Cyberthief of the Century



08-25-2009, 03:32 PM
Identity theft: Miami hacker cyberthief of the century?
By SCOTT HIAASEN, ROB BARRY, NIRVI SHAH AND MICHAEL SALLAH
Miami Herald, Sunday, August 23, 2009

On May 7, 2008, federal agents swept through Miami-Dade looking for evidence that one of their best informants was also one of the world's biggest cyberthieves. Searching three homes and a luxury hotel room in South Beach, they found 14 computers, $400,000 in cash, six firearms, expensive jewelry — and even stumbled on a marijuana grow house.

What they missed was the most compelling evidence in Albert Gonzalez's life of crime: a three-foot drum buried in his parents' backyard stuffed with $1.1 million wrapped in plastic bags. The money — like so many other pieces of evidence — wasn't unearthed until this year by federal agents still unraveling a case that continues to confound even the most seasoned cyberspace investigators.

Federal agents announced after last year's raids that Gonzalez had orchestrated the largest credit-card heist in the nation's history — 41 million cards stolen from Americans. But last week, they came back with even more evidence to show Gonzalez had masterminded a fraud three times as large.

Though Gonzalez has been in jail since the raids last year, investigators are still finding new evidence traced to the years the Miami native was ripping off millions of credit cards — while on the Secret Service's payroll.

For years, Gonzalez was able to hide his activities — skills honed since he was in grade school — using fake identities and encrypted hard drives on computers scattered across the globe.

Even Gonzalez's lawyer says his client was a step ahead of investigators, including his own federal handlers. ``I don't think the government was prepared to deal with a kid like Albert,'' said Rene Palomino Jr.

The charges against Gonzalez — including last week's indictment — exposed major security breakdowns at credit-card processors and dealt an embarrassing blow to federal agents paying him to help catch other cyberthieves.

The case also offers a glimpse into the intricate network of cybercriminals who reach across continents to buy and sell vast amounts of credit-card data on the worldwide black market.

``This is a magnitude we've never seen before by an individual or a small group of individuals,'' said Scott Mitic, CEO of TrustedID, an identity-theft protection company in California. ``There's no doubt that this is the heist of the century.''

Though he began hacking for thrills at an early age, Gonzalez's first real foray into cybercrime began shortly after he graduated from South Miami High School in 1999 and moved to New York.

For a brief time the young man with self-taught skills held a job with a computer company, but soon found he could earn more money by emptying ATM machines with stolen debit cards, said his former lawyer, David Zapp.

``It was a necessity type thing,'' said Zapp, who practices in New York. ``He had a nice job, then he lost it.''

It wasn't long before his exploits got him in trouble: Federal agents in New Jersey arrested Gonzalez in 2003 on charges of having more than 15 fake credit and debit cards.

Instead of pressing the case in court, agents for the U.S. Secret Service decided to put his skills to work as a snitch, helping the agency combat a rapidly developing crime: large-scale identity theft.

Because businesses were storing credit-card numbers on computers exposed to the Internet, systems were being breached more often than ever before.

Zapp said agents were not only impressed with Gonzalez's computer skills, but his demeanor as well. ``This guy was not a sullen or street kind of guy. You could tell he had been brought up well. I think most people who dealt with him at that stage in his life felt very protective and fatherly of him.''

Using the screen name CumbaJohnny, Gonzalez helped the Secret Service monitor people on the website known as ``ShadowCrew,'' a notorious message board where hackers traded software, techniques and stolen data.

The Secret Service wasn't alone in watching ShadowCrew. The FBI was also snooping on the site. Former agent E.J. Hilbert said he remembers CumbaJohnny, but never knew the hacker was working for the government.

At one point, Hilbert said, he even made a deal to buy stolen information from CumbaJohnny. ``I was the bag man,'' he said.

After a year, Gonzalez's work as a snitch paid dividends: 19 ShadowCrew members were indicted in New Jersey in 2004, accused of stealing 1.5 million credit-card accounts.

For Gonzalez, whose father arrived in Florida on a homemade raft from Cuba in the 1970s, the success brought praise from home.

``His parents were very proud of him: He was working for the government,'' Palomino said. ``He was finally on his way.''

The following month, Gonzalez was allowed by his handlers to move back to Miami, where he bought a condo and soon founded a computer consulting service, records show.
During the next four years, he shuttled between Florida and the New York area, while continuing to work for the Secret Service.

But unknown to agents, Gonzalez was slowly rising to become the leader of a criminal ring far more ambitious than the one he helped bring down, prosecutors say.

Drawing together a loose band of hackers in the U.S. and credit-card traffickers from Eastern Europe, Gonzalez built a criminal enterprise with the ability to move vast amounts of data around the world, indictments say.

He nicknamed his plan ``Operation Get Rich or Die Tryin'.'' And get rich he did.

Prosecutors say he amassed at least $1.6 million while living in luxury hotels in Miami and New York, spending wads of cash on a lifestyle far removed from his working-class roots.

He threw himself a $75,000 birthday party on South Beach and once complained about having to count $340,000 by hand after his money-counter broke, court records show.
The money came from a variety of sources.

In one scheme, Gonzalez and others cruised up and down U.S. 1 in SUVs loaded with laptops and antennas designed to sweep up credit-card numbers from outside retail stores. Their targets: Barnes & Noble, TJ Maxx, BJ's Wholesale Club, Office Max, Sports Authority and more.

The stolen data was shipped to a team of people scattered around the country who used the information to make phony credit and debit cards for buying goods and getting cash, investigators say.

One New York man sent more than $300,000 in cash to Gonzalez from fraudulent ATM transactions in California; another accomplice was arrested outside Philadelphia with 80 bogus cards and a duffel bag filled with $208,000 in cash, records show.

But Gonzalez's methods went beyond prowling the streets in search of big-box stores.

He also targeted two corporate headquarters and a major credit-card processing center, reaping far greater rewards.

By using a method known as ``SQL injection'' and installing custom programs to crack into computer networks, he devoured reams of credit-card numbers — enough to fill five billion typed pages.

The numbers would then be sold overseas with the help of Maksym Yastremskiy, a notorious data-broker from Ukraine. For more than a year, federal agents hunted Yastremskiy from Dubai to Turkey, where he was arrested in July 2007.

When investigators seized Yastremskiy's computer, they found more than 600 messages between him and Gonzalez — some discussing a ``sniffer'' program to steal credit-card numbers.

They also found that Yastremskiy paid Gonzalez $400,000 through a website called e-gold, which purports to create an Internet currency system backed with gold.

With Yastremskiy in custody in Turkey, Secret Service agents focused their attention on Gonzalez.
In May 2008, armed with search warrants, agents found their former informant in a room at the chic National Hotel in Miami Beach with two laptops, $22,000 and a Glock pistol.

They also searched Gonzalez's parents' home, his condo, and the Palmetto Bay home of an accomplice, where they found 75 marijuana plants, prosecutors say.

Within months of the raids, Gonzalez was indicted in the first record-breaking case. Then, this past week, prosecutors announced yet another record-shattering indictment against Gonzalez, accusing him of stealing an additional 130 million credit card numbers. He is being held in jail in Brooklyn.

In all, he has been accused of stealing at least 170 million credit-card numbers over four years — including at least two years when he was acting as a Secret Service informant, said Palomino.

The case underscores the dangers of using confidential informants in criminal investigations — often the only way to gain information from tightly knit criminal groups.

``The problem with these guys is that they constantly need to be monitored and controlled,'' said James We****, a former FBI agent who investigated the Mafia and other criminal organizations. ``People don't realize that they are some of the most dangerous people to work with.''

The Secret Service would not comment on Gonzalez's role as an informant or discuss details of his case.

At least a dozen witnesses have already agreed to plead guilty and testify against Gonzalez, who faces a potential life sentence if convicted.

Palomino describes Gonzalez as remorseful, saying he hoped to reach a plea bargain before the newest indictment was announced Monday.

His parents have also come under scrutiny from federal agents: In court papers, prosecutors claim they helped their son launder money, though they were never charged. Palomino insists they have been cleared of any wrongdoing, saying the ordeal ``has taken an extreme toll on them.''

No matter how the criminal case is resolved, their son will be infamous in the world of cybercrime, Palomino said.

``Albert Gonzalez is going to go down as one of the best people as far as hacking in the country. Probably the best in our lifetime,'' the lawyer said. ``Imagine if Albert had kept on a straight trail what he could have done.''

01-04-2010, 04:36 PM
From the Miami Herald, 12/30/09:

Albert Gonzalez, the Miami cyberthief who admitted to carrying out the largest identity theft in the nation's history, pleaded guilty Tuesday in federal court to a second computer hacking case this year.

Gonzalez, 28, admitted stealing data on 130 million credit and debit cards from Heartland Payment Systems Inc., 7-Eleven Inc., Delhaize Group's Hannaford Brothers Co. and two unidentified national retailers. Gonzalez was indicted in New Jersey, and the case was transferred earlier this month to Boston.

"He wants finality and he regrets what he did with his skills," defense attorney Martin Weinberg told reporters after the hearing before U.S. District Judge Douglas Woodlock.

At one time, Gonzalez had been an informant for the U.S. Secret Service, assisting the federal government in their efforts to sniff out a cybertheft ring in 2003. His own career in identity theft dates back to 1998, when he was caught using the computers at South Miami High School to obtain credit card information from the Internet -- and then offered to become a police informant, Miami-Dade County school district records show.

Under a plea agreement filed Dec. 16, Gonzalez's legal counsel will not seek a term of less than 17 years and prosecutors will not ask for more than 25 years.

In September, Gonzalez pleaded guilty to leading a worldwide ring that stole credit and debit card records from U.S. retailers including TJX Cos., OfficeMax Inc. and BJ's Wholesale Club Inc. Under that plea agreement, Gonzalez would serve from 15 to 25 years and forfeit more than $1.65 million.

He is expected to receive sentencing in both cases in March.

Earlier this year, investigators unearthed about $1.1 million in cash that Gonzalez buried in plastic bags in the backyard of his parents' home in southwest Miami-Dade County.

mod 166
01-05-2010, 10:38 PM
This is a reminder: IT IS AGAINST LEOAFFAIRS POLICY TO PERMIT LENGTHY POSTINGS OF ENTIRE NEWS ARTICLES.

The accepted practice is to reproduce a brief excerpt of the article and provide a link to the web address where the entire article may be found.

Future postings like the above reprints of the Miami Herald articles WILL BE TRUNCATED and I will not be the one to search for and provide the appropriate link.

Thank you,

mod 166