Photo of Albert Gonzalez by U.S. Secret Service
Albert Gonzalez (born 1981) is an American computer hacker and computer criminal who is accused of masterminding the combined credit card theft and subsequent reselling of more than 170 million card and ATM numbers from 2005 through 2007—the biggest such fraud in history.
Gonzalez and his accomplices used SQL injection to deploy backdoors on several corporate systems in order to launch packet sniffing (specifically, ARP Spoofing) attacks which allowed him to steal computer data from internal corporate networks.
During his spree he was said to have thrown himself a $75,000 birthday party and complained about having to count $340,000 by hand after his currency-counting machine broke. Gonzalez stayed at lavish hotels but his formal homes were modest.
Gonzalez had three federal indictments:
- May 2008 in New York for the Dave & Busters case (trial schedule September 2009)
- May 2008 in Massachusetts for the TJ Maxx case (trial scheduled early 2010)
- August 2009 in New Jersey in connection with the Heartland Payment case.
On March 25, 2010, Gonzalez was sentenced to 20 years in federal prison.
Gonzalez's parents, who had immigrated to the United States from Cuba in the 1970s, bought him his first computer when he was 8.
He attended South Miami High School in Miami, Florida, where he was described as the "troubled" pack leader of computer nerds. In 2000 he moved to New York City where he lived for three months before moving to Kearny, New Jersey.
While in Kearny he was accused of being the mastermind of a group of hackers called the Shadowcrew group, which trafficked in 1.5 million stolen credit and ATM card numbers. Although considered the mastermind of the scheme (operating on the site under the screen name of "CumbaJohnny"), he was not indicted. According to the indictment there were 4,000 people who registered with the Shadowcrew.com website. Once registered they could buy stolen account numbers or counterfeit documents at auction or read “Tutorials and How-To’s” describing the use of cryptography in magnetic strips on credit cards, debit cards and ATM cards so that the numbers could be used. Moderators of the website punished members who did not abide by the site's rules, including providing refunds to buyers if the stolen card numbers proved invalid.
In addition to the card numbers, numerous other objects of identity theft were sold at auction, including counterfeit passports, drivers’ licenses, Social Security cards, credit cards, debit cards, birth certificates, college student identification cards, and health insurance cards. One member sold 18 million e-mail accounts with associated usernames, passwords, dates of birth, and other personally identifying information. Most of those indicted were members who actually sold illicit items. Members who maintained or moderated the website itself were indicted including one who attempted to register the .cc domain name Shadowcrew.cc
The Secret Service dubbed their investigation "Operation Firewall" and is believed that $4.3 million was stolen as Shadowcrew shared its information with other groups entitled Carderplanet and Darkprofits. The investigation involved units from the United States, Bulgaria, Belarus, Canada, Poland, Sweden, the Netherlands and Ukraine. Gonzalez was initially charged with possession of 15 fake credit and debit cards in Newark, New Jersey, though he avoided jail time by providing evidence to the United States Secret Service against his cohorts. 19 ShadowCrew members were indicted. He then returned to Miami.
While cooperating with authorities, he was said to have masterminded the hacking of TJX Companies in which 45.6 million credit and debit card numbers were stolen over an 18-month period ending in 2007 topping the 2005 breach of 40 million records at CardSystems Solutions. Gonzalez and 10 others sought targets while wardriving and seeking vulnerabilities in wireless networks along U.S. Route 1 in Miami. They compromised cards at BJ's Wholesale Club, DSW, Office Max, Boston Market, Barnes & Noble, Sports Authority and T.J. Maxx.
The hacking was an embarrassment to TJ Maxx, which discovered the breach in December 2006. The company initially believed the intrusion began in May 2006, but further investigation revealed breaches dating back to July 2005.
One of his alleged co-conspirators was 7-foot-tall Stephen Watt, known in the hacker world as "Unix Terrorist" and "Jim Jones." Watt worked at Morgan Stanley in New York City and wrote the sniffer program.
Gonzalez was arrested on May 7, 2008 on charges stemming from hacking into the Dave & Buster's corporate network from a point of sale location at a restaurant in Islandia, New York. The incident occurred in September 2007. About 5,000 card numbers were stolen. Fraudulent transactions totaling $600,000 were reported on 675 of the cards.
Authorities became suspicious after the conspirators kept returning to the restaurant to reintroduce their hack because it would not restart after the company computers shut down.
Gonzalez was arrested in Room 1508 at the National Hotel in Miami Beach, Florida. In various related raids authorities seized $1.6 million in cash (including $1.1 million in plastic bags in a three-foot drum buried in his parents' backyard), his laptops and a compact Glock pistol.
Officials said that Gonzalez lived in a nondescript house in Miami.
- Stephen Watt was charged with providing a data theft tool in an identity theft case. Stephen Watt was sentenced to two years in prison and 3 years of supervised release. Also he was ordered by the court to pay back $171.5 million in restitution.
- Damon Patrick Toey pled guilty to wire fraud, credit card fraud, and aggravated identity theft and received a five-year sentence.
- Christopher Scott plead guilty to conspiracy, unauthorized access to computer systems, access device fraud and identity theft. He was sentenced to seven years.
Heartland Payment Systems
In August 2009 Gonzalez was indicted in Newark, New Jersey on charges dealing with hacking into the Heartland Payment Systems, Citibank-branded 7-Eleven ATM's and Hannaford Brothers computer systems. Heartland bore the bulk of the attack in which 130 million card numbers were stolen. Hannaford had 4.6 million numbers stolen. Two other retailers were not disclosed in the indictment; however, Gonzalez's attorney told StorefrontBacktalk that two of the retailers were J.C. Penney and Target Corporation. Heartland reported that it had lost $12.6 million in the attack including legal fees. Gonzalez allegedly called the scheme "Operation Get Rich or Die Tryin."
According to the indictment the attacks by Gonzalez and two unidentified hackers "in or near Russia" along with unindicted conspirator "P.T." from Miami began on December 26, 2007, at Heartland Payment Systems, August 2007 against 7-Eleven and Hannaford Brothers in November 2007 and two other unidentified companies. Gonzalez and his co-horts targeted large companies and studied their check out terminals and then attacked the companies from internet-connected computers in New Jersey, Illinois, Latvia, the Netherlands and Ukraine.
They covered their attacks over the Internet using more than one messaging screen name, storing data related to their attacks on multiple Hacking Platforms, disabling programs that logged inbound and outbound traffic over the Hacking Platforms, and disguising, through the use of “proxies,” the Internet Protocol addresses from which their attacks originated.
The indictment said the hackers tested their program against 20 anti virus programs.
Rene Palomino Jr., attorney for Gonzalez, charged in a blog on the New York Times website that the indictment arose out of squabbling among U.S. Attorney offices in New York, Massachusetts and New Jersey. Palomino said that Gonzalez was in negotiations with New York and Massachusetts for a plea deal in connection with the T.J. Maxx case when New Jersey made its indictment. Palomino identified the unindicted conspirator "P.T." as Damon Patrick Toey who had pled guilty in the T.J. Maxx case. Palomino said Toey rather than Gonzalez was the ring leader of the Heartland case. Palomino further said, “Mr. Toey has been cooperating since Day One. He was staying at (Gonzalez’s) apartment. This whole creation was Mr. Toey’s idea...It was his baby. This was not Albert Gonzalez. I know for a fact that he wasn’t involved in all of the chains that were hacked from New Jersey.”
Palomino said one of the unnamed Russian hackers in the Heartland case was Maksym Yastremskiy who was also indicted in the T.J. Maxx but is now serving 30 years in a Turkish prison on a charge of hacking Turkish banks in a separate matter. Investigators said Yastremskiy and Gonzalez exchanged 600 messages and that Gonzalez paid him $400,000 through e-gold.
Yastremskiy was arrested in July 2007 in Turkey on charges of hacking into 12 banks in Turkey. The Secret Service investigation into him was used to build the case against Gonzalez including a sneak and peek covert review of Yastremskiy's laptop in Dubai in 2006 and a review of the disk image of the Latvia computer leased from Cronos IT and alleged to have been used in the attacks.
After the indictment Heartland issued a statement saying that it does not know how many card numbers were stolen from the company and that it does not know how the U.S. government reached the 130 million number.
On August 28, 2009, Gonzalez's attorney filed papers with the United States District Court for the District of Massachusetts in Boston indicating that he would plead guilty to all 19 charges in the U.S. v. Albert Gonzalez, 08-CR-10223, case (the TJ Maxx case). According to reports this plea bargain would "resolve" issues with the New York case of U.S. v. Yastremskiy, 08-CR-00160 in United States District Court for the Eastern District of New York (the Dave and Busters case).
On March 25, 2010, U.S. District Judge Patti Saris sentenced Gonzalez to 20 years in prison for hacking into and stealing information from TJX, Office Max, the Dave & Busters restaurant chain, Barnes & Noble and a string of other companies. The next day, U.S. District Court Judge Douglas P. Woodlock sentenced him to 20 years in connection with the Heartland Payment Systems case. The sentences were ordered to run concurrently, meaning that Gonzalez will serve a total of 20 years for both cases. Gonzalez was also ordered to forfeit more than $1.65 million, a condominium in Miami, a blue 2006 BMW 330i automobile, IBM and Toshiba laptop computers, a Glock 27 firearm, a Nokia cell phone, a Tiffany diamond ring and three Rolex watches.
On March 25, 2011, Gonzalez filed a motion in U.S. District Court in Boston to withdraw his guilty plea. He claimed that during the time he committed his crimes, he had been assisting the United States Secret Service in seeking out international cybercriminals and said his attorneys failed to advise him that he could have therefore used a “public authority” defense. The Secret Service declined to comment on Gonzalez's motion, which is still pending.
- From snitch to cyberthief of the century – Miami Herald – August 22, 2009[dead link]
- "Case File: Operation Get Rich or Die Tryin". Retrieved February 23, 2011.
- "'Soupnazi' hacker Albert Gonzalez went from nerdy past to life of sex, guns and drugs – New York Daily News – August 19, 2009". Nydailynews.com. 2009-08-18. Retrieved 2012-05-07.
- Meek, James Gordon; and Siemaszko, Corky. "'Soupnazi' hacker Albert Gonzalez went from nerdy past to life of sex, guns and drugs", Daily News (New York), August 19, 2009. Accessed March 28, 2011. "After graduation, Gonzalez moved north to Manhattan and lived on the East Side for three months in 2000 before setting up shop in Kearny, N.J., records show. It was while living there in an anonymous garden apartment with mostly senior citizens as neighbors that Gonzalez was busted for hacking in 2003."
- Sharon Gaudin. "Government informant is called kingpin of largest U.S. data breaches – Computer World – August 18, 2009". Computerworld.com. Retrieved 2012-05-07.
- Grand jury indictment of Shadowcrew[dead link]
- Dan Verton (2004-10-28). "Secret Service busts online organized crime ring – Computerworld – October 28, 2004". Computerworld.com. Retrieved 2012-05-07.
- Jaikumar Vijayan (2007-03-29). "TJX data breach: At 45.6M card numbers, it's the biggest ever – Computerworld – March 29, 2007". Computerworld.com. Retrieved 2012-05-07.
- Grand jury indictment, District of Massachusetts[dead link][dead link]
- "The Retail Store Hacker Albert Gonzalez Now Faces Prison Time". Law Vibe.
- Zetter, Kim (June 18, 2009). "TJX Hacker Was Awash in Cash; His Penniless Coder Faces Prison". Wired.
- "Three Charged in Dave & Buster's Hacking Job – csoonline.com – May 24, 2008". Csoonline.com. 2008-05-14. Retrieved 2012-05-07.
- No hack as a hacker – Chicago Sun Times – August 23, 2009[dead link]
- Zetter, Kim (June 18, 2009). "TJX Hacker Was Awash in Cash; His Penniless Coder Faces Prison wired.com – June 2009". Wired.com.
- "Federal Indictment Press Release justice.gov – 2008". Department of Justice.
- Zetter, Kim (April 15, 2010). "Final Conspirator in Credit Card Hacking Ring Gets 5 Years wired.com – April 15, 2010". Wired.com.
- "TJX DATA THEFT CONSPIRATOR SENTENCED justice.gov – March 29, 2010". Department of Justice.
- "J.C. Penney, Target Added To List Of Gonzalez Retail Victims – StorefontBackTalk – August 27, 2009". Storefrontbacktalk.com. 2009-08-27. Retrieved 2012-05-07.
- Zetter, Kim (2009-07-17). "Hacker Charged With Heartland, Hannaford Breaches – wired.com – August 17, 2009". Wired.com. Retrieved 2012-05-07.
- Grand jury indictment, District of New Jersey[dead link]
- "Gonzalez Case Raises Very OId Retail Security Issues – Storefrontbacktalk.com – August 23, 2009". Storefrontbacktalk.com. 2009-08-23. Retrieved 2012-05-07.
- Stone, Brad (2009-08-19). "Hacking Suspect’s Lawyer Criticizes Federal Prosecutors – nytimes.com – August 19, 2009". Bits.blogs.nytimes.com. Retrieved 2012-05-07.
- Zetter, Kim (August 20, 2009). "In Gonzalez Hacking Case, a High-Stakes Fight Over a Ukrainian’s Laptop – Wired – August 20, 2009". Wired.com. Retrieved 2012-05-07.
- "Gonzalez: The Al Capone Of Cyber Thieves? – storefrontbacktalk.com – August 19, 2009". Storefrontbacktalk.com. Retrieved 2012-05-07.
- Zetter, Kim (March 25, 2010). "TJX Hacker Gets 20 Years in Prison". Wired.
- James Verini (November 10, 2010). "The Great Cyberheist". New York Times. Archived from the original on 13 November 2010. Retrieved November 14, 2010.
- Angela Moscaritolo (2011-04-11). "TJX hacker Gonzalez asks for withdrawl (sic) of guilty plea - SC Magazine". Scmagazineus.com. Retrieved 2012-05-07.