One night in July 2003, a little before midnight, a plainclothes NYPD detective, investigating a series of car thefts in upper Manhattan, followed a suspicious-looking young man into the ATM lobby of a bank.
The detective watched as the man pulled a debit card from his pocket and withdrew hundreds of dollars in cash.
Then he pulled out another card and did the same thing. Then another, and another. The guy wasn’t stealing cars, but the detective figured he was stealing something.
Indeed, the young man was in the act of “cashing out,” as he would later admit. He had programmed a stack of blank debit cards with stolen card numbers and was withdrawing as much cash as he could from each account.
He was doing this just before 12 am, because that’s when daily withdrawal limits end, and a “casher” can double his take with another withdrawal a few minutes later.
The detective asked his name, and though the man went by many aliases on the Internet, he told the truth. “Albert Gonzalez,” he said.
After Gonzalez was arrested, word quickly made its way to the New Jersey US attorney’s office in Newark, which, along with agents from the Secret Service’s Electronic Crimes Task Force, had been investigating credit- and debit-card fraud involving cashers in the area, without much luck.
Gonzalez was debriefed and soon found to be a rare catch. Not only did he have data on millions of card accounts stored on the computer back in his New Jersey apartment, but he also had a knack for patiently explaining his expertise in online card fraud.
Gonzalez, law-enforcement officials would discover, was a moderator and rising star on Shadowcrew.com, an archetypal criminal cyberbazaar that sprang up during the Internet commerce boom in the early 2000s.
Shadowcrew had hundreds of members across the United States, Europe and Asia. It was, as one federal prosecutor put it to me, “an eBay, Monster.com and MySpace for cybercrime.”
After a couple of interviews, Gonzalez agreed to help the government so he could avoid prosecution. “I was 22 years old and scared,” he’d tell me later.
Gonzalez became one of the most valuable cybercrime informants the government has ever had. After his help enabled officials to indict more than a dozen members of Shadowcrew, Gonzalez’s minders at the Secret Service urged him to move back to his hometown, Miami, for his own safety.
After aiding another investigation, he became a paid informant in the Secret Service field office in Miami in early 2006.
The Secret Service agent who would come to know Gonzalez best, Agent Michael (a nickname derived from his real name), was transferred to Miami, and he worked with Gonzalez on a series of investigations on which Gonzalez did such a good job that the agency asked him to speak at seminars and conferences.
“It seemed he was trying to do the right thing,” Agent Michael said.
He wasn’t. Over the course of several years, during much of which he worked for the government, Gonzalez and his crew of hackers and other affiliates gained access to roughly 180 million payment-card accounts from the customer databases of some of the most well known corporations in America.
At his sentencing hearing in March, where he received two concurrent 20-year terms, the longest sentence ever handed down to an American for computer crimes, the judge said, “What I found most devastating was the fact that you two-timed the government agency that you were cooperating with, and you were essentially like a double agent.”
Gonzalez bought his first PC when he was 12. By the time he was 14 had hacked into NASA, which resulted in a visit by FBI agents to his South Miami high school. Undeterred, Gonzalez formed a cooperative of “black hats” – curiosity-driven hackers with an anti-authoritarian bent – and acquired a reputation.
By the time he dropped out of Miami Dade College during his freshman year, Gonzalez had taught himself, by reading software manuals, how to hack into Internet service providers for free broadband.
He discovered he could go further than that and co-opted the logins and passwords of managers and executives.
Sherlock Holmes quality
Gonzalez’s closest friend, Stephen Watt, who is now serving a two-year prison sentence for coding a software program that helped Gonzalez steal card data, describes Gonzalez as having “a Sherlock Holmes quality to him that is bounded only by his formal education.”
It was after he agreed in 2003 to become an informant that Gonzalez helped the Justice Department and the Secret Service to build, over the course of a year, an ingenious trap for Shadowcrew.
Gonzalez was the linchpin of Operation Firewall. Through him, the government came to, in hacker lingo, “own” Shadowcrew, as undercover buyers infiltrated the network and traced its users around the world; eventually, officials even managed to transfer the site onto a server controlled by the Secret Service.
Gonzalez persuaded Shadowcrew users to communicate through a virtual private network a secure channel that sends encrypted messages between computers, that he introduced onto the site. This VPN came with a special feature: a court-ordered wiretap.
Gonzalez worked alongside the agents for months on end. Most called him Albert. A couple of them who especially liked him called him Soup, after his old screen name soupnazi.
“Spending this much time with an informant this deeply into a cybercrime conspiracy – it was a totally new experience for all of us,” one Justice Department prosecutor says.
“It was kind of a bonding experience.”
On Oct. 26, 2004, Gonzalez was taken to Washington and installed in the Operation Firewall command center at Secret Service headquarters. He corralled the Shadowcrew targets into a chat session.
At 9 pm, agents began knocking down doors. By midnight, 28 people across eight states and six countries had been arrested, most of them mere feet from their computers. Nineteen were eventually indicted.
It was by some estimates the most successful cybercrime case the government had ever carried out.
The day after the raids Secret Service technicians defaced Shadowcrew’s home page with a photograph of a shirtless, tattooed tough slouching in a jail cell. The text said, “Contact your local United States Secret Service field office … before we contact you!”
“I did find the investigation exciting,” Gonzalez told me of turning against Shadowcrew. “The intellectual element. Unmasking them, figuring out their identities. Looking back, it was kind of easy, though. When someone trusts you, they let their guard down.”
He did say, however, that he “actually had a bad conscience” about it. “I had a moral dilemma, unlike most informants.” On another occasion, when he was discussing the same subject, Gonzalez wrote to me in a letter, “This distinction is very important … my loyalty has always been to the black-hat community.”
By the time Gonzalez returned to Miami after Operation Firewall, in late 2004, he was already exploring the vulnerability of corporate wireless networks.
Gonzalez was especially intrigued by the possibilities of a technique known as “war driving”: Hackers would sit in cars or vans in the parking lots of big-box stores with laptops and high-power radio antennae and burrow through companies’ vulnerable Wi-Fi networks.
Gonzalez reconnected with Christopher Scott – an old friend from an Internet relay chat network, EFnet, frequented by black hats_ who was willing to do grunt work. Scott began cruising the commercial stretches of Route 1 in Miami, looking for war-driving targets.
His experiments at BJ’s Wholesale Club and DSW met with success. He stole about 400,000 card accounts from the former, a million from the latter. He described the breaches and passed card numbers to Gonzalez.
The following summer, Scott parked outside a pair of Marshalls stores. He enlisted the help of Jonathan James, a minor celebrity among Miami black hats for being the first American juvenile ever incarcerated for computer crimes.
Scott cracked the Marshalls Wi-Fi network, and he and James started navigating the system: They co-opted logins and passwords and got Gonzalez into the network; they made their way into the corporate servers at the Framingham, Mass., headquarters of Marshalls’ parent company, TJX; and they located the servers that housed old card transactions from stores.
By the end of 2006, Gonzalez, Scott and James had information linked to more than 40 million cards. Using similar methods, they hacked into OfficeMax, Barnes & Noble, Target, Sports Authority and Boston Market, and probably many other companies that never detected a breach or notified the authorities.
At the same time that Gonzalez was stealing bank-card data, he was assembling an international syndicate. His favored fence was a Ukrainian, Maksym Yastremskiy, who would sell sets of card numbers to buyers across the Americas, Europe and Asia and split the proceeds with him.
Gonzalez hired another EFnet friend, Jonathan Williams, to cash out at ATM’s across the country, and a friend of Watt’s in New York would pick up the shipments of cash in bulk sent by Williams and Yastremskiy.
Watt’s friend would then wire the money to Miami or send it to a post office box there set up by James through a proxy. Gonzalez established dummy companies in Europe, and to collect payment and launder money he opened e-gold and WebMoney accounts, which were not strictly regulated.
Finally, he joined up with two Eastern European hackers known to him only by their screen names, Annex and Grig, who were colluding to break into American card-payment processors – the very cash arteries of the retail economy.”I’ve been asking myself, why did I do it?”
Gonzalez told me over the phone from prison recently. “At first I did it for monetary reasons. The service’s salary wasn’t enough, and I needed the money. By then I’d already created the snowball and had to keep doing it. I wanted to quit but couldn’t.”
He claims his intentions were partly admirable. He genuinely wanted to help out Patrick Toey, a close friend and hacker who would later do much of the more sophisticated legwork involved in Gonzalez’s hacking into corporate networks.
Unlike Gonzalez and Watt, Toey, who is 25, had a rough upbringing. After dropping out of high school, he supported his mother and his younger brother and sister by hacking.
Gonzalez invited Toey to live in his condominium in Miami, rent-free. Gonzalez owned it, but he enjoyed living at home with his parents more.
He says he loved his mother’s cooking and playing with his nephew, and he could more easily launder money through his parents’ home-equity line of credit that way.
Gonzalez relished the intellectual challenges of cybercrime too. He is not a gifted programmer, but by all accounts he can understand systems and fillet them with singular grace. I often got the impression that this was computer crime’s main appeal for Gonzalez.
SECOND AND FINAL PART NEXT WEEK
James Verini is a writer in New York.