WEBVTT

00:00:00.117 --> 00:00:04.720
JACK: Oh my gosh, oh my gosh, oh my gosh, I’m squealing over here. After years and

00:00:04.720 --> 00:00:11.280
years of trying to get today’s guest on the show, he finally said yes. I’m so excited

00:00:11.280 --> 00:00:17.360
for this one. I’ve been sliding into his DMs for years; hey, can I interview you? I swear,

00:00:17.360 --> 00:00:24.000
he always has the same answer every time. He’s like, who are you? I say something like, oh,

00:00:24.000 --> 00:00:29.440
I’m a podcaster and I really want to hear your story. He’s like, no thank you. Fair answer.

00:00:29.440 --> 00:00:36.240
I wouldn’t want to talk to me either if I was in his position. Then I saw him at a party at Defcon,

00:00:36.240 --> 00:00:41.080
and when I first approached him in person, he was hiding behind a sign, trying not to be seen.

00:00:41.080 --> 00:00:46.640
MALWARETECH: So, I stand out in a crowd, so I’ve learned that signs are my best friend. We can hide

00:00:46.640 --> 00:00:51.280
behind a lamp post, we can hide behind a tree, we can hide behind a sign. But if I stand in

00:00:51.280 --> 00:00:58.080
the middle of the room, it’s gonna draw a lot more attention than I necessarily maybe want,

00:00:58.080 --> 00:01:01.680
although I’ve got to the point now where I think I can just handle it.

00:01:01.680 --> 00:01:07.120
But I do remember our first interactions. I think part of the awkwardness was I’m

00:01:07.120 --> 00:01:11.800
very bad at recognizing faces, and you were wearing a mask the first time you saw me.

00:01:11.800 --> 00:01:16.000
JACK: It’s true; I had a disguise on, and yeah, I asked to interview him,

00:01:16.000 --> 00:01:19.800
and he had no idea who I was. He’s just like, who are you?

00:01:19.800 --> 00:01:23.040
MALWARETECH: In my defense, there are no photos of you online,

00:01:23.040 --> 00:01:27.280
and I have checked. So, there is no way I could have known.

00:01:27.280 --> 00:01:31.120
JACK: It’s true. I try real hard not to have any photos of me on the internet.

00:01:31.120 --> 00:01:35.600
I’m a very private person. But I swear, every time I asked him for an interview,

00:01:35.600 --> 00:01:39.760
he just kept asking me the same thing; who are you? No thank you.

00:01:39.760 --> 00:01:44.400
MALWARETECH: So, I remember we had quite a long conversation, and then you went away and you came

00:01:44.400 --> 00:01:50.080
back without the mask. Then you came back and you sort of went to re-engage the conversation,

00:01:50.080 --> 00:01:54.946
and I had no idea who you were. I was like, who is this random guy?

00:01:54.946 --> 00:01:58.480
JACK: [Music] Okay, a fair point. I wear a lot of disguises. So, you’re right, some of

00:01:58.480 --> 00:02:05.840
this is on me. But I’m happy to announce that today, finally, I am interviewing MalwareTech.

00:02:05.840 --> 00:02:14.137
MALWARETECH: I’m MalwareTech and I’m an anonymous security researcher.

00:02:14.137 --> 00:02:16.560
(INTRO): [INTRO MUSIC] These are true stories from the dark side of

00:02:16.560 --> 00:02:37.600
the internet. I’m Jack Rhysider. This is Darknet Diaries. [INTRO MUSIC ENDS]

00:02:37.600 --> 00:02:39.920
JACK:

00:02:39.920 --> 00:02:46.240
We’re gonna start this story in early 2017. As he said, his name is MalwareTech, and he’s an

00:02:46.240 --> 00:02:52.400
anonymous security researcher. He would research malware and then publish his findings anonymously

00:02:52.400 --> 00:02:57.600
under the name MalwareTech. He never posts his picture on the internet. His Twitter profile

00:02:57.600 --> 00:03:03.080
is just a picture of a cat wearing glasses. Nobody knew who he was or what he looked like.

00:03:03.080 --> 00:03:10.160
MALWARETECH: So, I’ve been a cybersecurity analyst since about 2016. I mostly specialized in

00:03:10.160 --> 00:03:15.120
a combination of malware, reverse engineering, and cyber threat intelligence. So, my job was

00:03:15.120 --> 00:03:23.200
basically to reverse-engineer botnet malware and then find ways to monitor their C2 infrastructure

00:03:23.200 --> 00:03:29.200
in a way that we could actually see who was being infected. So, our goal was to sort of

00:03:29.200 --> 00:03:34.240
do external threat intelligence. So, rather than being on someone’s network and saying, hey, look,

00:03:34.240 --> 00:03:39.680
there’s a sign that you’re infected with malware, our goal was to be on the bad guy’s network and

00:03:39.680 --> 00:03:44.280
be able to see all the victims of the malware and then alert them to the fact that they’re infected.

00:03:44.280 --> 00:03:47.600
JACK: Where were you living? Was it Cornwall at the time?

00:03:47.600 --> 00:03:51.280
MALWARETECH: So, I was in Devon. So, just north of Cornwall. Pretty close to the border, actually.

00:03:51.280 --> 00:03:55.280
JACK: What is that? I think I watched a show. There’s TV shows based out of Cornwall,

00:03:55.280 --> 00:03:57.040
and I think it was — Doctor Martin, was it?

00:03:57.040 --> 00:04:01.280
MALWARETECH: Yeah, that was the one, yeah. I think that there were some episodes in Devon,

00:04:01.280 --> 00:04:05.840
but I remember my parents were very excited. They called me one time and they were like,

00:04:05.840 --> 00:04:09.760
there’s some famous people filming in our town. We live in the middle of nowhere,

00:04:09.760 --> 00:04:15.360
so there’s no famous people there. Any kind of filming is a huge deal. So,

00:04:15.360 --> 00:04:18.400
there’s — you’ve probably seen it on the TV once or twice.

00:04:18.400 --> 00:04:21.600
JACK: Yeah, I have. It’s a very picturesque place. It’s beautiful.

00:04:21.600 --> 00:04:27.280
MALWARETECH: Yeah, so where I live, which is in north Devon, we have this massive, long — I think

00:04:27.280 --> 00:04:34.000
it’s like three, four-mile-long beach. Beautiful golden sand. It picks up a nice Atlantic swell

00:04:34.000 --> 00:04:40.720
that we — I think comes from the hurricanes down in the Gulf. [Music] They’ll occasionally swing

00:04:40.720 --> 00:04:46.640
north towards the southwest coast of England. So, we actually get some really, really big surf down

00:04:46.640 --> 00:04:51.680
there. So, living so near the sea, I was like, well, what do I do for hobbies? ‘Cause we had

00:04:51.680 --> 00:04:56.640
moved from inland. So, I’m like, any new hobbies? What do people here do? The obvious answer was

00:04:56.640 --> 00:05:02.400
surfing. So, I took up surfing. It turned out it’s a really, really fun sport, but a lot

00:05:02.400 --> 00:05:07.920
of people don’t associate it with England. They think England is rock beaches, pebbles. Usually,

00:05:07.920 --> 00:05:12.800
they’re thinking of places like Blackpool. But there are some really, really good surf spots on

00:05:12.800 --> 00:05:21.440
the southwest coast, and I just happened to live right next to one. Basically, I wake up one day,

00:05:21.440 --> 00:05:26.560
and it’s all over the news that this ransomware is infecting lots and lots of British hospitals.

00:05:26.560 --> 00:05:30.960
REPORTER: We start with breaking news this hour. [Music] A number of procedures have been canceled

00:05:30.960 --> 00:05:37.000
or redirected to other NHS providers following a cyberattack on some of London’s major hospitals.

00:05:37.000 --> 00:05:44.240
JACK: The ransomware would soon be called WannaCry, and it was hitting tons of hospitals

00:05:44.240 --> 00:05:48.640
around the UK. Their computers would get infected and then completely encrypted.

00:05:48.640 --> 00:05:53.440
You couldn’t use it at all, and you had to pay Bitcoin to get it unlocked again.

00:05:53.440 --> 00:05:59.840
This infection forced hospitals to turn away patients and cancel procedures. It was awful.

00:05:59.840 --> 00:06:02.240
MALWARETECH: So, I think the consensus is that

00:06:02.240 --> 00:06:05.800
it was someone working on behalf of the North Korean government.

00:06:05.800 --> 00:06:12.160
JACK: It’s very interesting how this came about, too. We believe it was the NSA that developed the

00:06:12.160 --> 00:06:19.280
exploit, which they called EternalBlue. Which, by the way, the NSA found this exploit in Windows,

00:06:19.280 --> 00:06:24.320
Microsoft Windows, an American company, but didn’t tell Microsoft that they have this

00:06:24.320 --> 00:06:29.920
really bad vulnerability in Windows, and it absolutely flabbergasts me that NSA discovers

00:06:29.920 --> 00:06:33.840
vulnerabilities in US companies and then doesn’t tell those companies that their product is

00:06:33.840 --> 00:06:40.240
vulnerable to attack. But it gets worse. Then the NSA somehow lost control of this exploit,

00:06:40.240 --> 00:06:44.960
and it ended up in the hands of someone calling themselves the Shadow Brokers.

00:06:44.960 --> 00:06:50.000
MALWARETECH: Just the set of circumstances that led to WannaCry were so insane,

00:06:50.000 --> 00:06:54.800
‘cause of course you had the Shadow Brokers leak, and the Shadow Brokers isn’t — they

00:06:54.800 --> 00:06:59.520
haven’t been attributed yet, but it’s widely believed to be Russian intelligence. So,

00:06:59.520 --> 00:07:06.160
Russian intelligence hacks the NSA, steals one of their most-prized vulnerabilities,

00:07:06.160 --> 00:07:10.080
leaks it onto the open internet, at which point North Korea pick it up and decide

00:07:10.080 --> 00:07:16.400
to make ransomware with it, and we’re not even to this day sure whether WannaCry was

00:07:16.400 --> 00:07:22.080
supposed to be released yet. There are a lot of signs in the code that it might have been

00:07:22.080 --> 00:07:26.960
a work in progress that accidentally leaked a little earlier than they had intended it to.

00:07:26.960 --> 00:07:31.440
JACK: We think the North Koreans unleashed ransomware on the world

00:07:31.440 --> 00:07:36.080
just to try to make some money, which is wild. Other nation states are not doing

00:07:36.080 --> 00:07:40.480
cyber-thug activity like this trying to make some money through ransomware,

00:07:40.480 --> 00:07:45.280
but North Korea does it. But one reason we think the exploit got released too soon was

00:07:45.280 --> 00:07:50.160
because it was discovered pretty early on that there’s no way to track who paid the ransom.

00:07:50.160 --> 00:07:55.120
MALWARETECH: Usually ransomware would generate a unique Bitcoin address for every single victim,

00:07:55.120 --> 00:07:59.680
and then they can tell if that victim paid by telling if there was a payment in that Bitcoin

00:07:59.680 --> 00:08:04.800
wallet. But there was a bug with the code where it only generated something like three Bitcoin

00:08:04.800 --> 00:08:09.040
wallets. So, all of the payments are going to these three Bitcoin wallets. They have no way

00:08:09.040 --> 00:08:14.480
to trace who paid and who didn’t. So, while I think it was intended to be ransomware or

00:08:14.480 --> 00:08:20.480
intended to at a later date be ransomware, at the time that it was released or got out,

00:08:20.480 --> 00:08:26.520
it was essentially a file shredder. There wasn’t really any realistic way to get your data back.

00:08:26.520 --> 00:08:32.640
JACK: What scumbags, you know? For one, for a country to extort hospitals to try to make a

00:08:32.640 --> 00:08:40.240
little bit of money? Come on. But two, to release ransomware so bad that it doesn’t even work right;

00:08:40.240 --> 00:08:44.240
it just cripples businesses with no way to undo it — so,

00:08:44.240 --> 00:08:49.640
North Korea didn’t make much money from this, and simply gave the world a black eye for no reason.

00:08:49.640 --> 00:08:56.000
MALWARETECH: I think a lot of what went into them not making much money was it came out very

00:08:56.000 --> 00:09:02.080
early that the files weren’t decryptable. Almost immediately when the first infections happened,

00:09:02.080 --> 00:09:04.640
analysts — they raised the alarm. They went to the press and they were like,

00:09:04.640 --> 00:09:07.480
don’t pay the ransom. You’re not going to get your data back.

00:09:07.480 --> 00:09:12.800
JACK: Of course, all this news is right up MalwareTech’s alley. Malware research

00:09:12.800 --> 00:09:15.320
is his bread and butter. He wants to know more.

00:09:15.320 --> 00:09:19.600
MALWARETECH: Now, the thing with ransomware is back then, it was mostly spread by phishing

00:09:19.600 --> 00:09:25.440
e-mail. So, if you see an organization or two infected, that’s pretty normal. [Music] But

00:09:25.440 --> 00:09:33.040
if you’re seeing ten, twenty, thirty different parts of the same organization being infected,

00:09:33.040 --> 00:09:37.920
that’s either a lot of people falling for phishing attempts or it’s not phishing.

00:09:37.920 --> 00:09:43.520
My first instinct was this isn’t phishing. This is hitting way too many organizations, way too

00:09:43.520 --> 00:09:50.160
many parts of the same organization. It has to be something bigger. So, I went and I asked my friend

00:09:50.160 --> 00:09:56.720
Cathy, can I have a sample of this? The second I looked at it, I was like, oh, this is bad.

00:09:56.720 --> 00:10:02.400
This isn’t your standard ransomware, ‘cause at that time, ransomware was purely spread

00:10:02.400 --> 00:10:09.920
by phishing or botnets. I didn’t think anyone had ever made wormable ransomware before. I was like,

00:10:09.920 --> 00:10:15.600
this ransomware spreads from computer to computer, completely unaided. It doesn’t

00:10:15.600 --> 00:10:19.840
need a user to click a malicious link or open a weird e-mail. It will literally

00:10:19.840 --> 00:10:24.320
just get onto a computer, look for other computers to hack, and then hack them and

00:10:24.320 --> 00:10:28.640
infect them and just repeat that process over and over. That was the point where

00:10:28.640 --> 00:10:34.386
I was realizing we are dealing with something that I don’t think has ever been seen before.

00:10:34.386 --> 00:10:38.240
JACK: [Music] This thing was spreading fast. Hundreds of networks were spreading it to

00:10:38.240 --> 00:10:42.160
hundreds more. Soon thousands were infected, all trying to spread it to

00:10:42.160 --> 00:10:50.400
thousands more. The internet was burning like an out-of-control wildfire that day.

00:10:50.400 --> 00:10:58.560
MALWARETECH: I was tasked with stopping the ransomware, and historically when I work with

00:10:58.560 --> 00:11:04.000
ransomware, it’s almost impossible to stop. Sometimes you can decrypt it retroactively.

00:11:04.000 --> 00:11:08.320
There’s flaws in the encryption, you can break the encryption and get people’s files back,

00:11:08.320 --> 00:11:14.160
but in terms of stopping actively-spreading ransomware, that is almost impossible.

00:11:14.160 --> 00:11:17.600
Sometimes there will be a vulnerability where we can hack into their command and

00:11:17.600 --> 00:11:23.480
control server and put a stop to it. So, that’s what we were looking for.

00:11:23.480 --> 00:11:28.240
JACK: But as he looked through the ransomware code, he noticed

00:11:28.240 --> 00:11:35.040
something. There’s a strange domain name in this code, a URL, just a long string

00:11:35.040 --> 00:11:42.800
of gibberish letters with .com at the end. He looked; the domain wasn’t registered.

00:11:42.800 --> 00:11:47.360
MALWARETECH: When I saw this unregistered domain in the WannaCry code, I was like, nice,

00:11:47.360 --> 00:11:52.800
this is probably a command and control server. So, I registered it and then I started looking;

00:11:52.800 --> 00:11:58.160
what can I do with this code? Like, what can I do with control of this domain? I’m thinking it’s a

00:11:58.160 --> 00:12:04.080
command and control server, and maybe we can exploit a vulnerability in the WannaCry code,

00:12:04.080 --> 00:12:09.280
maybe crash the malware or anything that could stop it from spreading. But it

00:12:09.280 --> 00:12:13.440
actually turned out, while we were trying to figure out what is the purpose of this domain,

00:12:13.440 --> 00:12:19.880
what does it actually do, we had already stopped WannaCry, because the domain was a kill switch.

00:12:19.880 --> 00:12:25.360
JACK: Without him even realizing it, the moment he made this domain active,

00:12:25.360 --> 00:12:33.320
the WannaCry malware stopped, just suddenly and surprisingly stopped spreading.

00:12:33.320 --> 00:12:37.920
MALWARETECH: Someone had basically just posted on Twitter that WannaCry has been stopped. Like,

00:12:37.920 --> 00:12:40.880
someone has activated a kill switch in WannaCry,

00:12:40.880 --> 00:12:45.760
and we actually didn’t know we had activated the kill switch until several hours later.

00:12:45.760 --> 00:12:51.200
JACK: The purpose of this domain in the code was before the malware spreads, it first checks to

00:12:51.200 --> 00:12:57.120
see if the domain is up and alive, and if it is, the malware stops everything it’s doing. Since

00:12:57.120 --> 00:13:01.760
MalwareTech just registered it and set it up, that triggered the kill switch to essentially

00:13:01.760 --> 00:13:07.760
deactivate one of the most brutal, devastating ransomware attacks the UK has ever seen.

00:13:07.760 --> 00:13:11.120
MALWARETECH: By the time we actually got around to looking at the code,

00:13:11.120 --> 00:13:15.600
it was like — it had already reached the media that we had stopped it. We were like, oh, okay.

00:13:15.600 --> 00:13:19.840
JACK: Yeah, the media was reporting that someone stopped WannaCry before

00:13:19.840 --> 00:13:24.880
he even knew he did it. But wait, if he’s got control of this domain,

00:13:24.880 --> 00:13:30.699
can he set some sort of monitoring tool up so that he can see what traffic is going to this domain?

00:13:30.699 --> 00:13:35.840
MALWARETECH: [Music] Yeah, so, we were actually very lucky in that we did this professionally.

00:13:35.840 --> 00:13:41.840
A lot of our work was about finding ways into botnets and then collecting these analytics. So,

00:13:41.840 --> 00:13:48.160
we actually already had the system set up to do that, which was great. So, I was like, awesome.

00:13:48.160 --> 00:13:53.600
We have this — all this analytics. We can see how many systems WannaCry was hitting. But while I was

00:13:53.600 --> 00:13:59.760
focusing on that, everyone’s like, who is this guy who stopped the world’s biggest ransomware attack?

00:13:59.760 --> 00:14:07.080
Meanwhile, I had no idea that that was going on until I checked Twitter, and I was like, oh, oh.

00:14:07.080 --> 00:14:13.280
JACK: The thing is, he was tweeting from his username, MalwareTech, all the analytics that were

00:14:13.280 --> 00:14:20.080
coming into this domain. This made people realize MalwareTech is the guy controlling the kill

00:14:20.080 --> 00:14:24.560
switch. He’s the one that stopped it since he had all these analytics and could see what was going

00:14:24.560 --> 00:14:30.960
to that domain. But the thing is, not everyone put those pieces together like that. Some people

00:14:30.960 --> 00:14:37.840
thought, well, if he controls that domain, then that must mean he’s the one who wrote the malware.

00:14:37.840 --> 00:14:41.280
MALWARETECH: So, as far as a lot of law enforcement and intelligence agencies are

00:14:41.280 --> 00:14:47.360
concerned at the time being, I am the one who created WannaCry. I’m the person responsible

00:14:47.360 --> 00:14:53.760
for WannaCry. [Music] That is my domain and I’m controlling it. So, it led to a very,

00:14:53.760 --> 00:14:59.440
very interesting scenario ‘cause everyone was kind of confused about — how did this happen,

00:14:59.440 --> 00:15:03.760
why is the domain there, and why did this random British teenager…? Well,

00:15:03.760 --> 00:15:06.720
I think I was twenty-two, actually, so not quite a teenager. But they’re like,

00:15:06.720 --> 00:15:11.440
why does this random British dude control the domain that is in this massive piece

00:15:11.440 --> 00:15:15.160
of ransomware that is destroying networks all across the world?

00:15:15.160 --> 00:15:19.920
JACK: Did you discover all this in your parents’ bedroom, by the way, or your parents’ house?

00:15:19.920 --> 00:15:26.800
MALWARETECH: Yeah, so the unfortunate stereotype of the nerd in his parents’ basement is true.

00:15:26.800 --> 00:15:31.600
It was technically not a basement ‘cause our house had multiple levels. The

00:15:31.600 --> 00:15:38.160
front door was a level higher than the back door, so it was technically a basement but

00:15:38.160 --> 00:15:43.400
technically also not a basement. But I was basically in my parents’ basement.

00:15:43.400 --> 00:15:47.440
JACK: Once the news got out that this guy, MalwareTech, is the one

00:15:47.440 --> 00:15:54.560
who stopped the world’s biggest ransomware attack in history, his whole life changed.

00:15:54.560 --> 00:16:01.360
MALWARETECH: [Music] It went wrong in every way possible for me. I had set it up so the

00:16:01.360 --> 00:16:06.560
domain was registered through a proxy that shouldn’t have traced back to me, but I think

00:16:06.560 --> 00:16:12.960
my Twitter gave them enough to find me. My goal personally was to be an anonymous researcher. I

00:16:12.960 --> 00:16:18.320
had basically seen my whole career just being an anonymous researcher who — no one needs to know

00:16:18.320 --> 00:16:22.320
my name. They don’t need to know what I look like. I can just publish my blogs in peace,

00:16:22.320 --> 00:16:29.760
and no one needs to even know who I am. Then I got an e-mail from — I believe The Daily Telegraph,

00:16:29.760 --> 00:16:32.800
and they were like, we found your real name. We found your address.

00:16:32.800 --> 00:16:38.560
We found your parents’ name, and we’re gonna publish it tomorrow, and we’d like comment.

00:16:38.560 --> 00:16:46.640
I begged them, do not publish my name. Don’t publish my photo. Please just respect my privacy.

00:16:46.640 --> 00:16:53.440
But of course, they have the biggest story related to WannaCry so far. The Daily Telegraph was the

00:16:53.440 --> 00:16:59.280
first person to actually correctly identify me. So, they knew they had a story that would get a

00:16:59.280 --> 00:17:05.600
lot of eyes, and I kinda knew where this was going. I was like, I’m gonna beg them anyway,

00:17:05.600 --> 00:17:10.880
but I know they’re gonna publish this, and I know it’s all downhill from here. I believe this was

00:17:10.880 --> 00:17:17.520
the Monday. So, WannaCry happened on the Friday. I woke up Monday; they had published my name,

00:17:17.520 --> 00:17:23.360
they had published my photo. The Daily Mail had published my house address for some reason. I

00:17:23.360 --> 00:17:27.680
remember reaching out to journalists and being like, dude, what the hell is this?

00:17:27.680 --> 00:17:35.040
Why would you possibly need to publish my home address in the UK’s biggest newspaper after I’ve

00:17:35.040 --> 00:17:42.320
stopped a major criminal attack? This doesn’t make any sense. He apologized and he took it out,

00:17:42.320 --> 00:17:50.080
but I was like, dude, what goes through someone’s mind to think everyone needs to know where this

00:17:50.080 --> 00:17:56.640
person lives? But yeah, so, that day I woke up and my name was out there. Everyone knew

00:17:56.640 --> 00:18:03.280
it was me. I couldn’t walk down the street without being recognized by someone in town. I was like,

00:18:03.280 --> 00:18:07.680
this is it. This is the end of an era. I’m no longer MalwareTech,

00:18:07.680 --> 00:18:14.160
the anonymous researcher. I’m now Marcus Hutchins, and I remember just thinking, man,

00:18:14.160 --> 00:18:28.706
this is gonna be such an Earth-shattering change to the way I saw my life going.

00:18:28.706 --> 00:18:33.840
JACK: [Music] Once his name was out there, another paper, The Daily Mail,

00:18:33.840 --> 00:18:40.560
found a picture of him and published it. The headline read, ‘Surf dude saves the day’.

00:18:40.560 --> 00:18:43.680
MALWARETECH: I think that was the two-page spread with my face on it, right?

00:18:43.680 --> 00:18:44.800
JACK: Yeah, front cover.

00:18:44.800 --> 00:18:49.280
MALWARETECH: Yeah. So, before that, no one knew what I looked like because I ran an

00:18:49.280 --> 00:18:54.480
anonymous Twitter account with a cat avatar, and I believe they were the first ones to actually

00:18:54.480 --> 00:19:00.080
get a real photo of me. My mum, she reads The Daily Mail, so she came home and she

00:19:00.080 --> 00:19:08.080
handed me the newspaper, and there’s my face across a two-page spread. I’m like, oh my god.

00:19:08.080 --> 00:19:16.760
JACK: Marcus Hutchins was now world famous, and everyone wanted to talk with him, even me.

00:19:16.760 --> 00:19:22.160
MALWARETECH: There was this dude, this one dude; he kept ringing the doorbell every single hour.

00:19:22.160 --> 00:19:26.800
Then when we finally were like, look, you’ve gotta stop doing this, he just started calling

00:19:26.800 --> 00:19:33.040
instead. Somehow he had our phone number. There was — at one point there were several journalists

00:19:33.040 --> 00:19:38.160
just hanging around on the sidewalk outside my front door, waiting for me to come out of the

00:19:38.160 --> 00:19:44.480
house — of this funny story of me having to climb over the back fence to go and get food, because

00:19:44.480 --> 00:19:50.320
these journalists just would not leave the outside of my house. At the time I just didn’t understand

00:19:50.320 --> 00:19:57.680
why this was such a big deal, and as a very non-public person, it was actually quite scary.

00:19:57.680 --> 00:20:02.720
JACK: Marcus is a private person. He’s a bit awkward around people, very soft spoken. He

00:20:02.720 --> 00:20:09.120
does not want this kind of spotlight on him. This was agonizing for him. He’s tall and has huge,

00:20:09.120 --> 00:20:13.680
poofy hair. You can spot him easily in a crowd, and people were stopping him to

00:20:13.680 --> 00:20:18.640
talk with him everywhere he went. Are you the guy who stopped the ransomware? It wasn’t just

00:20:18.640 --> 00:20:23.760
random people and journalists. Foreign intelligence was curious about him, too.

00:20:23.760 --> 00:20:28.000
MALWARETECH: In the months after WannaCry while the investigation was still ongoing,

00:20:28.000 --> 00:20:32.800
before we knew that it was North Korea, there were a lot of foreign intelligence

00:20:32.800 --> 00:20:37.840
agencies. They weren’t really sure what my role was. There was actually one

00:20:37.840 --> 00:20:42.640
incident I remember quite clearly when I was traveling in a foreign country, and

00:20:42.640 --> 00:20:46.960
some researchers from a neighboring country had invited us out to lunch. [Music] They were like,

00:20:46.960 --> 00:20:52.000
hey, we’re really interested to hear about your research. Would you like to come to

00:20:52.000 --> 00:20:58.640
lunch with us? They gave us an address, and the address was across the border in their country.

00:20:58.640 --> 00:21:03.440
I didn’t see it as immediately suspicious because we were very close to the border

00:21:03.440 --> 00:21:07.040
of this country. So, I’m like, okay, they’re researchers from this country.

00:21:07.040 --> 00:21:10.640
They’re probably gonna know more good restaurants in this country. Let’s go

00:21:10.640 --> 00:21:17.200
meet them in their country for lunch. I got a tap on the shoulder by someone who I have

00:21:17.200 --> 00:21:21.520
no idea who they are or who they worked for, and they were like, just so you know,

00:21:21.520 --> 00:21:27.840
those are intelligence operatives of that country. Those people inviting you to lunch work for their

00:21:27.840 --> 00:21:34.480
foreign intelligence service. I would maybe go get McDonalds or just go anywhere else.

00:21:34.480 --> 00:21:37.040
JACK: So, you don’t know who tapped you on the shoulder.

00:21:37.040 --> 00:21:39.680
It was just a stranger from the crowd and then they disappeared after that.

00:21:39.680 --> 00:21:40.696
MALWARETECH: Yep.

00:21:40.696 --> 00:21:40.707
JACK: What?

00:21:40.707 --> 00:21:44.640
MALWARETECH: It was one of the weirdest experiences I had in my life.

00:21:44.640 --> 00:21:50.400
JACK: That must have been for — just to have some random person tell you that

00:21:50.400 --> 00:21:56.000
and then suddenly the camera’s zooming way out. Like, whoa, hold on, let me…

00:21:56.000 --> 00:22:00.240
MALWARETECH: I assume it was probably someone from my country. I don’t know…

00:22:00.240 --> 00:22:02.960
JACK: Why is someone from your country following you to another country while

00:22:02.960 --> 00:22:07.760
you’re on vacation? That is crazy. I think it was someone following those people around,

00:22:07.760 --> 00:22:10.560
and then they’re like, wait, who’s this guy they’re…? Oh, I see.

00:22:10.560 --> 00:22:16.160
MALWARETECH: It’s entirely possible. We ended up on a lot of people’s radars after

00:22:16.160 --> 00:22:20.720
WannaCry. My colleagues not so much, ‘cause they weren’t as in the public eye as me,

00:22:20.720 --> 00:22:26.960
whereas I was the one who got tracked down first, so I took most of the heat. But I ended

00:22:26.960 --> 00:22:32.400
up having to actually go into a few different countries and speak to their law enforcement and

00:22:32.400 --> 00:22:35.840
tell them my side of the story, ‘cause there was obviously a lot of suspicion. They’re like,

00:22:35.840 --> 00:22:41.520
no one knew where WannaCry came from, and I was the only tie to it. All they knew is

00:22:41.520 --> 00:22:46.960
that this worm just came from nowhere and there’s only a single domain in the code,

00:22:46.960 --> 00:22:51.760
and it’s linked to Marcus Hutchins in Great Britain. So, I basically ended up going on

00:22:51.760 --> 00:22:59.280
this sort of — almost like an apology tour but without an apology, because I’m not responsible.

00:22:59.280 --> 00:23:04.640
So, I had to sort of give them my side of the story, explain why we registered the domain,

00:23:04.640 --> 00:23:11.440
how it came to that, and eventually, obviously — I think it was — it might have been October.

00:23:11.440 --> 00:23:18.720
It was a good six or seven months after WannaCry that the NSA and GCHQ and I think the Australian

00:23:18.720 --> 00:23:24.240
intelligence services, they all came out and they pointed the finger at North Korea. So, after that,

00:23:24.240 --> 00:23:30.800
the heat kinda died down, but in that bit between stopping WannaCry and it being publicly attributed

00:23:30.800 --> 00:23:37.280
to North Korea, I spent a lot of my time dodging very — I don’t know how to describe it,

00:23:37.280 --> 00:23:44.080
but very suspicious situations. I suspected that people had nefarious intentions with

00:23:44.080 --> 00:23:49.360
either wanting to interview me or inviting me to their country to come speak at their conferences.

00:23:49.360 --> 00:23:55.160
There was a lot of that in that period, so it was a very, very strange time in my life.

00:23:55.160 --> 00:24:01.360
JACK: Man, how crazy is that, to be invited to speak at another country and then to wonder,

00:24:01.360 --> 00:24:06.960
is this a ploy for some foreign intelligence operatives to arrest me? Or even worse,

00:24:06.960 --> 00:24:11.360
is North Korea mad at me and they want to pay me back for screwing up their ransomware and

00:24:11.360 --> 00:24:15.680
they’re inviting me to this thing just so they can kidnap me? Marcus has to be very

00:24:15.680 --> 00:24:22.640
careful from now on. This sudden fame was attracting a lot of strange people. WannaCry

00:24:22.640 --> 00:24:30.880
hit in May of 2017. Three months after that was Defcon, [music] the annual hacker conference in

00:24:30.880 --> 00:24:37.600
Las Vegas in the US. Marcus had been there once before in 2016, and he liked it, so he flew out

00:24:37.600 --> 00:24:46.240
again in 2017. But little did he know that this Defcon was going to radically change his life.

00:24:46.240 --> 00:24:54.720
MALWARETECH: So, it was insane. I cannot even accurately describe the feeling of it.

00:24:54.720 --> 00:24:57.960
JACK: Try, though. Try. Let’s hear it.

00:24:57.960 --> 00:25:03.840
MALWARETECH: Yeah, so, there’s what we did personally and then there’s what we did within the

00:25:03.840 --> 00:25:10.480
conference. So, personally, what my friends had found out is that hotels in Vegas are ridiculously

00:25:10.480 --> 00:25:16.960
expensive. They basically calculated what could we afford if we just put all our individual hotel

00:25:16.960 --> 00:25:25.040
room costs together and got an Airbnb instead? We found we could get one of the biggest mansions

00:25:25.040 --> 00:25:31.840
in Las Vegas with the largest private hall in, I believe, the entire state. So, we went and we got

00:25:31.840 --> 00:25:38.480
this insane mansion. Then we’re like, well, the mansion’s not complete without supercars, right?

00:25:38.480 --> 00:25:44.160
There’s a car dealer in Vegas that — they let you rent supercars for like, a day, two days, three

00:25:44.160 --> 00:25:49.600
days a week. So, my friends, they went out and they rented supercars. So, we had this driveway

00:25:49.600 --> 00:25:55.760
full of supercars, and they’re not particularly expensive to rent for short periods of time.

00:25:55.760 --> 00:26:00.960
But of course, I didn’t realize that in the background I was setting up this

00:26:00.960 --> 00:26:08.240
scene of me being this very, very wealthy person, when in reality the costs were split between

00:26:08.240 --> 00:26:14.640
about — I think eight to twelve people. So, we had this crazy Vegas trip. We stayed in this massive

00:26:14.640 --> 00:26:21.920
mansion. We were driving around in supercars. We were shooting automatic weapons. We just went all

00:26:21.920 --> 00:26:29.680
out on Vegas. Now, the conference itself was very, very different. Now, I had suspected I would get

00:26:29.680 --> 00:26:36.000
a fair amount of attention at the conference given how recent WannaCry was. It was only,

00:26:36.000 --> 00:26:42.720
I think, three months ago. [Music] But I had no idea the level that I was going to experience. I

00:26:42.720 --> 00:26:50.480
remember this was back when it was in Caesar’s Palace, the actual casino, before the forum.

00:26:50.480 --> 00:26:57.200
Anyone who’s been will remember there’s these hallways that are maybe twenty, forty feet wide,

00:26:57.200 --> 00:27:02.400
and it’s just shoulder-to-shoulder people all the way down the hallway.

00:27:02.400 --> 00:27:09.440
I could not walk through the hallway because the traffic was moving so slowly that I would take a

00:27:09.440 --> 00:27:14.080
step, someone would recognize me; they’d come over and talk to me, and by the time I got to

00:27:14.080 --> 00:27:20.800
take my next step, someone else would come over. I had to get to this one event, and it took me

00:27:20.800 --> 00:27:30.000
two hours and fifteen minutes to walk a — maybe a hundred feet down the hallway. I was just like,

00:27:30.000 --> 00:27:37.600
I need to go to my hotel room and hide. There’s like — an average fifteen-minute

00:27:37.600 --> 00:27:41.600
conversation will drain my social battery to the point where I need to sleep,

00:27:41.600 --> 00:27:47.760
and I’m now at a level where I physically feel like I’m gonna pass out. It was one of the most

00:27:47.760 --> 00:27:55.440
crazy experiences I’ve ever had. I just remember feeling so overwhelmed, ‘cause I knew there was

00:27:55.440 --> 00:28:00.240
gonna be people who would want to come up and talk to me. I just didn’t think it would be that many.

00:28:00.240 --> 00:28:02.440
JACK: What was some of the stuff they were saying to you?

00:28:02.440 --> 00:28:07.840
MALWARETECH: Oh, it was all overwhelmingly positive, like super heartwarming stuff.

00:28:07.840 --> 00:28:13.760
Everyone was just really, really positive. They were all very kind, very polite. I don’t think

00:28:13.760 --> 00:28:20.960
I had, in the entire Defcon, a single negative interaction. People make out the hacking community

00:28:20.960 --> 00:28:28.480
to be all these bad people and evil, but generally speaking, I cannot think of a single negative

00:28:28.480 --> 00:28:34.560
interaction I had. Everyone was so polite and so wonderful, but then on the other side of this,

00:28:34.560 --> 00:28:39.680
I’m just an introvert, so I’m not used to this level of attention. So, inside I’m like, this

00:28:39.680 --> 00:28:47.600
is really, really heartwarming and supportive, but also, I feel like my entire body is on fire.

00:28:47.600 --> 00:28:56.000
JACK: Yeah. Wow, so what a weekend. You gotta fly back to the UK after that, right?

00:28:56.000 --> 00:29:02.000
MALWARETECH: Yeah, so, I believe the second of August. We spent ten days there. So,

00:29:02.000 --> 00:29:05.200
second of August I was due to fly back to the UK.

00:29:05.200 --> 00:29:10.320
JACK: Mm-hm. So, you have to go through the McCarran Airport in

00:29:10.320 --> 00:29:14.720
Vegas. You get through security just fine?

00:29:14.720 --> 00:29:20.320
MALWARETECH: No. So, security was a little weird, ‘cause usually when you go through security,

00:29:20.320 --> 00:29:26.800
they make you take any big items out of your bag; laptops, iPads, phones. That is my experience

00:29:26.800 --> 00:29:32.880
with that airport. They always make you take your laptop out of your bag, whereas with me,

00:29:32.880 --> 00:29:40.720
they didn’t. It seemed like they were speaking to me specifically and not the guests in general.

00:29:40.720 --> 00:29:46.000
They — as I went to put my bag — like to unpack my bag, they said, oh, just leave everything in

00:29:46.000 --> 00:29:51.760
there and put it through. It felt very weird at the time. I was like, it didn’t look like

00:29:51.760 --> 00:29:59.520
they said that to anyone else other than me. It looked like they specifically singled me out.

00:29:59.520 --> 00:30:05.680
I had a feeling I knew what was coming. I had a feeling that it was actually gonna be related to

00:30:05.680 --> 00:30:11.600
WannaCry, that the FBI had some questions for me and they were gonna pull me aside,

00:30:11.600 --> 00:30:17.840
but I was actually — I wasn’t sure. So, my bag goes through security just fine in the weirdest

00:30:17.840 --> 00:30:26.080
way possible. I go to the lounge, and I think maybe an hour before my flight, a bunch of people

00:30:26.080 --> 00:30:35.520
in CBP uniforms approach me. [Music] I’m like, huh, ‘cause CBP is customs. I’m trying to think,

00:30:35.520 --> 00:30:41.360
what would I have done that would get me on the wrong side of customs? The only thing I could

00:30:41.360 --> 00:30:48.800
think of is this was the year that they had legalized recreational cannabis in Las Vegas.

00:30:48.800 --> 00:30:52.960
So, I was like, did I forget to take some drugs out of my bag? So,

00:30:52.960 --> 00:30:56.640
I’m thinking they’re pulling me aside because I had forgotten to take some weed out of my bag;

00:30:56.640 --> 00:31:03.600
they found it, whatever. They take me to this back room, and they take off their jackets

00:31:03.600 --> 00:31:12.800
and they unroll these badges, and it’s FBI. I’m like, oh, okay. So, I did not know that

00:31:12.800 --> 00:31:17.440
was even something you were allowed to do, to pretend to just be a different agency, or if

00:31:17.440 --> 00:31:23.760
the people who took me were genuinely also CBP. But I get to this back room in the airport and

00:31:23.760 --> 00:31:31.520
they identify themselves as FBI. At this point I still am not exactly sure why I’m being detained.

00:31:31.520 --> 00:31:36.080
JACK: I’m sorry, but I have to take a quick ad break here. But stay with us because Marcus is

00:31:36.080 --> 00:31:43.680
about to be very surprised about why the FBI is talking with him. You have such a

00:31:43.680 --> 00:31:48.000
happy demeanor to you, so I imagine even in those first fifteen minutes or so of like,

00:31:48.000 --> 00:31:52.640
oh, okay, we’re actually the FBI, I still imagine you smiling and being like, oh yeah,

00:31:52.640 --> 00:31:55.360
you know what? There were a thousand people who wanted to ask me about

00:31:55.360 --> 00:31:59.760
WannaCry. I’m sure you’re just another one. What do you want to know? Did you

00:31:59.760 --> 00:32:02.400
have that kind of attitude, or what was that first fifteen minutes like?

00:32:02.400 --> 00:32:05.600
MALWARETECH: So, I believe I was a bit hungover, but you are right;

00:32:05.600 --> 00:32:10.960
I always just have this happy demeanor. So, I’m like, even when things are generally really,

00:32:10.960 --> 00:32:15.920
really bad, I always just am chill and happy to be there. So, I — yeah,

00:32:15.920 --> 00:32:20.720
I think I was a bit hungover but otherwise I was like, oh, okay, it’s the FBI. Whatever,

00:32:20.720 --> 00:32:26.080
I’ll talk to them. But I hadn’t quite yet figured out why they wanted to talk to me.

00:32:26.080 --> 00:32:31.360
JACK: Okay, and what were the questions they were asking you?

00:32:31.360 --> 00:32:36.880
MALWARETECH: So, they started off with a bunch of random questions. It felt like

00:32:36.880 --> 00:32:41.920
they were deliberately trying to confuse me. They themselves were trying to obscure the

00:32:41.920 --> 00:32:46.240
reason why they had pulled me aside. So, it felt like they were basically just fishing

00:32:46.240 --> 00:32:52.960
for information in a way that was designed to prevent me from realizing that I’m in

00:32:52.960 --> 00:32:59.040
trouble and I need a lawyer. So, they kinda presented themselves as these very — just,

00:32:59.040 --> 00:33:05.040
we’re asking questions. We’re just some friendly FBI agents asking questions.

00:33:05.040 --> 00:33:11.480
I thought it was about WannaCry until a good thirty minutes, I think, into the interview.

00:33:11.480 --> 00:33:16.800
[Music] So, you know in the movies when they slide the document across the table and they ask you, do

00:33:16.800 --> 00:33:23.120
you know what this is? Usually it’s a photo of a murderer or whatever. So, they did that. I didn’t

00:33:23.120 --> 00:33:29.200
think that was a real thing they did, but they did that. Except, in my case, they had basically

00:33:29.200 --> 00:33:36.960
printed off compiled code. So, it was basically just fifteen pages of just straight gibberish. So,

00:33:36.960 --> 00:33:42.640
I’m going through these pages and they’re like, do you know what this is? I’m like, no — like,

00:33:42.640 --> 00:33:51.520
honestly, no. This is literal gibberish. But then one of the things with compiled code is

00:33:51.520 --> 00:33:58.160
any text that is present in the code is present in the — however you were to print it off.

00:33:58.160 --> 00:34:02.720
So, I get to the text section of the code and I start recognizing the strings. I’m like,

00:34:02.720 --> 00:34:09.280
oh, they printed off the Kronos executable. They’ve taken the compiled Kronos malware,

00:34:09.280 --> 00:34:14.880
opened it in Notepad or something, hit Print, and this is what I’m looking at. That was kinda

00:34:14.880 --> 00:34:20.720
the point where I realized, oh, I’m in some serious trouble. But then I’m also trying

00:34:20.720 --> 00:34:26.560
not to laugh because someone has just tried to print an executable and hand it to me. Yeah, so,

00:34:26.560 --> 00:34:33.000
I’m toggling between almost smiling and oh shit, I’ve really messed up.

00:34:33.000 --> 00:34:37.920
JACK: It is absolutely ridiculous that they printed off a program and handed it to him.

00:34:37.920 --> 00:34:44.080
It wasn’t readable code. It was compiled. Only a computer could read it. There’s no way that

00:34:44.080 --> 00:34:49.840
anyone can read this gibberish. Except, there was one word in there which made Marcus realize what

00:34:49.840 --> 00:34:58.320
he was looking at; the Kronos malware. Kronos was a devastating banking malware. It was designed to

00:34:58.320 --> 00:35:03.680
get access into a victim’s bank account, and then the person operating the malware can siphon funds

00:35:03.680 --> 00:35:09.520
out of the victim’s bank. The FBI agents handed it to Marcus and asked him if he recognized it,

00:35:09.520 --> 00:35:18.240
and he did recognize it. Because before the world knew who Marcus Hutchins was, he was only known as

00:35:18.240 --> 00:35:26.000
MalwareTech, an anonymous security researcher. But before that, he was a malware developer.

00:35:26.000 --> 00:35:33.040
MALWARETECH: [Music] I started out as a malware writer. I specialized in writing rootkits. So,

00:35:33.040 --> 00:35:38.880
that’s malware that hides malware. So, I mostly did stuff like Trojans that would do Bitcoin

00:35:38.880 --> 00:35:46.080
mining, stuff that’s not super harmful but also not really very great, either. It’s like the — not

00:35:46.080 --> 00:35:51.400
the worst of the worst, but obviously not something that I didn’t deserve to go to jail for.

00:35:51.400 --> 00:35:56.000
JACK: Basically, he would write malware, which in itself is not so bad. It all depends on what

00:35:56.000 --> 00:35:59.920
you do with the malware, right? But he was working with someone who wanted to

00:35:59.920 --> 00:36:05.920
take his malware and sell it so they could make money. So, now his malware was being

00:36:05.920 --> 00:36:12.400
offered to criminals for sale. But still, by itself, his malware wasn’t making any sales.

00:36:12.400 --> 00:36:16.720
MALWARETECH: Basically, we had a seller. So, his job was to sell the malware. I would write

00:36:16.720 --> 00:36:22.720
the malware for him and then he would sell it. Then he announced to me that he had contracted

00:36:22.720 --> 00:36:29.040
this other programmer to combine my code with the banking code to make banking malware that

00:36:29.040 --> 00:36:34.400
he wanted to sell. So, essentially, I had a choice. I was like, okay, so,

00:36:34.400 --> 00:36:42.320
my code has just been made into banking malware. I am already implicated in this. What do I do? So,

00:36:42.320 --> 00:36:48.480
I was like, I don’t really want to have anything to do with this. I specifically

00:36:48.480 --> 00:36:54.400
said that any kind of credit card fraud or any kind of theft of money was over my moral line.

00:36:54.400 --> 00:37:00.640
I don’t want anything to do with this. That was the point when he basically hinted that

00:37:00.640 --> 00:37:06.320
if I didn’t continue to maintain the code, he would drop my name and address to the FBI. So,

00:37:06.320 --> 00:37:14.000
at that point, I was like, I am in too deep. There is nothing I can do at this point.

00:37:14.000 --> 00:37:19.840
JACK: So, as a teenager he developed part of this Kronos malware,

00:37:19.840 --> 00:37:26.160
and now it was being bought by criminals and actively used to rob people’s bank accounts,

00:37:26.160 --> 00:37:32.859
and he’s actively supporting the code, adding in features, fixing issues. This made him worry.

00:37:32.859 --> 00:37:36.800
MALWARETECH: [Music] The second he told me that he had combined it with the banking malware,

00:37:36.800 --> 00:37:41.760
I was like, yeah, this is going to come back and bite me. There is no way that

00:37:41.760 --> 00:37:47.520
I am — I knew this was gonna come. I am going to be picked up by the FBI at some

00:37:47.520 --> 00:37:54.480
point. This is gonna come back to bite me. Even then as — I think I was maybe

00:37:54.480 --> 00:38:00.240
nineteen when this happened. I knew the repercussions. I was like, this is bad.

00:38:00.240 --> 00:38:05.760
JACK: He kept looking for a way out of this deal to stop working on the Kronos banking malware,

00:38:05.760 --> 00:38:09.040
but he feared that the guys he was working with were gonna turn him in if he quit.

00:38:09.040 --> 00:38:15.200
MALWARETECH: So, I kept maintaining the code for about — I want to say six months, a year, until

00:38:15.200 --> 00:38:22.560
I found a way to get out in a way that wouldn’t result in him sort of doing anything to me, like

00:38:22.560 --> 00:38:28.640
he wouldn’t report me to the FBI or do anything that would harm me other than the harm that has

00:38:28.640 --> 00:38:35.120
already been done. So, eventually, about a year later, I find him out and I completely distance

00:38:35.120 --> 00:38:41.360
myself from the project. I think I spend about a year just doing blogging, and then I get a job in

00:38:41.360 --> 00:38:47.760
cybersecurity. So, I basically — I leave the life behind. I go into a professional cybersecurity

00:38:47.760 --> 00:38:55.200
role, and that’s when I started doing this malware reverse-engineering and cyber threat intelligence.

00:38:55.200 --> 00:39:02.560
JACK: [Music] So, in August 2017, on his way back from the most epic Defcon ever, about to step foot

00:39:02.560 --> 00:39:10.880
on the plane, the FBI grabbed him and handed him a copy of his malware. He knew exactly what

00:39:10.880 --> 00:39:18.720
that was, and he feared this day would someday come. At this point he’s missed his flight. His

00:39:18.720 --> 00:39:24.480
friends are worried about what happened to him, and he’s starting to sober up. The smile faded.

00:39:24.480 --> 00:39:28.160
MALWARETECH: So, yeah, they took me to overnight holding,

00:39:28.160 --> 00:39:33.680
which is basically — it’s like actual jail. So, it’s the jail you go to

00:39:33.680 --> 00:39:37.720
when you get arrested by the police for being drunk and disorderly or whatever.

00:39:37.720 --> 00:39:40.000
JACK: Man, to be in jail with all the drunk and

00:39:40.000 --> 00:39:44.000
disorderly people from Las Vegas, that’s gotta be a real nightmare.

00:39:44.000 --> 00:39:50.400
MALWARETECH: Yeah, from the nice, fancy mansion and driving around in Lamborghinis

00:39:50.400 --> 00:39:55.040
to the concrete cell in county jail — well, I don’t know if it was even

00:39:55.040 --> 00:40:00.800
called county jail. But yeah, that was a very, very high high to a very low low.

00:40:00.800 --> 00:40:04.560
JACK: Now, the FBI needed to process him in order to charge him for these federal crimes,

00:40:04.560 --> 00:40:09.200
but it was getting late and the FBI agents were tired. So, they just needed to dump

00:40:09.200 --> 00:40:12.240
Marcus somewhere for the night, and then the FBI would pick it up again

00:40:12.240 --> 00:40:16.000
in the morning and finish processing him. So, they take him to the jail.

00:40:16.000 --> 00:40:24.320
MALWARETECH: The jail was full. There were no free cells. So, the police handcuffed me to a chair for

00:40:24.320 --> 00:40:28.480
the entire night. They were like, you’re just gonna be handcuffed to this chair in the lobby

00:40:28.480 --> 00:40:36.720
for the next twelve hours. I was like, great, that’s very comfortable. As a six-foot-four guy,

00:40:36.720 --> 00:40:42.960
I can think of no more comfortable way to sleep than in a lobby chair. So,

00:40:42.960 --> 00:40:48.560
I was a little upset at that point. I was like, okay, I can understand the rest of the stuff,

00:40:48.560 --> 00:40:55.200
but you’re gonna handcuff me to this tiny chair for twelve hours? But then I found a

00:40:55.200 --> 00:40:59.680
solution. I needed to go to the bathroom, so I asked to go to the bathroom. It turns out,

00:40:59.680 --> 00:41:05.520
the bathroom is just a cell that they leave vacant for people to use, ‘cause each cell has its own

00:41:05.520 --> 00:41:10.400
toilet in it. So, they have a spare one which is like the visitor toilet.

00:41:10.400 --> 00:41:16.080
So, I asked to go to the bathroom, and they throw me in that cell; they lock the door. I’m like,

00:41:16.080 --> 00:41:22.320
well, how do I get back out? I realized that you don’t. You basically just stay locked in the

00:41:22.320 --> 00:41:29.120
bathroom until the next person uses the bathroom. So, my plan for the night ended up becoming — I

00:41:29.120 --> 00:41:34.000
asked to go to the bathroom. The bathroom is just a normal cell, so it has a concrete bench. I sleep

00:41:34.000 --> 00:41:39.200
on the nice, comfy concrete bench. Then when someone else next needs to use the bathroom,

00:41:39.200 --> 00:41:44.080
they take me out, they handcuff me back to my chair. I ask to use the bathroom again,

00:41:44.080 --> 00:41:48.560
and that was basically my night, is I just slept on the concrete bench in

00:41:48.560 --> 00:41:55.280
the designated public toilet cell. Oh yeah, so, in overnight holding,

00:41:55.280 --> 00:42:01.840
because a lot of the drunk people might pass out and end up in a state where they need medical

00:42:01.840 --> 00:42:07.840
attention, the guards are supposed to do a round every twenty minutes and check on all the cells.

00:42:07.840 --> 00:42:13.840
So, there’s a very loud audible alarm that goes off to signal the guards to start their check,

00:42:13.840 --> 00:42:17.680
and it goes off every twenty minutes. Basically, you’re just sleeping for twenty

00:42:17.680 --> 00:42:22.480
minutes at a time, ‘cause you cannot sleep through that loud of an alarm.

00:42:22.480 --> 00:42:28.240
I would put that as the rock bottom of my life, basically just sleeping on a concrete bench in

00:42:28.240 --> 00:42:37.360
a public toilet. So, I think I get woken up at 4:00 a.m. in the holding facility. They

00:42:37.360 --> 00:42:42.240
wanted to process me, which I’m like, why are you processing me? You’re not keeping me. The

00:42:42.240 --> 00:42:48.160
FBI just left me here for you to deal with overnight, but I’m not staying. I remember

00:42:48.160 --> 00:42:53.120
I was in a really bad mood because I had been woken up every twenty minutes for the entire

00:42:53.120 --> 00:42:59.680
night. My back hurt. My side hurt. Every surface of my body hurt from trying to sleep on concrete.

00:42:59.680 --> 00:43:04.800
Then this guy’s asking me all these questions, like what’s your sexuality? I’m like, dude,

00:43:04.800 --> 00:43:11.520
you’re not — I’m not doing this. So, I told him, I’m not doing your intake form. I’m not

00:43:11.520 --> 00:43:16.320
going to be in prison here. There is no reason for me to be up at four in the morning doing

00:43:16.320 --> 00:43:21.920
prison intake. I remember him saying to me, you’re not leaving here without it. I wanted

00:43:21.920 --> 00:43:28.080
to be snarky and I wanted to be like, how much money do you want to bet on that? Of course,

00:43:28.080 --> 00:43:31.680
a couple hours later, the FBI just came and they’re like, we don’t care whatever he did

00:43:31.680 --> 00:43:38.480
here. He’s ours. They take me off to the local — I think it’s like a field office or maybe

00:43:38.480 --> 00:43:45.040
some kind of satellite office. They spend an hour processing me, like fingerprints, hair sample,

00:43:45.040 --> 00:43:51.520
saliva sample, you name it, photos. Then they — you get handed over to the US marshals.

00:43:51.520 --> 00:43:56.640
JACK: He gets taken to a federal detention center, basically a prison. He was locked up

00:43:56.640 --> 00:44:00.400
for the banking malware that he wrote when he was nineteen. So,

00:44:00.400 --> 00:44:08.720
there was nothing he could do but just sit there and see what fate has in store for him next.

00:44:08.720 --> 00:44:14.160
MALWARETECH: [Music] Someone who I actually didn’t know at the time — her name is Tarah Wheeler

00:44:14.160 --> 00:44:19.200
and Deviant Ollam, who — they’re pretty well known in the hacking community, but I didn’t

00:44:19.200 --> 00:44:24.320
know them and I had never met them. But they ran down to the courthouse and they posted my

00:44:24.320 --> 00:44:30.320
bail. They put up their own money. This was cash bail. If you’re not familiar with the bail system,

00:44:30.320 --> 00:44:36.320
typically if they set you a bail at 30k, you can go and borrow the money from a bail bondsman,

00:44:36.320 --> 00:44:42.560
and it’s usually — I think it’s a 10% deposit. So, you would just pay 3k and they’d put up the

00:44:42.560 --> 00:44:49.840
30k for you. But when you have a cash bail, you have to pay the entire amount yourself. So, they

00:44:49.840 --> 00:44:56.800
put up 30k of their own money to bail me out of jail. That was just — that truly just blew my mind

00:44:56.800 --> 00:45:02.400
that a stranger, someone I’ve never met, would be kind enough to do something like that for me.

00:45:02.400 --> 00:45:08.240
JACK: Tarah and Deviant simply saw Marcus as someone who helped the world by disabling

00:45:08.240 --> 00:45:12.000
WannaCry, so they asked the hacker community to all pitch in and help bail out Marcus,

00:45:12.000 --> 00:45:19.280
and people did. Honestly, this is gonna sound crazy, but it’s true; I randomly ran into Tarah

00:45:19.280 --> 00:45:25.440
myself at that time. We were on a remote island deep in the woods of all places, and in the first

00:45:25.440 --> 00:45:30.480
few minutes of meeting her, she asked me, hey, we’re raising money to help Marcus. Are you in?

00:45:30.480 --> 00:45:34.800
I actually gave her some of my money myself. She made a good case on why it was important

00:45:34.800 --> 00:45:39.600
to help people in situations like this, and they raised enough money to spring him out of jail.

00:45:39.600 --> 00:45:44.800
MALWARETECH: I came into the US on what’s called an ESTA, which is — a lot of countries

00:45:44.800 --> 00:45:49.840
have visa-free travel programs that allow you to visit as a tourist for

00:45:49.840 --> 00:45:53.920
thirty to ninety days without needing a visa. But you’re not allowed to work on

00:45:53.920 --> 00:45:58.080
those and you’re not allowed to stay longer than the thirty to ninety-day period. So,

00:45:58.080 --> 00:46:02.960
I’m in the US on a temporary visa, but my bail condition is I’m not allowed to leave

00:46:02.960 --> 00:46:08.160
the country until the case is over. [Music] Federal court cases go on for a long time.

00:46:08.160 --> 00:46:14.000
It’s very, very rare for a federal court case to go on for less than a year. So,

00:46:14.000 --> 00:46:19.120
I’m now in this sticky position where I need money to survive,

00:46:19.120 --> 00:46:23.120
but I’m also legally not allowed to be in the country, but I’m also legally not allowed to

00:46:23.120 --> 00:46:30.880
leave the country. So, I’m like, huh. Do you guys have a protocol for this? They’re like,

00:46:30.880 --> 00:46:36.400
no. Usually we don’t arrest foreign nationals like this. Or if you — when we do, you would

00:46:36.400 --> 00:46:43.920
be in jail. We’ve actually not had anyone be granted bail in this way. So, I’m like, okay,

00:46:43.920 --> 00:46:48.520
so I guess I’m just on my own here. I’m just gonna have to figure it out myself.

00:46:48.520 --> 00:46:54.240
JACK: He was stuck; can’t leave, can’t work. Lucky for him,

00:46:54.240 --> 00:46:57.080
a few good lawyers heard about his case and wanted to help him.

00:46:57.080 --> 00:47:04.640
MALWARETECH: Yeah, so, one of my lawyers lived in LA, and my case was out of Milwaukee. As much as

00:47:04.640 --> 00:47:11.920
I love the people of Milwaukee, Milwaukee’s not my scene. I’m a West Coast kind of surfer vibe,

00:47:11.920 --> 00:47:18.640
so I want to be near the coast. I want to be surfing. I want the nice, warm weather. Basically,

00:47:18.640 --> 00:47:25.520
one of my lawyers made the argument that, well — one of my lawyers is from LA and the

00:47:25.520 --> 00:47:32.240
other’s from San Francisco. So, if I’m stranded in Milwaukee, any time we need to do legal meetings,

00:47:32.240 --> 00:47:36.000
they’re both going to have to fly to me or I’m going to have to fly to one of them,

00:47:36.000 --> 00:47:40.800
and the other is going to have to fly to one of them. It’s a logistical nightmare. So,

00:47:40.800 --> 00:47:45.040
my lawyers were like, well, wouldn’t it make sense if he lived near one of his lawyers?

00:47:45.040 --> 00:47:50.320
The judge was like, yeah, that’s actually the more sane way to do this. So,

00:47:50.320 --> 00:47:55.040
they basically agreed that I could go and live with — in the same city as one of my

00:47:55.040 --> 00:48:02.480
lawyers. I don’t remember how or who chose it, but it ended up being LA. So, I get moved to LA,

00:48:02.480 --> 00:48:06.640
and I had never been to LA before. I didn’t know what it was like. I didn’t know what to expect,

00:48:06.640 --> 00:48:13.040
and I remember just kind of falling in love with the city within two weeks, which was pretty funny,

00:48:13.040 --> 00:48:19.440
‘cause a lot of governments, their strategy was give us what we want and we’ll let you go home.

00:48:19.440 --> 00:48:24.480
But after two weeks in LA, I’m like, actually, you know, I’m kinda good. I like it here.

00:48:24.480 --> 00:48:28.320
They’re like, give us what we want and you can go home. I’m like, no. They’re like,

00:48:28.320 --> 00:48:32.960
okay, give us what we want and — or we will deport you. I’m like, but you can’t deport

00:48:32.960 --> 00:48:38.160
me until the case is over. It just — it made things a little bit tricky for them because

00:48:38.160 --> 00:48:44.800
they had angled their whole case on this idea that I desperately wanted to go home to the UK,

00:48:44.800 --> 00:48:50.160
which was no longer the case. I actually — I made a lot of new friends in LA. I found a

00:48:50.160 --> 00:48:53.360
lot of cool stuff to do, and I was like, you know what? I’m actually pretty happy here.

00:48:53.360 --> 00:48:57.280
JACK: So, he became a bit of a beach bum. He couldn’t work or leave,

00:48:57.280 --> 00:49:01.760
so surfing just became the thing he’d do, right there on Venice Beach. Okay,

00:49:01.760 --> 00:49:06.720
so what charges did they have on you at this point? What is the — what are you facing?

00:49:06.720 --> 00:49:12.240
MALWARETECH: I actually don’t know. This is gonna sound absolutely insane, but I

00:49:12.240 --> 00:49:19.600
regularly have to Google what I was convicted of, because it was very obscure. Because in the US,

00:49:19.600 --> 00:49:25.040
it is not illegal to write malware. You might intuitively think, malware bad; surely it’s

00:49:25.040 --> 00:49:31.120
illegal. It’s not. There is actually no federal law against writing malware. So, what they tend

00:49:31.120 --> 00:49:37.920
to do is they tend to find other laws that can be interpreted in such a way as to charge you with

00:49:37.920 --> 00:49:44.960
malware. Now, initially I think they hit me with six charges and then they later upped it to ten,

00:49:44.960 --> 00:49:50.160
but they were all very obscure. They were things like conspiracy to commit wire tapping,

00:49:50.160 --> 00:49:56.320
conspiracy to sell a wire-tapping device, conspiracy to advertise a wire-tapping device.

00:49:56.320 --> 00:50:02.080
Their basic argument was that malware listens to keystrokes. Like, it’s like a key-logger,

00:50:02.080 --> 00:50:07.440
and a key-logger is like listening in on telephone calls, therefore we can use the

00:50:07.440 --> 00:50:15.280
wire-tapping act to charge him with what I would not call wire tapping, but they had argued is.

00:50:15.280 --> 00:50:18.880
So, I’m being charged with a statute that was originally made for stopping people

00:50:18.880 --> 00:50:24.080
from listening in on telephone calls. I’m also being charged with conspiracy to commit computer

00:50:24.080 --> 00:50:31.760
hacking. The way that works is if I am in any way involved with someone else doing hacking,

00:50:31.760 --> 00:50:37.200
they can charge me with conspiracy, being a part of a conspiracy. So, they basically argued

00:50:37.200 --> 00:50:43.680
because someone used my malware to hack people and I wrote the malware and then it was sold to

00:50:43.680 --> 00:50:49.600
that someone, I am therefore a conspirator in the — in whatever hacking happened.

00:50:49.600 --> 00:50:55.600
So, although I had never used my malware to hack anyone and I had never hacked any systems,

00:50:55.600 --> 00:51:00.560
they got me on conspiracy to commit computer hacking. I remember my lawyers explaining all

00:51:00.560 --> 00:51:05.760
this to me for the first time, and I was just insanely confused because in England,

00:51:05.760 --> 00:51:09.120
it’s just illegal to write malware. So, if I was charged in England, they’d be like,

00:51:09.120 --> 00:51:13.840
this is the no-writing-malware law. You’re being convicted of the no-writing-malware.

00:51:13.840 --> 00:51:18.800
But in the US, it was just so obscenely complicated that I couldn’t even wrap my head

00:51:18.800 --> 00:51:25.440
around what I was actually being charged with. I’m like, telephone wire tapping? This makes no sense.

00:51:25.440 --> 00:51:31.920
JACK: Here’s the thing; Marcus knew that by creating the Kronos malware, what he did was

00:51:31.920 --> 00:51:39.040
wrong. He knew he should face charges for that, but these charges? No. These were not the right

00:51:39.040 --> 00:51:45.440
charges. I’ve heard this time and time again from hackers on this show. They knew they did something

00:51:45.440 --> 00:51:50.560
bad. They were ready to face the consequences for it, but the charges that they were facing were

00:51:50.560 --> 00:51:56.400
for something else entirely, and that doesn’t feel right. Like, if you steal a thousand dollars from

00:51:56.400 --> 00:52:00.000
someone and get caught, you know you’re guilty, right? So, when the police say,

00:52:00.000 --> 00:52:04.240
did you do it? Yep. Okay, great, here are your charges. We know you worked with five

00:52:04.240 --> 00:52:09.760
other guys and together you all sold $200,000, so you’re facing ten crimes total. Whoa, whoa, whoa,

00:52:09.760 --> 00:52:15.360
hold on. I only stole a thousand dollars. This is not right. You know you’re guilty of stealing,

00:52:15.360 --> 00:52:22.160
but not guilty of all the other stuff. So, you feel like you have to say ‘not guilty’ to all

00:52:22.160 --> 00:52:27.040
of the charges since none of them match the actual crime you did. It’s a broken system.

00:52:27.040 --> 00:52:31.280
MALWARETECH: At that point I think I had decided to fight the case,

00:52:31.280 --> 00:52:36.560
because what had basically happened is they had made it very clear to me that they did

00:52:36.560 --> 00:52:42.160
not care that I committed crimes. This was not ‘you’ve done something wrong and we’re

00:52:42.160 --> 00:52:48.000
bringing you to justice’. They were very, very clear that they were only charging me

00:52:48.000 --> 00:52:53.840
to leverage me into becoming an informant and giving them up someone that they wanted. At

00:52:53.840 --> 00:52:58.000
that point I was kind of annoyed, because in my mind that’s not how the justice system works,

00:52:58.000 --> 00:53:03.200
right? You do a bad thing; you go to jail because you did a bad thing. Whereas they were saying,

00:53:03.200 --> 00:53:12.000
we don’t actually care what you did. We just want this other guy. I’m like, what? ‘Cause

00:53:12.000 --> 00:53:18.160
this isn’t — I guess for the American listeners out there, this is not how the UK system works.

00:53:18.160 --> 00:53:22.880
In the UK, you don’t have plea deals and it’s very, very hard for prosecutors to

00:53:22.880 --> 00:53:27.520
do cases in this way. The UK system is a lot more clear cut. You do a bad thing,

00:53:27.520 --> 00:53:31.200
you get charged with the bad thing, and you go to jail for doing the bad thing,

00:53:31.200 --> 00:53:36.000
whereas the US is a lot more geared towards — there’s always a bigger fish. They just — they

00:53:36.000 --> 00:53:40.800
want the bigger fish. They don’t really care about you or what you did. This was, of course, my first

00:53:40.800 --> 00:53:46.320
experience with the US justice system. So, I’m confused. I’m a bit frustrated. I’m annoyed. So,

00:53:46.320 --> 00:53:51.520
I ended up kind of deciding to fight the case because I also noticed that these charges don’t

00:53:51.520 --> 00:53:57.600
really make any sense. There is no law against writing malware, so you’re just charging me with

00:53:57.600 --> 00:54:05.506
these weird crimes. So, I’m like, okay, let’s just fight it and see what happens.

00:54:05.506 --> 00:54:11.520
JACK: [Music] Okay, so you had two lawyers at the time. That must have been costly.

00:54:11.520 --> 00:54:16.560
MALWARETECH: No. So, I was actually very lucky. These two great, great lawyers,

00:54:16.560 --> 00:54:20.800
Marcia Hofmann and Brian Klein, they reached out to me and they were like, we would like to

00:54:20.800 --> 00:54:27.600
take your case pro bono. These are like top, top lawyers, the kind that you would want on your side

00:54:27.600 --> 00:54:33.840
in a cyber-crime case. I remember they reached out to me and they were just like, we want to take

00:54:33.840 --> 00:54:40.000
your case free of charge. You’ll obviously have to pay court fees and filing fees and for your

00:54:40.000 --> 00:54:46.480
flights to and from the courthouse, but other than that, we’re not gonna charge you for our services.

00:54:46.480 --> 00:54:55.760
It just felt like a gift from the heavens. It was like, so much of the theme behind this story was

00:54:55.760 --> 00:55:02.080
just random people I had never met just sort of going out of their way to help me, and it was just

00:55:02.080 --> 00:55:10.720
such a surreal experience to have all of these people coming to my aid out of seemingly nowhere.

00:55:10.720 --> 00:55:19.200
JACK: Okay, the fight is on. Two powerhouse lawyers ready for action,

00:55:19.200 --> 00:55:24.400
Marcus unhappy with the way the justice system is acting and wants to make things right. But

00:55:24.400 --> 00:55:29.760
it’s a federal case. Federal cases are extremely slow. We’re talking years for them to finish.

00:55:29.760 --> 00:55:35.600
He’s gotta fly back and forth between Wisconsin where the trial is and California where he lives.

00:55:35.600 --> 00:55:39.920
Flying gets more and more tricky since his visa expired and he’s not supposed to be in the country

00:55:39.920 --> 00:55:44.000
anymore, but he’s also not allowed to leave the country, and he can’t work in the US, either.

00:55:44.000 --> 00:55:48.240
MALWARETECH: So, for a lot of the time, I was kinda wrestling with this internal conflict of

00:55:48.240 --> 00:55:54.880
like, A) I’m guilty and I did everything they say I did, but B) I’m also kind of really just

00:55:54.880 --> 00:56:01.280
fighting not because I believe I’m innocent but because I don’t feel like this is how the justice

00:56:01.280 --> 00:56:09.920
system should work. But what really kind of wore me down is just the time. We’re talking a year,

00:56:09.920 --> 00:56:16.640
two years into the case, and I’m — this is — it’s very, very hard to explain how stressful

00:56:16.640 --> 00:56:25.200
being in a federal case is. It is a level of stress that goes way beyond even the worst

00:56:25.200 --> 00:56:30.080
incident response cases I’ve ever worked, and it’s daily. Every day you just wake up

00:56:30.080 --> 00:56:34.880
and you’re just like, is today the day I go to jail? What’s happening in my case? Blah,

00:56:34.880 --> 00:56:41.280
blah, blah. It just — it wears you down so fast. I mean, people have committed suicide.

00:56:41.280 --> 00:56:48.160
There are people in the hacking community who have committed suicide from the just sheer constant

00:56:48.160 --> 00:56:56.800
stress of going through that system. I don’t think there is anyone who is set up to actually see

00:56:56.800 --> 00:57:01.120
that through to the end. At some point it just gets you to the point where you’re just like,

00:57:01.120 --> 00:57:09.200
I just — I give up. For me, I think that was about a year and a half, maybe a bit more in.

00:57:09.200 --> 00:57:15.600
We had fought a bunch of motions with the judge to get certain pieces of evidence dismissed and

00:57:15.600 --> 00:57:23.280
arguing that certain charges weren’t correct, and all of the motions were denied. So,

00:57:23.280 --> 00:57:27.200
at that point we’re basically starting from zero. We’ve got to find a new strategy. We’ve

00:57:27.200 --> 00:57:30.800
got to — we’re gonna be going for at least another year. At that point I was like,

00:57:30.800 --> 00:57:38.546
you know what? I just — I can’t do this anymore. So, I ended up just pleading guilty.

00:57:38.546 --> 00:57:44.880
JACK: [Music] After fighting it for almost two years, he switched and gave in and said,

00:57:44.880 --> 00:57:49.280
fine, charge me with whatever stupid stuff you want. I’m tired of this.

00:57:49.280 --> 00:57:54.240
MALWARETECH: Honestly, at that point, I was like, if I had just gone to jail from the start

00:57:54.240 --> 00:57:59.920
and spent a year or two in jail, it would have been infinitely easier on my mental health than

00:57:59.920 --> 00:58:09.120
going through this case. So, it was a lot and I just couldn’t take it anymore, so I folded.

00:58:09.120 --> 00:58:17.040
JACK: Okay then, guilty on all charges. Well, the case can be closed now,

00:58:17.040 --> 00:58:22.800
except for one last thing. The court now has to decide what his punishment is. So,

00:58:22.800 --> 00:58:26.720
a sentencing hearing was scheduled. Some early calculations were saying

00:58:26.720 --> 00:58:30.960
that he could get anywhere from two to eight years in prison. But of course,

00:58:30.960 --> 00:58:34.320
his lawyers were trying to fight for him to get as little prison time as possible.

00:58:34.320 --> 00:58:39.200
MALWARETECH: In my case, their argument was the FBI actually couldn’t produce

00:58:39.200 --> 00:58:44.560
any evidence of Kronos having damaged systems. That’s not to say it didn’t; I’m sure it did,

00:58:44.560 --> 00:58:51.360
but they had not produced any evidence. Part of their argument was that we estimate it caused X

00:58:51.360 --> 00:58:56.240
tens of — I think it was hundreds of thousands in damages, and they could not produce any

00:58:56.240 --> 00:59:02.560
evidence to back that up. Their sentencing recommendation was based on their claim

00:59:02.560 --> 00:59:07.280
that I had caused these hundreds of thousands of dollars in damages, which they couldn’t prove. So,

00:59:07.280 --> 00:59:13.760
my lawyers had an argument there of, well, if there is damages, where are they?

00:59:13.760 --> 00:59:18.240
JACK: [Music] So, his sentencing day comes. He heads into the courtroom.

00:59:18.240 --> 00:59:24.160
MALWARETECH: So, I had basically convinced myself from the start that I was going to jail. So,

00:59:24.160 --> 00:59:28.880
I went into that hearing with the belief that I was going to jail, and…

00:59:28.880 --> 00:59:30.400
JACK: I think you tweeted something, too,

00:59:30.400 --> 00:59:34.800
like, okay, I’m going to jail and whatever happens, I love you all.

00:59:34.800 --> 00:59:40.960
MALWARETECH: Yeah, pretty much. I was sure that I was not leaving that courtroom.

00:59:40.960 --> 00:59:44.320
JACK: The prosecution gave their arguments. His side gave

00:59:44.320 --> 00:59:49.080
his arguments. The judge listened to it all and came to a decision.

00:59:49.080 --> 00:59:55.040
MALWARETECH: Basically, my punishment was sentencing me to time served. Even when the

00:59:55.040 --> 01:00:00.800
judge said ‘time served’, it didn’t register, ‘cause they don’t — it’s not like in the movies

01:00:00.800 --> 01:00:04.720
where they bang the gavel and they’re like, this is your sentence. There’s usually — they

01:00:04.720 --> 01:00:09.440
say the sentence and they’ll talk a bit about why, and then they’ll talk about what happens

01:00:09.440 --> 01:00:15.360
next and blah, blah, blah. So, he sort of said the sentence and he kept talking. I’m like,

01:00:15.360 --> 01:00:19.920
okay, so — I actually didn’t really know what time served means. So, I’m like,

01:00:19.920 --> 01:00:23.760
is that the sentence? I don’t know. Then he’s still talking and I’m like,

01:00:23.760 --> 01:00:30.000
I’m waiting for him to say how much jail time, and it’s not coming. Then I think the

01:00:30.000 --> 01:00:35.840
hearing went on for maybe thirty, forty more minutes, and I was still confused at the end.

01:00:35.840 --> 01:00:40.560
I was like, I don’t actually understand how this system works or what time served

01:00:40.560 --> 01:00:44.960
means. I remember my lawyer just being like, you’re going home. I’m like,

01:00:44.960 --> 01:00:49.840
what? It just — it never registered. It didn’t register in the courtroom,

01:00:49.840 --> 01:00:55.040
it didn’t register when I went home, and it still doesn’t register now. In the back of my mind,

01:00:55.040 --> 01:01:00.880
I still feel like I have this thing hanging over me, and any minute now I’m going to go to jail.

01:01:00.880 --> 01:01:05.920
It was because I had just convinced myself since the beginning of the case that this

01:01:05.920 --> 01:01:12.480
ends in me going to jail, and because there was never any jail, it hasn’t ended in my mind. So,

01:01:12.480 --> 01:01:18.480
I’ve always — I’ve never been able to fully kind of clear that period of my life from my mind.

01:01:18.480 --> 01:01:22.320
JACK: Well, you should take a trip out to Alcatraz, hang out there for an hour,

01:01:22.320 --> 01:01:29.600
and do some sort of mental cleansing of, okay, I’m here, I did it, now I’m leaving. It’s over.

01:01:29.600 --> 01:01:36.386
MALWARETECH: It sounds funny, but that actually might not be a bad idea.

01:01:36.386 --> 01:01:41.600
JACK: [Music] The judge seemed to understand all aspects of this case even before the defense gave

01:01:41.600 --> 01:01:47.440
their side. People sent in tons of letters saying why Marcus should be free and serve no jail time.

01:01:47.440 --> 01:01:52.160
The judge read newspaper clippings of how Marcus is a hero in the UK for stopping

01:01:52.160 --> 01:01:56.960
one of the world’s biggest cyber-attacks, and one thing the judge had to think about was…

01:01:56.960 --> 01:02:02.400
MALWARETECH: What is gained by putting him in jail? Because he’s already on the good side. He’s

01:02:02.400 --> 01:02:10.160
doing good work and you’re just taking him away from doing the good work. What do you seek to gain

01:02:10.160 --> 01:02:18.640
for putting him in jail? That’s actually what the judge’s own argument was. I think — I suspect the

01:02:18.640 --> 01:02:23.760
judge had actually made up his mind about the sentence before any of us had made our

01:02:23.760 --> 01:02:29.520
arguments. He had looked at the case, he had looked at the totality of the circumstances,

01:02:29.520 --> 01:02:35.360
and he had been like, this just doesn’t make any sense. So, I strongly suspect the judge

01:02:35.360 --> 01:02:40.640
had already decided to sentence me to no jail time before we even got into the courtroom.

01:02:40.640 --> 01:02:46.720
He basically said that, yeah, he’s being — he’s self-rehabilitated, so there’s no

01:02:46.720 --> 01:02:53.200
‘he needs rehabilitation’ angle. He’s stopped one of the largest ransomware attacks in history,

01:02:53.200 --> 01:02:56.880
and he’s been doing all of this great cybersecurity work. He’s got all of

01:02:56.880 --> 01:03:03.440
these letters from various people in the cyber community. They wrote in letters

01:03:03.440 --> 01:03:07.600
explaining why they think I shouldn’t go to jail, and I think all of that

01:03:07.600 --> 01:03:13.320
just put together made a really strong case for sentencing me to time served.

01:03:13.320 --> 01:03:17.200
JACK: Time served simply means whatever time you’ve spent on this case already

01:03:17.200 --> 01:03:22.800
is enough punishment. You’re done. You can go home now. Case closed. You might

01:03:22.800 --> 01:03:27.280
think he got the best possible outcome here, but the stress of not knowing

01:03:27.280 --> 01:03:31.240
what’s going to happen to you for two years is a lot harder than you realize.

01:03:31.240 --> 01:03:39.680
MALWARETECH: To be honest, I’m being 100% real when I say this; if I could have taken a year

01:03:39.680 --> 01:03:44.840
or two in jail instead of going through all of that stress, I would have taken it.

01:03:44.840 --> 01:03:49.840
JACK: So, WannaCry was one of the worst things that happened to him,

01:03:49.840 --> 01:03:53.520
yet seemed to also be the very thing that saved him.

01:03:53.520 --> 01:03:59.040
MALWARETECH: It’s obviously hard to speculate what would have happened had WannaCry not happened,

01:03:59.040 --> 01:04:04.080
but there is a chance that I would have got sentenced to jail time if it was not for WannaCry.

01:04:04.080 --> 01:04:10.160
I don’t know that for sure, but yeah, I do think WannaCry was the silver lining of — at the time

01:04:10.160 --> 01:04:14.960
it felt horrible. It was like, my anonymity is gone. My life has been turned upside down,

01:04:14.960 --> 01:04:21.280
but then it most likely helped me out in the court case and it helped me come to terms with learning,

01:04:21.280 --> 01:04:25.280
I guess, better social skills and how to do public speaking.

01:04:25.280 --> 01:04:31.040
So, while at the time when it happened, I would say this was the most terrible thing that happened

01:04:31.040 --> 01:04:36.160
that far in my life, and I had gone through a lot of terrible things. But now when I look back,

01:04:36.160 --> 01:04:41.840
I think it was — it led to a lot of important growth that was needed and it helped me out in

01:04:41.840 --> 01:04:47.520
a lot of scenarios that would have made my life a lot worse had it not happened. So,

01:04:47.520 --> 01:04:53.760
I’m not saying — I’m not changing my answer, but I’m saying versus when it was happening,

01:04:53.760 --> 01:05:00.880
I was very adamant that this was the worst thing to happen to me, but now in hindsight, having had

01:05:00.880 --> 01:05:07.200
years and years of personal development, I think it turned out for the better. I think it improved

01:05:07.200 --> 01:05:14.160
me as a person and it bailed me out of potentially going to jail, potentially.

01:05:14.160 --> 01:05:21.760
(Outro): [Outro music]

01:05:21.760 --> 01:05:27.120
Thank you so much to Marcus Hutchins for coming on the show and finally sharing this story with us.

01:05:27.120 --> 01:05:32.000
This is such an incredible story. I’m so glad you finally said ‘yes’ to it. I started this

01:05:32.000 --> 01:05:37.200
show the year he got arrested and have dreamed about having him on this whole time. I get it;

01:05:37.200 --> 01:05:41.040
he was busy fighting for his life the whole time and was constantly being

01:05:41.040 --> 01:05:45.360
bombarded with interview requests. But that’s the thing about me; I don’t mind waiting eight

01:05:45.360 --> 01:05:51.360
years to get the story. Take your time. Unwind. Decompress from the craziest time of your life,

01:05:51.360 --> 01:05:55.600
and then let’s talk. It’ll still be a really good story when you’re ready.

01:05:55.600 --> 01:06:00.880
This episode was created by me, Ctrl + Alt + Deluxe, Jack Rhysider. Our editor

01:06:00.880 --> 01:06:06.320
is the zero-day dreamer, Tristan Ledger. Mixing done by Proximity Sound, and our intro music is

01:06:06.320 --> 01:06:12.560
by the mysterious Breakmaster Cylinder. The romantic bedroom scene often mimics

01:06:12.560 --> 01:06:14.327
what a hacker does. There’s gaining initial access, lateral movement, navigating trust levels,

01:06:14.327 --> 01:06:15.348
privilege escalation, putting things into memory, but just make sure you don’t get

01:06:15.348 --> 01:06:31.120
root access and then realize you’re in the wrong environment. This is Darknet Diaries.
