Marcus Hutchins, the 23-year-old British “hero” who stopped a destructive global ransomware attack in May, only to be arrested last month in Las Vegas on an unrelated malware charge, is likely considering a plea deal, lawyers and legal experts say.

Hutchins’s arrest on charges that he helped craft a little-known trojan called Kronos — a malware that allows users to steal a victims’ banking information — brought a swell of support, with thousands donating to his legal defense fund. Fellow security researchers vouched that he’s an established white hat, not a black hat — meaning he uses his knowledge of malicious code to help people, not break the law for profit.

Soon after reports circulated that he planned to plead not guilty, Hutchins’s legal team clammed up, leaving only speculation about his circumstances and plans. They did not respond to requests for comment for this story.

But the known facts of the case indicate his team is likely considering pleading guilty and possibly helping the government in exchange for a reduced sentence, experts say. The indictment that named Hutchins said he worked with another in developing Kronos, but that name was blacked out in public copies of the document.

Hutchins is scheduled to be arraigned Monday in Milwaukee, though the reasons for that location are unknown.

“It would be unusual in a case like this that both sides wouldn’t at least talk about some sort of resolution,” Jay Leiderman, an attorney who’s represented several affiliates of the hacktivist collective Anonymous, told BuzzFeed News. “If there is some common ground between the parties, prior to arraignment is sometimes the best time to find out. That may even lead to an early resolution to the case that is quite favorable to the defendant.”

Hutchins became unintentionally famous in May when he stopped the so-called WannaCry ransom attack, which used a piece of software first developed by the National Security Agency to disable computers around the world. Hutchins created a kill switch for the ransomware, which had ravaged computers in Europe, Russia and China and stopped it before it had spread widely in the United States.

He clearly did not expect to be arrested by the FBI. As he explained at a dinner that included this reporter on July 30, the Sunday before he was arrested at McCarran Airport as he tried to return home, he’d come to Las Vegas during a pair of hacker conferences for his annual vacation. It was a chance to be around some of the best security experts in the world and to let off steam with his friends.

Several factors surrounding Hutchins’s case indicate that prosecutors are likely offering or negotiating a plea deal, and that the U.S. is interested in using him to catch the real mastermind behind Kronos, according Boston University legal professor Ahmed Ghappour, a former defense lawyer and scholar of U.S. hacking laws.

“Hutchins is not the lead defendant. That’s pretty clear from the indictment,” Ghappour told BuzzFeed news. “Typically, a prosecutor will try to flip a lower name defendant, provide them with an opportunity to plead to a less serious crime, and/or provide a recommendation for a lower sentence in exchange for info helpful to the government.”

In Hutchins’s initial court appearance Aug. 4, prosecutor Daniel Cowhig made it clear that the US is interested in capturing his alleged partner, saying that the other defendant “is still at large.”

According to Hutchins’s indictment, he created the Kronos malware, then, with his unnamed partner, engaged in a criminal conspiracy in 2014 and 2015 by updating the software and attempting to sell it on the deep web marketplace AlphaBay, which the FBI raided earlier this year. Curiously, given the charges, Hutchins tweeted a request for a sample of Kronos in July 2014, which would be normal activity for a security researcher interested in analyzing it.

As a person charged with a felony in the US, Hutchins would be in the minority if he didn’t take a plea deal. Two thirds of felony defendants are convicted, according to the Department of Justice’s Bureau of Justice Statistics. And regardless of what Hutchins actually did, exactly, it’s rare for defendants accused of hacking charges to be found not guilty on all counts at trial.

Were Hutchins to take a plea bargain, it would be “irrespective of actual factual guilt,” Ghappour said. Instead, it would be an acknowledgement of how hard it would be to beat the charges and that taking a reduced sentence or probation would simply be his best deal.

“Given the public outcry, given Hutchins’s knowledge, given that the other suspect’s likely at large, the government’s likely giving him a golden opportunity here,” he said.