Transcription performed by LeahTranscribes

[START OF RECORDING]

JACK: Oh my gosh, oh my gosh, oh my gosh, I’m squealing over here. After years and years of trying to get today’s guest on the show, he finally said yes. I’m so excited for this one. I’ve been sliding into his DMs for years; hey, can I interview you? I swear, he always has the same answer every time. He’s like, who are you? I say something like, oh, I’m a podcaster and I really want to hear your story. He’s like, no thank you. Fair answer. I wouldn’t want to talk to me either if I was in his position. Then I saw him at a party at Defcon, and when I first approached him in person, he was hiding behind a sign, trying not to be seen.

MALWARETECH: So, I stand out in a crowd, so I’ve learned that signs are my best friend. We can hide behind a lamp post, we can hide behind a tree, we can hide behind a sign. But if I stand in the middle of the room, it’s gonna draw a lot more attention than I necessarily maybe want, although I’ve got to the point now where I think I can just handle it. But I do remember our first interactions. I think part of the awkwardness was I’m very bad at recognizing faces, and you were wearing a mask the first time you saw me.
JACK: It’s true; I had a disguise on, and yeah, I asked to interview him, and he had no idea who I was. He’s just like, who are you?
MALWARETECH: In my defense, there are no photos of you online, and I have checked. So, there is no way I could have known.
JACK: It’s true. I try real hard not to have any photos of me on the internet. I’m a very private person. But I swear, every time I asked him for an interview, he just kept asking me the same thing; who are you? No thank you.
MALWARETECH: So, I remember we had quite a long conversation, and then you went away and you came back without the mask. Then you came back and you sort of went to re-engage the conversation, and I had no idea who you were. I was like, who is this random guy?
JACK: [Music] Okay, a fair point. I wear a lot of disguises. So, you’re right, some of this is on me. But I’m happy to announce that today, finally, I am interviewing MalwareTech.
MALWARETECH: I’m MalwareTech and I’m an anonymous security researcher.
(INTRO): [INTRO MUSIC] These are true stories from the dark side of the internet. I’m Jack Rhysider. This is Darknet Diaries. [INTRO MUSIC ENDS]
JACK: We’re gonna start this story in early 2017. As he said, his name is MalwareTech, and he’s an anonymous security researcher. He would research malware and then publish his findings anonymously under the name MalwareTech. He never posts his picture on the internet. His Twitter profile is just a picture of a cat wearing glasses. Nobody knew who he was or what he looked like.
MALWARETECH: So, I’ve been a cybersecurity analyst since about 2016. I mostly specialized in a combination of malware, reverse engineering, and cyber threat intelligence. So, my job was basically to reverse-engineer botnet malware and then find ways to monitor their C2 infrastructure in a way that we could actually see who was being infected. So, our goal was to sort of do external threat intelligence. So, rather than being on someone’s network and saying, hey, look, there’s a sign that you’re infected with malware, our goal was to be on the bad guy’s network and be able to see all the victims of the malware and then alert them to the fact that they’re infected.
JACK: Where were you living? Was it Cornwall at the time?
MALWARETECH: So, I was in Devon. So, just north of Cornwall. Pretty close to the border, actually.
JACK: What is that? I think I watched a show. There’s TV shows based out of Cornwall, and I think it was — Doctor Martin, was it?
MALWARETECH: Yeah, that was the one, yeah. I think that there were some episodes in Devon, but I remember my parents were very excited. They called me one time and they were like, there’s some famous people filming in our town. We live in the middle of nowhere, so there’s no famous people there. Any kind of filming is a huge deal. So, there’s — you’ve probably seen it on the TV once or twice.
JACK: Yeah, I have. It’s a very picturesque place. It’s beautiful.
MALWARETECH: Yeah, so where I live, which is in north Devon, we have this massive, long — I think it’s like three, four-mile-long beach. Beautiful golden sand. It picks up a nice Atlantic swell that we — I think comes from the hurricanes down in the Gulf. [Music] They’ll occasionally swing north towards the southwest coast of England. So, we actually get some really, really big surf down there. So, living so near the sea, I was like, well, what do I do for hobbies? ‘Cause we had moved from inland. So, I’m like, any new hobbies? What do people here do? The obvious answer was surfing. So, I took up surfing. It turned out it’s a really, really fun sport, but a lot of people don’t associate it with England. They think England is rock beaches, pebbles. Usually, they’re thinking of places like Blackpool. But there are some really, really good surf spots on the southwest coast, and I just happened to live right next to one. Basically, I wake up one day, and it’s all over the news that this ransomware is infecting lots and lots of British hospitals.
REPORTER: We start with breaking news this hour. [Music] A number of procedures have been canceled or redirected to other NHS providers following a cyberattack on some of London’s major hospitals.
JACK: The ransomware would soon be called WannaCry, and it was hitting tons of hospitals around the UK. Their computers would get infected and then completely encrypted. You couldn’t use it at all, and you had to pay Bitcoin to get it unlocked again. This infection forced hospitals to turn away patients and cancel procedures. It was awful.
MALWARETECH: So, I think the consensus is that it was someone working on behalf of the North Korean government.
JACK: It’s very interesting how this came about, too. We believe it was the NSA that developed the exploit, which they called EternalBlue. Which, by the way, the NSA found this exploit in Windows, Microsoft Windows, an American company, but didn’t tell Microsoft that they have this really bad vulnerability in Windows, and it absolutely flabbergasts me that NSA discovers vulnerabilities in US companies and then not tell those companies that their product is vulnerable to attack. But it gets worse. Then the NSA somehow lost control of this exploit, and it ended up in the hands of someone calling themselves the Shadow Brokers.
MALWARETECH: Just the set of circumstances that led to WannaCry were so insane, ‘cause of course you had the Shadow Brokers leak, and the Shadow Brokers isn’t — they haven’t been attributed yet, but it’s widely believed to be Russian intelligence. So, Russian intelligence hacks the NSA, steals one of their most-prized vulnerabilities, leaks it onto the open internet, at which point North Korea pick it up and decide to make ransomware with it, and we’re not even to this day sure whether WannaCry was supposed to be released yet. There are a lot of signs in the code that it might have been a work in progress that accidentally leaked a little earlier than they had intended it to.
JACK: We think the North Koreans unleashed ransomware on the world just to try to make some money, which is wild. Other nation states are not doing cyber-thug activity like this trying to make some money through ransomware, but North Korea does it. But one reason we think the exploit got released too soon was because it was discovered pretty early on that there’s no way to track who paid the ransom.
MALWARETECH: Usually ransomware would generate a unique Bitcoin address for every single victim, and then they can tell if that victim paid by telling if there was a payment in that Bitcoin wallet. But there was a bug with the code where it only generated something like three Bitcoin wallets. So, all of the payments are going to these three Bitcoin wallets. They have no way to trace who paid and who didn’t. So, while I think it was intended to be ransomware or intended to at a later date be ransomware, at the time that it was released or got out, it was essentially a file shredder. There wasn’t really any realistic way to get your data back.
JACK: What scumbags, you know? For one, for a country to extort hospitals to try to make a little bit of money? Come on. But two, to release ransomware so bad that it doesn’t even work right; it just cripples businesses with no way to undo it — so, North Korea didn’t make much money from this, and simply gave the world a black eye for no reason.
MALWARETECH: I think a lot of what went into them not making much money was it came out very early that the files weren’t decryptable. Almost immediately when the first infections happened, analysts — they raised the alarm. They went to the press and they were like, don’t pay the ransom. You’re not going to get your data back.
JACK: Of course, all this news is right up MalwareTech’s alley. Malware research is his bread and butter. He wants to know more.
MALWARETECH: Now, the thing with ransomware is back then, it was mostly spread by phishing e-mail. So, if you see an organization or two infected, that’s pretty normal. [Music] But if you’re seeing ten, twenty, thirty different parts of the same organization being infected, that’s either a lot of people falling for phishing attempts or it’s not phishing. My first instinct was this isn’t phishing. This is hitting way too many organizations, way too many parts of the same organization. It has to be something bigger. So, I went and I asked my friend Cathy, can I have a sample of this? The second I looked at it, I was like, oh, this is bad.
This isn’t your standard ransomware, ‘cause at that time, ransomware was purely spread by phishing or botnets. I didn’t think anyone had ever made wormable ransomware before. I was like, this ransomware spreads from computer to computer, completely unaided. It doesn’t need a user to click a malicious link or open a weird e-mail. It will literally just get onto a computer, look for other computers to hack, and then hack them and infect them and just repeat that process over and over. That was the point where I was realizing we are dealing with something that I don’t think has ever been seen before.
JACK: [Music] This thing was spreading fast. Hundreds of networks were spreading it to hundreds more. Soon thousands were infected, all trying to spread it to thousands more. The internet was burning like an out-of-control wildfire that day.
MALWARETECH: I was tasked with stopping the ransomware, and historically when I work with ransomware, it’s almost impossible to stop. Sometimes you can decrypt it retroactively. There’s flaws in the encryption, you can break the encryption and get people’s files back, but in terms of stopping actively-spreading ransomware, that is almost impossible. Sometimes there will be a vulnerability where we can hack into their command and control server and put a stop to it. So, that’s what we were looking for.
JACK: But as he looked through the ransomware code, he noticed something. There’s a strange domain name in this code, a URL, just a long string of gibberish letters with .com at the end. He looked; the domain wasn’t registered.
MALWARETECH: When I saw this unregistered domain in the WannaCry code, I was like, nice, this is probably a command and control server. So, I registered it and then I started looking; what can I do with this code? Like, what can I do with control of this domain? I’m thinking it’s a command and control server, and maybe we can exploit a vulnerability in the WannaCry code, maybe crash the malware or anything that could stop it from spreading. But it actually turned out, while we were trying to figure out what is the purpose of this domain, what does it actually do, we had already stopped WannaCry, because the domain was a kill switch.
JACK: Without him even realizing it, the moment he made this domain active, the WannaCry malware stopped, just suddenly and surprisingly stopped spreading.
MALWARETECH: Someone had basically just posted on Twitter that WannaCry has been stopped. Like, someone has activated a kill switch in WannaCry, and we actually didn’t know we had activated the kill switch until several hours later.
JACK: The purpose of this domain in the code was before the malware spreads, it first checks to see if the domain is up and alive, and if it is, the malware stops everything it’s doing. Since MalwareTech just registered it and set it up, that triggered the kill switch to essentially deactivate one of the most brutal, devastating ransomware attacks the UK has ever seen.
MALWARETECH: By the time we actually got around to looking at the code, it was like — it had already reached the media that we had stopped it. We were like, oh, okay.
JACK: Yeah, the media was reporting that someone stopped WannaCry before he even knew he did it. But wait, if he’s got control of this domain, can he set some sort of monitoring tool up so that he can see what traffic is going to this domain?
MALWARETECH: [Music] Yeah, so, we were actually very lucky in that we did this professionally. A lot of our work was about finding ways into botnets and then collecting these analytics. So, we actually already had the system set up to do that, which was great. So, I was like, awesome. We have this — all this analytics. We can see how many systems WannaCry was hitting. But while I was focusing on that, everyone’s like, who is this guy who stopped the world’s biggest ransomware attack? Meanwhile, I had no idea that that was going on until I checked Twitter, and I was like, oh, oh.
JACK: The thing is, he was tweeting from his username, MalwareTech, all the analytics that were coming into this domain. This made people realize MalwareTech is the guy controlling the kill switch. He’s the one that stopped it since he had all these analytics and could see what was going to that domain. But the thing is, not everyone put those pieces together like that. Some people thought, well, if he controls that domain, then that must mean he’s the one who wrote the malware.
MALWARETECH: So, as far as a lot of law enforcement and intelligence agencies are concerned at the time being, I am the one who created WannaCry. I’m the person responsible for WannaCry. [Music] That is my domain and I’m controlling it. So, it led to a very, very interesting scenario ‘cause everyone was kind of confused about — how did this happen, why is the domain there, and why did this random British teenager…? Well, I think I was twenty-two, actually, so not quite a teenager. But they’re like, why does this random British dude control the domain that is in this massive piece of ransomware that is destroying networks all across the world?
JACK: Did you discover all this in your parents’ bedroom, by the way, or your parents’ house?
MALWARETECH: Yeah, so the unfortunate stereotype of the nerd in his parents’ basement is true. It was technically not a basement ‘cause our house had multiple levels. The front door was a level higher than the back door, so it was technically a basement but technically also not a basement. But I was basically in my parents’ basement.
JACK: Once the news got out that this guy, MalwareTech, is the one who stopped the world’s biggest ransomware attack in history, his whole life changed.
MALWARETECH: [Music] It went wrong in every way possible for me. I had set it up so the domain was registered through a proxy that shouldn’t have traced back to me, but I think my Twitter gave them enough to find me. My goal personally was to be an anonymous researcher. I had basically seen my whole career just being an anonymous researcher who — no one needs to know my name. They don’t need to know what I look like. I can just publish my blogs in peace, and no one needs to even know who I am. Then I got an e-mail from — I believe The Daily Telegraph, and they were like, we found your real name. We found your address. We found your parents’ name, and we’re gonna publish it tomorrow, and we’d like comment.
I begged them, do not publish my name. Don’t publish my photo. Please just respect my privacy. But of course, they have the biggest story related to WannaCry so far. The Daily Telegraph was the first person to actually correctly identify me. So, they knew they had a story that would get a lot of eyes, and I kinda knew where this was going. I was like, I’m gonna beg them anyway, but I know they’re gonna publish this, and I know it’s all downhill from here. I believe this was the Monday. So, WannaCry happened on the Friday. I woke up Monday; they had published my name, they had published my photo. The Daily Mail had published my house address for some reason. I remember reaching out to journalists and being like, dude, what the hell is this?
Why would you possibly need to publish my home address in the UK’s biggest newspaper after I’ve stopped a major criminal attack? This doesn’t make any sense. He apologized and he took it out, but I was like, dude, what goes through someone’s mind to think everyone needs to know where this person lives? But yeah, so, that day I woke up and my name was out there. Everyone knew it was me. I couldn’t walk down the street without being recognized by someone in town. I was like, this is it. This is the end of an era. I’m no longer MalwareTech, the anonymous researcher. I’m now Marcus Hutchins, and I remember just thinking, man, this is gonna be such an Earth-shattering change to the way I saw my life going.
JACK: [Music] Once his name was out there, another paper, The Daily Mail, found a picture of him and published it. The headline read, ‘Surf dude saves the day’.
MALWARETECH: I think that was the two-page spread with my face on it, right?
JACK: Yeah, front cover.
MALWARETECH: Yeah. So, before that, no one knew what I looked like because I ran an anonymous Twitter account with a cat avatar, and I believe they were the first ones to actually get a real photo of me. My mum, she reads The Daily Mail, so she came home and she handed me the newspaper, and there’s my face across a two-page spread. I’m like, oh my god.
JACK: Marcus Hutchins was now world famous, and everyone wanted to talk with him, even me.
MALWARETECH: There was this dude, this one dude; he kept ringing the doorbell every single hour. Then when we finally were like, look, you’ve gotta stop doing this, he just started calling instead. Somehow he had our phone number. There was — at one point there were several journalists just hanging around on the sidewalk outside my front door, waiting for me to come out of the house — of this funny story of me having to climb over the back fence to go and get food, because these journalists just would not leave the outside of my house. At the time I just didn’t understand why this was such a big deal, and as a very non-public person, it was actually quite scary.
JACK: Marcus is a private person. He’s a bit awkward around people, very soft spoken. He does not want this kind of spotlight on him. This was agonizing for him. He’s tall and has huge, poofy hair. You can spot him easily in a crowd, and people were stopping him to talk with him everywhere he went. Are you the guy who stopped the ransomware? It wasn’t just random people and journalists. Foreign intelligence was curious about him, too.
MALWARETECH: In the months after WannaCry while the investigation was still ongoing, before we knew that it was North Korea, there were a lot of foreign intelligence agencies. They weren’t really sure what my role was. There was actually one incident I remember quite clearly when I was traveling in a foreign country, and some researchers from a neighboring country had invited us out to lunch. [Music] They were like, hey, we’re really interested to hear about your research. Would you like to come to lunch with us? They gave us an address, and the address was across the border in their country.
I didn’t see it as immediately suspicious because we were very close to the border of this country. So, I’m like, okay, they’re researchers from this country. They’re probably gonna know more good restaurants in this country. Let’s go meet them in their country for lunch. I got a tap on the shoulder by someone who I have no idea who they are or who they worked for, and they were like, just so you know, those are intelligence operatives of that country. Those people inviting you to lunch work for their foreign intelligence service. I would maybe go get McDonald’s or just go anywhere else.
JACK: So, you don’t know who tapped you on the shoulder. It was just a stranger from the crowd and then they disappeared after that.
MALWARETECH: Yep.
JACK: What?
MALWARETECH: It was one of the weirdest experiences I had in my life.
JACK: That must have been for — just to have some random person tell you that and then suddenly the camera’s zooming way out. Like, whoa, hold on, let me…
MALWARETECH: I assume it was probably someone from my country. I don’t know…
JACK: Why is someone from your country following you to another country while you’re on vacation? That is crazy. I think it was someone following those people around, and then they’re like, wait, who’s this guy they’re…? Oh, I see.
MALWARETECH: It’s entirely possible. We ended up on a lot of people’s radars after WannaCry. My colleagues not so much, ‘cause they weren’t as in the public eye as me, whereas I was the one who got tracked down first, so I took most of the heat. But I ended up having to actually go into a few different countries and speak to their law enforcement and tell them my side of the story, ‘cause there was obviously a lot of suspicion. They’re like, no one knew where WannaCry came from, and I was the only tie to it. All they knew is that this worm just came from nowhere and there’s only a single domain in the code, and it’s linked to Marcus Hutchins in Great Britain. So, I basically ended up going on this sort of — almost like an apology tour but without an apology, because I’m not responsible.
So, I had to sort of give them my side of the story, explain why we registered the domain, how it came to that, and eventually, obviously — I think it was — it might have been October. It was a good six or seven months after WannaCry that the NSA and GCHQ and I think the Australian intelligence services, they all came out and they pointed the finger at North Korea. So, after that, the heat kinda died down, but in that bit between stopping WannaCry and it being publicly attributed to North Korea, I spent a lot of my time dodging very — I don’t know how to describe it, but very suspicious situations. I suspected that people had nefarious intentions with either wanting to interview me or inviting me to their country to come speak at their conferences. There was a lot of that in that period, so it was a very, very strange time in my life.
JACK: Man, how crazy is that, to be invited to speak at another country and then to wonder, is this a ploy for some foreign intelligence operatives to arrest me? Or even worse, is North Korea mad at me and they want to pay me back for screwing up their ransomware and they’re inviting me to this thing just so they can kidnap me? Marcus has to be very careful from now on. This sudden fame was attracting a lot of strange people. WannaCry hit in May of 2017. Three months after that was Defcon, [music] the annual hacker conference in Las Vegas in the US. Marcus had been there once before in 2016, and he liked it, so he flew out again in 2017. But little did he know that this Defcon was going to radically change his life.
MALWARETECH: So, it was insane. I cannot even accurately describe the feeling of it.
JACK: Try, though. Try. Let’s hear it.
MALWARETECH: Yeah, so, there’s what we did personally and then there’s what we did within the conference. So, personally, what my friends had found out is that hotels in Vegas are ridiculously expensive. They basically calculated what could we afford if we just put all our individual hotel room costs together and got an Airbnb instead? We found we could get one of the biggest mansions in Las Vegas with the largest private hall in, I believe, the entire state. So, we went and we got this insane mansion. Then we’re like, well, the mansion’s not complete without supercars, right? There’s a car dealer in Vegas that — they let you rent supercars for like, a day, two days, three days a week. So, my friends, they went out and they rented supercars. So, we had this driveway full of supercars, and they’re not particularly expensive to rent for short periods of time.
But of course, I didn’t realize that in the background I was setting up this scene of me being this very, very wealthy person, when in reality the costs were split between about — I think eight to twelve people. So, we had this crazy Vegas trip. We stayed in this massive mansion. We were driving around in supercars. We were shooting automatic weapons. We just went all out on Vegas. Now, the conference itself was very, very different. Now, I had suspected I would get a fair amount of attention at the conference given how recent WannaCry was. It was only, I think, three months ago. [Music] But I had no idea the level that I was going to experience. I remember this was back when it was in Caesar’s Palace, the actual casino, before the forum. Anyone who’s been will remember there’s these hallways that are maybe twenty, forty feet wide, and it’s just shoulder-to-shoulder people all the way down the hallway.
I could not walk through the hallway because the traffic was moving so slowly that I would take a step, someone would recognize me; they’d come over and talk to me, and by the time I got to take my next step, someone else would come over. I had to get to this one event, and it took me two hours and fifteen minutes to walk a — maybe a hundred feet down the hallway. I was just like, I need to go to my hotel room and hide. There’s like — an average fifteen-minute conversation will drain my social battery to the point where I need to sleep, and I’m now at a level where I physically feel like I’m gonna pass out. It was one of the most crazy experiences I’ve ever had. I just remember feeling so overwhelmed, ‘cause I knew there was gonna be people who would want to come up and talk to me. I just didn’t think it would be that many.
JACK: What was some of the stuff they were saying to you?
MALWARETECH: Oh, it was all overwhelmingly positive, like super heartwarming stuff. Everyone was just really, really positive. They were all very kind, very polite. I don’t think I had, in the entire Defcon, a single negative interaction. People make out the hacking community to be all these bad people and evil, but generally speaking, I cannot think of a single negative interaction I had. Everyone was so polite and so wonderful, but then on the other side of this, I’m just an introvert, so I’m not used to this level of attention. So, inside I’m like, this is really, really heartwarming and supportive, but also, I feel like my entire body is on fire.
JACK: Yeah. Wow, so what a weekend. You gotta fly back to the UK after that, right?
MALWARETECH: Yeah, so, I believe the second of August. We spent ten days there. So, second of August I was due to fly back to the UK.
JACK: Mm-hm. So, you have to go through the McCarran Airport in Vegas. You get through security just fine?
MALWARETECH: No. So, security was a little weird, ‘cause usually when you go through security, they make you take any big items out of your bag; laptops, iPads, phones. That is my experience with that airport. They always make you take your laptop out of your bag, whereas with me, they didn’t. It seemed like they were speaking to me specifically and not the guests in general. They — as I went to put my bag — like to unpack my bag, they said, oh, just leave everything in there and put it through. It felt very weird at the time. I was like, it didn’t look like they said that to anyone else other than me. It looked like they specifically singled me out.
I had a feeling I knew what was coming. I had a feeling that it was actually gonna be related to WannaCry, that the FBI had some questions for me and they were gonna pull me aside, but I was actually — I wasn’t sure. So, my bag goes through security just fine in the weirdest way possible. I go to the lounge, and I think maybe an hour before my flight, a bunch of people in CBP uniforms approach me. [Music] I’m like, huh, ‘cause CBP is customs. I’m trying to think, what would I have done that would get me on the wrong side of customs? The only thing I could think of is this was the year that they had legalized recreational cannabis in Las Vegas.
So, I was like, did I forget to take some drugs out of my bag? So, I’m thinking they’re pulling me aside because I had forgot to take some weed out of my bag; they found it, whatever. They take me to this back room, and they take off their jackets and they unroll these badges, and it’s FBI. I’m like, oh, okay. So, I did not know that was even something you were allowed to do, to pretend to just be a different agency, or if the people who took me were genuinely also CBP. But I get to this back room in the airport and they identify themselves as FBI. At this point I still am not exactly sure why I’m being detained.
JACK: I’m sorry, but I have to take a quick ad break here. But stay with us because Marcus is about to be very surprised about why the FBI is talking with him. You have such a happy demeanor to you, so I imagine even in those first fifteen minutes or so of like, oh, okay, we’re actually the FBI, I still imagine you smiling and being like, oh yeah, you know what? There were a thousand people who wanted to ask me about WannaCry. I’m sure you’re just another one. What do you want to know? Did you have that kind of attitude, or what was that first fifteen minutes like?
MALWARETECH: So, I believe I was a bit hungover, but you are right; I always just have this happy demeanor. So, I’m like, even when things are generally really, really bad, I always just am chill and happy to be there. So, I — yeah, I think I was a bit hungover but otherwise I was like, oh, okay, it’s the FBI. Whatever, I’ll talk to them. But I hadn’t quite yet figured out why they wanted to talk to me.
JACK: Okay, and what were the questions they were asking you?
MALWARETECH: So, they started off with a bunch of random questions. It felt like they were deliberately trying to confuse me. They themselves were trying to obscure the reason why they had pulled me aside. So, it felt like they were basically just fishing for information in a way that was designed to prevent me from realizing that I’m in trouble and I need a lawyer. So, they kinda presented themselves as these very — just, we’re asking questions. We’re just some friendly FBI agents asking questions. I thought it was about WannaCry until a good thirty minutes, I think, into the interview.
[Music] So, you know in the movies when they slide the document across the table and they ask you, do you know what this is? Usually it’s a photo of a murderer or whatever. So, they did that. I didn’t think that was a real thing they did, but they did that. Except, in my case, they had basically printed off compiled code. So, it was basically just fifteen pages of just straight gibberish. So, I’m going through these pages and they’re like, do you know what this is? I’m like, no — like, honestly, no. This is literal gibberish. But then one of the things with compiled code is any text that is present in the code is present in the — however you were to print it off.
So, I get to the text section of the code and I start recognizing the strings. I’m like, oh, they printed off the Kronos executable. They’ve taken the compiled Kronos malware, opened it in Notepad or something, hit Print, and this is what I’m looking at. That was kinda the point where I realized, oh, I’m in some serious trouble. But then I’m also trying not to laugh because someone has just tried to print an executable and hand it to me. Yeah, so, I’m toggling between almost smiling and oh shit, I’ve really messed up.
JACK: It is absolutely ridiculous that they printed off a program and handed it to him. It wasn’t readable code. It was compiled. Only a computer could read it. There’s no way that anyone can read this gibberish. Except, there was one word in there which made Marcus realize what he was looking at; the Kronos malware. Kronos was a devastating banking malware. It was designed to get access into a victim’s bank account, and then the person operating the malware can siphon funds out of the victim’s bank. The FBI agents handed it to Marcus and asked him if he recognized it, and he did recognize it. Because before the world knew who Marcus Hutchins was, he was only known as MalwareTech, an anonymous security researcher. But before that, he was a malware developer.
MALWARETECH: [Music] I started out as a malware writer. I specialized in writing rootkits. So, that’s malware that hides malware. So, I mostly did stuff like Trojans that would do Bitcoin mining, stuff that’s not super harmful but also not really very great, either. It’s like the — not the worst of the worst, but obviously not something that I didn’t deserve to go to jail for.
JACK: Basically, he would write malware, which in itself is not so bad. It all depends on what you do with the malware, right? But he was working with someone who wanted to take his malware and sell it so they could make money. So, now his malware was being offered to criminals for sale. But still, by itself, his malware wasn’t making any sales.
MALWARETECH: Basically, we had a seller. So, his job was to sell the malware. I would write the malware for him and then he would sell it. Then he announced to me that he had contracted this other programmer to combine my code with the banking code to make banking malware that he wanted to sell. So, essentially, I had a choice. I was like, okay, so, my code has just been made into banking malware. I am already implicated in this. What do I do? So, I was like, I don’t really want to have anything to do with this. I specifically said that any kind of credit card fraud or any kind of theft of money was over my moral line. I don’t want anything to do with this. That was the point when he basically hinted that if I didn’t continue to maintain the code, he would drop my name and address to the FBI. So, at that point, I was like, I am in too deep. There is nothing I can do at this point.
JACK: So, as a teenager he developed part of this Kronos malware, and now it was being bought by criminals and actively used to rob people’s bank accounts, and he’s actively supporting the code, adding in features, fixing issues. This made him worry.
MALWARETECH: [Music] The second he told me that he had combined it with the banking malware, I was like, yeah, this is going to come back and bite me. There is no way that I am — I knew this was gonna come. I am going to be picked up by the FBI at some point. This is gonna come back to bite me. Even then as — I think I was maybe nineteen when this happened. I knew the repercussions. I was like, this is bad.
JACK: He kept looking for a way out of this deal to stop working on the Kronos banking malware, but he feared that the guys he was working with were gonna turn him in if he quit.
MALWARETECH: So, I kept maintaining the code for about — I want to say six months, a year, until I found a way to get out in a way that wouldn’t result in him sort of doing anything to me, like he wouldn’t report me to the FBI or do anything that would harm me other than the harm that has already been done. So, eventually, about a year later, I find him out and I completely distance myself from the project. I think I spend about a year just doing blogging, and then I get a job in cybersecurity. So, I basically — I leave the life behind. I go into a professional cybersecurity role, and that’s when I started doing this malware reverse-engineering and cyber threat intelligence.
JACK: [Music] So, in August 2017, on his way back from the most epic Defcon ever, about to step foot on the plane, the FBI grabbed him and handed him a copy of his malware. He knew exactly what that was, and he feared this day would someday come. At this point he’s missed his flight. His friends are worried about what happened to him, and he’s starting to sober up. The smile faded.
MALWARETECH: So, yeah, they took me to overnight holding, which is basically — it’s like actual jail. So, it’s the jail you go to when you get arrested by the police for being drunk and disorderly or whatever.
JACK: Man, to be in jail with all the drunk and disorderly people from Las Vegas, that’s gotta be a real nightmare.
MALWARETECH: Yeah, from the nice, fancy mansion and driving around in Lamborghinis to the concrete cell in county jail — well, I don’t know if it was even called county jail. But yeah, that was a very, very high high to a very low low.
JACK: Now, the FBI needed to process him in order to charge him for these federal crimes, but it was getting late and the FBI agents were tired. So, they just needed to dump Marcus somewhere for the night, and then the FBI would pick it up again in the morning and finish processing him. So, they take him to the jail.
MALWARETECH: The jail was full. There were no free cells. So, the police handcuffed me to a chair for the entire night. They were like, you’re just gonna be handcuffed to this chair in the lobby for the next twelve hours. I was like, great, that’s very comfortable. As a six-foot-four guy, I can think of no more comfortable way to sleep than in a lobby chair. So, I was a little upset at that point. I was like, okay, I can understand the rest of the stuff, but you’re gonna handcuff me to this tiny chair for twelve hours? But then I found a solution. I needed to go to the bathroom, so I asked to go to the bathroom. It turns out, the bathroom is just a cell that they leave vacant for people to use, ‘cause each cell has its own toilet in it. So, they have a spare one which is like the visitor toilet.
So, I asked to go to the bathroom, and they throw me in that cell; they lock the door. I’m like, well, how do I get back out? I realized that you don’t. You basically just stay locked in the bathroom until the next person uses the bathroom. So, my plan for the night ended up becoming — I asked to go to the bathroom. The bathroom is just a normal cell, so it has a concrete bench. I sleep on the nice, comfy concrete bench. Then when someone else next needs to use the bathroom, they take me out, they handcuff me back to my chair. I ask to use the bathroom again, and that was basically my night, is I just slept on the concrete bench in the designated public toilet cell. Oh yeah, so, in overnight holding, because a lot of the drunk people might pass out and end up in a state where they need medical attention, the guards are supposed to do a round every twenty minutes and check on all the cells.
So, there’s a very loud audible alarm that goes off to signal the guards to start their check, and it goes off every twenty minutes. Basically, you’re just sleeping for twenty minutes at a time, ‘cause you cannot sleep through that loud of an alarm. I would put that as the rock bottom of my life, basically just sleeping on a concrete bench in a public toilet. So, I think I get woken up at 4:00 a.m. in the holding facility. They wanted to process me, which I’m like, why are you processing me? You’re not keeping me. The FBI just left me here for you to deal with overnight, but I’m not staying. I remember I was in a really bad mood because I had been woken up every twenty minutes for the entire night. My back hurt. My side hurt. Every surface of my body hurt from trying to sleep on concrete.
Then this guy’s asking me all these questions, like what’s your sexuality? I’m like, dude, you’re not — I’m not doing this. So, I told him, I’m not doing your intake form. I’m not going to be in prison here. There is no reason for me to be up at four in the morning doing prison intake. I remember him saying to me, you’re not leaving here without it. I wanted to be snarky and I wanted to be like, how much money do you want to bet on that? Of course, a couple hours later, the FBI just came and they’re like, we don’t care whatever he did here. He’s ours. They take me off to the local — I think it’s like a field office or maybe some kind of satellite office. They spend an hour processing me, like fingerprints, hair sample, saliva sample, you name it, photos. Then they — you get handed over to the US marshals.
JACK: He gets taken to a federal detention center, basically a prison. He was locked up for the banking malware that he wrote when he was nineteen. So, there was nothing he could do but just sit there and see what fate has in store for him next.
MALWARETECH: [Music] Someone who I actually didn’t know at the time — her name is Tarah Wheeler and Deviant Ollam, who — they’re pretty well known in the hacking community, but I didn’t know them and I had never met them. But they ran down to the courthouse and they posted my bail. They put up their own money. This was cash bail. If you’re not familiar with the bail system, typically if they set you a bail at 30k, you can go and borrow the money from a bail bondsman, and it’s usually — I think it’s a 10% deposit. So, you would just pay 3k and they’d put up the 30k for you. But when you have a cash bail, you have to pay the entire amount yourself. So, they put up 30k of their own money to bail me out of jail. That was just — that truly just blew my mind that a stranger, someone I’ve never met, would be kind enough to do something like that for me.
JACK: Tarah and Deviant simply saw Marcus as someone who helped the world by disabling WannaCry, so they asked the hacker community to all pitch in and help bail out Marcus, and people did. Honestly, this is gonna sound crazy, but it’s true; I randomly ran into Tarah myself at that time. We were on a remote island deep in the woods of all places, and in the first few minutes of meeting her, she asked me, hey, we’re raising money to help Marcus. Are you in? I actually gave her some of my money myself. She made a good case on why it was important to help people in situations like this, and they raised enough money to spring him out of jail.
MALWARETECH: I came into the US on what’s called an ESTA, which is — a lot of countries have visa-free travel programs that allow you to visit as a tourist for thirty to ninety days without needing a visa. But you’re not allowed to work on those and you’re not allowed to stay longer than the thirty to ninety-day period. So, I’m in the US on a temporary visa, but my bail condition is I’m not allowed to leave the country until the case is over. [Music] Federal court cases go on for a long time.
It’s very, very rare for a federal court case to go on for less than a year. So, I’m now in this sticky position where I need money to survive, but I’m also legally not allowed to be in the country, but I’m also legally not allowed to leave the country. So, I’m like, huh. Do you guys have a protocol for this? They’re like, no. Usually we don’t arrest foreign nationals like this. Or if you — when we do, you would be in jail. We’ve actually not had anyone be granted bail in this way. So, I’m like, okay, so I guess I’m just on my own here. I’m just gonna have to figure it out myself.
JACK: He was stuck; can’t leave, can’t work. Lucky for him, a few good lawyers heard about his case and wanted to help him.
MALWARETECH: Yeah, so, one of my lawyers lived in LA, and my case was out of Milwaukee. As much as I love the people of Milwaukee, Milwaukee’s not my scene. I’m a West Coast kind of surfer vibe, so I want to be near the coast. I want to be surfing. I want the nice, warm weather. Basically, one of my lawyers made the argument that, well — one of my lawyers is from LA and the other’s from San Francisco. So, if I’m stranded in Milwaukee, any time we need to do legal meetings, they’re both going to have to fly to me or I’m going to have to fly to one of them, and the other is going to have to fly to one of them. It’s a logistical nightmare. So, my lawyers were like, well, wouldn’t it make sense if he lived near one of his lawyers?
The judge was like, yeah, that’s actually the more sane way to do this. So, they basically agreed that I could go and live with — in the same city as one of my lawyers. I don’t remember how or who chose it, but it ended up being LA. So, I get moved to LA, and I had never been to LA before. I didn’t know what it was like. I didn’t know what to expect, and I remember just kind of falling in love with the city within two weeks, which was pretty funny, ‘cause a lot of governments, their strategy was give us what we want and we’ll let you go home.
But after two weeks in LA, I’m like, actually, you know, I’m kinda good. I like it here. They’re like, give us what we want and you can go home. I’m like, no. They’re like, okay, give us what we want and — or we will deport you. I’m like, but you can’t deport me until the case is over. It just — it made things a little bit tricky for them because they had angled their whole case on this idea that I desperately wanted to go home to the UK, which was no longer the case. I actually — I made a lot of new friends in LA. I found a lot of cool stuff to do, and I was like, you know what? I’m actually pretty happy here.
JACK: So, he became a bit of a beach bum. He couldn’t work or leave, so surfing just became the thing he’d do, right there on Venice Beach. Okay, so what charges did they have on you at this point? What is the — what are you facing?
MALWARETECH: I actually don’t know. This is gonna sound absolutely insane, but I regularly have to Google what I was convicted of, because it was very obscure. Because in the US, it is not illegal to write malware. You might intuitively think, malware bad; surely it’s illegal. It’s not. There is actually no federal law against writing malware. So, what they tend to do is they tend to find other laws that can be interpreted in such a way as to charge you with malware. Now, initially I think they hit me with six charges and then they later upped it to ten, but they were all very obscure. They were things like conspiracy to commit wire tapping, conspiracy to sell a wire-tapping device, conspiracy to advertise a wire-tapping device.
Their basic argument was that malware listens to keystrokes. Like, it’s like a key-logger, and a key-logger is like listening in on telephone calls, therefore we can use the wire-tapping act to charge him with what I would not call wire tapping, but they had argued is. So, I’m being charged with a statute that was originally made for stopping people from listening in on telephone calls. I’m also being charged with conspiracy to commit computer hacking. The way that works is if I am in any way involved with someone else doing hacking, they can charge me with conspiracy, being a part of a conspiracy. So, they basically argued because someone used my malware to hack people and I wrote the malware and then it was sold to that someone, I am therefore a conspirator in the — in whatever hacking happened.
So, although I had never used my malware to hack anyone and I had never hacked any systems, they got me on conspiracy to commit computer hacking. I remember my lawyers explaining all this to me for the first time, and I was just insanely confused because in England, it’s just illegal to write malware. So, if I was charged in England, they’d be like, this is the no-writing-malware law. You’re being convicted of the no-writing-malware. But in the US, it was just so obscenely complicated that I couldn’t even wrap my head around what I was actually being charged with. I’m like, telephone wire tapping? This makes no sense.
JACK: Here’s the thing; Marcus knew that by creating the Kronos malware, what he did was wrong. He knew he should face charges for that, but these charges? No. These were not the right charges. I’ve heard this time and time again from hackers on this show. They knew they did something bad. They were ready to face the consequences for it, but the charges that they were facing were for something else entirely, and that doesn’t feel right. Like, if you steal a thousand dollars from someone and get caught, you know you’re guilty, right? So, when the police say, did you do it? Yep. Okay, great, here are your charges. We know you worked with five other guys and together you all sold $200,000, so you’re facing ten crimes total. Whoa, whoa, whoa, hold on. I only stole a thousand dollars. This is not right. You know you’re guilty of stealing, but not guilty of all the other stuff. So, you feel like you have to say ‘not guilty’ to all of the charges since none of them match the actual crime you did. It’s a broken system.
MALWARETECH: At that point I think I had decided to fight the case, because what had basically happened is they had made it very clear to me that they did not care that I committed crimes. This was not ‘you’ve done something wrong and we’re bringing you to justice’. They were very, very clear that they were only charging me to leverage me into becoming an informant and giving them up someone that they wanted. At that point I was kind of annoyed, because in my mind that’s not how the justice system works, right? You do a bad thing; you go to jail because you did a bad thing. Whereas they were saying, we don’t actually care what you did. We just want this other guy. I’m like, what? ‘Cause this isn’t — I guess for the American listeners out there, this is not how the UK system works.
In the UK, you don’t have plea deals and it’s very, very hard for prosecutors to do cases in this way. The UK system is a lot more clear cut. You do a bad thing, you get charged with the bad thing, and you go to jail for doing the bad thing, whereas the US is a lot more geared towards — there’s always a bigger fish. They just — they want the bigger fish. They don’t really care about you or what you did. This was, of course, my first experience with the US justice system. So, I’m confused. I’m a bit frustrated. I’m annoyed. So, I ended up kind of deciding to fight the case because I also noticed that these charges don’t really make any sense. There is no law against writing malware, so you’re just charging me with these weird crimes. So, I’m like, okay, let’s just fight it and see what happens.
JACK: [Music] Okay, so you had two lawyers at the time. That must have been costly.
MALWARETECH: No. So, I was actually very lucky. These two great, great lawyers, Marcia Hofmann and Brian Klein, they reached out to me and they were like, we would like to take your case pro bono. These are like top, top lawyers, the kind that you would want on your side in a cyber-crime case. I remember they reached out to me and they were just like, we want to take your case free of charge. You’ll obviously have to pay court fees and filing fees and for your flights to and from the courthouse, but other than that, we’re not gonna charge you for our services. It just felt like a gift from the heavens. It was like, so much of the theme behind this story was just random people I had never met just sort of going out of their way to help me, and it was just such a surreal experience to have all of these people coming to my aid out of seemingly nowhere.
JACK: Okay, the fight is on. Two powerhouse lawyers ready for action, Marcus unhappy with the way the justice system is acting and wants to make things right. But it’s a federal case. Federal cases are extremely slow. We’re talking years for them to finish. He’s gotta fly back and forth between Wisconsin where the trial is and California where he lives. Flying gets more and more tricky since his visa expired and he’s not supposed to be in the country anymore, but he’s also not allowed to leave the country, and he can’t work in the US, either.
MALWARETECH: So, for a lot of the time, I was kinda wrestling with this internal conflict of like, A) I’m guilty and I did everything they say I did, but B) I’m also kind of really just fighting not because I believe I’m innocent but because I don’t feel like this is how the justice system should work. But what really kind of wore me down is just the time. We’re talking a year, two years into the case, and I’m — this is — it’s very, very hard to explain how stressful being in a federal case is. It is a level of stress that goes way beyond even the worst incident response cases I’ve ever worked, and it’s daily. Every day you just wake up and you’re just like, is today the day I go to jail? What’s happening in my case? Blah, blah, blah. It just — it wears you down so fast. I mean, people have committed suicide.
There are people in the hacking community who have committed suicide from the just sheer constant stress of going through that system. I don’t think there is anyone who is set up to actually see that through to the end. At some point it just gets you to the point where you’re just like, I just — I give up. For me, I think that was about a year and a half, maybe a bit more in. We had fought a bunch of motions with the judge to get certain pieces of evidence dismissed and arguing that certain charges weren’t correct, and all of the motions were denied. So, at that point we’re basically starting from zero. We’ve got to find a new strategy. We’ve got to — we’re gonna be going for at least another year. At that point I was like, you know what? I just — I can’t do this anymore. So, I ended up just pleading guilty.
JACK: [Music] After fighting it for almost two years, he switched and gave in and said, fine, charge me with whatever stupid stuff you want. I’m tired of this.
MALWARETECH: Honestly, at that point, I was like, if I had just gone to jail from the start and spent a year or two in jail, it would have been infinitely easier on my mental health than going through this case. So, it was a lot and I just couldn’t take it anymore, so I folded.
JACK: Okay then, guilty on all charges. Well, the case can be closed now, except for one last thing. The court now has to decide what his punishment is. So, a sentencing hearing was scheduled. Some early calculations were saying that he could get anywhere from two to eight years in prison. But of course, his lawyers were trying to fight for him to get the least amount of prison time as possible.
MALWARETECH: In my case, their argument was the FBI actually couldn’t produce any evidence of Kronos having damaged systems. That’s not to say it didn’t; I’m sure it did, but they had not produced any evidence. Part of their argument was that we estimate it caused X tens of — I think it was hundreds of thousands in damages, and they could not produce any evidence to back that up. Their sentencing recommendation was based on their claim that I had caused these hundreds of thousands of dollars in damages, which they couldn’t prove. So, my lawyers had an argument there of, well, if there is damages, where are they?
JACK: [Music] So, his sentencing day comes. He heads into the courtroom.
MALWARETECH: So, I had basically convinced myself from the start that I was going to jail. So, I went into that hearing with the belief that I was going to jail, and…
JACK: I think you tweeted something, too, like, okay, I’m going to jail and whatever happens, I love you all.
MALWARETECH: Yeah, pretty much. I was sure that I was not leaving that courtroom.
JACK: The prosecution gave their arguments. His side gave his arguments. The judge listened to it all and came to a decision.
MALWARETECH: Basically, my punishment was sentencing me to time served. Even when the judge said ‘time served’, it didn’t register, ‘cause they don’t — it’s not like in the movies where they bang the gavel and they’re like, this is your sentence. There’s usually — they say the sentence and they’ll talk a bit about why, and then they’ll talk about what happens next and blah, blah, blah. So, he sort of said the sentence and he kept talking. I’m like, okay, so — I actually didn’t really know what time served means. So, I’m like, is that the sentence? I don’t know. Then he’s still talking and I’m like, I’m waiting for him to say how much jail time, and it’s not coming. Then I think the hearing went on for maybe thirty, forty more minutes, and I was still confused at the end.
I was like, I don’t actually understand how this system works or what time served means. I remember my lawyer just being like, you’re going home. I’m like, what? It just — it never registered. It didn’t register in the courtroom, it didn’t register when I went home, and it still doesn’t register now. In the back of my mind, I still feel like I have this thing hanging over me, and any minute now I’m going to go to jail. It was because I had just convinced myself since the beginning of the case that this ends in me going to jail, and because there was never any jail, it hasn’t ended in my mind. So, I’ve always — I’ve never been able to fully kind of clear that period of my life from my mind.
JACK: Well, you should take a trip out to Alcatraz, hang out there for an hour, and do some sort of mental cleansing of, okay, I’m here, I did it, now I’m leaving. It’s over.
MALWARETECH: It sounds funny, but that actually might not be a bad idea.
JACK: [Music] The judge seemed to understand all aspects of this case even before the defense gave their side. People sent in tons of letters saying why Marcus should be free and serve no jail time. The judge read newspaper clippings of how Marcus is a hero in the UK for stopping one of the world’s biggest cyber-attacks, and one thing the judge had to think about was…
MALWARETECH: What is gained by putting him in jail? Because he’s already on the good side. He’s doing good work and you’re just taking him away from doing the good work. What do you seek to gain for putting him in jail? That’s actually what the judge’s own argument was. I think — I suspect the judge had actually made up his mind about the sentence before any of us had made our arguments. He had looked at the case, he had looked at the totality of the circumstances, and he had been like, this just doesn’t make any sense. So, I strongly suspect the judge had already decided to sentence me to no jail time before we even got into the courtroom.
He basically said that, yeah, he’s being — he’s self-rehabilitated, so there’s no ‘he needs rehabilitation’ angle. He’s stopped one of the largest ransomware attacks in history, and he’s been doing all of this great cybersecurity work. He’s got all of these letters from various people in the cyber community. They wrote in letters explaining why they think I shouldn’t go to jail, and I think all of that just put together made a really strong case for sentencing me to time served.
JACK: Time served simply means whatever time you’ve spent on this case already is enough punishment. You’re done. You can go home now. Case closed. You might think he got the best possible outcome here, but the stress of not knowing what’s going to happen to you for two years is a lot harder than you realize.
MALWARETECH: To be honest, I’m being 100% real when I say this; if I could have taken a year or two in jail instead of going through all of that stress, I would have taken it.
JACK: So, WannaCry was one of the worst things that happened to him, yet seemed to also be the very thing that saved him.
MALWARETECH: It’s obviously hard to speculate what would have happened had WannaCry not happened, but there is a chance that I would have got sentenced to jail time if it was not for WannaCry. I don’t know that for sure, but yeah, I do think WannaCry was the silver lining of — at the time it felt horrible. It was like, my anonymity is gone. My life has been turned upside down, but then it most likely helped me out in the court case and it helped me come to terms with learning, I guess, better social skills and how to do public speaking.
So, while at the time when it happened, I would say this was the most terrible thing that happened that far in my life, and I had gone through a lot of terrible things. But now when I look back, I think it was — it led to a lot of important growth that was needed and it helped me out in a lot of scenarios that would have made my life a lot worse had it not happened. So, I’m not saying — I’m not changing my answer, but I’m saying versus when it was happening, I was very adamant that this was the worst thing to happen to me, but now in hindsight, having had years and years of personal development, I think it turned out for the better. I think it improved me as a person and it bailed me out of potentially going to jail, potentially.
(Outro): [Outro music] Thank you so much to Marcus Hutchins for coming on the show and finally sharing this story with us. This is such an incredible story. I’m so glad you finally said ‘yes’ to it. I started this show the year he got arrested and have dreamed about having him on this whole time. I get it; he was busy fighting for his life the whole time and was constantly being bombarded with interview requests. But that’s the thing about me; I don’t mind waiting eight years to get the story. Take your time. Unwind. Decompress from the craziest time of your life, and then let’s talk. It’ll still be a really good story when you’re ready.
This episode was created by me, Ctrl + Alt + Deluxe, Jack Rhysider. Our editor is the zero-day dreamer, Tristan Ledger. Mixing done by Proximity Sound, and our intro music is by the mysterious Breakmaster Cylinder. The romantic bedroom scene often mimics what a hacker does. There’s gaining initial access, lateral movement, navigating trust levels, privilege escalation, putting things into memory, but just make sure you don’t get root access and then realize you’re in the wrong environment. This is Darknet Diaries. [END OF RECORDING]