US nets the 'kingpin' of cybercrime
Siobhan Gorman | August 19, 2009
A 28-YEAR-OLD American, believed by prosecutors to be one of the nation's cybercrime kingpins, was indicted yesterday along with two Russian accomplices on charges that they carried out the largest hacking and identity-theft caper in US history.
Federal prosecutors alleged the three masterminded a global scheme to steal data from more than 130 million credit and debit cards by hacking into the computer systems of five major companies, including Hannaford Bros supermarkets, 7-Eleven and Heartland Payment Systems, a credit-card processing company.
The indictment in federal District Court in New Jersey comes after at least five years of criminal activity that has seen the alleged orchestrator, Albert Gonzalez of Miami, fall in and out of the federal grasp. Detained in 2003, Gonzalez was briefly an informant to the Secret Service before he allegedly returned to commit even bolder crimes.
Authorities have previously alleged that Gonzalez was the ringleader of a data breach that siphoned off more than 40 million credit card numbers from the TJX companies and others last year, costing the parent company of the TJ Maxx retail chain $US200million ($243m).
Gonzalez is in federal custody in New York, awaiting trial for alleged efforts to hack into the network of the national restaurant chain Dave & Buster's. He also faces charges in Boston in the TJX matter. The alleged thefts in yesterday's indictment took place from October 2006 to May last year.
Gonzalez is "a very important player in a sophisticated ring that has real results at the street level of bank, retail, debit and credit card fraud," said Seth Kosto, an assistant US district attorney in New Jersey specialises in computer fraud.
The indictment, interviews and recent court documents in the cases pending against Gonzalez paint him as a rising star in the cyber underground. He launched what he called "operation get rich or die tryin", targeting Fortune 500 companies with his data-theft operations, according to documents filed in the TJ Maxx matter.
These documents say he threw himself a $US75,000 birthday party and at one point lamented he had to count more than $US340,000 by hand because his money counter had broken.
Federal investigators say Gonzalez is a high-school graduate and self-taught programmer who cut his criminal teeth as a leader in the self-styled Shadowcrew, an online credit card hacking ring.
In 2004, 26 leaders of the 4000-person ring were arrested and convicted. "He was one of the key leaders," Scott Christie, a former prosecutor who worked on the case, said.
Gonzalez was not charged when he was arrested in 2003 because he agreed to become an informant for the Secret Service following his arrest, Justice Department officials said.
In November 2004, the government permitted him to move from New Jersey to Florida, where much of the subsequent hacking took place. He was arrested over the Dave & Buster's hacking scheme in May last year and has been in detention since.
Subsequent investigations into breaches at Heartland and others led investigators back to Gonzalez. They found that he and his co-conspirators in Russia, which the indictment does not name, staged their crime on a network of computers spanning New Jersey, California, Illinois, Latvia, The Netherlands and Ukraine that would infiltrate the computer networks of the victim companies.
In computer attacks lasting more than a year, the trio allegedly scooped up credit and debit card numbers and installed so-called back doors in the victims' computer networks to enable them to steal more data in the future, the indictment said.
They also installed "sniffer" programs to capture card data and send it to the hackers.
The trio made extensive efforts to conceal their activities, registering the computers they used under false names and communicating online under a variety of screen names. The three were charged with gaining unauthorised access to computers, computer fraud and conspiracy to commit wire fraud. Gonzalez faces up to 25 years in prison and $US500,000 in fines.
Wire fraud, conducted in cyberspace because wire transfers now use networks that connect to the internet, has exploded in recent years. The US Treasury Department reported that of the more than 55,000 incidents of wire fraud since 1998, more than half occurred in the past two years.