Is Marcus Hutchins walking around with a target on his back? Yes and no, is the reply from the 22-year-old British computer expert.
“I find it’s hard to say. There are two sides to it. One part of me basically is telling me that the perpetrators are incompetent amateurs, and the other that they are very competent and are merely pretending to be amateurs,” Marcus Hutchins says.
Wearing a T-shirt, light blue jeans and black skate shoes, and sporting a boyish grin that erupts before each sentence he utters, he looks nothing like someone who managed to stop the spread of a global cyberattack two weeks ago. He points to Copenhagen City Hall. “That is probably the biggest building I’ve ever seen in my life,” he says.
“Personally, I don’t buy the whole North Korea thing. I know that Symantec (the cybersecurity company) says that there are similarities between the codes, but this is easily forgeable. So it could either be a few nutters who stole some of the code, or it could be someone purposely trying to look like the Lazarus Group,” says the young hacker from South West England.
The holy grail of cybercrime
At present, Marcus Hutchins sits in a chair designed by famed designer Arne Jacobsen and fiddles with his phone. He is participating in the Copenhagen Cybercrime Conference arranged by the Confederation of Danish Industry, Finance Denmark, and the Danish security company CSIS. But two weeks ago, on Friday, 12 May, he sat in his red and black leather office chair in front of his three computer screens at home and discovered that the National Health Service (NHS) was under attack by a malicious ransomware virus.
The so-called WannaCry computer worm encrypted the computer files and demanded ransom payments of around £230 to release them again. In Hutchins’ view, it is not uncommon for a system like the one used by the NHS to be exposed to one or two attempted cyberattacks a day. But the two attacks were followed by a third and then a fourth that Friday in May. All of a sudden the attacks evolved into a wave, all of which he observed on his radar. Only a few hours after the first attack, however, Hutchins managed to corner the WannaCry worm and end its digital raid on the NHS. He stopped it by purchasing a domain at the price of £8, which forced the worm to crawl back into its hole. But before he could celebrate having stopped a global cyberattack, Marcus Hutchins was gripped by panic lasting several minutes.
“At first I thought it had triggered the worm and spread it to many more systems, and I was like, what? But then someone from the cyber security scene wrote me on Twitter saying I had stopped the spread of the virus. Fortunately, that turned out to be correct,” he says.
Hutchins compares the past two weeks to going from scoring important goals in a sport nobody cares about to scoring the decisive goal in a World Cup final in football.
“This is the holy grail of stopping a cyberattack. We’ve shut down major attacks in the past, but we’ve never experienced anything like this.”
Because of this, not one day in the past two weeks has borne any resemblance to the ones that came before. Ever since he succeeded in halting the world’s largest cyberattack in terms of scope, he has been the subject of massive media attention. Thanks to the British tabloid press, the whole world now knows his name and his face. And now everyone can easily track down his address.
You don’t buy the theory that North Korea might have had anything to do with the WannaCry attack. Does that mean that you aren’t worried about retaliation?
“I’m actually not that worried about the more serious hackers such as the Lazarus Group,” Marcus Hutchins says, instead stressing that he is far more fearful of the slew of less experienced and low-ranking hackers known as script kiddies.
“If you thwart a serious hacker attack, the skilled hackers will move on and develop a new one. But there are some young script kiddies out there, capable of sending drugs or even special forces to my address. They have a tendency to get cross on a completely irrational level and target you specifically,” he says and points out that since 12 May, his servers have been hit by daily DDoS attacks intended to block access to the system.