April 17, 2026

Marcus Hutchins, the Kill Switch, and the Long Strange Year After

On May 12, 2017, a 23-year-old security researcher in Devon registered an obscure domain he had found inside a piece of ransomware spreading globally. The registration acted as a kill switch and ended the WannaCry outbreak before it took down the National Health Service entirely. Three months later, FBI agents arrested him in a Las Vegas hotel room. The story of what happened in between is the story of how strange the modern security industry actually is.

cut by nullbyte / phreak.fm

On the morning of Friday May 12, 2017, a piece of ransomware called WannaCry started spreading on the public internet. By midday it was inside the United Kingdom's National Health Service, where it encrypted patient records, surgical scheduling systems, and a substantial fraction of the operational infrastructure of an entire country's healthcare delivery. Hospitals diverted ambulances. Surgeries were canceled. Triage staff were running on paper.

WannaCry was not subtle. It used a Windows SMB exploit called EternalBlue that the NSA had developed and that had been leaked publicly by the Shadow Brokers two months earlier. It spread laterally inside any network it touched. It encrypted files and demanded a ransom in Bitcoin. By the end of the day, it had hit Telefonica in Spain, FedEx in the United States, the Russian Ministry of the Interior, Renault factories in France, and at least two hundred thousand additional machines across roughly one hundred fifty countries.

What stopped it was not any of the major security vendors. It was a 23-year-old self-taught researcher in Ilfracombe, a town on the north coast of Devon, who blogged under the handle MalwareTech and who, that morning, was eating lunch with his roommates and decided to take a look at the malware sample everyone was talking about.

His real name was Marcus Hutchins. He had been a working security researcher for about three years. He was not employed by a major firm. He worked from his bedroom. He was about to become, within twelve hours, one of the most famous figures in the global security community, and within twelve weeks, the subject of a federal criminal prosecution in the United States.

What He Did

The technical move was small. Hutchins reverse-engineered the WannaCry binary on Friday afternoon, looking for whatever made it tick. He noticed that, before doing anything else, the malware reached out to a specific domain name. The domain name was a long, randomly generated string: iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea dot com, or something similarly nonsensical. WannaCry would attempt an HTTP request to that domain. If the request succeeded (if the domain resolved and a server responded), the malware would terminate without doing anything. If the request failed (if the domain did not resolve), the malware would proceed with its full payload of encryption and lateral spread.

This pattern is sometimes used as a sandbox-detection mechanism: malware authors assume that an automated analysis environment will resolve any domain to make analysis easier, so a domain that resolves suggests the malware is being analyzed and should not run. In WannaCry's case, the implementation was sloppy. The check was hard-coded to that one specific domain. If you registered that domain and pointed it at any web server anywhere, every copy of WannaCry that contacted that domain would believe it was being analyzed and would silently terminate.

Hutchins registered the domain. It cost him about ten dollars. He pointed it at a sinkhole server he ran. Within minutes, WannaCry infections worldwide started receiving the response that told them to exit. The outbreak stopped propagating.

This was the kill switch. It was effective for the same reason it should never have worked: the WannaCry authors had not taken seriously the possibility that someone would notice the unregistered domain in their code. They built a ten-dollar single point of failure into their global ransomware operation. Hutchins paid the ten dollars.
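From the defender's side, the same hard-coded check is a high-quality indicator: any host that looks up the kill-switch domain is infected, and a lookup that failed (NXDOMAIN or SERVFAIL) is the worse case, because the malware only exits when the request succeeds, so on a host that could not reach the domain the payload most likely ran. The following script, added here as an example and not code from the article or from Hutchins or Kryptos Logic, scans DNS resolver logs for that domain and separates the two cases. It assumes a constructed, simplified log format (timestamp, client IP, query name, outcome) and uses hypothetical internal addresses; only the domain name is taken from the article.

```python
"""Flag DNS lookups of the WannaCry kill-switch domain and triage them.

Assumed (constructed) resolver log format, one query per line:
    <ISO timestamp> <client-ip> <query-name> <outcome>
where <outcome> is NXDOMAIN, SERVFAIL, or an answer address.
"""
from dataclasses import dataclass
from typing import List

# The domain quoted in the article; the malware exits only when an HTTP
# request to it succeeds, so the lookup itself is an infection indicator.
KILL_SWITCH_DOMAIN = "iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com"

# Constructed sample log lines with hypothetical client addresses.
SAMPLE_LOG = """\
2017-05-12T13:02:11Z 10.20.4.17 iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com 198.51.100.7
2017-05-12T13:02:12Z 10.20.4.17 update.example.test 192.0.2.10
2017-05-12T13:05:40Z 10.20.9.3 IUQERFSODP9IFJAPOSDFJHGOSURIJFAEWRWERGWEA.COM. NXDOMAIN
2017-05-12T13:06:01Z 10.20.9.3 files.example.test 192.0.2.11
2017-05-12T13:07:55Z 10.20.7.8 iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com SERVFAIL
"""


@dataclass
class Finding:
    timestamp: str
    client: str
    outcome: str   # "resolved", "nxdomain" or "servfail"
    severity: str  # "suppressed" (kill switch could fire) or "likely-detonated"


def normalize(name: str) -> str:
    """Lower-case the query name and drop a trailing root dot."""
    return name.lower().rstrip(".")


def classify_outcome(answer: str) -> str:
    """Map the raw outcome column to one of three buckets."""
    upper = answer.upper()
    if upper == "NXDOMAIN":
        return "nxdomain"
    if upper == "SERVFAIL":
        return "servfail"
    return "resolved"


def scan_dns_log(text: str) -> List[Finding]:
    """Return one Finding per lookup of the kill-switch domain."""
    findings: List[Finding] = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines rather than fail the whole scan
        ts, client, qname, answer = parts
        if normalize(qname) != KILL_SWITCH_DOMAIN:
            continue
        outcome = classify_outcome(answer)
        # A resolved name means the exit check *could* succeed (a proxy or
        # egress filter can still make the HTTP request fail); a failed
        # lookup means the check certainly failed and the payload likely ran.
        severity = "suppressed" if outcome == "resolved" else "likely-detonated"
        findings.append(Finding(ts, client, outcome, severity))
    return findings


def hosts_to_isolate(findings: List[Finding]) -> List[str]:
    """Clients whose kill-switch lookup failed; these need immediate isolation."""
    return sorted({f.client for f in findings if f.severity == "likely-detonated"})


if __name__ == "__main__":
    results = scan_dns_log(SAMPLE_LOG)
    for f in results:
        print(f"{f.timestamp} {f.client} {f.outcome:9} {f.severity}")
    print("isolate first:", hosts_to_isolate(results))
```

Every host in the output is infected and needs remediation; the severity only orders the work. Note that a resolved lookup is not proof the kill switch fired: the article's mechanism depends on the HTTP request succeeding, so a host behind a proxy or egress filter can resolve the name and still detonate, which is why the script treats "suppressed" as a triage hint rather than an all-clear.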

The Instant Fame

The British press went looking for who had done it within a few hours. By Saturday morning Hutchins was on the front page of the Sunday papers. The Guardian called him an accidental hero. The BBC ran a long profile. Sky News parked a satellite truck outside his parents' house in Devon. The narrative arc was irresistible: a young man working out of a bedroom in a coastal town saves the National Health Service from a global cyberattack.

Hutchins was unprepared for any of this. He had been a security researcher for three years, mostly writing technical blog posts that were widely read inside the security community but that nobody outside that community had ever paid attention to. He had not given press interviews. He had not done television. He had not built a public persona. He was abruptly the most-photographed twenty-three-year-old in British technology journalism, and he was visibly uncomfortable about it.

He handled it about as well as anyone could have. He gave a small number of careful interviews. He credited the broader security community for the work that had made his analysis possible. He pushed back on the lone-hero framing in favor of a more accurate description of what had happened, which was that a domain check in malware is the kind of thing security researchers look for as a matter of routine, and that any of dozens of working researchers would have noticed the same thing within hours.

He went to DEF CON 25 in Las Vegas in early August 2017 the way he went every year. It was the largest security conference in the world. He was now its most famous attendee. He gave a talk. He took meetings. He did the conference circuit. On August 2, on his way home, FBI agents arrested him in the hotel lobby of the Las Vegas resort he had been staying at.

The Arrest

The charges had nothing to do with WannaCry. The federal indictment, which had been sealed and was unsealed at the time of the arrest, alleged that Hutchins had, between 2012 and 2015, written code that became part of a banking trojan called Kronos. Kronos was malware-for-sale: it was distributed through underground criminal markets and used by buyers to steal banking credentials from infected victims. The indictment alleged that Hutchins had authored components of Kronos and conspired with others to sell it.

The arrest was a shock to the security community. The image that the press had been running for three months (heroic researcher who saved the NHS) was suddenly in tension with the image the prosecution was running (malware author with a criminal past). The truth, which would emerge over the following two years through court filings and Hutchins' own eventual writing, was a more complicated story about what an extremely young person had done as a teenager in a particular online subculture, and what that person had become by his early twenties.

Hutchins had, in fact, written code that ended up in Kronos. He had done so as a teenager. He had been part of an online community where the line between "doing security research" and "writing malicious tools that get sold to criminals" was significantly blurrier than it should have been, and where he had crossed that line in ways that he later understood were not defensible. By the time he was twenty-three and registering the WannaCry kill switch, he had spent years working as a defender, building a reputation for legitimate research, and trying to put the earlier work behind him. The prosecution was, in effect, holding him accountable for actions taken at sixteen by a different version of himself.

The legal case dragged on for two years. He was released on bail in August 2017 and lived in Los Angeles for the duration, unable to leave the country. The security community organized financial support for his legal defense. He continued doing public security research throughout, including detailed reporting on then-current ransomware campaigns.

The Plea and the Years Since

In April 2019, Hutchins pleaded guilty to two charges related to the Kronos work. The plea agreement allowed for a sentence range that started at no jail time. In July 2019, the sentencing judge agreed with the defense recommendation: time served (the time already spent on pretrial release), one year of supervised release, no additional incarceration. The judge said publicly that Hutchins' work as a defender, including the WannaCry kill switch, had earned him significant credit and that further incarceration would not serve the public interest.

He returned to the United Kingdom shortly after. He resumed full-time security research. He has been one of the most prolific public commentators on ransomware, malware analysis, and the security industry's structural problems through the rest of the early 2020s. He maintains an active blog and a substantial Twitter and Mastodon presence. He works for Kryptos Logic, the security firm that initially supported his sinkhole infrastructure during the WannaCry response.

He has written, in interviews and longer-form pieces, about what the experience of being arrested at DEF CON did to his trust in the relationship between independent security researchers and US federal law enforcement. The position is not bitter, but it is clear-eyed. Researchers whose work occasionally requires them to investigate criminal infrastructure (and most useful security research does) are operating in a legal environment where the line between investigation and participation is not always crisp, and where prosecutors have substantial discretion to interpret old activity in unfavorable ways.

What the Story Reveals

The Hutchins arc is sometimes told as a redemption story or a cautionary tale. Both framings are too simple.

The useful frame is structural. The WannaCry response demonstrated that, in the present global security ecosystem, the front line of malware defense is staffed in large part by independent researchers who work on commodity hardware in their bedrooms, who are not paid by the institutions whose infrastructure they protect, and who depend for their work on a legal environment that does not treat investigative reverse engineering as criminal. The arrest demonstrated that the second of those conditions is not stable. A researcher whose past actions can be reinterpreted under a strict reading of the Computer Fraud and Abuse Act lives one prosecutor's decision away from being detained at the airport.

The security community that came together to defend Hutchins through 2017 to 2019 understood that the prosecution, if it had succeeded with the harshest available outcome, would have had a substantial chilling effect on the kind of work that, three months earlier, had stopped a ransomware attack from taking down a national healthcare system. The fact that the case ended in time served was the right outcome, but the path to that outcome consumed two years of Hutchins' life and tested the limits of community support that not every researcher in his position would have had access to.

Coda

Marcus Hutchins is now thirty-one years old. He has spent more than a third of his life as a publicly known figure. He has continued to do the work. The work is harder than it was when he was an anonymous blogger. The stakes have not gotten lower.

The kill switch domain he registered in May 2017 is still online. The sinkhole still receives, every day, contact attempts from copies of WannaCry that are still running on unpatched Windows machines somewhere in the world. The infections never stopped. The kill switch never stopped suppressing them. Both will probably continue indefinitely, the way old malware infections always continue indefinitely, in machines whose owners have forgotten they exist.

The internet has many of these quiet, ongoing maintenance tasks running in the background. Most of them are upheld by people whose names you do not know. Hutchins is the one whose name you know.