Security researcher

Marcus Hutchins

British IT security researcher and expert (born 1994)

aka: MalwareTech
Life: 1994 – present
Born: June 1994
Nationality: United Kingdom

Marcus Hutchins, also known online as MalwareTech, is a British computer security researcher known for stopping the WannaCry ransomware attack. He is employed by cybersecurity firm Kryptos Logic.

Early Life

Marcus Hutchins was born in 1994, the elder son of Janet Hutchins, a Scottish nurse, and Desmond Hutchins, a Jamaican social worker. He grew up initially in Bracknell, near London, before his family relocated to rural Devon around 2003, when he was nine years old. He is from Ilfracombe, Devon. Alongside an early aptitude for computers, he also spent time training as a surf lifeguard.

From a young age, Hutchins experimented with basic hacking techniques, including bypassing security on school computers to install video game software. Around age 14, he became involved with an online forum centered on malware development, where members shared work primarily to demonstrate technical skill. His contribution was a password stealer exploiting Internet Explorer's AutoFill feature. His increasing involvement with these communities coincided with declining school performance, and after school systems were compromised — an incident authorities attributed to him, though he denied involvement — he was permanently barred from school computers.

Career

Early Malware Development

Hutchins moved on to HackForums, where he built an 8,000-computer botnet at age 15 by tricking BitTorrent users into running malicious files. He also set up web hosting for illegal sites through the forum and created custom malware by analyzing existing rootkits.

At around age 16, an online contact known only as "Vinny" commissioned him to write a sophisticated, marketable rootkit. By mid-2012, Hutchins had completed UPAS Kit, named after the poisonous upas tree. Sales of UPAS Kit earned him thousands of dollars in bitcoin, enabling him to drop out of school. Vinny subsequently pressured Hutchins — using personal information including his address, obtained through an earlier gift of recreational drugs — to add keylogging and web inject capabilities to a second version. Hutchins added keylogging but refused the web inject component. A separate programmer later completed the web inject code, and the combined package was renamed Kronos by Vinny, after the mythological Greek Titan, and sold on dark web marketplaces beginning around June 2014.

While working on Kronos, Hutchins developed a drug addiction. He later shared a copy of Kronos with an online contact known as "Randy" after a power failure caused him to lose over $5,000 of Randy's bitcoin. Recognizing the risk this disclosure posed, Hutchins grew increasingly fearful of law enforcement attention.

MalwareTech and Kryptos Logic

Hutchins graduated from community college in 2015 and stopped his drug use. Distancing himself from Vinny and Kronos, he launched an anonymous blog called MalwareTech, applying the reverse-engineering knowledge he had accumulated to analyze emerging malware and botnets, including Kelihos and Necurs. He also developed a botnet tracking service capable of monitoring botnet operations from within.

The blog attracted the attention of Salim Neino, CEO of cybersecurity firm Kryptos Logic, who offered Hutchins a position. Working remotely from Ilfracombe, Hutchins reverse-engineered new botnets and supplied detailed intelligence to Kryptos Logic while publishing higher-level findings on MalwareTech. A former NSA hacker described him as a "reversing savant." Hutchins and Kryptos Logic were also instrumental in stopping a Mirai botnet-based DDoS attack against Lloyds Bank in 2016.

WannaCry

On 12 May 2017, the WannaCry ransomware attack began spreading via an exploit in Microsoft Windows' Server Message Block protocol, ultimately infecting over 230,000 computers across 150 countries within a single day. While on vacation, Hutchins began reverse-engineering the malware from his bedroom that afternoon. He identified an unregistered domain name embedded in the code and registered it, setting up honeypot servers at Kryptos Logic. Security researchers subsequently determined that this registration had activated a killswitch built into the worm, halting further execution. Hutchins, Kryptos Logic, and the UK's National Cyber Security Centre spent the following days defending the honeypot servers against DDoS attacks to keep the killswitch active while Microsoft issued patches.

The press identified Hutchins as the person behind MalwareTech in the days following the attack. He agreed to a single interview with the Associated Press under his real name but otherwise sought to avoid media attention.

Arrest and Legal Proceedings

On 3 August 2017, as Hutchins was preparing to leave Las Vegas following DEF CON, the FBI arrested him on six federal charges related to the creation and distribution of Kronos. Investigators had linked him to the malware following the seizure of the AlphaBay dark web marketplace in July 2017 and through earlier seizures that yielded his conversations with Randy.

Hutchins pleaded not guilty at arraignment and was placed under house arrest in Los Angeles. In early 2018, the FBI offered to reduce his sentence to zero prison time in exchange for information on Vinny and other hackers; Hutchins declined. Four additional charges were added to his indictment by June 2018.

On 19 April 2019, Hutchins pleaded guilty to two of ten charges: conspiring to commit wire fraud and distributing a device used to intercept electronic communications. On 26 July 2019, Judge Joseph Peter Stadtmueller sentenced him to time served and one year of supervised release, acknowledging that Hutchins had redirected his skills toward constructive purposes well before facing legal consequences.

Later Life

Following his year of supervised release, Hutchins expected to be deported to the United Kingdom, having overstayed his travel visa. According to a 2020 Wired profile, he stated a preference for remaining in Los Angeles. He has continued to work in cybersecurity and remains employed by Kryptos Logic.
