Meet Marcus Hutchins, surfer who saved the world from WannaCry

Self-taught computer-security researcher, avid surfer was hired by Kryptos Logic

The 23-year-old who saved the world from a devastating cyberattack in May was asleep in his bed in the English seaside town of Ilfracombe last week after a night of partying when another online extortion campaign spread across the globe.

Around 6 pm on June 27, Marcus Hutchins, a self-taught computer-security researcher and avid surfer, was awakened by a phone call from a colleague telling him another attack was underway. Dreading a return of the virulent WannaCry malware that he stopped in its tracks the previous month, Hutchins logged on to his computer in the house he shares with his parents and younger brother to scan the latest reports.

By then, more than 80 Ukrainian banks, government agencies and multinational firms had been hit by a ransomware attack spreading like an electronic plague across their networks. Within 20 minutes, Hutchins later recounted, he got hold of a sample of the malware and was relieved to see it wasn’t another WannaCry, which infected hundreds of thousands of computers in more than 150 countries, but something less virulent.

Researchers like Hutchins and his colleagues at Los Angeles-based threat-intelligence firm Kryptos Logic are akin to seismologists, scanning the internet for electronic tremors that could signal the next attack. 

With a mop of curly hair, baggy jeans, T-shirt and sneakers, Hutchins is an unlikely hero. Hutchins started a blog under the pseudonym MalwareTech while still a teenager and was hired by Kryptos in 2015. He said his parents didn’t even know he had a job until the WannaCry attack.

Hutchins was supposed to be enjoying a week’s holiday, but returning home after a lunch of burgers and cheesy chips with a friend and seeing the carnage WannaCry was inflicting, he couldn’t resist jumping in.

After analysing a sample of the malware and seeing it spread by exploiting vulnerabilities in Microsoft’s network file-sharing protocols, he realised it was using a cyberweapon allegedly stolen from the US National Security Agency. Known as “EternalBlue,” it was part of a cache of sophisticated NSA hacking tools targeting Microsoft software that were obtained by the Shadow Brokers criminal gang last year and leaked onto the internet in April.

Hutchins also noticed a quirk buried deep in the malware code. It tested for the existence of an unregistered nonsensical domain name. He promptly registered the domain for $11 and redirected all traffic to a server designed to capture malicious data, a sinkhole, which would allow him to monitor the progress of the attack.

Although he didn’t realise it at the time, Hutchins had inadvertently triggered the malware’s kill switch. Before infecting and encrypting a computer’s hard drive, WannaCry would query the domain, and as long as it remained unregistered would proceed with the attack. Now, when the malware checked the domain and found it active, it immediately shut down. About 100 million attempts to infect computers, including more than 7 million in the US, have been mitigated since then, according to Kryptos data.

Hutchins said he has been courted by some of the world’s biggest cybersecurity firms. In 2015, he interviewed with Britain’s top-secret Government Communications Headquarters but went to work for Kryptos instead after it made him an offer he said he “couldn’t refuse.”

“He’s a natural talent,” said Salim Neino, 33, Kryptos’s chief executive officer, who hired Hutchins after reading his blog. “He was obviously solving hard problems and he wasn’t doing it for monetary reward, and those are some of the key traits of great cyberwarriors.”

Hutchins said he didn’t ask for a raise after WannaCry because he had just been given one. He wouldn’t say how much he earns, but money goes a long way in Ilfracombe, where 1 in 5 children comes from a family whose income is less than 60 per cent of the national average. 

Given the nature of his work and his tendency to sound off on social media without much of a filter, Hutchins had kept his online and real-world lives separate. “Generally, you don’t want to advertise what you’re doing as you don’t want to piss off the bad guys,” Hutchins said.