Marcus Hutchins pleads guilty to US charges of writing, distributing banking malware

Hutchins hit the limelight in 2017 after he stopped the spread of the WannaCry malware

Marcus Hutchins, the British cybersecurity researcher who stopped the WannaCry malware, has pleaded guilty to US charges of developing malware to steal users' credentials from banking websites.

Hutchins stated on his website that he has "pleaded guilty to two charges related to writing malware" in the years prior to his career in cybersecurity research, and added that he now regrets those actions.

"Having grown up, I've since been using the same skills that I misused several years ago for constructive purposes. I will continue to devote my time to keeping people safe from malware attacks," he said.

Hutchins, who is also known by his Twitter handle 'MalwareTechBlog', now faces up to 10 years in prison, according to court documents.

In a joint court filing on Friday, Hutchins' lawyers and federal prosecutors in Wisconsin said that the Hutchins has agreed to plead guilty to writing the Kronos malware and conspiring to sell it from 2012 to 2015.

However, federal prosecutors have dismissed eight more charges against Hutchins.

Hutchins, from Ilfracombe in Devon, earned international celebrity in 2017 when he stopped the global spread of the WannaCry malware.

According to security experts, the malware could have infected many more systems worldwide had Hutchins not stemmed the spread of the infection after a spotting a weakness in WannaCry's code.

Hutchins was arrested by FBI agents in August 2017 at Las Vegas's McCarran International Airport. At that time, he was about to board a flight home after attending the Def Con security conference.

The FBI arrested Hutchins on suspicion of writing and/or selling the Kronos malware, which was designed to steal users' log-in credentials and other financial details.

He was charged with creating Kronos as well as another malware, called UPAS Kit. However, Hutchins maintained his innocence until this weekend, despite being recorded on a US prison phone effectively admitting his role in malware creation when he was younger.

Later he was freed on bail, but barred from leaving the US. Since then, he has been working as a cybersecurity consultant in California.

Hutchins now faces up 10 years in prison, although he could receive a lenient sentence after pleading guilty to two charges, the court filing said.