleading guilty.
After fighting it for almost two years,
he switched and gave in and said,
fine, charge me with whatever stupid stuff you want. I'm tired of this.
Honestly, at that point, I was like, if I had just gone to jail from the start and spent a year or
two in jail, it would have been infinitely easier on my mental health than like going through this case. So it was a lot and I just
couldn't take it anymore so I folded.
Okay then. Guilty on all charges. Well, the case can be closed now. Except for one last
thing. The court now has to decide what his punishment is. So a sentencing hearing
was scheduled. Some early calculations were saying that he could get anywhere from two
to eight years in prison. But of course, his lawyers were trying to fight for him to get
the least amount of prison time as possible.
In my case, their argument was the FBI actually couldn't produce any evidence of Kronos having
damaged systems. That's not to say it didn't, I'm sure it did, but they had not produced any evidence.
And part of their argument was that we estimate it caused X tens of thousands, I think it
was hundreds of thousands in damages and they could not produce any evidence to back that
up.
And their sentencing recommendation was based on their claim that I had caused these
hundreds of thousands of dollars in damages, which they couldn't prove.
So my lawyers had an argument there of, well, if there is damages, where are they?
So his sentencing day comes and he heads into the courtroom.
So I had basically convinced myself from the start that I was going to jail.
So I went into that hearing with the belief that I was going to jail.
I think you tweeted something too like, okay, I'm going to jail and whatever happens, I
love you all.
Yeah, pretty much.
Like I was sure that I was not leaving that courtroom.
The prosecution gave their arguments, his side gave his arguments.
The judge listened to it all and came to a decision.
Basically my punishment was sentencing me to time served.
And even when the judge said time served, it didn't register.
Because like, they don't, it's not like in the movies where they bang the gavel and they're
like, this is your sentence
There's usually they say the sentence and they'll talk a bit about why and then they'll talk about like what happens next and blah blah blah
So he sort of said the sentence and then he kept talking and I'm like, okay
So I actually didn't really know what time served means so I'm like, is that the sentence?
I don't know and then he's still talking and I'm like I'm waiting for him to say how much jail time and it's
not coming. And then I think the hearing went on for maybe 30, 40 more minutes. And I was
still confused at the end. I was like, I don't actually understand how this system works
or what time served means. And I remember my lawyer just being like, you're going home.
And I'm like, what?
And it just, it never registered.
Like it didn't register in the courtroom.
It didn't register when I went home and it still doesn't register now.
Like in the back of my mind, I still feel like I have this thing hanging over me and
any minute now I'm going to go to jail.
And it was because I had just convinced myself since the beginning of the case
that this ends in me going to jail.
And because there was never any jail, it hasn't ended in my mind.
So I've always like, I've never been able to like fully kind of clear that period
of my life from my mind.
Well, you should take a trip out to Alcatraz, hang out there for an hour, and do like some
sort of mental cleansing of, okay, I'm here, I did it, now I'm leaving, it's over.
It sounds funny, but that actually might not be a bad idea.
The judge seemed to understand all aspects of this case, even before the defense gave
their side.
People sent in tons of letters saying why Marcus should be free and serve no jail time.
The judge read newspaper clippings of how Marcus is a hero in the UK for stopping one
of the world's biggest cyber attacks.
And one thing the judge had to think about was what is gained by putting him in jail
because he's already on the good side. He's doing good work
and you're just taking him away from doing the good work. What do you seek to gain for putting
him in jail? And that's actually what the judge's own argument was. I think, I suspect the judge
had actually made up his mind about the sentence before any of us had made our arguments.
Like he had looked at the case, he'd looked at the totality of the circumstances,
and he had been like, this just doesn't make any sense.
So I strongly suspect the judge had already decided to sentence me to no jail time before we even got into the courtroom.
He basically said that, yep, he's self-rehabilitated,
so there's no "he needs rehabilitation" angle.
He's stopped one of the largest ransomware attacks
in history, and he's been doing all of this great
cyber security work, he's got all of these letters
from various people in the cyber community,
they wrote in letters explaining why they
think I shouldn't go to jail.
And I think all of that just put together just made a really strong case for sentencing
me to time served.
Time served simply means whatever time you've spent on this case already is enough punishment.
You're done.
You can go home now.
Case closed.
And you might think he got the best
possible outcome here, but the stress of not knowing what's going to happen to you for two years
is a lot harder than you realize. To be honest, like I'm being a hundred percent real when I say
this. If I could have taken a year or two in jail instead of going through all of that stress,
I would have taken it.
So WannaCry was one of the worst things that happened to him, yet seemed to also be the
very thing that saved him.
It's obviously hard to speculate what would have happened had WannaCry not happened, but
there is a chance that I would have got sentenced to jail time if it was not for WannaCry.
I don't know that for sure, but yeah, I do think WannaCry was this silver lining of at
the time it felt horrible.
It was like my anonymity's gone, my life has been turned upside down, but then it most
likely helped me out in the court case and it helped me come to terms with like learning,
I guess, better social skills and
how to how to do public speaking.
So while at the time when it happened, I would say like this was the most terrible thing
that happened that far in my life and I had gone through a lot of terrible things.
But now when I look back, I think it was like it led to a lot of important growth that was
needed and it helped me out in a lot of scenarios that would have made my life a lot worse had it not happened.
So I'm not saying I'm like I'm not changing my answer but I'm saying versus like when it was
happening I was very adamant that this was the worst thing to happen to me.
But now in hindsight having had like years and years of personal development, I think it
turned out for the better.
I think it improved me as a person and it bailed me out of potentially going to jail,
potentially.
Thank you so much to Marcus Hutchins for coming on the show and finally sharing the story
with us.
This is such an incredible story.
I'm so glad you finally said yes to it.
I started this show the year he got arrested and I've dreamed about having him on this
whole time.
And I get it, he was busy fighting for his life the whole time.
I was constantly being bombarded with interview requests. But that's the thing about me.
I don't mind waiting 8 years to get the story.
Take your time.
Unwind.
Decompress from the craziest time of your life.
And then let's talk.
It'll still be a really good story when you're ready.
This episode was created by me.
Control Alt Deluxe.
Jack Rhysider.
Our editor is Zero Day Dreamer.
Tristan Ledger.
Mixing done by Proximity Sound,
and our intro music is by the mysterious Breakmaster Cylinder.
There are two kinds of people in InfoSec.
Those who have taken a production server down, and liars.
This is Darknet Diaries.