Albert Gonzalez (born 1981) is a computer hacker and computer criminal who is accused of masterminding the combined credit card theft and subsequent reselling of more than 170 million card and ATM numbers from 2005 through 2007—the biggest such fraud in history.
Gonzalez and his accomplices used SQL injection to deploy backdoors on several corporate systems in order to launch packet sniffing (specifically, ARP Spoofing) attacks which allowed him to steal computer data from internal corporate networks.
During his spree, he was said to have thrown himself a $75,000 birthday party and complained about having to count $340,000 by hand after his currency-counting machine broke. Gonzalez stayed at lavish hotels but his formal homes were modest.
Gonzalez had three federal indictments:
- May 2008 in New York for the Dave & Busters case (trial schedule September 2009)
- May 2008 in Massachusetts for the TJ Maxx case (trial scheduled early 2010)
- August 2009 in New Jersey in connection with the Heartland Payment case.
On March 25, 2010, Gonzalez was sentenced to 20 years in federal prison.
Gonzalez, a Cuban-American, attended South Miami High School in Miami, Florida, where he was described as the "troubled" pack leader of computer nerds. In his senior year at the school, he and friend used the library computer to hack into computer systems of the government of India where they left messages about their culture. Reportedly India had to cancel government checks as a result. Gonzalez was not charged and was warned to stay away from a computer for six months. In 2000 he moved to New York City where he lived for three months before moving to Kearny, New Jersey.
Main article: ShadowCrewWhile in Kearny he was accused of being the mastermind of a group of hackers called the Shadowcrew group, which trafficked in 1.5 million stolen credit and ATM card numbers. Although considered the mastermind of the scheme (operating on the site under the screen name of "CumbaJohnny"), he was not indicted. According to the indictment, there were 4,000 people who registered with the Shadowcrew.com website. Once registered they could buy stolen account numbers or counterfeit documents at auction or read “Tutorials and How-To’s” describing the use of cryptography in magnetic strips on credit cards, debit cards, and ATM cards so that the numbers could be used. Moderators of the website punished members who did not abide by the site's rules including providing refunds to buyers if the stolen card numbers proved invalid.
In addition to the card numbers, numerous other objects of identity theft were sold at auction, including counterfeit passports, drivers’ licenses, Social Security cards, credit cards, debit cards, birth certificates, college student identification cards, and health insurance cards. One member sold 18 million e-mail accounts with associated usernames, passwords, dates of birth, and other personally identifying information. Most of those indicted were members who actually sold illicit items. Members who maintained or moderated the website itself were indicted including one who attempted to register the .cc domain name Shadowcrew.cc
The Secret Service dubbed their investigation "Operation Firewall" and is believed that $4.3 million was stolen as Shadowcrew shared its information with other groups entitled Carderplanet and Darkprofits. The investigation involved units from the United States, Bulgaria, Belarus, Canada, Poland, Sweden, the Netherlands, and Ukraine. Gonzalez was initially charged with possession of 15 fake credit and debit cards in Newark, New Jersey, though he avoided jail time by providing evidence to the United States Secret Service against his cohorts. 19 ShadowCrew members were indicted. He then returned to Miami.
While cooperating with authorities, he was said to have masterminded the hacking of TJX Companies in which 45.6 million credit and debit card numbers were stolen over an 18 month period ending in 2007 topping the 2005 breach of 40 million records at CardSystems Solutions. Gonzalez and 10 others sought targets while wardriving and seeking vulnerabilities in wireless networks along U.S. Route 1 in Miami. They compromised cards at BJ's Wholesale Club, DSW, Office Max, Boston Market, Barnes & Noble, Sports Authority and T.J. Maxx.[dead link]
The hacking was an embarrassment to TJ Maxx, which discovered the breach in December 2006. The company initially believed the intrusion began in May 2006, but further investigation revealed breaches dating back to July 2005.
One of his co-conspirators was 7-foot-tall Stephen Watt, known in the hacker world as "Unix Terrorist" and "Jim Jones." Watt worked at Morgan Stanley in New York City and wrote the sniffer program.
Gonzalez was arrested on May 7, 2008, on charges stemming from hacking into the Dave & Buster's corporate network from a point of sale location at a restaurant in Islandia, New York. The incident occurred in September 2007. About 5,000 card numbers were stolen. Fraudulent transactions totaling $600,000 were reported on 675 of the cards.
Authorities became suspicious after the conspirators kept returning to the restaurant to reintroduce their hack because it would not restart after the company computers shut down.
Gonzalez was arrested in Room 1508 at the National Hotel in Miami Beach, Florida. In various related raids, authorities seized $1.6 million in cash (including $1.1 million in plastic bags in a three-foot drum buried in his parents' backyard), his laptops and a compact Glock pistol.
Officials said that Gonzalez lived in a nondescript house in Miami.
- Stephen Watt was charged with providing a data theft tool in an identity theft case. He was sentenced to two years and received a 171.5 million dollar restitution for his role.
- Damon Patrick Toey pled guilty to wire fraud, credit card fraud, and aggravated identity theft and received a five-year sentence.
- Humza Zaman pled guilty to conspiracy to money laundering and received a four-year sentence.
- Christopher Scott pleads guilty to conspiracy, unauthorized access to computer systems, access device fraud and identity theft. He was sentenced to seven years.
Heartland Payment Systems
In August 2009 Gonzalez was indicted in Newark, New Jersey on charges dealing with hacking into the Heartland Payment Systems, Citibank-branded 7-Eleven ATM's and Hannaford Brothers computer systems. Heartland bore the bulk of the attack in which 130 million card numbers were stolen. Hannaford had 4.6 million numbers stolen. Two other retailers were not disclosed in the indictment, however, Gonzalez's attorney told StorefrontBacktalk that two of the retailers were J.C. Penney and Target Corporation. Heartland reported that it had lost $12.6 million in the attack including legal fees. Gonzalez allegedly called the scheme "Operation Get Rich or Die Tryin."
According to the indictment the attacks by Gonzalez and two unidentified hackers "in or near Russia" along with unindicted conspirator "P.T." from Miami began on December 26, 2007, at Heartland Payment Systems, August 2007 against 7-Eleven and Hannaford Brothers in November 2007 and two other unidentified companies. Gonzalez and his cohorts targeted large companies and studied their check out terminals and then attacked the companies from internet-connected computers in New Jersey, Illinois, Latvia, the Netherlands, and Ukraine.
They covered their attacks over the Internet using more than one messaging screen name, storing data related to their attacks on multiple Hacking Platforms, disabling programs that logged inbound and outbound traffic over the Hacking Platforms, and disguising, through the use of “proxies,” the Internet Protocol addresses from which their attacks originated.
The indictment said the hackers tested their program against 20 anti-virus programs.
Rene Palomino Jr., attorney for Gonzalez, charged in a blog on the New York Times website that the indictment arose out of squabbling among U.S. Attorney offices in New York, Massachusetts, and New Jersey. Palomino said that Gonzalez was in negotiations with New York and Massachusetts for a plea deal in connection with the T.J. Maxx case when New Jersey made its indictment. Palomino identified the unindicted conspirator "P.T." as Damon Patrick Toey who had pled guilty in the T.J. Maxx case. Palomino said Toey rather than Gonzalez was the ringleader of the Heartland case. Palomino further said, “Mr. Toey has been cooperating since Day One. He was staying at (Gonzalez’s) apartment. This whole creation was Mr. Toey’s idea...It was his baby. This was not Albert Gonzalez. I know for a fact that he wasn’t involved in all of the chains that were hacked from New Jersey.”
Palomino said one of the unnamed Russian hackers in the Heartland case was Maksym Yastremskiy who was also indicted in the T.J. Maxx but is now serving 30 years in a Turkish prison on a charge of hacking Turkish banks in a separate matter. Investigators said Yastremskiy and Gonzalez exchanged 600 messages and that Gonzalez paid him $400,000 through e-gold.
Yastremskiy was arrested in July 2007 in Turkey on charges of hacking into 12 banks in Turkey. The Secret Service investigation into him was used to build the case against Gonzalez including a sneak and peek covert review of Yastremskiy's laptop in Dubai in 2006 and a review of the disk image of the Latvia computer leased from Cronos IT and alleged to have been used in the attacks.
After the indictment, Heartland issued a statement saying that it does not know how many card numbers were stolen from the company and that it does not know how the U.S. government reached the 130 million number.
On August 28, 2009, Gonzalez's attorney filed papers with the United States District Court for the District of Massachusetts in Boston indicating that he would plead guilty to all 19 charges in the U.S. v. Albert Gonzalez, 08-CR-10223, case (the TJ Maxx case). According to reports, this plea bargain would "resolve" issues with the New York case of U.S. v. Yastremskiy, 08-CR-00160 in United States District Court for the Eastern District of New York (the Dave and Busters case).
On March 25, 2010, U.S. District Judge Patti Saris sentenced Gonzalez to 20 years in prison for hacking into and stealing information from TJX, Office Max, the Dave & Busters restaurant chain, Barnes & Noble and a string of other companies. The next day, U.S. District Court Judge Douglas P. Woodlock sentenced him to 20 years in connection with the Heartland Payment Systems case. The sentences were ordered to run concurrently, meaning that Gonzalez will serve a total of 20 years for both cases. Gonzalez was also ordered to forfeit more than $1.65 million, a condominium in Miami, a blue 2006 BMW 330i automobile, IBM and Toshiba laptop computers, a Glock 27 firearm, a Nokia cell phone, a Tiffany diamond ring and three Rolex watches.
On March 25, 2011, Gonzalez filed a motion in U.S. District Court in Boston to withdraw his guilty plea. He claimed that during the time he committed his crimes, he had been assisting the United States Secret Service seek out international cyber criminals and said his attorneys failed to advise him that he could have therefore used a “public authority” defense. The Secret Service declined to comment on Gonzalez's motion, which is still pending.
Gonzalez is currently serving his 20-year sentence at the Federal Correctional Institution, Milan, a low-security facility in Michigan. He is scheduled for release in 2025