Is it possible to be a hacker without being a criminal?

There are many ways you can be an "ethical hacker." Here are a few that come to mind:

1. You can write malware that helps catch the bad guys. Who the "bad guys" are may depend on who you're working for, and what your beliefs are. This may be a gray/black area to some.
2. You can write malware so you can understand how it works, and then defend against it. The best anti-virus authors are those who understand how to actually create malware.
3. You can get paid to find bugs in programs developed by large corporations, but this isn't generally "creating" malware; it's just finding security holes, of which people could use to inject malware.

Just because someone creates malware doesn't mean they're going to use it against others. For some, just understanding how it works is enough. Not everyone involved in information security is out to hurt someone.

You can get paid for finding vulnerabilities in software and web sites, that hackers could potentially exploit. For example, see here and here.