Backstory

Hutchins is the elder son of Janet, a Scottish nurse, and Desmond Hutchins. Around 2003, when Hutchins was nine years old, the parents moved the family from urban Bracknell, near London, to rural Devon. Hutchins had shown early aptitude with computers and learned simple hacking skills early on such as bypassing security on school computers to install video game software.

He became involved with an online forum that promoted malware development, more as a means to show off their skills to each other rather than for nefarious purposes. When he was about 14 years old, he created his own contribution, a password stealer based on Internet Explorer's AutoFill feature, which was met with approval by the forum. He spent much of his time with this community to the extent his school work began to fail. When the school's systems were compromised, the school authorities claimed Hutchins was the culprit. Though he denied any involvement, school authorities permanently suspended him from using the computers at school, which further pushed Hutchins to skip school more often and spend more time in the malware forums.

At around this time, the original malware forums had been closed, and Hutchins transferred to another hacker community, HackForums. In this new forum, members were expected to show more skill by demonstrating possession of a botnet. Hutchins, 15 years old at the time, successfully created an 8,000-computer botnet for HackForums by tricking BitTorrent users into running his fake files to take control of their machines. From this exploit, Hutchins saw financial opportunities for his hacking skills, though he states that, "at the time I did not feel these were tied to any type of cybercrime".

According to Hutchins, when he was around 16, having gained a reputation in hacking circles for his custom malware, he was approached by an online entity he knew only as "Vinny", who asked him to write a well-maintained, multifaceted rootkit that could be sold on multiple hacker marketplaces, with Hutchins to be paid half of the profits of each sale. Hutchins agreed, and by mid-2012, had completed writing UPAS Kit, named after the poisonous upas tree. During this period, Hutchins had once complained in his conversations with Vinny about the lack of good "weed" in the country. Vinny asked for his address, which Hutchins gave, and later on his 17th birthday, he received a package full of various recreational drugs. Sales of UPAS Kit earned Hutchins thousands of dollars through bitcoin, allowing him to drop out of school and live a comfortable life, though he kept the nature of his work secret from his family.

Vinny shortly came back to Hutchins to ask him to write UPAS Kit 2.0, specifically adding keylogging and web inject for browser form pages. At this point, Hutchins recognized these features were likely for targeting financial transactions on bank websites, and thus he would be enabling cybercrime if he wrote the update. Hutchins told Vinny that he refused to write such code, but Vinny held him over the fact he knew his name and address from his prior gift of recreational drugs and was willing to give that to the FBI if Hutchins' did not cooperate. Hutchins reached an agreement to add in the keylogging to UPAS Kit 2.0 but left out anything to do with web inject, which took another nine months to complete. After this, he learned from Vinny that Vinny had hired another programmer to update UPAS Kit with the web injects, and now wanted Hutchins and this programmer to work together to combine the code to a single package. Though he was ethically torn on the decision, Hutchins opted to continue working with Vinny to at least make sure he got paid for the work that he did already do. The new code was completed by June 2014, and as Vinny started selling it to the dark web he renamed UPAS Kit 2.0 to Kronos, based on the mythological Greek Titan.

MalwareTech and Kryptos Logic

After Kronos was released, around when Hutchins was 19, his family moved to Ilfracombe. Hutchins had entered community college prior to this and was struggling between completing his last year of work and the fixes to Kronos demanded by Vinny, further complicated with a drug addiction he gained while working on Kronos. During this time, he met a person he knew as "Randy" online through hacking forums. Randy, who was based in Los Angeles, had sought a banking rootkit like Kronos, which Hutchins did not mention, but led to longer talks to learn that Randy had more philanthropic goals. To help Randy, Hutchins offered to help him with trading bitcoin. However, a power failure one night caused Hutchins to lose more than US$5,000 of Randy's bitcoin, and in exchange, Hutchins revealed his connection to Kronos and offered a free copy to Randy. After they had completed that deal, Hutchins realized the mistake he had made in revealing this to a stranger, and started to fear he would be approached by law enforcement.

Hutchins graduated from college in 2015 and dropped his drug addiction cold turkey. He put off requests from Vinny for updates to Kronos claiming he was busy with schoolwork, until soon the requests stopped as well as any further payments from Vinny. After several months of dread, he decided to start an anonymously written blog on deep analysis of hacks that he called MalwareTech, based on what he had learned evaluating others' rootkits and his own work on UPAS Kit and Kronos, though he spoke nothing of his connection to these rootkits. As new rootkits appeared, Hutchins began reverse engineering those and writing the details on MalwareTech, such as the Kelihos and Necurs botnet, and wrote his own botnet tracking service that could join the botnet and monitor what operations the controllers of the botnets were doing. His writings drew the interest of Kryptos Logic's CEO Salim Neino, who offered the writer a job. Hutchins accepted; while still working from Ilfracombe, he would reverse engineer new botnets and provide the detailed information to Kryptos Logic while writing on the high-level functionality he had discovered to MalwareTech, while Kryptos Logic would monitor the botnets for ongoing cybersecurity threats. Through this relationship, Hutchins' reputation via his MalwareTech identity grew, being called a "reversing savant" by a former NSA hacker, though only a few associates at Krpytos knew of his true identity. Hutchins and Kryptos Logic were instrumental in stopping one offshoots of the Mirai botnet/distributed denial of service (DDoS) attack in 2016 that had hit Lloyds Bank, as Hutchins had been able to plead to the hacker behind it, once he had tracked him down, with his own experiences to convince him to stop the botnet.

Stopping WannaCry

The WannaCry cryptoworm attack had started around 12 May 2017; using an exploit in Microsoft Windows' Server Message Block, it quickly spread from its initial point of injection believed to be in Asia to over 230,000 computers in 150 countries within the day. Computers infected were seemingly locked out from use and could be unlocked only if the user sent a quantity of bitcoin to a given account.

Hutchins had become aware of WannaCry the afternoon of 12 May, and though he had been on vacation, he began reverse engineering the code from his bedroom. He discovered that the malware tied to an odd-looking domain name, suggesting the malware would be part of a command-and-control structure common to botnets, but to his surprise, the domain name was not registered. He quickly registered the domain and set up servers at Kryptos Logic within it to act as honeypots, allowing them to track the infected computers. While the WannaCry worm continued to spread over the next few hours, security researchers found that because Hutchins had registered the domain name when he did, WannaCry would not execute further, effectively the worm's killswitch. Hutchins and Kryptos, along with the UK's National Cyber Security Centre, spent the next several days maintaining the honeypot servers from additional DDoS attacks, some restarted by ongoing Mirai botnets as to make sure the killswitch remained active while Microsoft and other security workers rushed to patch the exploit in the Server Message Block and issue it to end users. A separate effort from French cybersecurity researches found a method to unlock and decrypt affected computers without having to pay the ransom.

Hutchins' work, as MalwareTech, to stop WannaCry, was highly praised, but this led to the press figuring out Hutchins' identity behind MalwareTech in the days that followed. Hutchins tried to avoid the press including the more-invasive tabloids who had published his name and address tied to the MalwareTech name, though did agree to a single Associated Press interview under his real name, trying to defuse the "hero" perception he had been given. In this coverage, he kept his past history quiet, simply stating that he got his job with Kryptos Logic based on his software skills and MalwareTech blog hobbies he developed during school. He gained a type of a celebrity status within the cybersecurity world for his actions against WannaCry, and plans were made for him to attend the 2017 DEF CON cybersecurity conference in Las Vegas that August.

Source: Wikipedia