August 12, 2008
Global Trail of an Online Crime Ring
By BRAD STONE
As an international ring of thieves plundered the credit card numbers of millions of Americans, investigators struggled to figure out who was orchestrating the crimes in the United States.
When prosecutors unveiled indictments last week, they made a stunning admission: the culprit was, they said, their very own informant.
Albert Gonzalez, 27, appeared to be a reformed hacker. To avoid prison time after being arrested in 2003, he had been helping federal agents identify his former cohorts in the online underworld where credit and debit card numbers are stolen, bought and sold.
But on the sly, federal officials now say, Mr. Gonzalez was connecting with those same cohorts and continuing to ply his trade, using online pseudonyms — including “soupnazi” — that would be his undoing. As they tell it, Mr. Gonzalez had a central role in a loosely organized online crime syndicate that obtained tens of millions of credit and debit card numbers from nine of the biggest retailers in the United States.
The indictments last week of 11 people involved in the group give a remarkably comprehensive picture of how the Internet is enabling new kinds of financial crimes on a vast international scale.
In interviews over the last few days, investigators detailed how they had tracked Mr. Gonzalez and other members of a ring that extended from Ukraine, where a key figure bought and sold stolen numbers over the Internet, to Estonia, where a hacker infiltrated the servers of a Dallas-based restaurant chain.
The criminals stored much of their data on computer servers in Latvia and Ukraine, and purchased blank debit and credit cards from confederates in China, which they imprinted with some of the stolen numbers for use in cash machines, investigators say.
“This was the largest hacking and theft of credit and debit card information ever successfully investigated and prosecuted within the United States,” said Craig Magaw, special agent in charge of the Secret Service’s criminal investigative division. “This case shows that there are no more boundaries.”
Mr. Gonzalez’s Miami lawyer, Rene Palomino Jr., disputes the charges and says his client is merely a “kid” who lived with church-going parents before starting work as a government informant. Mr. Palomino said the indictment “represents serious and substantial legal and factual challenges for the government to prove at trial.”
The story begins five years ago in Miami, along the stretch of Route 1 called the South Dixie Highway. Starting in 2003, national retailers with outlets there, including BJ’s Wholesale Club, the Sports Authority, OfficeMax, DSW and Barnes & Noble, began falling victim to “war-drivers” — drive-by hackers who searched for holes in the security of wireless networks.
According to last week’s indictments, those hackers were Mr. Gonzalez and two Miami accomplices, Christopher Scott, 25, and Damon Patrick Toey, 23.
Investigators say the conspirators began their largest theft in July 2005, when they identified a vulnerable network at a Marshall’s department store in Miami and used it to place a so-called sniffer program on the computers of the chain’s parent company, TJX, in Framingham, Mass. The program pulled out data like credit card numbers from the network traffic.
Fifteen months later, the company, which also owns TJ Maxx stores, admitted that up to 45 million credit and debit card numbers had been exposed in the prolonged attack. It has already cost TJX more than $130 million in settlement claims with banks and afflicted customers.
The Secret Service — which is charged with combating financial fraud in addition to protecting public officials — had until that point focused its attention on the resellers of stolen card numbers.
In October 2004, the agency concluded Operation Firewall, an 18-month investigation into members of the Shadowcrew Web site, where blocks of purloined card numbers, known as dumps, were bought and sold. Twenty-eight people were arrested, and a hub of the shady underworld of “carders” — typically unemployed, technically sophisticated and highly arrogant young men — was shut down.
Assisting with that investigation was Albert Gonzalez, a Cuban-American from Miami who had been arrested in 2003 on credit card fraud charges in New Jersey and agreed to cooperate with authorities to avoid jail time. According to the Secret Service, Mr. Gonzalez helped agents surreptitiously access the Shadowcrew site and pose as interested buyers of stolen information.
“In order to infiltrate those organizations you have to be established,” Mr. Magaw said. “You cannot just get on criminal boards and start dealing with high-level players. He provided us with that ability to do that on Shadowcrew.”
In the wake of Operation Firewall — and the expanding wave of credit card theft emanating from south Florida — the Secret Service began to focus on how the members of Shadowcrew and other carders were obtaining stolen credit card data.
They focused on a ring of people, most of whom had never met in person, who were working together in cyberspace and breaking into corporate computer systems nationwide.
Secret Service agents from the San Diego field office homed in on Maksym Yastremskiy or “maksik,” 25, from the Ukrainian industrial city of Kharkiv. Agents believed that he was among the largest distributors of stolen debit and credit card numbers in the world. Mr. Yastremskiy, an indictment unveiled last week in San Diego alleges, earned over $11 million plying his trade in 2004-6 alone.
In July 2007, the Secret Service learned that Mr. Yastremskiy was traveling on vacation to Turkey and the agency coordinated his arrest by the Turkish police outside a nightclub in Kemer. The Turkish police provided a copy of the hard drive from Mr. Yastremskiy’s laptop to Secret Service agents, yielding significant breakthroughs in the case.
In addition to millions of stolen credit and debit card numbers, investigators found a sniffer program similar to the one used that year to capture credit card transactions at 11 restaurants in the Dave & Buster’s chain. That attack, unlike earlier ones, was not conducted through war-driving. Instead, Aleksandr Suvorov, 24, an Estonian hacker, remotely accessed the chain’s computers by exploiting errors in the way it set up passwords, investigators say.
Agents brought the sniffer program to the Computer Emergency Response Center at Carnegie Mellon University, where experts compared it with another program found during the investigation of the earlier breach at TJX and found they were two versions of the same underlying code. Agents now knew conclusively that the same gang was responsible for both crimes.
They now had to figure out who Mr. Yastremskiy was working with in the United States. A forensic analysis of his computer yielded records of conversations over the ICQ chat network between Mr. Yastremskiy and a cohort represented only by the user number 201679996.
In short, jargon-punctuated messages, this person took credit for supplying the software used in the Dave & Buster’s attack and expressed alarm when the gang’s exploits and collaborators were being exposed by investigators.
In the end, it was a reference to a “Seinfeld” character that helped Secret Service agents untangle the mystery. Agents connected the ICQ user name to an e-mail address at a Russian-based Internet provider, , a reference to a cantankerous soup maker in the program.
Records from Mr. Gonzalez’s 2003 arrests showed he had once used that e-mail address, and confidential sources told Secret Service agents that Mr. Gonzalez still used the “soupnazi” nickname, along with another, “segvec.” Tying the bow even tighter, the mysterious ICQ chatter had referred to himself as segvec.
The agency says it immediately stopped using Mr. Gonzalez as an informant and began investigating him, in part by tracing his financial assets through online accounts. In their indictment last week, the authorities said that Mr. Gonzalez and his two Miami-based conspirators were storing millions of credit and debit card numbers on servers in Latvia and Ukraine, and imprinting some of those numbers on blank A.T.M. cards supplied by collaborators in China. They used those cards to withdraw hundreds of thousands of dollars in cash.
Government lawyers also said that Mr. Gonzalez had used his position as a Secret Service informant to warn fellow conspirators about ongoing investigations. They say he appeared to have been involved in most aspects of the ring’s operations.
Secret Service agents arrested Mr. Gonzalez on May 7 at the luxurious National Hotel in Miami Beach, where he was staying with his girlfriend and, investigators say, trying to hack into the wireless networks of nearby businesses. According to the indictment, the authorities found in the hotel room two laptops, more than $20,000 in cash and a Glock 27 firearm with ammunition, although the arrest was peaceful.
They found another computer, a hard drive and a currency counter in a one-bedroom condominium Mr. Gonzalez owned in a working-class Miami neighborhood.
Neither Mr. Gonzalez nor his parents were available for comment, though Mr. Palomino, his lawyer, said the family was shaken. “Here is the attorney general of the United States announcing the charges against your son and telling the whole world that he is looking at life in prison,” he said. “It’s shellshock.”
Mr. Gonzalez is now in jail in New York, on charges related to the Dave & Buster’s theft. His two Miami conspirators are expected to turn themselves in to the authorities in Boston soon, the Secret Service says.
Meanwhile, the Justice Department is negotiating for the extradition of Mr. Yastremskiy from Turkey, where he is imprisoned. The Secret Service coordinated the arrest of Mr. Suvorov, the Estonian, at an airport in Frankfurt last March. He is now in a German jail.
Members of the financial services industry are applauding.
“We were always trying to get law enforcement to go after these guys for us,” said a payments industry executive who would speak only anonymously. “Over the last two or three years, the Secret Service has devoted lots of time to it. This at least sends a message to the criminal side that there are folks coming after you, even if you are operating outside the United States.”