By Agence France-Presse
Marcus Hutchins, whose arrest in 2017 stunned the computer security community, acknowledged in a statement pleading guilty to criminal charges linked to his activity in 2014 and 2015.
"I regret these actions and accept full responsibility for my mistakes," the 24-year-old Hutchins, known by his alias "MalwareTech," wrote, noting that the charges related to his activity prior to his work in security.
"Having grown up, I've since been using the same skills that I misused several years ago for constructive purposes. I will continue to devote my time to keeping people safe from malware attacks."
Hutchins in 2017 found a "kill switch" to stem the spread of the devastating WannaCry ransomware outbreak, prompting widespread news reports calling him a hero.
Months later he was arrested after attending the Def Con gathering of computer hackers in Las Vegas.
The case drew fire from critics who argued that researchers often work with computer code that can be deployed for malicious purposes.
A federal indictment unsealed in Wisconsin accused Hutchins and another individual of making and distributing the Kronos "banking Trojan," a reference to malicious software designed to steal user names and passwords used on online banking sites.
According to the indictment, Hutchins was part of a conspiracy to distribute the hacking tool on so-called dark markets.
He was released on bail while awaiting trial, allowing him to continue working for a security firm. He had maintained his innocence and won support from many others in his profession.
US prosecutors did not immediately respond to an AFP query about the case. But court documents published by the news site ZDNet showed Hutchins could face up to one year in jail on each of the criminal counts along with financial penalties.
Other counts in the indictment were dismissed, according to the court papers.