Federal prosecutors in Wisconsin and Marcus Hutchins’ attorneys said in a joint court filing Friday that the 24-year-old agreed to plead guilty to developing malware called Kronos and conspiring to distribute it from 2012 to 2015. In exchange for his plea to those charges, prosecutors dismissed eight more.
Hutchins faces up 10 years in prison but could receive a more lenient sentence for accepting responsibility, the court filing said. Attorneys said Hutchins understands he could be deported.
Sentencing has not been scheduled.
Prosecutors said Hutchins made incriminating statements during a two-hour interrogation, and later during a jailhouse phone call that Hutchins was told was being recorded, he told an unidentified person that he “used to write malware” years before.
“I knew it was always going to come back,” Hutchins said on the call, but that he didn’t “think it would be so soon.”
Prosecutors said in court filings that Hutchins sold the Kronos software to someone in Wisconsin and that he “personally delivered” the software to someone in California. The malware was designed “to intercept communications and collect personal information, including usernames, passwords, email addresses, and financial data” from computers, prosecutors said.
Kronos was “used to infect numerous computers around the world and steal banking information,” prosecutors said, without providing an exact number. It’s unclear how much Hutchins’ profited from creating the malware, but in online chats the FBI intercepted on November 2014, Hutchins’ lamented he had only made $8,000 from five sales. Hutchins said he thought he would be making around $100,000 annually by selling Kronos with one of his conspirators, who is not named in the indictment.
Hutchins initially pleaded not guilty to all the charges and was scheduled to go on trial in July. While his case has been pending, prosecutors barred Hutchins from returning home. He has been living in California, working as a cybersecurity consultant.