United States v. Hutchins

Citation361 F.Supp.3d 779
Decision Date11 February 2019
Docket NumberCase No. 17-CR-124-2-JPS
Parties UNITED STATES of America, Plaintiff, v. Marcus HUTCHINS, Defendant.
CourtU.S. District Court — Eastern District of Wisconsin

Benjamin W. Proctor, Michael J. Chmelar, Benjamin P. Taibleson, United States Department of Justice (ED-WI) Office of the US Attorney, Milwaukee, WI, for Plaintiff.

Brian E. Klein, Baker Marquart LLP, Los Angeles, CA, Marcia C. Hofmann, Zeitgeist Law PC, San Francisco, CA, Daniel W. Stiller, D. Stiller LLC, Milwaukee, WI, for Defendant.


J.P. Stadtmueller, U.S. District Judge


Defendant Marcus Hutchins is a hacker who received considerable attention for disabling a North Korean malware called WannaCry. He has a reputation as a "white hat" hacker, which implies a hacker who works for the benefit of the public. Hutchins has nevertheless been indicted for various crimes related to his activity with two forms of malware, "Kronos" and "UPAS Kit."

On March 30, 2018, Hutchins filed a motion to suppress the statement that he made to Federal Bureau of Investigation ("FBI") agents immediately following his arrest, as well as any evidence the government may have obtained as a result. (Docket # 55). On July 13, 2018, Hutchins also filed three motions to dismiss various counts in the superseding indictment. (Docket # 92, # 95, and # 96).1 Magistrate Judge Nancy Joseph issued a report and recommendation in which she recommended denying all motions. (Docket # 109). Hutchins timely objected, and each party has fully briefed the issues. The Court will address each of the motions below. In accord with Magistrate Joseph's analyses, all motions will be denied. The Court will overrule Hutchins's objections and adopt Magistrate Joseph's recommendation in large measure.


When reviewing a magistrate's recommendation, this Court is obliged to analyze de novo "those portions of the report or specified proposed findings or recommendations to which objection is made." 28 U.S.C. § 636(b)(1)(C). The Court can "accept, reject, or modify, in whole or in part, the findings or recommendations made by the magistrate." Id. The Court's review encompasses both the magistrate's legal analysis and factual findings. Id. ; see also Fed. R. Crim. P. 59(b).


Hutchins, a citizen of the United Kingdom, is a coder and hacker of considerable repute. He is most well-known for finding the kill-switch to a North Korean malware called WannaCry in May 2017. According to the superseding indictment, several years ago, Hutchins developed two types of malware, UPAS Kit and Kronos (a "banking trojan").

The superseding indictment alleges that Hutchins developed UPAS Kit and, in 2012, sold it to Individual A, who then sold it to an individual in the Eastern District of Wisconsin. At some point before July 2014, Hutchins allegedly developed Kronos and provided it to Individual A, intending for Individual A to advertise, promote, and sell it. Hutchins used a YouTube video to demonstrate how Kronos worked, and referred prospective customers to Individual A. In December 2014, Hutchins hacked and analyzed a malware that competed with Kronos, and published a blog post describing the competing malware's vulnerability. In February 2015, Hutchins allegedly updated the Kronos malware, and distributed it to Individual B, who was located in California and was known to be involved in cyber-based criminal activities.

On July 11, 2017, a grand jury indicted Hutchins on various counts related to his activity with the malware. He was charged with conspiracy, fraud, and unlawfully intercepting communications. (Docket # 1). On June 5, 2018, the government filed a superseding indictment with additional charges. (Docket # 86). In Count One, the superseding indictment charges Hutchins with conspiring to violate the Computer Fraud and Abuse Act ("CFAA"), 18 U.S.C. § 1030, and the Electronic Communications Privacy Act ("Wiretap Act"), 18 U.S.C. § 2510 et seq. , in violation of 18 U.S.C. § 371. Counts Two and Three charge Hutchins with disseminating, aiding, and abetting an attempt to advertise the malware, in violation of the Wiretap Act. Counts Four and Five charge Hutchins with aiding and abetting the distribution of the malware, in violation of the Wiretap Act. Count Six charges Hutchins with using, or getting others to use, the malware to intercept communications in violation of the Wiretap Act. Count Seven charges Hutchins with causing, aiding, and abetting the transmission of malware in violation of the CFAA. Count Eight charges Hutchins with aiding and abetting the intentional access and damage to protected computers for the purpose of private financial gain, in violation of the CFAA. Count Nine charges Hutchins with lying to the FBI about whether he knew that his computer code was part of Kronos, in violation of 18 U.S.C. § 1001(a)(2). Finally, Count Ten charges Hutchins with conspiring to commit fraud in connection with his malware activities, in violation of 18 U.S.C. §§ 1343, 1349.

In the summer of 2017, Hutchins spent a week in Las Vegas to attend "Defcon," which is a conference for hackers. On August 2, 2017, Hutchins was about to embark on his journey back to the U.K. Hutchins was waiting in a lounge at the Las Vegas airport when a federal agent and two Customs and Border Patrol ("CBP") officials approached him. Unbeknownst to him, FBI Special Agents Lee Chartier ("Chartier") and Jamie Butcher ("Butcher") had been monitoring Hutchins's whereabouts all morning, and had followed him to the airport, through security, and to his lounge. Although the FBI had originally planned to arrest Hutchins as he boarded the flight, they opted to arrest him earlier in order to ensure that he did not consume any alcoholic beverages that might affect his ability to answer questions in an interrogation. Indeed, Hutchins had spent much of the week partying, which included ingesting various intoxicating substances. He had had very little sleep the night before. There are no allegations, however, that Hutchins was intoxicated whilst at the airport—only exhausted and, it can be assumed, terribly hungover.

Thus, at approximately 1:17 p.m., Hutchins was approached in the airport lounge by two CBP officers and a plainclothes FBI agent, Chartier. These officials escorted Hutchins to a stairwell, whereupon he was handcuffed. Chartier informed Hutchins that he was under arrest pursuant to a federal warrant. The officials then led Hutchins to an interview room, where Butcher was waiting. The agents observed Hutchins to be alert, engaged, and not visibly intoxicated or disoriented. Hutchins verbally confirmed that he was able to answer questions and was not drunk. Hutchins received his Miranda rights orally. He was also given an advisement of rights form. He listened to his rights and signed the advisement form in the presence of both agents. There is a dispute as to what time he signed it, but the Court does not find this to be material for reasons that will be explained below.

Hutchins then proceeded to respond to the questions asked by the agents, and gave consent for them to search his phones, laptops, backpacks, and USB drives. He did not request a lawyer or invoke his right to remain silent, although he did ask "what this is all about." The agents told him they would explain eventually, but continued questioning him. In total, Hutchins was questioned for approximately 105 minutes. He was offered food, an opportunity to use the restroom, and—eventually—allowed to contact his mother. He was not shown a copy of the arrest warrant until over an hour into the interrogation.2

Hutchins showed every indication of being voluntarily cooperative with the agents, but was also clearly confused about the nature of the interrogation. The interrogation began with broad questions about his career and his online activities, but about ten minutes in, the questions focused on Hutchins's involvement with malware. Hutchins acknowledged that when he was younger, he had written some code that ultimately ended up in malware, but denied that he developed malware. About eleven minutes into the interrogation, after looking at a string of code, Hutchins asked if they were looking for the developer of Kronos. Hutchins stated that he did not develop Kronos, and he had "gotten out" of writing code for malware before he was eighteen. Thirteen minutes in, he said that he had feared that law enforcement authorities would come after him, instead of the actual developer, because pieces of his code appeared in Kronos. Thus, Hutchins was aware that the criminal investigation was, at least in part, about Kronos, and that he was implicated in the investigation, although he expressed confusion about why he was being detained throughout the interrogation. Almost eighty minutes into the recorded interrogation, the agents finally provided him with the warrant, and told him that it had "nothing to do with WannaCry." The interrogation continued for about twenty minutes after that. Throughout the remainder of the interrogation, Hutchins tried to be helpful but noted that he had been "out" of so-called "black hat" hacking for so long that he did not have any helpful connections.

Hutchins was taken to a jail, where he proceeded to make two phone calls, which were recorded. Prior to making the phone calls, Hutchins was informed that the phone calls were subject to monitoring and recording. In the calls, Hutchins also made incriminating statements.


4.1 Motion to Suppress

Hutchins seeks to suppress his post-arrest statements and any evidence that may have been obtained as a result of his statements. He argues that he did not waive his Miranda rights, (Docket # 55 at 6–9), and submits that the government has not met its burden in rebutting the presumption against waiver, (Docket # 111 at 13). Hutchins calls into question whether (1) he received notice of his rights at all; and (2) whether he was able to voluntarily waive his rights...

To continue reading

Request your trial
3 cases
  • United States v. Rodriguez-Arvizu
    • United States
    • U.S. District Court — District of Arizona
    • 12 octobre 2021
    ...because they were a product of deception in that law enforcement misled him as to the true nature of their investigation. Hutchens, 361 F.Supp.3d at 791. The Court expressed its concern about the “abject failure of the agents to abide by” Rule 4(c)(3)(A). Id. However, the Court never addres......
  • James v. The Walt Disney Co.
    • United States
    • U.S. District Court — Northern District of California
    • 8 novembre 2023
    ... ... THE WALT DISNEY COMPANY, Defendants. No. 23-cv-02500-EMC (EMC) United States District Court, N.D. California November 8, 2023 ...           ... Wiretap Act. See also United States v. Hutchins , 361 ... F.Supp.3d 779, 795 (E.D. Wis. 2019) (stating that ... “[t]he majority of ... ...
  • United States v. Singla
    • United States
    • U.S. District Court — Northern District of Georgia
    • 28 novembre 2022
    ... ... professional relationship he had (if any) to GMC, to what ... extent he had access to GMC's internal network or to what ... degree he exceeded his authority while accessing GMC's ... computer system. cf. , United States v ... Hutchins , 361 F.Supp.3d 779, 793 (E.D. Wisc., Feb. 11, ... 2019)(where defendant's motion to dismiss indictment ... charging him ... with violating the CFAA was denied after the court found the ... indictment specifically advised him of the nature of the ... charges. Each ... ...
1 books & journal articles
  • § 7.05 The Computer Fraud and Abuse Act (18 U.S.§ 1030)
    • United States
    • Full Court Press Intellectual Property and Computer Crimes Title Chapter 7 The Computer Fraud and Abuse Act (CFAA)
    • Invalid date
    ...destructive as using a virus on a computer, or less invasive conduct such as "flooding an email account"); United States v. Hutchins, 361 F. Supp. 3d 779, 794 (E.D. Wis. 2019) (holding that when a person "steals (sensitive data)," as a matter of logic, they impaired the integrity of the dat......

VLEX uses login cookies to provide you with a better browsing experience. If you click on 'Accept' or continue browsing this site we consider that you accept our cookie policy. ACCEPT