He inadvertently halted the global spread of the international ransomware attack and will donate thousands of pounds of his reward money to charity, but Marcus Hutchins, the security expert labelled the “accidental hero”, has said his “five minutes of fame” have been “horrible”.
Hutchins, 22, was propelled into the media spotlight when he activated a “kill switch” in the malicious software that wreaked havoc on organisations including the UK’s National Health Service earlier this month. He originally told the Guardian how he spotted the URL not knowing what it would do at the time, and spoke under his alias of MalwareTech because he did not want to be identified.
But within two days Hutchins, who operates out of an English coastal town, tweeted that he had woken up to discover that his picture was on the front page of a newspaper and since then has become the centre of a media storm. At first the blogger saw the funny side of having to climb over his back wall to avoid reporters camped outside his house, but now, he says, the situation has escalated to the point that he feels the British tabloids have put his life in danger.
Writing of his experiences on Twitter, he also said the press had doxxed a friend of his, which involves searching for and publishing private or identifying information about a particular individual on the internet, typically with malicious intent.
In a tweet that has since been deleted Hutchins wrote: “One of the largest UK newspapers published a picture of my house, full address, and directions to get there … now I have to move.” He later implored his supporters not to doxx journalists in revenge and reiterated that he had not sought fame.
Hutchins got his first job straight after school without any serious qualifications thanks to his tech blog and skill at writing software, which he said has always been a hobby. He works remotely for Kryptos Logic, an LA-based threat intelligence company, which was impressed by his work and got in touch to offer him a job a little over a year ago.
Last week, he revealed that he had been awarded a bounty by HackerOne, a group that rewards ethical hackers for finding software flaws, and that he would divide the money between charities and educational resources for IT security students.
Offering the reward, HackerOne said: “Thank you for your active research into this malware and for making the internet safer!”
On Sunday, Hutchins said he had so far decided on four charities: Doctors Without Borders, Great Ormond Street, Charity: Water, and Hackers For Charity.
Ransomware is a type of malware that encrypts a user’s data, then demands payment in exchange for unlocking the data. This attack used a piece of malicious software called WannaCry, which exploits a vulnerability in Windows.
Microsoft released a patch (a software update that fixes the problem) for the flaw in March, but computers that have not installed the security update remain vulnerable.
Hutchins previously warned that the attack could return in a new form and advised people to patch their systems. “This is not over,” he said. “The attackers will realise how we stopped it, they’ll change the code and then they’ll start again.”