Exclusive interview: Marcus Hutchins halted a global cyberattack. He fears blackmail, but doesn’t believe in the 'North Korea thing'

Is Marcus Hutchins walking around with a target on his back? Yes and no, is the reply from the 22-year-old British computer expert.

“I find it’s hard to say. There are two sides to it. One part of me basically is telling me that the perpetrators are incompetent amateurs, and the other that they are very competent and are merely pretending to be amateurs,” Marcus Hutchins says.

Wearing a T-shirt, light blue jeans and black skate shoes and donning a boyish grin, which erupts before each sentence he utters, he looks nothing like someone, who managed to stop the spread of a global cyberattack two weeks ago. He points to Copenhagen City Hall. “That is probably the biggest building I’ve ever seen in my life,” he says.

“Personally, I don’t buy the whole North Korea thing. I know that Symantec (the cybersecurity company) says that there are similarities between the codes, but this is easily forgeable. So it could either be a few nutters who stole some of the code, or it could be someone purposely trying to look like the Lazarus Group,” the young hacker from the South West England.

The holy grail of cybercrime

At present, Marcus Hutchins sits in a chair designed by famed designer Arne Jacobsen and fiddles with his phone. He is participating in the Copenhagen Cybercrime Conference arranged by the Confederation of Danish Industry, Finance Denmark, and the Danish security company CSIS. But two weeks ago, on Friday, 12 May, he sat in his red and black leather office chair in front of his three computer screen at home and discovered that the National Health Service (NHS) was under attack by a malicious ransomware virus.

The so-called WannaCry computer worm encrypted the computer files and demanded ransom payments of around £230 to release them again. In Hutchins’ view, it is not uncommon for a system like the one used by NHS to be exposed to one or two attempted cyberattacks a day. But the two attacks were followed by a third and then a fourth that Friday in May. All of a sudden the attacks evolved into a wave, all of which he observed on his radar, but only a few hours after the first attack, Hutchins managed to corner the WannaCry worm and end its digital raid on the NHS. He stopped it by purchasing a domain at the price of £8, which forced the worm to crawl back into its hole. But before he could celebrate having stopped a global cyberattack, Marcus Hutchins was gripped by panic lasting several minutes.

“At first I thought it had triggered the worm and spread it to many more systems, and I was like, what? But then someone from the cyber security scene wrote me on Twitter saying I had stopped the spread of the virus. Fortunately, that turned out to be correct,” he says.

He compares the past two weeks to going from scoring important goals in a sport nobody cares about to scoring the decisive goal in a World Cup final in football, Hutchins says.

“This is the holy grail of stopping a cyberattack. We’ve shut down major attacks in the past, but we’ve never experienced anything like this.”

Due to this, not one day in the past two weeks has boron any resemblance to the ones that came before. Ever since he succeeded in halting the world’s largest cyberattack in terms of scope, he has been the subject of massive media attention. Thanks to the British tabloid press, the whole world now knows his name and his face. And now everyone is can easily track down his address.

You don’t buy the theory that North Korea might have had anything to do with the WannaCry attack. Does that mean that you aren’t worried about retaliation?

“I’m actually not that worried about the more serious hackers such as the Lazarus Group,” Marcus Hutchins says, instead stressing that he is far more fearful of the slew of less experienced and low-ranking hackers known as scriptkiddies.

“If you thwart a serious hacker attack, the skilled hackers will move on and develop a new one. But there are some young scriptkiddies out there, capable of sending drugs or even a special forces to my address. They have a tendency to get cross on a completely irrational level and target you specifically,” he says and points out that since 12 May, his servers have been hit by daily DDoS attacks intended to block access to the system.

Foto: Finn Frandsen

Regrets tweet about WannaCry

Cybersecurity journalist Brian Krebs became famous for being targeted by hackers. He was sent a bag of heroin from the deep web as a result of exposing the identity of a group of hackers using the notorious Anonymous group. Others have had the doors to their homes torpedoed by military special forces because someone has placed a call and reported that a hostage situation is occurring at the address.

“So my worry is actually that my address is out there. In the future someone might want to mess with me. I would like to operate without too much attention. And in the future, if anyone knows that I am the one engaged in preventing their attacks, they might try to blackmail me,” Marcus Hutchins says.

Under the handle @MalwareTechBlog you wrote on Twitter that you might have stopped the attack, and if you have a Twitter user, a hacker will be able to track down the man using it. Do you not bear some of the responsibility for your fame?

“I disagree because I doubt they found me via Twitter. I think some news media found a picture of me and released it publicly. And then someone called and gave them my name, which they could then use to find my address.”

But do you regret writing the tweet?

“Yes. I should have just done it without tweeting about it. I had no idea that the attention would be so massive.”

Sometimes it requires sacrifices before the significance of a problem or a group of people is recognized. Is the exposure of your identity the sacrifice that is needed to attract more attention to the threat of cybercrime, a problem that might be difficult for the public to understand?

“I don’t know. I doubt that me being famous will have any major effect. But I do believe that the WannaCry attack in itself has changed something. But I doubt that I personally had anything to do with it,” Marcus Hutchins says.

Sometimes you need a character, someone you remember. So do you think that it will play some part in attracting attention to the problem that people now remember the superb story about the 22-year-old hacker, who happened to stop the world’s largest cyberattack?

“Yeah, that might have some role to play. What happened with Brian Krebs was that he was the man to go to with everything relating to fraud or hacking of credit card information. And of course I hope that something like that is going to happen, so that I’m involved in keeping the public informed about what is happening.”

Translation: Christoffer Østergaard