Myers-Briggs Type Indicator for Cybercriminal Psychology Offender Profiling

Jeffrey Crump
12 min readOct 5, 2020

--

In early March 2018, Reeves Wiedeman wrote an interesting story for New York Magazine titled Gray Hat based on interviews with Marcus Hutchins. Wiedeman wrote, “Hutchins is a self-described introvert and pessimist. (“I don’t really like people,” he [Hutchins] deadpanned.)” This deadpanned statement stuck in my head as I continued to read the story. It stuck in my head as I looked over the voluminous MalwareTech blog posts. It also stuck in my head as I scrolled through thousands and thousands of his tweets.

It struck me as interesting that this self-professed introvert really seemed to enjoy a lot of extroverted activities. I wanted to know if Hutchins was telling the truth or was he simply lying to Wiedeman in an effort to portray the mysterious rogue hacker with a hoodie stereotype and salvage a reputation amongst his peers? Of course, it could be neither, both, or something completely different.

The first step I took to understand Hutchins was to extract the crumbs of directly attributable data points from the Wiedeman story that I could assign to a personality trait. I came up with 58 individual data points. I now needed a personality spectrum to which to align my data points. For this, I chose the Myers-Briggs Type Indicator® (MBTI®).

Below are the 58 data points I extracted and the mapping I came up with.

Again, I’m not an MBTI professional so this should be considered a rudimentary attempt. I welcome feedback from MBTI-certified professionals, criminal psychologists, and law enforcement professionals.

STORY EXTRACTS MAPPED TO MBTI: EXTROVERSION

Attention Focused Outward: People, Things, Action

  • competitive swimmer
  • Hutchins had worked with law enforcement many times, including during WannaCry, when he publicly thanked the FBI for its help.

Relaxed and Confident

  • By his own estimate, there are only five people in the world — “I know of three, but five is a round number” — with his particular expertise.

The above quote was clarified by Hutchins on Twitter where he said, “People keep asking me about this quote. It’s a little out of context, the actual question was how many people I personally know of who do botnet tracking. I said a bunch of companies but I only know of about 3 -5 individuals who’ve built their own.

Seeks Variety and Action

  • A few days after we met for beers, Hutchins and I took a walk along Venice Beach.

Wants to be with Others

  • Hutchins delivered the keynote at a conference in Copenhagen, and at another event, when he started talking to a girl he thought was cute, he was bombarded by so many people asking him for photos that she got fed up and left.

Extroversion Keywords:

Sociable

  • In 2013, he started a blog.
  • quickly developed a reputation in the world of “InfoSec,” or information security, as being an unusually generous member of the community — A researcher in Bulgaria said Hutchins helped him track a botnet there for free.
  • Two days later, a friend called to tell Hutchins his picture was in the Daily Mail. Hutchins had given interviews pseudonymously, as MalwareTech, but he feared reprisal from the WannaCry hackers
  • Eventually, he granted an interview to the Associated Press; when the reporters asked Hutchins to spell his last name, he was so nervous he left out the n.
  • When we had parted ways the other night, Hutchins had told me he was going to meet some friends and “get so drunk I don’t remember anything.” He said he’d invite me along, but he wasn’t sure the others would be okay with it. “It’s a bunch of InfoSec people,” he said. “They’re all paranoid.”
  • Twitter Statistic: As of March 8, 2018 Hutchins had nearly 23,000 Tweets

Interraction

  • detailed his amateur explorations into “reverse engineering,” a critical cybersecurity job in which researchers dissect malware to figure out how it works.

STORY EXTRACTS MAPPED TO MBTI: INTROVERSION

Considering Deeply Before Acting

  • Hutchins said that he’d previously felt little desire to leave Ilfracombe. His friends were there, real estate was cheap —

Reserved and Questioning

  • As we walked up to the Santa Monica Pier, Hutchins grew wistful, thinking back to moments that could have led him anyplace but here.

Seeks Quiet for Concentration

  • Suddenly, at 22, Hutchins had a six-figure salary, two employees reporting to him, and the ability to work remotely from three computer monitors in his bedroom on his own schedule. (“My first question upon waking up and seeing the clock said 9:30 was ‘a.m. or p.m.?’ #DreamJob.”)

Wants Time to Be Alone

  • and had taken great pains to maintain his “OpSec,” hacker shorthand for operational security.
  • Most of his friends in Ilfracombe didn’t know what he did for work, partly because he couldn’t talk about it,
  • and most of his InfoSec friends didn’t know his real name.
  • Hutchins had tried to keep pictures and information about himself off the internet, avoiding services that asked for his physical address
  • With journalists staking out his home, Hutchins hid inside, slipping out once by leaping over a wall in the back, wearing a hoodie, to go to his favorite fish-and-chips shop.

Introversion Keywords:

One-to-One Discussion

  • After we’d been on the boardwalk for half an hour, Hutchins paused and looked toward the sea. “All this time, I’ve never actually just walked on the sand,” he said.

Reflects

  • His Twitter following quintupled, which was cool, though he tried to remain detached about it, posting a photo of the ocean with a digital-age koan: “50k new followers won’t bring you happiness, but the sea will.”
  • He had gone to the waves and back to surf, but he’d never thought to just take a stroll.
  • As we walked along the water, still wearing our shoes,
  • The world has never been more dependent on people like Hutchins, with their deep mastery of the digital systems undergirding things the rest of us take for granted. He seemed to realize this could be both a privilege and a burden. “I liked the connections and the power,” Hutchins said as a violinist played “Tale As Old As Time” on the pier. “Now I’m not sure it was worth it.”

STORY EXTRACTS MAPPED TO MBTI: SENSING

Prefers Using Learned Skills

  • By high school, his skills were advanced enough that administrators blamed him for an attack that took down the school’s servers. (Hutchins maintains his innocence.)

Sensing Keywords:

Data

  • his résumé included links to his blog and a childhood swimming certification

Detail

  • detailed his amateur explorations into “reverse engineering,” a critical cybersecurity job in which researchers dissect malware to figure out how it works.
  • He quickly noticed that the code included a seemingly random domain name — iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com — that was unregistered.

Realistic

  • Hutchins declared on Twitter, “Bad guys who come to the good side rarely become good guys, remember that.”

Actuality

  • The sense of power that comes with such connections could also be exhilarating: If Hutchins had information to share or a question to ask, he could quickly get in touch with British intelligence or someone at the FBI.

Present

  • Wannacry ransomware outbreak — “I picked a hell of a fucking week to take off work,” Hutchins said on Twitter.

STORY EXTRACTS MAPPED TO MBTI: INTUITION

Innovation

  • In addition to creating the malware,

Projecting Possibilities for the Future

  • Two days later, a friend called to tell Hutchins his picture was in the Daily Mail. Hutchins had given interviews pseudonymously, as MalwareTech, but he feared reprisal from the WannaCry hackers

Looks at the Big Picture

  • Hutchins also sent a curious tweet in 2014 — “Anyone got a kronos sample?” — that suggested he had learned about Kronos along with the rest of the security community (or was trying to distance himself from his handiwork).

STORY EXTRACTS MAPPED TO MBTI: THINKING

Decisions Based on the Logic of the Situation

  • he’d been planning to use his savings and his bitcoin earnings to pay $400,000 in cash for a large house
  • and there seemed to be no professional point in moving to London or San Francisco when he could stop a global cyberattack from his bedroom.

Uses Cause and Effect Reasoning

  • “We only talk about the people who get caught.”

Thinking Keywords:

Analysis

  • In 2017, he was invited into an initiative run by the U.K.’s National Cyber Security Centre to recruit “the best and the brightest” in cybersecurity to collaborate with the government. Hutchins maintained a hacker’s natural skepticism of authority but came to believe that public and private cooperation is essential to securing the internet

Critique

  • Post titled “Coding Malware for Fun and Not for Profit (Because That Would Be Illegal),” Hutchins declared that he was “so bored” with the malware being produced

Reason

  • he feared the damage was already done. Cybersecurity is a business based in trust, and he worried that the allegations alone made him unemployable. (He had recently noticed a number of Twitter bots commenting on his case with anti-American bents, which he speculated could be someone trying to use his case to divide the American cybersecurity community.)
  • He was convinced, for instance, that he had become a target after WannaCry

STORY EXTRACTS MAPPED TO MBTI: FEELING

Guided by Personal Values

  • Having once done things he shouldn’t have, he had realized that doing good was more rewarding, financially and otherwise, than doing bad. “We can fit in a car the number of people who do this for fun — the defenders of the internet,” Tentler, Hutchins’s InfoSec friend

Strive for Harmony and Positive Interactions

  • In 2017, he was invited into an initiative run by the U.K.’s National Cyber Security Centre to recruit “the best and the brightest” in cybersecurity to collaborate with the government. Hutchins maintained a hacker’s natural skepticism of authority but came to believe that public and private cooperation is essential to securing the internet

May Appear “Tenderhearted”

  • He was annoyed at those who defended him by saying he wasn’t skilled enough to have made Kronos in the first place. “I don’t know what hurts more,” Hutchins said. “That people think I’m a shitty person or that people think I’m that bad at programming.”

Feeling Keywords:

Humane

  • “Surf Life Saving” — lifeguarding as a sport

Circumstances

  • assuring readers that, “before you get on the phone to your friendly neighborhood FBI agent,” he had designed the malware so it couldn’t be deployed.
  • While Hutchins objected to parts of the Krebs article, he admitted that “I think everyone can see I have some shady things in my past.” But he didn’t think this was so unusual. “Most of cybersecurity has done something they shouldn’t at some point,” he said.
  • Most of all, Hutchins was bored, and he wanted to work again. “Not having access to my botnet-monitoring stuff is depressing,” he said.

Empathize

  • Hutchins said he knew of one cybercriminal who masquerades as a white hat and is sometimes quoted as an upstanding security expert in the press. And, he said, other cybercriminals would sometimes disappear from forums and then pop up months later working for the government.

STORY EXTRACTS MAPPED TO MBTI: JUDGMENT

Deciding and Planning

  • Hutchins was accused of conspiring to sell Kronos to cybercriminals for $2,000 and advertising it on AlphaBay, a dark-web marketplace the FBI has since shut down.

Organizing and Scheduling

  • Around the time Hutchins was allegedly coding Kronos, he was also on Twitter trying to figure out how to get a job, asking about résumé formatting and whether to join LinkedIn.

Controlling and Regulating

  • the code suggested that WannaCry was regularly pinging the domain; if he registered it, he thought he might be able to direct the traffic to a “sinkhole,” which would allow him to monitor the attack.

Goal Oriented

  • applied to GCHQ, the British equivalent of the NSA —

Judgment Keywords:

Decisive

  • After a quick conversation with Neino, Hutchins bought the domain on NameCheap.com for $10.69.

STORY EXTRACTS MAPPED TO MBTI: PERCEPTION

Focuses on Starting Tasks

  • In 2013, he started a blog.

Curious and Interested

  • Hutchins started learning to code when he was 12.
  • He went on to a local technical school for two years,
  • Post titled “Coding Malware for Fun and Not for Profit (Because That Would Be Illegal),” Hutchins declared that he was “so bored” with the malware being produced
  • he’d become interested in tracking botnets — “I was never trying to make a career out of it,” Hutchins said. “I was just kind of bored.”
  • Hutchins got a sample of WannaCry from a friend and began picking it apart.

Resisting Closure in Order to Obtain More Data

  • (local technical school) where he found the computer-science offerings primitive.

Perception Keywords:

Spontaneous

  • (so bored with malware being produced) that he had made some himself,
MBTI Extroversion/Introversion Mapping of Statements Made by Marcus Hutchins in Gray Hat Article
MBTI Sension/Intution Mapping of Statements Made by Marcus Hutchins in Gray Hat Article
MBTI Thinking/Feeling Mapping of Statements Made by Marcus Hutchins in Gray Hat Article
MBTI Judgment/Perception Mapping of Statements Made by Marcus Hutchins in Gray Hat Article

STORY EXTRACTS NOT MAPPED TO MBTI — GENERAL HACKER REFERENCES

• Researchers who worked with Hutchins were spooked. “This is bad,” wrote one member of a cybersecurity forum. “We need to assume for the period he was among us, any and all traffic was compromised and could be, along with our names etc., in the hands of various adversaries.”
• “A lot of people do have criminal pasts — or criminal presents — but we also have a lot of experience with people getting arrested for no good reason,” said Robert Graham, a security researcher.
• InfoSec community’s distrust of the Computer Fraud and Abuse Act, a 32-year-old law that is behind many cybercrime prosecutions in America, including the case against Hutchins. Both law enforcement and the security community generally agree the law is antiquated — its definition of a computer cites typewriters and handheld calculators — and it has produced several questionable prosecutions.
• One issue has been figuring out how to handle young hackers whose intentions are not always clear. In 2010, Stephen Watt, a former programmer at Morgan Stanley, was convicted of writing code used in a credit-card-theft ring called “Operation Get Rich or Die Tryin.” Watt hadn’t actually deployed the malware, received no money, and claimed not to know what it was being used for. Judge Nancy Gertner, who heard Watt’s case, told me she found herself in a difficult position when it came to sentencing — prosecutors argued for five years in prison, the defense wanted probation — and settled on a two-year prison sentence. “People lost money, and he deserved to be punished, but he was also a kid,” Gertner said.
• While the teenage exploits that Brian Krebs uncovered were troubling, many security researchers saw themselves in the allegations. “How does someone like Marcus become so talented?” Neino, his boss, said. “The best security researchers need to expose themselves to real threats. A lot of researchers hang out in underground forums and befriend criminals.”
• Cybersecurity also has a long history of bad guys who become good. Kevin Mitnick spent five years in prison for various cybercrimes in the ’90s but now runs a security company that consults with the FBI.
• Amit Serper, who is now 31 and helped stop a major Russian cyberattack last summer, told me that he and many others in the field had done things as a teenager that “could be counted as illegal.”
• Nearly everyone I spoke to from the InfoSec world cited research suggesting the human brain doesn’t fully form until people reach their mid-20s. Many of the most talented cybersecurity experts, they point out, honed their skills by testing boundaries as teens. “I call this period the Age of Rage,” Moussouris told me. “It might be about feeling important for the first time in your life and being recognized as powerful. It’s the first time you taste that feeling we all yearn for — significance.”
• (James Comey irritated the community in 2014 when he said the FBI struggled to hire people because “some of those kids want to smoke weed on the way to the interview.”) Some security researchers said they would stop sharing information with the government in protest. “It just gives people in the community a feeling of persecution,” Jennifer Granick, who works on cybersecurity for the ACLU, said.
• the DOJ is hosting a panel at South by Southwest this month about teaching ethics to hackers
• relatively little is being done to nudge talented young people toward the light, which could leave someone with Hutchins’s skills and a still-developing moral compass feeling adrift

--

--

Jeffrey Crump
Jeffrey Crump

Written by Jeffrey Crump

Cyber Security Consultant & Researcher

No responses yet