From what is currently known it seems plausible that Marcus Hutchins should at least be under investigation. Some of the things he has done in the past were murky. Stopping a large ransomware attack (by accident) does not change that fact.

I have not seen remarks in the security community that people were afraid of being arrested out of the blue like Marcus Hutchins.