Very long but fascinating, the story of the biggest hack of all time… A real spy novel…
The Great Cyberheist
One night in July 2003, a little before midnight, a plainclothes N.Y.P.D. detective, investigating a series of car thefts in upper Manhattan, followed a suspicious-looking young man with long, stringy hair and a nose ring into the A.T.M. lobby of a bank. Pretending to use one of the machines, the detective watched as the man pulled a debit card from his pocket and withdrew hundreds of dollars in cash. Then he pulled out another card and did the same thing. Then another, and another. The guy wasn’t stealing cars, but the detective figured he was stealing something.
Indeed, the young man was in the act of “cashing out,” as he would later admit. He had programmed a stack of blank debit cards with stolen card numbers and was withdrawing as much cash as he could from each account. He was doing this just before 12 a.m., because that’s when daily withdrawal limits end, and a “casher” can double his take with another withdrawal a few minutes later. To throw off anyone who might later look at surveillance footage, the young man was wearing a woman’s wig and a costume-jewelry nose ring. The detective asked his name, and though the man went by many aliases on the Internet — sometimes he was cumbajohny, sometimes segvec, but his favorite was soupnazi — he politely told the truth. “Albert Gonzalez,” he said.
After Gonzalez was arrested, word quickly made its way to the New Jersey U.S. attorney’s office in Newark, which, along with agents from the Secret Service’s Electronic Crimes Task Force, had been investigating credit- and debit-card fraud involving cashers in the area, without much luck. Gonzalez was debriefed and soon found to be a rare catch. Not only did he have data on millions of card accounts stored on the computer back in his New Jersey apartment, but he also had a knack for patiently explaining his expertise in online card fraud. As one former Secret Service agent told me, Gonzalez was extremely intelligent. “He knew computers. He knew fraud. He was good.”
Gonzalez, law-enforcement officials would discover, was more than just a casher. He was a moderator and rising star on Shadowcrew.com, an archetypal criminal cyberbazaar that sprang up during the Internet-commerce boom in the early 2000s. Its users trafficked in databases of stolen card accounts and devices like magnetic strip-encoders and card-embossers; they posted tips on vulnerable banks and stores and effective e-mail scams. Created by a part-time student in Arizona and a former mortgage broker in New Jersey, Shadowcrew had hundreds of members across the United States, Europe and Asia. It was, as one federal prosecutor put it to me, “an eBay, Monster.com and MySpace for cybercrime.”
After a couple of interviews, Gonzalez agreed to help the government so he could avoid prosecution. “I was 22 years old and scared,” he’d tell me later. “When you have a Secret Service agent in your apartment telling you you’ll go away for 20 years, you’ll do anything.”
He was also good-natured and helpful. “He was very respectable, very nice, very calm, very well spoken,” says the Secret Service agent who would come to know Gonzalez best, Agent Michael (a nickname derived from his real name). “In the beginning, he was quiet and reserved, but then he started opening up. He started to trust us.”
The agents won his trust in part by paying for his living expenses while they brought him to their side and by waiting for Gonzalez to work through his withdrawal. An intermittent drug addict, Gonzalez had been taking cocaine and modafinil, an antinarcoleptic, to keep awake during his long hours at the computer. To decompress, he liked Ecstasy and ketamine. At first, a different agent told me, “he was extremely thin; he smoked a lot, his clothes were disheveled. Over time, he gained weight, started cutting his hair shorter and shaving every day. It was having a good effect on his health.” The agent went on to say: “He could be very disarming, if you let your guard down. I was well aware that I was dealing with a master of social engineering and deception. But I never got the impression he was trying to deceive us.”
Gonzalez’s gift for deception, however, is precisely what made him one of the most valuable cybercrime informants the government has ever had. After his help enabled officials to indict more than a dozen members of Shadowcrew, Gonzalez’s minders at the Secret Service urged him to move back to his hometown, Miami, for his own safety. (It was not hard for Shadowcrew users to figure out that the one significant figure among their ranks who hadn’t been arrested was probably the unnamed informant in court documents.) After aiding another investigation, he became a paid informant in the Secret Service field office in Miami in early 2006. Agent Michael was transferred to Miami, and he worked with Gonzalez on a series of investigations on which Gonzalez did such a good job that the agency asked him to speak at seminars and conferences. “I shook the hand of the head of the Secret Service,” Gonzalez told me. “I gave a presentation to him.” As far as the agency knew, that’s all he was doing. “It seemed he was trying to do the right thing,” Agent Michael said.
He wasn’t. Over the course of several years, during much of which he worked for the government, Gonzalez and his crew of hackers and other affiliates gained access to roughly 180 million payment-card accounts from the customer databases of some of the most well known corporations in America: OfficeMax, BJ’s Wholesale Club, Dave & Buster’s restaurants, the T. J. Maxx and Marshalls clothing chains. They hacked into Target, Barnes & Noble, JCPenney, Sports Authority, Boston Market and 7-Eleven’s bank-machine network. In the words of the chief prosecutor in Gonzalez’s case, “The sheer extent of the human victimization caused by Gonzalez and his organization is unparalleled.”