Oh my gosh, oh my gosh, oh my gosh, I'm squealing over here. After years and years of trying to get today's guest on the show, he finally said yes. I'm so excited for this one. I've been sliding into his DMs for years. Hey, can I interview you? And I swear he always has the same answer every time. He's like, who are you?
And I say something like, oh, I'm a podcaster, and I really want to hear your story. And he's like, oh, thank you. And fair answer, I wouldn't want to talk to me either if I was in his position. And then I saw him at a party at DEF CON. And when I first approached him in person, he was...
hiding behind a sign, trying not to be seen. So I stand out in a crowd, so I've learned that signs are my best friend. We can hide behind the lamppost, we can hide behind the tree, we can hide behind the sign. But if I stand in the middle of the room... it's going to draw a lot more attention than I necessarily maybe want. Although I've got to a point now where I think I can just handle it.
But I do remember our first interactions, I think, Part of the awkwardness was I'm very bad at recognizing faces and you were wearing a mask the first time you saw me. It's true. I had a disguise on and yeah, I asked to interview him and he had no idea who I was. He's just like, who are you?
In my defense, there is no photos of you online and I have checked. It's true. There is no way I could have known. It's true. I try real hard not to have any photos of me on the internet. I'm a very private person. But I swear every time I asked him for an interview, he just kept asking me the same thing. Who are you? No, thank you. So I remember we had like quite a long conversation and then you went away and you came back without the mask and then you came back and you. sort of
went to re-engage the conversation and I had no idea who you were. I was like, Who is this random guy? Okay, fair point. I wear a lot of disguises, so you're right. Some of this is on me. But I'm happy to announce that today, finally, I am interviewing. I'm malware tech and I'm an anonymous security researcher. These are true stories from the dark side of the internets. I'm Jack Recider. This is Dark Knight Diary.
This episode is sponsored by Threat Locker. Ransomware, supply chain attacks, and zero-day exploits can strike without warning. leaving your businesses' sensitive data and digital assets vulnerable. But imagine a world where your cybersecurity strategy could prevent these threats. That's the power of ThreatLocker's Zero Trust Endpoint Protection Platform. Robust cybersecurity is a non-negotiable to safeguard organizations from cyber attacks.
ThreatLocker implements a proactive, deny-by-default approach to cybersecurity, blocking every action, process, and user unless specifically authorized by your team. This least privileged strategy mitigates the exploitation of trusted applications. and ensures 24-7, 365 protection of your organization. The core of ThreatLocker is its Protect Suite, including application allow listing, ring fencing, and network control.
Additional tools like the ThreatLocker detect EDR, storage control, elevation control, and configuration manager enhance your cybersecurity posture and streamline internal IT and security operations. To learn more about how Threat Locker can help mitigate unknown threats in your digital environments and align your organization with respected compliance frameworks, visit ThreatLocker.com. That's ThreatLocker.com.
This episode is sponsored by Drada. Let's face it, if you're leading GRC at your organization, chances are you're drowning in a sea of spreadsheets every day, balancing security, risk, and compliance in an ever-changing landscape of threats and regulatory frameworks. that can feel like running a never-ending marathon. Enter Drada, the modern GRC solution designed for leaders like you. Drada automates the tedious task.
security questionnaire responses, continuous evidence collection, and much more, saving you hundreds of hours. But it's more than just a time saver. It's a scalable platform that adapts to your organization's needs, whether you're a startup or a global enterprise. Drada gives you one centralized platform to manage your risk and compliance program. Drada empowers you with a holistic view of your GRC program.
and real-time reporting capabilities. With Drada, you also get access to their powerful Trust Center, a live, customizable tool that supports you in expediting your never-ending security review questions in the deal process. It's perfect for sharing your security posture with stakeholders or potential customers Ready to modernize your GRC program and take back your time? Visit drata.com forward slash darknightdiaries. That's drata, spelled D-R-A-T-A, drata.com slash darknightdiaries.
We're going to start this story in early 2017. As he said, his name is Malware Tech and he's an anonymous security researcher. He would research malware and then publish his findings anonymously under the name Malware Tech. He never posts his picture on the internet. His Twitter profile is just a picture of a cat wearing glasses. Nobody knew who he was or what he looked like.
So I've been a cybersecurity analyst since about 2016. I mostly specialized in a combination of malware reverse engineering and cyber threat intelligence. So my job was basically to reverse engineer botnet malware and then find ways to monitor their C2 infrastructure in a way that we could actually see who was being infected.
So our goal was to sort of do external threat intelligence. So rather than being on someone's network and saying, hey, look, there's a sign that you're infected with malware, our goal was to be on the bad guy's network. and be able to see all the victims of the malware and then alert them to the fact that they're infected. Where were you living? Was it Cornwall at the time? As far as Devon, so just north of Cornwall, pretty close to the border, actually. What is that? I think I watched a show.
TV shows based out of Cornwall, and I think it was Dr. Martin, was it? Yeah, that was the one, yeah. I think that there was some episodes in Devon, but... I remember my parents were very excited. They called me one time and they were like, there's some famous people filming in our town. And we live in the middle of nowhere, so there's no famous people there. Any kind of filming is a huge deal.
So you've probably seen it on the TV like once or twice. Yeah, I have. It's a very picturesque place. It's beautiful. Yeah, so where I live, which is in North Devon, we have this massive long, I think it's like three, four mile long beat. beautiful golden sand. It picks up a nice Atlantic swell that I think comes from the hurricanes down in the Gulf. They'll occasionally swing north towards the southwest coast of England. So we actually get some really, really big surf down there.
So living so near the sea, I was like, well, what do I do for hobbies? Because we had moved from inland. So I'm like, I need new hobbies. What do people here do? And the obvious answer was surfing. So I took up surfing. Turned out it's a really, really fun sport.
but a lot of people don't associate it with England. They think England is like rock beaches, pebbles. Usually they're thinking of places like Blackpool, but there are some really, really good surf spots on the southwest coast, and I just happen to live right next to one. Especially, I wake up one day and it's all over the news that this ransomware is infecting lots and lots of British hospitals.
Let me start with breaking news this hour. A number of procedures have been cancelled or redirected to other NHS providers following a cyber attack on some of London's major hospitals. The ransomware would soon be called want to cry. And it was hitting tons of hospitals around the UK. Their computers would get infected and then completely encrypted. You couldn't use it at all. And you had to pay Bitcoin to get it unlocked again. This infection forced hospitals
to turn away patients and cancel procedures. It was awful. So I think the consensus is that it was someone working on behalf of the North Korean government. It's very interesting how this came about too. We believe it was the enemy NSA that developed the exploit, which they called Eternal Blue.
Which, by the way, the NSA found this exploit in Windows. Microsoft Windows, an American company, but didn't tell Microsoft that they have this really bad vulnerability in Windows. And it absolutely flabbergasts me that NSA discovers vulnerabilities in U.S. companies and then not tell those companies that their product is vulnerable to attack. But it gets worse. Then the NSA somehow lost control of this exploit and it ended up in the hands of someone calling themselves the Shadow Brokers.
And just the set of circumstances that led to WannaCry was so insane. Because, of course, you have the Shadow Brokers leak. And the Shadow Brokers, they haven't been attributed yet. But it's widely believed to be Russian intelligence. Russian intelligence hacks the NSA.
steals one of their most prized vulnerabilities, leaks it onto the open internet, at which point North Korea pick it up and decide to make ransomware with it. And we're not even to this day sure whether WannaCry was supposed to be released yet. and there are a lot of just signs in the code that it might have been a work in progress that accidentally leaked a little earlier than they had intended it to. We think the North Koreans unleashed ransomware on the world
to try to make some money, which is wild. Other nation states are not doing cyber thug activity like this, just trying to make some money through ransomware, but North Korea does it. But one reason we think the exploit got released too soon was because it was discovered
pretty early on that there's no way to track who paid the ransom. Usually ransomware would generate a unique Bitcoin address for every single victim and then they can tell if that victim paid by telling if there is a payment in that Bitcoin wallet. But that was a bug with the code where it only generated something like three Bitcoin wallets.
So all of the payments are going to these three Bitcoin wallets. They have no way to trace who paid and who didn't. So while I think it was intended to be ransomware or intended to at a later date be ransomware at the time that it was released or got out. it was essentially a file shredder. There wasn't really any realistic way to get your data back. What scumbags, you know? Like...
For one, for a country to extort hospitals to try to make a little bit of money, I mean, come on. But two, to release ransomware so bad that it doesn't even work right. It just cripples businesses with no way to undo it. So North Korea didn't make much money from this.
and simply gave the world a black eye for no reason. I think a lot of what went into them not making much money was it came out very early that the files weren't decryptable, like almost immediately when the first infections happened. Analysts, they raised the alarm. They went to the press and they were like, don't pay the ransom. You're not going to get your data back. Of course, all this news is right up Malware Tech's alley. Malware research is his bread and butter. He wants to know more.
Now, the thing with ransomware is back then, it was mostly spread by phishing email. So if you see an organization or two infected, that's pretty normal. But if you're seeing like 10, 20, 30 different parts of the same organization being infected, that's either a lot of people falling for phishing attempts or it's not phishing.
And my first instinct was this isn't phishing. This is hitting way too many organizations, way too many parts of the same organization. It has to be something bigger. So I went and asked my friend Caffeine, can I have a sample of this?
And the second I looked at it, I was like, oh, this is this is bad like this isn't your standard ransomware because at that time ransomware was purely spread by phishing or botnets I don't think anyone had ever made wormable ransomware before and I was like this ransomware spread from computer to computer completely unaided.
It doesn't need a user to click a malicious link or open a weird email. It will literally just get onto a computer, look for other computers to hack and then hack them and infect them and just repeat that process over and over. And that was the point where I was realizing we are dealing with something that I don't think has ever been seen before.
This thing was spreading fast. Hundreds of networks were spreading it to hundreds more. Soon thousands were infected, all trying to spread it to thousands more. The internet was burning like an out-of-control wildfire that day. I was tasked with stopping the ransomware. And historically, when I worked with ransomware, it's almost impossible to stop. Sometimes you can decrypt it retroactively. There's flaws in the encryption. You can break the encryption and get people's files back.
But in terms of stopping actively spreading ransomware, that is almost impossible. Sometimes there'll be a vulnerability where we can hack into their command and control server and put a stop to it. So that's what we were looking for. But as he looked through the ransomware code, he noticed something. There's a strange domain name in this code, a URL. Just a long string of gibberish letters with .com at the end.
The domain wasn't registered. And when I saw this unregistered domain in the WannaCry code, I was like, nice, this is probably a command and control server. So I registered it. And then I started looking, what can I do with this code? What can I do with control of this domain? I'm thinking it's a command and control server, and maybe we can exploit a vulnerability in the WannaCry code, maybe crash the malware.
or anything that could stop it from spreading. But it actually turned out while we were trying to figure out what is the purpose of this domain, what does it actually do, we had already stopped WannaCry because the domain was a kill switch. Without him even realizing it, the moment he made this domain active, the WannaCry malware stopped. Just suddenly and surprisingly.
stopped spreading. Someone had basically just posted on Twitter that WannaCry has been stopped, like someone has activated a kill switch in WannaCry. and we actually didn't know we had activated the kill switch until several hours later. The purpose of this domain in the code was Before the malware spreads, it first checks to see if the domain is up and alive. And if it is, the malware stops everything it's doing.
And since MalwareTech just registered it and set it up, that triggered the kill switch to essentially deactivate one of the most brutal, devastating ransomware attacks the UK has ever seen. By the time we actually got around to looking at the code, it was like it had already reached the media that we had stopped it and we were like, oh, okay. Yeah, the media was reporting that someone stopped WannaCry before he even knew he did it.
But wait, if he's got control of this domain, can he set some sort of monitoring tool up so that he can see what traffic is going to this domain? Yeah, so we're actually very lucky in the... We did this professionally like a lot of our work was about finding ways into botnets and then collecting these analytics. So we actually already had the system set up to do that, which was great.
So I was like, awesome, we have all this analytics, we can see how many systems WannaCry was hitting. But while I was focusing on that, everyone's like, who is this guy who's stopped the world's biggest ransomware attack? Meanwhile, I had no idea that that was... going on until i checked twitter and i was like oh oh
The thing is, is he was tweeting from his username MalwareTech all the analytics that were coming into this domain. And this made people realize MalwareTech is the guy controlling the kill switch. He's the one that stopped it. since he had all these analytics and could see what was going into that domain. But the thing is, not everyone put those pieces together like that. Some people thought, well, if he controls that domain, then that must mean...
He's the one who wrote the malware. So as far as a lot of law enforcement and intelligence agencies are concerned at the time being, I am the one who created WannaCry. I'm the person responsible for WannaCry. That is my domain, and I'm controlling it. So it led to a very, very interesting scenario because everyone was kind of confused about how did this happen? Why is the domain there?
And why does this random British teenager, well, I think I was 22 actually, so not quite a teenager, but why does this random British dude control the domain that is in this massive piece of ransomware that is destroying networks all across the world?
Did you discover all this in your parents' bedroom, by the way, or I mean in your parents' house? Yeah, so the unfortunate stereotype of the nerd in his parents' basement is true. It was technically not a basement because our house had multi-levels. The front door was a level higher than the back door. So it was technically a basement, but technically also not a basement.
but I was basically in my parents' basement. Once the news got out that this guy MalwareTack is the one who stopped the world's biggest ransomware attack in history, his whole life changed. It went wrong in every way possible for me. I had set it up so the domain was registered through a proxy that shouldn't have traced back to me.
But I think my Twitter gave them enough to find me. And my goal personally was to be an anonymous researcher. I had basically seen my whole career just being an anonymous researcher. who no one needs to know my name. They don't need to know what I look like. I can just publish my blogs in peace and no one needs to even know who I am. And then I got an email from, I believe, the Daily Telegraph.
and they were like, we found your real name, we found your address, we found your parents' name, and we're going to publish it tomorrow, and we'd like comment. And I begged them, like, do not publish my name, don't publish my photo, please, just like... respect my privacy. But of course, they had the biggest story related to WannaCry so far. The Daily Telegraph was the first person to actually correctly identify me. So they knew they had a story that would get a lot of eyes.
and I kind of knew where this was going. I was like, I'm going to beg them anyway, but I know they're going to publish this, and I know it's all downhill from here. I believe this was the Monday, so WannaCry happened on the Friday. I woke up
Monday. They had published my name. They had published my photo. The Daily Mail had published my house address for some reason. I remember reaching out to journalists and being like, dude, what the hell is this? Why would you possibly need to publish my home address in the uk's biggest newspaper after i've stopped a major criminal attack like this this doesn't make any sense and he like apologized and he took it out but i was like dude like What goes through someone's mind to think?
everyone needs to know where this person lives. But yeah, so that day I woke up and my name was out there. Everyone knew it was me. I couldn't walk down the street without being a... recognized by someone in town and i was like this is this is it this is the end of an era like I'm no longer malware tech, the anonymous researcher. I'm now Marcus Hutchins. And I remember just thinking, man, this is, This is going to be such an earth-shattering change to just the way I saw my life going.
Once his name was out there, another paper, the Daily Mail, found a picture of him and published it. The headline read, Surf Dude Saves the Day. i think that was the two page spread with my face on it right yeah front cover yeah So before that, no one knew what I looked like because I ran an anonymous Twitter account with a cat avatar and I believe they were the first ones to actually get a real photo of me.
And my mum, she reads the Daily Mail, so she came home and she handed me the newspaper, and there's my face across a two-page spread, and I'm like, oh, my God. Marcus Hutchence was now world famous, and everyone wanted to talk with him. Even me. There was this dude, this one dude, he kept ringing the doorbell like every single hour. And then when we finally were like, look, you've got to stop doing this. He just started calling instead, like somehow he had our phone number.
And there was at one point there was several, several journalists just like hanging around on the sidewalk outside my front door waiting for me to come out of the house. of this funny story of me having to climb over the back fence to go and get food because these journalists just would not leave the outside of my house. And at the time, I didn't understand why this was such a big deal. And as a very non-public person, it was actually quite scary.
Marcus is a private person. He's a bit awkward around people, very soft-spoken. He does not want this kind of spotlight on him. This was agonizing for him. He's tall and has huge, poofy hair. You can spot him easily in a crowd. And people were stopping him to talk with him everywhere he went. Are you the guy who stopped the ransomware? And it wasn't just random people and journalists.
Foreign intelligence was curious about him too. In the months after WannaCry, while the investigation was still ongoing, before we knew that it was North Korea, There were a lot of foreign intelligence agencies. They weren't really sure what my role was. And there was actually one incident I remember quite clearly when I was traveling in a foreign country. and some researchers from a neighboring country had invited us out to lunch. They were like, hey,
We're like really interested to hear about your research. Would you like to come to lunch with us? And they gave us an address and the address was across the border in their country. And I didn't see it as immediately suspicious because we were very close to the border of this country. So I'm like, okay, there are researchers from this country. They're probably going to know more good restaurants in this country. Let's go meet them in their country for lunch.
And I got a tap on the shoulder by... Someone who I have no idea who they are, who they worked for. And they were like, just so you know, those are intelligence operatives of that country. Those people inviting you to lunch work for their foreign intelligence service. I would maybe go get McDonald's or just go anywhere else. So you don't know who tapped you on the shoulder? It was just a stranger from the crowd and then they disappeared after that?
It was one of the weirdest experiences I had in my life. That must have been for just to have some random person tell you that and then suddenly you're, You know, the camera's zooming way out like, whoa, hold on, let me. I assume it was probably someone from my country. I don't know. Why is someone from your country following you to another country while you're on vacation? That is crazy.
I think there's someone following those people around and then they're like, wait, who's this guy they're talking? Oh, I see. It's entirely possible. We, um... We ended up on a lot of people's radars after WannaCry. My colleagues, not so much because they weren't as in the public eye as me, whereas I was the one who got tracked down first, so I took most of the heat.
But I ended up having to actually go into a few different countries and speak to their law enforcement and tell them my side of the story because there was obviously a lot of suspicion. They're like, no one knew where WannaCry came from and I was the only tie to it. All they knew is that this worm just came from nowhere and there's only a single domain in the code and it's linked to Marcus Hutchins in Great Britain. So I basically ended up going on this sort of almost like an apology tour.
without an apology because I'm not responsible. So I had to sort of give them my side of this story, explain why we registered as a main, how it came to that. And eventually, obviously, I think it was It might have been October. It was a good six or seven months after WannaCry that the NSA and GCHQ and I think the Australian Intelligence Services, they all came out.
and they pointed the finger at North Korea. So after that, the heat kind of died down, but in that bit between stopping WannaCry and it being publicly attributed to North Korea. I spend a lot of my time dodging very, I don't know how to describe it, but very suspicious situations. I suspected that people had inferior intentions with either wanting to interview me or inviting me to their country to come and speak at their conferences.
There was a lot of that in that period. So it was a very, very strange time in my life. Man, how crazy is that? To be invited to speak at another country and then to wonder. Is this a ploy for some foreign intelligence operatives to arrest me? Or even worse, is North Korea mad at me and they want to pay me back for screwing up their ransomware and they're inviting me to this thing just so they can kidnap me?
Marcus had to be very careful from now on. This sudden fame was attracting a lot of strange people. WannaCry hit in May of 2017. Three months after that, the annual hacker conference in Las Vegas in the US. Marcus had been there once before in 2016 and he liked it, so he flew out again in 2017. But little did he know that this DEF CON was going to radically change his life. So it was insane. Like, I cannot even accurately describe the feeling of it. Ah, I'm trying. I'm trying. Let's hear it.
Yeah, so there's what we did personally and then there's what we did within the conference. So personally, what my friends had found out is that hotels in Vegas are ridiculously expensive and they basically calculated what could we do.
could we afford if we just put all our individual hotel room costs together and got an Airbnb instead? And we found we could get one of the biggest mansions in Las Vegas with the largest private pool in i believe the entire state um so we went and we got this insane mansion and then we're like well the mansion's not complete without supercars right and there's a there's a car dealer in vegas uh that they let you rent supercar
supercars for like a day two days three days a week so my friends they went out and they they rented supercars so we had this driveway full of supercars and they're not particularly expensive to rent for like short periods of time but of course I didn't realize that in the background I was setting up this this scene of me being this very, very wealthy person.
when in reality the costs were split between about, I think, 8 to 12 people. So we had this crazy Vegas trip. We stayed in this massive mansion. We were driving around in supercars. We were shooting automatic weapons. We just went all out on Vegas. Now the conference itself was very, very different. Now, I had suspected I would get a fair amount of attention at the conference given how recent WannaCry was. It was only, I think, three months ago. But I had no idea the level.
that I was going to experience. I remember this was back when it was in Caesar's Palace, the actual casino before the forum. And anyone who has been will remember there's these hallways that are maybe like... 20 40 feet wide and it's just shoulder to shoulder people all the way down the hallway
And I could not walk through the hallway because the traffic was moving so slowly that I would take a step, someone would recognize me, they'd come over and talk to me. And by the time I got to take my next step, someone else would come over. And I had to get to this one event and it took me two hours and 15 minutes to walk maybe like 100 feet down the hallway. And I was just like, I need to go to my hotel room and hide. Like, there's like...
An average 15-minute conversation will drain my social battery to the point where I need to sleep. And I'm now at a level where I physically feel like I'm going to pass out. It was like one of the most crazy experiences I've ever had. I just remember feeling like so overwhelmed because I knew there was going to be people who would want to come up and talk to me. I just didn't think it would be that many. What was some of the stuff they were saying to you?
oh it was it was all overwhelmingly positive like super heartwarming stuff like everyone was just really really positive they were all very kind very polite i don't think i had in the entire DEF CON a single negative interaction. People make out the hacking community to be all these bad people and evil. But generally speaking, I cannot think of a single negative interaction I had. Everyone was so polite.
and so wonderful but then on the other side of this i'm just an introvert so i'm not used to this level of attention So inside, I'm like, this is really, really heartwarming and supportive. But also, I feel like my entire body is on fire. Wow, so what a weekend. You're going to fly back to the UK after that, right? Yeah, so I believe 2nd of August, we spent 10 days there. So 2nd of August, I was due to fly back to the UK.
And so you have to go through the McLaren airport in Vegas. You get through security just fine. No, so security was a little weird because usually when you go through security, they make you take any big items out of your bag, laptops, iPads, phones. And that is my experience with that airport. They always make you take your laptop out of your bag. Whereas with me, they didn't.
It seemed like they were speaking to me specifically and not the guests in general. As I went to unpack my bag, they said, I'll just leave everything in there and put it through. And it felt very weird at the time. It didn't look like they said that to anyone else other than me. It looked like they specifically singled me out.
And I had a feeling I knew what was coming. I had a feeling that it was actually going to be related to WannaCry, that the FBI had some questions for me and they were going to pull me aside. But I was actually... I wasn't sure. So my bag goes through security just fine in the weirdest way possible. I go to the lounge and I think maybe an hour before my flight. a bunch of people in CBP uniforms approached me. And I'm like, huh?
Because CBP is customs. And I'm trying to think what would I have done that would get me on the wrong side of customs. And the only thing I could think of is this was the year that they had legalized recreational cannabis in Las Vegas. So I was like, did I forget to take some drugs out of my bag? I'm thinking they're pulling me aside because I forgot to take some weed out of my bag, they found it, whatever.
And they take me to this back room and they take off the jackets and they unroll these badges and it's FBI. And I'm like, Oh, okay. So I did not know that was even something you were allowed to do to pretend to just be a different agency or if the people who took me were genuinely also CBP. But I get this back room in the airport and they identify themselves as FBI.
And at this point, I still am not exactly sure why I'm being detained. I'm sorry, but I have to take a quick ad break here. But stay with us because Marcus is about to be very surprised about why the FBI is talking with him. This episode is sponsored by Kinsta. I've launched a bunch of websites in the past and it's always a challenge. I mean, have you ever tried to configure a web server and then fine tune it
You might get it going, but then it just crashes like two months later and you have no idea why. Kinsta doesn't want you tearing your hair out trying to bring your site to life. No, Kinsta's team of experts are there to manage hosting your WordPress site. They've bundled up all the essentials to make sites stress-free with speeds that'll wow your visitors, enterprise-level security, and a dashboard so intuitive, you'll wonder why everything isn't this easy.
Kinsta knows that your site has to be up and performing smoothly for your SEO to work for the traffic visiting your site to stay around and see what you have to offer. Heard of TripAdvisor, NASA, Indeed? They are among the 120,000 businesses that trust Kinsta with their WordPress website. And that's why I like what Kinsta does. It's not that they just host WordPress sites. I can trust Kinsta to make sure they are fast, secure, and reliable. Tired of being your own hosting support team?
Switch to Kinsta to get your first month free. And don't worry about the move. They'll handle the migration for you. No tech expertise required. Just visit kinsta.com slash darknet to get started. That's spelled K-I-N-S-T-A. slash darkness. You have such a happy demeanor to you.
So I imagine even in those first 15 minutes or so, like, oh, okay, we're actually the FBI. I still imagine you smiling and being like, oh, yeah, you know what? There were a thousand people who wanted to ask me about it. You want to cry? I'm sure you're just another one. What do you want to know? Did you have that kind of attitude? What was that first 15 minutes like?
So I believe I was a bit hungover, but you are right. I always just have this happy demeanor. So I'm like, even when things are generally really, really bad, I always just am chill and happy to be there. So I think I was a bit hungover, but otherwise I was like, okay, it's the FBI, whatever, I'll talk to them. But I hadn't quite yet figured out why they wanted to talk to me. Okay. I mean, what were the questions they were asking you?
So they started off with a bunch of random questions. It felt like they were deliberately trying to confuse me. They themselves were trying to obscure the reason why they had pulled me aside. So it felt like they were basically just fishing for information in a way that was designed to prevent me from realizing that I'm in trouble and I need a lawyer. So they kind of presented themselves as these very, just, we're asking questions. We're just some friendly FBI agents asking questions.
And I thought it was about WannaCry until a good 30 minutes, I think, into the interview. So you know in the movies when they slide the document across the table and they ask you, do you know what this is? And usually it's like a photo of a murder or whatever. Yeah. So they did that. I didn't think that was a real thing they did, but they did that. Except in my case, they had basically printed off compiled code.
So it was basically just a like 15 pages of just straight gibberish So I'm like going through these pages and they're like, do you know what this is and I'm like No, I honestly know like this is literal gibberish But then one of the things with compiled code is any text that is present in the code is present in the however you were to print it off.
So I get to the text section of the code and I start recognizing the strings and I'm like, oh, they printed off the Kronos executable. Like they've taken the compiled Kronos malware, opened it in Notepad or something, hit print, and this is is what I'm looking at and that was kind of the point where I realized oh I'm in like some serious trouble but then I'm also trying not to laugh because someone has just tried to print an executable and hand it to me
Yeah, so I'm like I'm like toggling between Almost smiling and oh shit. I'm like I've really messed up It is absolutely ridiculous that they printed off a program and handed it to them. It wasn't readable code. It was compiled. Only a computer could read it. There's no way that anyone can read this gibberish except... There was one word in there which made Marcus realize what he was looking at. The Kronos malware.
Kronos was a devastating banking malware. It was designed to get access into a victim's bank account and then the person operating the malware can siphon funds out of the victim's bank. The FBI agents handed it to Marcus and asked him if he recognized it, and he did recognize it. Because before the world knew who Marcus Hutchins was, he was only known as malware tech, an anonymous security researcher. But before that, he was a malware developer.
I started out as a malware writer. I specialised in writing rootkits. So that's malware that hides malware. so i mostly did stuff like trojans that would do bitcoin mining stuff that's not super harmful but also not really very great either it's like the Not the worst of the worst, but obviously not something that I didn't deserve to go to jail for. Basically, he would write malware, which in itself is not so bad. It all depends on what you do with the malware, right?
but he was working with someone who wanted to take his malware and sell it so they could make money. And so now his malware was being offered to criminals for sale. But still, by itself, his malware wasn't making any sales. Basically, we had a shell. So his job was to sell the malware. I would write the malware for him and then he would sell it.
And then he announced to me that he had contracted this other programmer to combine my code with the banking code to make banking malware that he wanted to sell. So essentially, I had a choice. I was like, okay, so my code has just been made into banking malware. I am already implicated in this. What do I do?
So I was like, I don't really want to have anything to do with this. I specifically said that any kind of credit card fraud or any kind of theft of money was over my moral line. I don't want anything to do with it. And that was the point when he basically hinted that if I didn't continue to maintain the code, he would drop my name and address to the FBI. So at that point, I was like... I'm in too deep. There is nothing I can do at this point.
So as a teenager, he developed part of this Kronos malware, and now it was being bought by criminals and actively used to rob people's bank accounts. And he's actively supporting the code, adding in features, fixing issues. This made him worry. The second he told me that he had combined it with the banking malware, I was like, yeah, this is going to come back and bite me. There is no way.
that I am, like, I knew this was going to come. Like, I am going to be picked up by the FBI at some point. Like, this is going to come back to bite me. And even then, I think I was maybe 19 when this happened, I knew the repercussions. I was like, this is bad. He kept looking for a way out of this deal to stop working on the Kronos banking malware.
But he feared that the guys he was working with were going to turn him in if he quit. So I kept maintaining the code for about... I want to say like six months, a year, until I found a way to get out in a way that wouldn't. result in him sort of doing anything to me. He wouldn't report me to the FBI or do anything that would harm me other than the harm that has already been done.
So eventually, about a year later, I find an out and I completely distance myself from a project. I think I spend about a year just doing blogging and then I get a job in cybersecurity. So I basically, I leave the life behind. I go into a professional cybersecurity role. And that's when I started doing this sort of malware reverse engineering and cyber threat intelligence.
And so, in August 2017, on his way back from the most epic DEF CON ever, about to step foot on the plane, the FBI grabbed him and handed him a copy of his malware. And he knew exactly what that was. And he feared this day would someday come. At this point, he's missed his flight. His friends are worried about what happened to him, and he's starting to sober up. A smile faded. So yeah, they took me to Overnight Holding, which is basically
It's like actual jail. So it's the jail you go to when you get arrested by the police for being drunk and disorderly or whatever. Man, to be in jail with all the drunk and disorderly people from Las Vegas. That's gotta be a real nightmare. Yeah, from the nice fancy mansion and the driving around in Lamborghinis to the concrete cell in like County Jail. I don't know if it's even called county jail, but yeah, that was a very...
very high high to a very low low. Now the FBI needed to process him in order to charge him for these federal crimes, but it was getting late and the FBI agents were tired. So they just needed to dump Marcus somewhere for the night, and then the FBI would pick it up again in the morning and finish processing him. So they take him to the jail. And the jail was full. Like, there were no free cells. So the police handcuffed me to a chair.
for the entire night they were like you're just going to be handcuffed to this chair in the lobby for the next 12 hours And I was like, great, that's very comfortable. As a 6'4 guy, I can think of no more comfortable way to sleep than in a lobby chair. So I was a little upset at that point. I was like, okay, I can understand the rest of the stuff.
But like you're gonna handcuff me to this tiny chair for 12 hours But then I found a solution. I need to go to the bathroom. So I asked to go to the bathroom And it turns out the bathroom is just a cell that they leave vacant for people to use because each cell has its own toilet in it. So they have a spare one, which is like the visitor toilet. So my sister goes to the bathroom and they throw me in that cell. They lock the door.
And I'm like, well, how do I get back out? And I realized that you don't. You basically just stay locked in the bathroom until the next person uses the bathroom. So my plan for the night ended up becoming... I asked to go to the bathroom. The bathroom is just a normal cell, so it has a concrete bench. I sleep on the nice, comfy concrete bench. Then when someone else next needs to use the bathroom, they take me out. They handcuff me back to my chair.
I asked to use the bathroom again, and that was basically my night, is I just slept on a concrete bench in the designated public toilet cell. Oh yeah, so I'm in overnight holding. because a lot of the drunk people might like pass out and you know like end up in a state where they need medical attention, the guards are supposed to do around every 20 minutes and check on all the cells. So there's a very loud audible alarm that goes off to signal the guards to start their check.
and it goes off every 20 minutes. Basically, you're just sleeping for 20 minutes at a time because you cannot sleep through that loud of an alarm. And I would put that as the rock bottom of my life. Like basically just sleeping on a concrete bench in a public toilet.
so I think I I get woken up at 4 a.m. in the holding facility they wanted to like process me which I'm like why are you processing me like you're not keeping me the FBI just Left me here for you to deal with overnight, but I'm not staying And I remember I was in a really bad mood because I had been woken up every 20 minutes for the entire night. My back hurt, my side hurt, every surface of my body hurt from trying to sleep on concrete.
and then this guy's asking me all these questions like what's your sexuality and i'm like dude like You're not, like, I'm not doing this. So I told him, like, I'm not doing your intake form. Like, I'm not going to be in prison here. There is no reason for me to be up at four in the morning doing prison intake. And I remember him saying to me you're not leaving here without it And I wanted to be snarky and I wanted to be like, how much money do you want to bet on that?
And of course, like a couple of hours later, the FBI just came and they're like, we don't care whatever he did here. He's ours. They take me off to the local, I think it's like a field office or maybe like some kind of satellite office. They spent like an hour processing me like fingerprints, hair samples, saliva sample, like you name it, photos.
And then you get handed over to the U.S. Marshals. He gets taken to a federal detention center, basically a prison. He was locked up for the banking malware that he wrote when he was 19. And so there was nothing he could do but just sit there. and see what fate has in store for him next. Someone who I actually didn't know at the time, her name's Tara Wheeler and Deviant Olem, who, they're pretty well known in the hacking community, but I didn't know them and I had never met them, but they...
Ran down to the courthouse and they posted my bail like they put up their own money And this was cash bail. If you're not familiar with the bail system, typically if they set your bail at 30k you can go and borrow the money from a bail bondsman and it's usually i think it's like a 10 deposit so you would you would just pay 3k and they'd put up the 30k for you but when you have a cash bail you have to pay the entire amount yourself. So they put up 30k of their own money to bail me out of jail.
And that truly just blew my mind that a stranger, someone I've never met, would be kind enough to do something like that for me. Tara and Deviant simply saw Marcus as someone who helped the world by disabling WannaCry. So they asked the hacker community to all pitch in and help bail out Marcus, and people did. Honestly, this is going to sound crazy, but it's true. I randomly ran into Terra myself at that time. We were on a remote island, deep in the woods of all places.
And in the first few minutes of meeting her, she asked me, hey, we're raising money to help Marcus. Are you in? And I actually gave her some of my money myself. She made a good case on why it was important to help people in situations like this. And they raised enough money to spring them out of jail. I came into the US on what's called an Esther.
which is a lot of countries have visa-free travel programs that allow you to visit as a tourist for 30 to 90 days without needing a visa. But you're not allowed to work on those, and you're not allowed to stay longer than the 30 to 90-day period. So I'm in the US on a temporary visa, but my bail condition is I'm not allowed to leave the country until the case is over. And federal court cases go on for a long time. Like, it's very, very rare for a federal court case to go on for less than a year.
So I'm now in this sticky position where I need money to survive, but I'm also legally not allowed to be in the country, but I'm also legally not allowed to leave the country. So I'm like, huh. do you guys have a protocol for this? And they're like, no, usually we don't arrest foreign nationals like this. Or if you, when we do, you would be in jail. We've actually not had anyone be granted bail in this way.
So I'm like, okay, so I guess I'm just on my own here. I'm just going to have to figure it out myself. He was stuck. Can't leave. Can't work. Lucky for him, a few good lawyers heard about his case and wanted to help him. Yeah, so one of my lawyers lived in LA and my case was out of Milwaukee and As much as I love the people of Milwaukee, Milwaukee is not my scene. I'm a West Coast kind of surfer vibe, so I want to be near the coast. I want to be surfing. I want the nice warm weather.
And basically one of my lawyers made the argument that Wow, like One of my lawyers is from LA and the other is from San Francisco. So if I'm stranded in Milwaukee, anytime we need to do legal meetings, they're both going to have to fly to me or I'm going to have to fly to one of them and the other is going to have to fly to one of them. And it's like a logistical nightmare.
So my lawyers were like, well, wouldn't it make sense if he lived near one of his lawyers? And the judge was like, yeah, that's actually the more sane way to do this. So they basically agreed that I could go and live in the same city as one of my lawyers. And I don't remember how or who chose it, but it ended up being LA. So I got moved to LA and I'd never been to LA before. I didn't know what it was like. I didn't know what to expect.
And I remember just kind of falling in love with the city within like two weeks. which was pretty funny because a lot of the governments, their strategy was give us what we want and we'll let you go home. But after two weeks in LA, I'm like, actually, you know, I'm kind of good. Like, I like it here.
They're like, give us what you want and you can go home. And I'm like, no. And they're like, okay, give us what we want and we will deport you. And I'm like, but you can't deport me until the case is over. And it just made things a little bit tricky for them because they had angled their whole case on this idea that I desperately wanted to go home to the UK.
which was no longer the case. Actually, I made a lot of new friends in LA. I found like a lot of cool stuff to do. And I was like, you know, I'm actually pretty happy here. So he became a bit of a beach bum. I mean, he couldn't work or leave. So surfing just became the thing he'd do. Right there on Venice Beach. Okay, so what charges do they have on you at this point? What are you facing?
I actually don't know. This is going to sound absolutely insane, but I regularly have to Google what I was convicted of. because it was very obscure. Because in the US, it is not illegal to write malware. You might intuitively think malware bad, surely it's illegal. It's not. There is actually no federal law against writing malware. So what they tend to do is they tend to find other laws that can be interpreted in such a way as to charge you with malware.
Now, initially, I think they hit me with six charges, and then they later upped it to ten. But they were all very obscure. They were things like a conspiracy to commit wiretapping, conspiracy to sell a wiretapping device. conspiracy to advertise a wiretapping device. And her basic argument was that malware listens to keystrokes like it's like a keylogger, and a keylogger is like listening in on telephone calls.
Therefore, we can use the wiretapping act to charge him with what I would not call wiretapping, but they had argued it. So I'm being charged with a statute that was originally made for stopping people from listening in on telephone calls. I'm also being charged with conspiracy to commit computer hacking. And the way that works is if I am in any way involved with someone else doing hacking, they can charge me with being a part of a conspiracy. So they basically argued.
because someone used my malware to hack people and I wrote the malware and then it was sold to that someone. I am therefore a conspirator in whatever hacking happened. So although I had never used my malware to hack anyone, and I had never hacked any systems, they got me on conspiracy to commit computer hacking. And I remember my lawyers explaining all this to me for the first time, and I was just insanely confused.
Because in England, it's just illegal to write malware. So if I was charged in England, they'd be like, this is the no-writing malware law. You're being convicted of the no-writing malware. But in the US, it was just so obscenely complicated that I couldn't even wrap my head around what I was actually being charged with.
I'm like, telephone wiretapping? This makes no sense. And here's the thing. Marcus knew that by creating the Kronos malware, what he did was wrong. He knew he should face charges for that. But these charges? No. These were not the right charges. And I've heard this time and time again from hackers on this show. They knew they did something bad. They were ready to face the consequences for it. But the charges that they were facing were for something else entirely. And that doesn't feel right.
Like, if you steal a thousand dollars from someone and get caught, you know you're guilty, right? So when the police say, did you do it? Yep. Okay, great. Here are your charges. We know you worked with five other guys, and together you all stole $200,000, so you're facing 10 crimes total. Whoa, whoa, whoa, hold on. I only stole $1,000. This is not right. You know you're guilty of stealing, but not guilty of all the other stuff.
And so you feel like you have to say not guilty to all of the charges since none of them match the actual crime you did. It's a broken system. At that point, I think I had decided to fight the case because... What had basically happened is they had made it very clear to me that they did not care that I committed crimes. Like, this was not...
you've done something wrong, and we're bringing you to justice. They were very, very clear that they were only charging me to leverage me into becoming an informant and giving them up someone that they wanted. And at that point, I was kind of annoyed because in my mind, that's not how the justice system works, right? Like, you do a bad thing, you go to jail because you did a bad thing. Whereas they were saying, we don't actually care what you did. We just want this other guy. And I'm like...
What? Because this isn't, I guess, for the American listeners out there. This is not how the UK system works. In the UK, you don't have plea deals and it's very, very hard for prosecutors to do cases in this way.
The UK system is a lot more clear-cut. You do a bad thing, you get charged with the bad thing, and you go to jail for doing the bad thing, whereas the US is a lot more geared towards there's always a bigger fish. They want the bigger fish. They don't really care about you or what you did.
And this was, of course, my first experience with the US justice system. So I'm confused. I'm a bit frustrated. I'm annoyed. So I ended up kind of deciding to fight the case because I also noticed that these charges don't really make any sense. there is no law against writing malware, so you're just charging me with these weird crimes. So I'm like, okay, let's just fight it and see what happens. Okay, so you had two lawyers at the time.
That must have been costly. No, so I was actually very lucky, and these two great, great lawyers, Marsha Hoffman and Brian Klein, uh they reached out to me and they were like we would like to take your case pro bono and these are like top top lawyers um the the kind that you would want on your side in a cyber crime case and
I remember they reached out to me and they were just like, we just want to take your case for a charge. You'll obviously have to pay like court fees and filing fees and for your flights to and from the courthouse. But other than that, like we're not going to charge you for our services. And it just felt like a gift from the heavens. It was like... So much of the theme behind this story was just random people I'd never met.
just sort of going out of their way to help me. And it was just such a surreal experience to have all of these people just coming to my aid out of seemingly nowhere. Okay, the fight is on. Two powerhouse lawyers ready for action. Marcus unhappy with the way the justice system is acting and wants to make things right.
But it's a federal case. Federal cases are extremely slow. We're talking years for them to finish. He's got to fly back and forth between Wisconsin, where the trial is, and California, where he lives. Flying gets more and more tricky since his visa expired and he's not supposed to be in the country anymore, but he's also not allowed to leave the country and he can't work in the U.S. either.
so for a lot of time i was kind of wrestling with this internal conflict of like i'm guilty and i i did everything they say i did um but b i'm also kind of really just fighting not because i believe i'm innocent but because I don't feel like this is how the justice system should work. But what really kind of wore me down is just the time. Like we're talking...
A year, two years into the case, and I'm, this is like, it's very, very hard to explain how stressful being in a federal case is. Like, it is a level of stress. that goes way beyond even the worst incident response cases I've ever watched. And it's daily, like every day you just wake up and you're just like, Is today the day I go to jail, like what's happening in my case, blah, blah, blah. And it just, it wears you down so fast.
I mean, people have committed suicide. There are people in the hacking community who have committed suicide from the just sheer constant stress of going through that system. I don't think there is anyone who is set up to actually see that through to the end. At some point, it just gets you to the point where you're just like, I just, I give up. And for me, I think that was...
I think it was about like a year and a half, maybe a bit more. And we had filed a bunch of motions with the judge to get like certain pieces of evidence dismissed and arguing that certain charges won. weren't correct and all of the motions were denied. So at that point, we're basically starting from zero. We've got to find a new strategy. We're going to be going for at least another year. And at that point, I was like, you know, I can't do this anymore. So I ended up just pleading guilty.
After fighting it for almost two years, he switched and gave in and said, fine, charge me with whatever stupid stuff you want. I'm tired of this. Honestly, at that point, I was like, If I had just gone to jail from the start and spent a year or two in jail, it would have been infinitely easier on my mental health than going through this case. So it was a lot, and I just couldn't take it anymore, so I folded.
Okay, then. Guilty on all charges. Well, the case can be closed now. Except for one last thing. The court now has to decide what his punishment is. So a sentencing hearing was scheduled. Some early calculations were saying that he could get anywhere from two to eight years in prison. But of course, his lawyers were trying to fight for him to get the least amount of prison time as possible. In my case, their argument was the FBI actually couldn't produce
any evidence of Kronos having damaged systems. That's not to say it didn't. I'm sure it did. But they had not produced any evidence. And part of their argument was that we estimate it caused... tens of thousands, I think it was hundreds of thousands in damages. and they could not produce any evidence to back that up.
And their sentencing recommendation was based on their claim that I had caused these hundreds of thousands of dollars in damages, which they couldn't prove. So my lawyers had an argument there of, well, if there is damages, where are they? So his sentencing day comes, and he heads into the courtroom. So I basically convinced myself from the start that I was going to jail. So I went into that hearing with the belief that I was going to jail.
I think you tweeted something too, like, okay, I'm going to jail, and whatever happens, I love you all. Yeah, pretty much. I was sure that I was not leaving that courtroom. The prosecution gave their arguments. His side gave his arguments. The judge listened to it all and came to a decision. Basically, my punishment was sentencing me to time set. And even when the judge said, time served, it didn't register. Because, like, they don't...
It's not like in the movies where they bang the gavel and they're like, this is your sentence. There's usually, they say the sentence and they'll talk a bit about why and then they'll talk about like what happens next and blah, blah, blah. So he sort of said the sentence and then he kept talking and I'm like, okay, so...
I actually didn't really know what time served means. So I'm like, is that the sentence? I don't know. And then he's still talking, and I'm like, I'm waiting for him to say how much jail time, and it's not coming. And then I think... The hearing went on for maybe 30, 40 more minutes. I was still confused at the end. I was like, I don't actually understand how the system works or what time served means. And I remember my lawyer just being like, you're going home. And I'm like, what?
And it just, it never registered. Like, it didn't register in the courtroom. It didn't register when I went home. And it still doesn't register now. Like, in the back of my mind, I still feel like I have this thing hanging over me. And at any minute now, I'm going to go to jail. And it was because I had just convinced myself since the beginning of the case that this ends in me going to jail.
And because there was never any jail, it hasn't ended in my mind. So I've always like, I've never been able to like fully kind of clear that period of my life from my mind. well, you should take a trip out to Alcatraz, hang out there for an hour, and do some sort of mental cleansing of, okay, I'm here, I did it, now I'm leaving, it's over. That sounds funny, but that actually might not be a bad idea.
The judge seemed to understand all aspects of this case, even before the defense gave their side. People sent in tons of letters saying why Marcus should be free and serve no jail time. The judge read newspaper clippings of how Marcus is a hero in the UK for stopping one of the world's biggest cyber attacks.
And one thing the judge had to think about was what is gained by putting him in jail. Because he's already on the good side, he's doing good work, and you're just taking him away from doing the good work. what do you seek to gain for putting him in jail? And that's actually what the judge's own argument was. I think, I suspect the judge had actually made up his mind about the sentence before.
any of us had made our arguments like he had looked at the he'd looked at the case he'd looked at the totality of the circumstances and he had been like this just doesn't make any sense So I strongly suspect the judge had already decided to sentence me to no jail time before we even got into the courtroom. He basically said that Yeah, he's self-rehabilitated, so he needs a rehabilitation angle. He's stopped one of the largest ransomware attacks in history.
And he's been doing all of this great cybersecurity work. He's got all of these letters. from various people in the cyber community. They wrote in letters explaining why they think I shouldn't go to jail. And I think like all of that just put together just made a really strong case for sentencing me to time serve. Time served simply means whatever time you've spent on this case already is enough punishment. You're done. You can go home now. Case closed.
And you might think he got the best possible outcome here. But the stress of not knowing what's going to happen to you for two years is a lot harder than you realize. To be honest, like... I'm being 100% real when I say this. If I could have taken a year or two in jail instead of going through all of that stress, I would have taken it. So WannaCry was one of the worst things that happened to him.
yet seemed to also be the very thing that saved him. It's obviously hard to speculate what would have happened. had WannaCry not happened, but there is a chance that I would have got sentenced to jail time if it was not for WannaCry. I don't know that for sure, but... Yeah, I do think WannaCry was this silver lining of at the time it felt horrible. It was like my anonymity is gone. My life has been turned upside down. But then it most likely helped me out in the court case.
And it helped me come to terms with learning, I guess, better social skills and how to... how to do public speaking. So while at the time when it happened, I would say like, this was the most terrible thing that happened that far in my life. And I had gone through a lot of terrible things. But now when I look back, I think it was. Like it led to a lot of important growth that was needed and it helped me out in a lot of scenarios.
That would have made my life a lot worse had it not happened. So I'm not saying like, I'm not changing my answer, but I'm saying versus like when it was happening. I was very adamant that this was the worst thing to happen to me. But now in hindsight, having had years and years of personal development, I think it turned out for the better. I think it improved me as a person. And it bailed me out of potentially going to jail. Potentially. Thank you so much.
to Marcus Hutchins for coming on the show and finally sharing the story with us. This is such an incredible story. I'm so glad you finally said yes to it. I started this show the year he got arrested and I've dreamed about having him on this whole time. And I get it. He was busy fighting for his life the whole time. I was constantly being bombarded with interview requests.
But that's the thing about me. I don't mind waiting eight years to get the story. Take your time, unwind, decompress from the craziest time of your life. And then let's talk. It'll still be a really good story when you're ready. This episode was created by me. Control-Alt-Deluxe. Jack Recider, our editor is Zero Day Dreamer. Tristan Ledger, mixing done by Proximity Sound and our intro music is by the mysterious Breakmaster Cylinder.
There are two kinds of people in InfoSec. Those who have taken a production server down and liars. This is Darknet Diaries.