The Briton praised for ending the NHS cyberattack admitted to police he created a code to harvest bank details, a court has heard.
Marcus Hutchins, 23, plans to plead not guilty to all six counts he faces regarding the creation and distribution of the Kronos malware, his lawyer said after his hearing in a Las Vegas court.
Earlier, a prosecutor told the court that Hutchins had admitted in a police interview that he created the code for the malware.
Dan Cowhig described Hutchins as a "danger to the public", adding that he had allegedly "admitted he was the author of the code of Kronos malware and indicated he sold it".
Mr Cowhig told the court that Hutchins and his unnamed co-defendant, who is still at large, were caught when undercover officers bought the code.
Other evidence includes records of chats between the two where Hutchins complained about the money he received for the sale, according to Mr Cowhig.
After the hearing, Hutchins's lawyer, Adrian Lobo, denied her client was the author of the code.
She said: "He fights the charges and we intend to fight the case.
"He has dedicated his life to researching malware, not trying to harm people. Use the internet for good is what he has done."
Hutchins, who spoke softly as he answered procedural questions
during the hearing, has been bailed under the condition that he pays $30,000 (£23,000) and that he stays in the US.
He will appear in court again on Tuesday and is expected to formally enter pleas then.
Hutchins, from Ilfracombe, Devon, gained worldwide attention for detecting a "kill switch" that effectively disabled the WannaCry worm in May.
The attack crippled the NHS and infected hundreds of thousands of computers worldwide, causing disruption at car factories, hospitals, shops and schools in more than 150 countries.
The current case in Las Vegas is unrelated to the WannaCry attack that struck the NHS, the US Justice Department has said.
Hutchins was arrested at the city's McCarran International Airport after he tried to fly back from the Def Con hacking conference, according to a friend in the IT security industry.
Court filings accuse Hutchins, known online as MalwareTech, of advertising, distributing and profiting from malware code known as Kronos that stole online banking credentials and credit card data.
Such malware infects web browsers, then captures usernames and passwords when an unsuspecting user visits a bank's website or another trusted location.
The suspected activity took place between July 2014 and July 2015, according to the court documents.