Miami man indicted in largest-ever scheme to steal credit card numbers
A Miami native who is one of the nation’s most well-known hackers is charged with stealing 130 million credit card numbers — a case prosecutors are calling the largest ever.
BY ROB BARRY
Albert Gonzalez, the Miami cyberthief and former government informant who broke records last year in the largest credit card fraud case in U.S. history, shattered his own mark this week, prosecutors say. The 28-year-old hacker who launched his career cruising Dixie Highway with a laptop to break into the security systems of box stores was indicted Monday in New Jersey in an elaborate scheme to steal more than 130 million credit cards — reselling them on the worldwide black market.
Known in dark corners of cyberspace as “soupnazi,” the Miami native was charged along with two unnamed defendants with targeting customers at convenience store giant 7-Eleven and supermarket chain Hannaford Brothers. The defendants also are accused of infiltrating the computers of a national credit card processing company.
Prosecutors said Gonzalez, who is already in jail awaiting trial in the earlier case, used a sophisticated hacking technique known as “SQL injection” to break into computer systems and steal credit and debit card records, sending the data to California, Illinois, Latvia, the Netherlands and Ukraine.
The data would then be printed on fresh cards and offered to thousands of buyers in cafes and nightclubs around the world.
Prosecutors said the case is the largest credit and debit card data breach “ever charged in the United States.”
The indictment represents the latest brush with the law for Gonzalez, a Cuban American high school graduate who became known to local hackers for his extraordinary computer skills and ability to navigate vast streams of data.
In 2003, he avoided a conviction for credit card theft in New Jersey by agreeing to become an informant for the U.S. Secret Service. But federal agents discovered in 2007 that the man they were using as a key operative was actually carrying out his own secret venture to steal millions of credit cards.
Armed with a laptop and a magnetic antenna, Gonzalez cruised along busy U.S. 1 in Miami tapping into the wireless networks of major retailers, including TJ Maxx, BJ’s Wholesale Club, OfficeMax and Barnes & Noble, and stealing the records of sales made with a credit card, prosecutors say.
He was indicted along with 10 others in federal court in Boston for stealing more than 40 million credit cards — the largest heist of its kind at the time.
Along the way, he amassed more than $1.65 million, a Miami condo, a BMW, a currency counter and a Glock 27. Prosecutors also said Gonzalez buried $1 million in the back yard of his parents’ house in southwest Miami-Dade.
Two others from Miami charged in the case, Christopher Scott and Damon Patrick Toey, have since pleaded guilty.
Since then, prosecutors say they discovered that those weren’t the only computer crimes he was carrying out.
Gonzalez had also launched a plan to reap even more customer accounts in 2006 by tapping directly into credit card processing computers that handle millions of transactions a day.
The alleged hackers picked their targets by looking at the list of Fortune 500 companies and going to stores to find out what type of payment systems were in place, court records say.
“This is historically the largest incident ever. You combine these two together, and this guy is like the Tony Montana of credit card theft,” said Sean Arries, a security expert with Terremark, Inc. in Miami.
“It absolutely blows me away by the size of it.”
‘A SELECT GROUP’
Investigators say Gonzalez and his network are among the most advanced they’ve encountered.
“We’re not seeing a huge array of hackers capable of doing this, but rather a more select group, [and that] demonstrates that there is a level of sophistication involved in these hacks,” said Assistant U.S. Attorney Erez Liebermann of the Justice Department’s New Jersey district office.
Gonzalez’s Miami attorney, Rene Palomino Jr., did not respond to requests for an interview.
No one answered the phone at Gonzalez’s childhood home just west of Coral Gables on Monday evening.
Neighbors said they haven’t seen Gonzalez for years, but that he grew up in the area, attending Coral Terrace Elementary School and South Miami Senior High.
“He was a really, really good kid,” said one neighbor, who did not want to be identified.
Beyond the criminal case, Arries said the cases involving Gonzalez have already forced companies to better protect their customers’ financial data and pay millions in settlements.
“It’s the companies’ responsibility to secure this sort of information and they were doing a really bad job at it,” Arries said. “They left themselves vulnerable.”
From snitch to cyberthief of the century
BY SCOTT HIAASEN, ROB BARRY, NIRVI SHAH AND MICHAEL SALLAH
On May 7, 2008, federal agents swept through Miami-Dade looking for evidence that one of their best informants was also one of the world’s biggest cyberthieves.
Searching three homes and a luxury hotel room in South Beach, they found 14 computers, $400,000 in cash, six firearms, expensive jewelry — and even stumbled on a marijuana grow house.
What they missed was the most compelling evidence in Albert Gonzalez’s life of crime: a three-foot drum buried in his parents’ backyard stuffed with $1.1 million wrapped in plastic bags. The money — like so many other pieces of evidence — wasn’t unearthed until this year by federal agents still unraveling a case that continues to confound even the most seasoned cyberspace investigators.
Federal agents announced after last year’s raids that Gonzalez had orchestrated the largest credit-card heist in the nation’s history — 41 million cards stolen from Americans. But last week, they came back with even more evidence to show Gonzalez had masterminded a fraud three times as large.
Though Gonzalez has been in jail since the raids last year, investigators are still finding new evidence traced to the years the Miami native was ripping off millions of credit cards — while on the Secret Service’s payroll.
For years, Gonzalez was able to hide his activities — skills honed since he was in grade school — using fake identities and encrypted hard drives on computers scattered across the globe.
Even Gonzalez’s lawyer says his client was a step ahead of investigators, including his own federal handlers. “I don’t think the government was prepared to deal with a kid like Albert,” said Rene Palomino Jr.
The charges against Gonzalez — including last week’s indictment — exposed major security breakdowns at credit-card processors and dealt an embarrassing blow to federal agents paying him to help catch other cyberthieves.
The case also offers a glimpse into the intricate network of cybercriminals who reach across continents to buy and sell vast amounts of credit-card data on the worldwide black market.
“This is a magnitude we’ve never seen before by an individual or a small group of individuals,” said Scott Mitic, CEO of TrustedID, an identity-theft protection company in California. “There’s no doubt that this is the heist of the century.”
Though he began hacking for thrills at an early age, Gonzalez’s first real foray into cybercrime began shortly after he graduated from South Miami High School in 1999 and moved to New York.
For a brief time the young man with self-taught skills held a job with a computer company, but soon found he could earn more money by emptying ATM machines with stolen debit cards, said his former lawyer, David Zapp.
“It was a necessity type thing,” said Zapp, who practices in New York. “He had a nice job, then he lost it.”
It wasn’t long before his exploits got him in trouble: Federal agents in New Jersey arrested Gonzalez in 2003 on charges of having more than 15 fake credit and debit cards.
Instead of pressing the case in court, agents for the U.S. Secret Service decided to put his skills to work as a snitch, helping the agency combat a rapidly developing crime: large-scale identity theft.
Because businesses were storing credit-card numbers on computers exposed to the Internet, systems were being breached more often than ever before.
Zapp said agents were not only impressed with Gonzalez’s computer skills, but his demeanor as well. “This guy was not a sullen or street kind of guy. You could tell he had been brought up well. I think most people who dealt with him at that stage in his life felt very protective and fatherly of him.”
Using the screen name CumbaJohnny, Gonzalez helped the Secret Service monitor people on the website known as “ShadowCrew,” a notorious message board where hackers traded software, techniques and stolen data.
The Secret Service wasn’t alone in watching ShadowCrew. The FBI was also snooping on the site. Former agent E.J. Hilbert said he remembers CumbaJohnny, but never knew the hacker was working for the government.
At one point, Hilbert said, he even made a deal to buy stolen information from CumbaJohnny. “I was the bag man,” he said.
After a year, Gonzalez’s work as a snitch paid dividends: 19 ShadowCrew members were indicted in New Jersey in 2004, accused of stealing 1.5 million credit-card accounts.
For Gonzalez, whose father arrived in Florida on a homemade raft from Cuba in the 1970s, the success brought praise from home.
“His parents were very proud of him: He was working for the government,” Palomino said. “He was finally on his way.”
The following month, Gonzalez was allowed by his handlers to move back to Miami, where he bought a condo and soon founded a computer consulting service, records show.
During the next four years, he shuttled between Florida and the New York area, while continuing to work for the Secret Service.
But unknown to agents, Gonzalez was slowly rising to become the leader of a criminal ring far more ambitious than the one he helped bring down, prosecutors say.
Drawing together a loose band of hackers in the U.S. and credit-card traffickers from Eastern Europe, Gonzalez built a criminal enterprise with the ability to move vast amounts of data around the world, indictments say.
He nicknamed his plan “Operation Get Rich or Die Tryin’.” And get rich he did.
Prosecutors say he amassed at least $1.6 million while living in luxury hotels in Miami and New York, spending wads of cash on a lifestyle far removed from his working-class roots.
He threw himself a $75,000 birthday party on South Beach and once complained about having to count $340,000 by hand after his money-counter broke, court records show.
The money came from a variety of sources.
In one scheme, Gonzalez and others cruised up and down U.S. 1 in SUVs loaded with laptops and antennas designed to sweep up credit-card numbers from outside retail stores. Their targets: Barnes & Noble, TJ Maxx, BJ’s Wholesale Club, OfficeMax, Sports Authority and more.
The stolen data was shipped to a team of people scattered around the country who used the information to make phony credit and debit cards for buying goods and getting cash, investigators say.
One New York man sent more than $300,000 in cash to Gonzalez from fraudulent ATM transactions in California; another accomplice was arrested outside Philadelphia with 80 bogus cards and a duffel bag filled with $208,000 in cash, records show.
But Gonzalez’s methods went beyond prowling the streets in search of big-box stores.
He also targeted two corporate headquarters and a major credit-card processing center, reaping far greater rewards.
By using a method known as “SQL injection” and installing custom programs to crack into computer networks, he devoured reams of credit-card numbers — enough to fill 50 billion typed pages.
The numbers would then be sold overseas with the help of Maksym Yastremskiy, a notorious data-broker from Ukraine. For more than a year, federal agents hunted Yastremskiy from Dubai to Turkey, where he was arrested in July 2007.
When investigators seized Yastremskiy’s computer, they found more than 600 messages between him and Gonzalez — some discussing a “sniffer” program to steal credit-card numbers.
They also found that Yastremskiy paid Gonzalez $400,000 through a website called e-gold, which purports to create an Internet currency system backed with gold.
With Yastremskiy in custody in Turkey, Secret Service agents focused their attention on Gonzalez.
In May 2008, armed with search warrants, agents found their former informant in a room at the chic National Hotel in Miami Beach with two laptops, $22,000 and a Glock pistol.
They also searched Gonzalez’s parents’ home, his condo, and the Palmetto Bay home of an accomplice, where they found 75 marijuana plants, prosecutors say.
Within months of the raids, Gonzalez was indicted in the first record-breaking case. Then, this past week, prosecutors announced yet another record-shattering indictment against Gonzalez, accusing him of stealing an additional 130 million credit card numbers. He is being held in jail in Brooklyn.
In all, he has been accused of stealing at least 170 million credit-card numbers over four years — including at least two years when he was acting as a Secret Service informant, said Palomino.
The case underscores the dangers of using confidential informants in criminal investigations — often the only way to gain information from tightly knit criminal groups.
“The problem with these guys is that they constantly need to be monitored and controlled,” said James Wedick, a former FBI agent who investigated the Mafia and other criminal organizations. “People don’t realize that they are some of the most dangerous people to work with.”
The Secret Service would not comment on Gonzalez’s role as an informant or discuss details of his case.
At least a dozen witnesses have already agreed to plead guilty and testify against Gonzalez, who faces a potential life sentence if convicted.
Palomino describes Gonzalez as remorseful, saying he hoped to reach a plea bargain before the newest indictment was announced Monday.
His parents have also come under scrutiny from federal agents: In court papers, prosecutors claim they helped their son launder money, though they were never charged. Palomino insists they have been cleared of any wrongdoing, saying the ordeal “has taken an extreme toll on them.”
No matter how the criminal case is resolved, their son will be infamous in the world of cybercrime, Palomino said.
“Albert Gonzalez is going to go down as one of the best people as far as hacking in the country. Probably the best in our lifetime,” the lawyer said. “Imagine if Albert had kept on a straight trail what he could have done.”