Decoding the credit card hacking ring


Posted: Thursday, Aug 14, 2008 at 2225 hrs IST
Updated: Thursday, Aug 14, 2008 at 2225 hrs IST


As an international ring of thieves plundered the credit card numbers of millions of Americans, investigators struggled to figure out who was orchestrating the crimes in the US.

When prosecutors unveiled indictments last week, they made a stunning admission: The culprit was, they said, their very own informant.

Albert Gonzalez, 27, appeared to be a reformed hacker. To avoid prison time after being arrested in 2003, he had been helping federal agents identify his former cohorts in the online underworld where credit and debit card numbers are stolen, bought and sold.

But on the sly, federal officials now say, Gonzalez was connecting with those same cohorts and continuing to ply his trade, using online pseudonyms—including ‘soupnazi’—that would be his undoing. As they tell it, Gonzalez had a central role in a loosely organised online crime syndicate that obtained tens of millions of credit and debit card numbers from nine of the biggest retailers in the US.

The indictments last week of 11 people involved in the group give a remarkably comprehensive picture of how the Internet is enabling new kinds of financial crimes on a vast international scale.

In interviews over the last few days, investigators detailed how they tracked Gonzalez and other members of a ring that extended from Ukraine, where a key figure bought and sold stolen numbers over the Internet, to Estonia, where a hacker infiltrated the servers of a Dallas-based restaurant chain. The criminals stored much of their data on computer servers in Latvia and Ukraine, and purchased blank debit and credit cards from confederates in China, which they imprinted with some of the stolen numbers for use in cash machines, investigators say.

“This was the largest hacking and theft of credit and debit card information ever successfully investigated and prosecuted within the US,” said Craig Magaw, special agent in charge of the Secret Service’s criminal investigative division. “This case shows that there are no more boundaries.”

Gonzalez’s lawyer, Rene Palomino Jr, disputes the charges and says his client is merely a ‘kid’ who lived with church-going parents before starting work as a government informant. Palomino said the indictment “represents serious and substantial legal and factual challenges for the government to prove at trial.”

The story begins five years ago in Miami, along the stretch of Route 1 called the South Dixie Highway. Starting in 2003, national retailers with outlets there, including BJ’s Wholesale Club, the Sports Authority, OfficeMax, DSW and Barnes & Noble, began falling victim to ‘war-drivers’—drive-by hackers who searched for holes in the security of wireless networks.

According to last week’s indictments, those hackers were Gonzalez and two Miami accomplices, Christopher Scott, 25, and Damon Patrick Toey, 23.

Investigators say the conspirators began their largest heist in July 2005, when they identified a vulnerable network at a Marshall’s department store in Miami and used it to place a so-called sniffer programme on the computers of the chain’s parent company, TJX, in Framingham, Mass. The programme pulled out data like credit card numbers from the network traffic.

Fifteen months later, the company, which also owns TJ Maxx stores, admitted that up to 45 million credit and debit card numbers had been exposed in the prolonged attack. It has already cost TJX more than $130 million in settlement claims with banks and afflicted customers.

The Secret Service—which is charged with combating financial fraud in addition to protecting public officials—had until that point focused its attention on the resellers of stolen card numbers. In October 2004, the agency concluded Operation Firewall, an 18-month investigation into members of the Shadowcrew website, where blocks of purloined card numbers, known as dumps, were bought and sold. Twenty-eight people were arrested, and a hub of the shady underworld of ‘carders’—typically unemployed, technically sophisticated and highly arrogant young men—was shut down.

Assisting with that investigation was Albert Gonzalez, a Cuban-American from Miami who had been arrested in 2003 on credit card fraud charges in New Jersey and agreed to cooperate with authorities to avoid jail time.

According to the Secret Service, Gonzalez helped agents surreptitiously access the Shadowcrew site and pose as interested buyers of stolen information.

“In order to infiltrate those organisations you have to be established,” Magaw said. “You cannot just get on criminal boards and start dealing with high-level players. He provided us with that ability to do that on Shadowcrew.”

NY Times / Brad Stone
