British hacker Marcus Hutchins, who helped thwart a global cyberattack in 2017, avoided jail time on Friday but faced a year of supervised release after pleading guilty to two counts of creating malware.
Hutchins has been held on bond since 2017 in the United States after the FBI arrested him, accusing the 25-year-old of creating a program designed to steal banking credentials.
During his release, Hutchins can return to the United Kingdom, according to the BBC.
His program, the Kronos banking Trojan, was of the type that infects browsers and then captures usernames and passwords when an unsuspecting user visits a bank or other trusted location.
His crime carried a maximum sentence of 10 years in prison, although investigators acknowledged earlier in 2019 that he had stopped creating malware. In a statement posted on his website, Hutchins pledged to use his knowledge of malware for good.
“As you may be aware, I’ve pleaded guilty to two charges related to writing malware in the years prior to my career in security,” he said. “I regret these actions and accept full responsibility for my mistakes. Having grown up, I’ve since been using the same skills that I misused several years ago for constructive purposes.
“I will continue to devote my time to keeping people safe from malware attacks.”
The allegations against Hutchins came as a shock to the cybersecurity community. His quick thinking helped control the spread of the WannaCry attack that crippled thousands of computers and affected the U.K.’s National Health Service.
Hutchins, on Friday, tweeted his gratitude for the judge’s leniency.
“Sentenced to time served! Incredibly thankful for the understanding and leniency of the judge, the wonderful character letter you all sent, and everyone who helped me through the past two years, both financially and emotionally,” he said.
The Associated Press contributed to this report.
By Sam Dorman