Last week, a debilitating computer virus now known as WannaCry spread across networks at hospitals, banks, and other organizations all around the world until it was stopped by a young security researcher working out of his bedroom.
“It just doesn’t make sense to give out my personal information”
Now, journalists have published his name against his will, bringing him unwanted attention and sending a signal to privacy-sensitive researchers that no good deed goes unpunished.
The researcher, writing under the username MalwareTechBlog, published a blog post on his personal site with findings about the virus, explaining how he stopped it and what would have to be done to prevent it from coming back. News outlets, including the Daily Mail,The Guardian, and CNN called the anonymous researcher a hero.
The researcher was initially responsive to press inquiries. He told reporters that he was 22, lived in the south of England with his parents, and worked for an L.A. security firm. However, he told The Guardian that he wanted to remain anonymous “because it just doesn’t make sense to give out my personal information, obviously we’re working against bad guys and they’re not going to be happy about this.”
It took about a day for UK papers, including The Mail, The Sun, The Telegraph, and The Mirror, to suss out the researcher’s name — Marcus Hutchins — publish photos of him, show up at his house, and track down his friends and associates for interviews. “It’s caused a fair bit of stress,” he told Forbes. “I don’t want fame.”
I think this is the mistake I made. They thought i was hiding something and not that i didn't want a journalist campsite on my front lawn. https://t.co/qqbBWB0djF— MalwareTech (@MalwareTechBlog) May 14, 2017
Hutchins wrote on Twitter that he was not concerned about his and his family’s personal safety as much as he just wanted privacy and quiet, especially as he continued to work with other researchers on battling WannaCry, which was still spreading as of Monday.
“For the record I don't "fear for my safety," I'm just unhappy with trying to help clear up Friday's mess with the dorbell going constantly,” he tweeted.
Exposing Hutchins triggered criticism online among researchers and observers who believe the doxxing was irresponsible, unnecessary, and dangerous. “They pored through his online footprint until they eventually had enough evidence to identify someone who literally didn’t want to be identified,” wrote journalist Matthew Hughes at The Next Web. “It’s worth noting that in stopping WannaCry, [Hutchins] has pissed off some very unsavory people. And now his name, age, appropximate location, and details of his family are in the public domain because a bunch of sleazy, shitty tabloids wanted some clicks.”
There was no reason to dox @MalwareTechBlog. Especially no reason to stalk his friends.— Steve Ragan (@SteveD3) May 15, 2017
Just so we're all clear, fuck The Sun, The Telegraph and The Daily Mail. https://t.co/N1Evm3EuPk— Thomas Fox-Brewster (@iblametom) May 15, 2017
Security researchers who work with companies and governments to secure their products, also known as white hat hackers, face real threats from so-called black hat hackers and their backers, which are often governments. The perpetrators behind WannaCry are not yet known.
If journalists were able to find Hutchins’ real name, it’s fair to assume that hackers bent on revenge could have figured it out as well. It’s also certainly possible that Hutchins may realize he enjoys his newfound celebrity. However, independent security researchers doing work on their own time are the best line of defense the world has against massive cyberattacks. WannaCry wasn’t stopped by the US government; in fact, it was indirectly caused by the NSA, which discovered the vulnerability that then got leaked online. Hutchins has done work for the public interest before, tracing the Mirai botnet epidemic that caused a massive web outage in October. Many security researchers give talks and publish under their own names, but others closely guard their privacy — and the press circus around Hutchins may discourage others from donating their time to fight malicious viruses in the future.