Albert Gonzalez (born 1981) is a computer hacker and computer criminal who is accused of masterminding the combined credit card theft and subsequent reselling of more than 170 million card and ATM numbers from 2005 through 2007—the biggest such fraud in history.
During his spree he was said to have to thrown himself a $75,000 birthday party and complained about having to count $340,000 by hand after hiscurrency-counting machine broke. Gonzalez stayed at lavish hotels but his formal homes were modest.
Gonzalez had three federal indictments:
- May 2008 in New York for the Dave & Busters case (trial schedule September 2009)
- May 2008 in Massachusetts for the TJ Maxx case (trial scheduled early 2010)
- August 2009 in New Jersey in connection with the Heartland Payment case.
While in Kearny he was accused of being the mastermind of a group of hackers called the Shadowcrew group, which trafficked in 1.5 million stolen credit and ATM card numbers.
Although considered the mastermind of the scheme (operating on the site under the screen name of "CumbaJohnny"), he was not indicted.
According to the indictment there were 4,000 people who registered with the Shadowcrew.com website. Once registered they could buy stolen account numbers or counterfeit documents at auction or read “Tutorials and How-To’s” describing the use of cryptography in magnetic strips on credit cards, debit cards and ATM cards so that the numbers could be used.
Moderators of the website punished members who did not abide by the site's rules including providing refunds to buyers if the stolen card numbers proved invalid.
In addition to the card numbers, counterfeit passports, drivers’ licenses, Social Security cards, credit cards, debit cards, birth certificates, college student identification cards, health insurance cards, were sold at auction.
One member sold 18 million e-mail accounts with associated usernames, passwords, dates of birth, and other personally identifying information.
Most of those indicted were members who actually sold illicit items. Members who maintained or moderated the website itself were indicted including one who attempted to register the .ccdomain name Shadowcrew.cc
The Secret Service dubbed their investigation "Operation Firewall" and is believed that $4.3 million was stolen as Shadowcrew shared its information with other groups entitled Carderplanet and Darkprofits. The investigation involved units from the United States, Bulgaria, Belarus, Canada, Poland, Sweden, the Netherlands and Ukraine.
Gonzalez was initially charged with possession of 15 fake credit and debit cards in Newark, New Jersey he avoided jailtime by providing evidence to the United States Secret Serviceagainst his cohorts. 19 ShadowCrew members were indicted.
He then returned to Miami.
While cooperating with authorities, he was said to have masterminded the hacking of TJX Companies in which 45.6 million credit and debit card numbers were stolen over an 18 month period ending in 2007 topping the 2005 breach of 40 million records at CardSystems Solutions. Gonzalez and 10 others sought targets while wardriving and seeking vulnerabilities inwireless networks along U.S. Route 1 in Miami. They compromised cards at BJ's Wholesale Club, DSW, Office Max, Boston Market, Barnes & Noble, Sports Authority and T.J. Maxx. 
The hacking was an embarrassment to TJ Maxx which discovered the breach in December 2006 and initially believed the intrusion began in May 2006 but further investigation revealed it dated back to July 2005.
One of his co-conspirators was 7-foot-tall Stephen Watt, known in the hacker world as "Unix Terrorist" and "Jim Jones", who worked at Morgan Stanley in New York City and wrote the sniffer program.
Gonzalez was arrested in May 7, 2008 on charges stemming from hacking into the Dave & Buster's corporate network from a point of sale location at a restaurant in Islandia, New York. The incident occurred in September 2007. About 5,000 card numbers were stolen. Fraudulent transactions totaling $600,000 were reported on 675 of the cards.
Authorities became suspicious after the conspirators kept returning to the restaurant to reintroduce their hack because it would not restart after the company computers shut down.
Gonzalez was arrested in Room 1508 at the National Hotel in Miami Beach, Florida. In various related raids authorities seized $1.6 million in cash (including $1.1 million in plastic bags in a three-foot drum buried in his parents' backyard), his laptops and a compact Glock pistol.
Officials said that Gonzalez lived in a non-descript house in Miami.
In August 2009 Gonzalez was indicted in Newark, New Jersey on charges dealing with hacking into the Heartland Payment Systems, Citibank-branded 7-Eleven ATM's and Hannaford Brothers computer systems. Heartland bore the bulk of the attack in which 130 million card numbers were stolen. Hannaford had 4.6 million numbers stolen. Two other retailers were not disclosed in the indictment however Gonzalez's attorney told StorefrontBacktalk that two of the retailers were J.C. Penney and Target Corporation.. Heartland reported that it had lost $12.6 million in the attack including legal fees. Gonzalez allegedly called the scheme "Operation Get Rich or Die Tryin."
According to the indictment the attacks by Gonzalez and two unidentified hackers "in or near Russia" along with unindicted conspirator "P.T." from Miami began on December 26, 2007 atHeartland Payment Systems, August 2007 against 7-11 and Hannaford Brothers in November 2007 and two other unidentified companies. Gonzalez and his co-horts targeted large companies and studied their check out terminals and then attacked the companies from internet-connected computers in New Jersey, Illinois, Latvia, the Netherlands and Ukraine.
They covered their attacks over the Internet using more than one messaging screen name, storing data related to their attacks on multiple Hacking Platforms, disabling programs that logged inbound and outbound traffic over the Hacking Platforms, and disguising, through the use of “proxies,” the Internet Protocol addresses from which their attacks originated.
The indictment said the hackers tested their program against 20 anti virus programs.
Rene Palomino Jr., attorney for Gonzalez, charged in a blog on the New York Times website that the indictment arose out of squabbling among U.S. Attorney offices in New York, Massachusetts and New Jersey. Palomino said that Gonzalez was in negotiations with New York and Massachusetts for a plea deal in connection with the T.J. Maxx case when New Jersey made its indictment. Palomino identified the unindicted conspirator "P.T." as Damon Patrick Toey who had pled guilty in the T.J. Maxx case. Palomino said Toey rather than Gonzalez was the ring leader of the Heartland case. Palomino further said, “Mr. Toey has been cooperating since Day One. He was staying at (Gonzalez’s) apartment. This whole creation was Mr. Toey’s idea...It was his baby. This was not Albert Gonzalez. I know for a fact that he wasn’t involved in all of the chains that were hacked from New Jersey.”
Palomino said one of the unnamed Russian hackers in the Heartland case was Maksym Yastremski who was also indicted in the T.J. Maxx but is now serving 30-years in a Turkish prison on a charge of hacking Turkish banks in a separate matter. Investigators said Yastremskiy and Gonzalez exchanged 600 messages and that Gonzalez paid him $400,000 through e-gold.
Yastremskiy was arrested in July 2007 in Turkey on charges of hacking into 12 banks in Turkey. The Secret Service investigation into him was used to build the case against Gonzalez including a sneak and peek covert review of Yastremskiy's laptop in Dubai in 2006 and a review of the disk image of the Latvia computer leased from Cronos IT and alleged to have been used in the attacks.
After the indictment Heartland issued a statement saying that it does not know how many card numbers were stolen from the company and that it does not know how the U.S. government reached the 130 million number.
On August 28, 2009, his attorney filed papers with the United States District Court for the District of Massachusetts in Boston indicating that he would plead guilty to all 19 charges in the U.S. v. Albert Gonzalez, 08-CR-10223, case (the TJ Maxx case). According to reports this plea bargain would "resolve" issues with the New York case of U.S. v. Yastremskiy, 08-CR-00160 in United States District Court for the Eastern District of New York (the Dave and Busters case).
Gonzalez could serve a term of 15 years to 25 years. He would forfeit more than $1.65 million, a condominium in Miami, a blue 2006 BMW 330i automobile, IBM and Toshiba laptop computers, a Glock 27 firearm, a Nokia cell phone, a Tiffany diamond ring and three Rolex watches.
His sentence would run concurrent with whatever comes out of the case in the United States District Court for the District of New Jersey (meaning that he would serve the longest of the sentences he receives).
- From snitch to cyberthief of the century - Miami Herald - August 22, 2009
- Miami hacker in credit card scam honed skills at early age - Miami Herald - August 20, 2009
- Soupnazi' hacker Albert Gonzalez went from nerdy past to life of sex, guns and drugs - New York Daily News - August 19, 2009
- Government informant is called kingpin of largest U.S. data breaches - Computer World - August 18, 2009
- Grand jury indictment of Shadowcrew
- Secret Service busts online organized crime ring - Computerworld - October 28, 2004
- TJX data breach: At 45.6M card numbers, it's the biggest ever - Computerworld - March 29, 2007
- Grand jury indictment, District of Massachusetts
- The Retail Store Hacker Albert Gonzalez Now Faces Prison Time". Law Vibe.
- TJX Hacker Was Awash in Cash; His Penniless Coder Faces Prison". Wired. June 18, 2009.
- Three Charged in Dave & Buster's Hacking Job - csoonline.com - May 24, 2008
- No hack as a hacker - Chicago Sun Times - August 23, 2009
- J.C. Penney, Target Added To List Of Gonzalez Retail Victims - StorefontBackTalk - August 27, 2009
- Hacker Charged With Heartland, Hannaford Breaches - wired.com - August 17, 2009
- Grand jury indictment, District of New Jersey
- Gonzalez Case Raises Very OId Retail Security Issues - Storefrontbacktalk.com - August 23, 2009
- Hacking Suspect’s Lawyer Criticizes Federal Prosecutors - nytimes.com - August 19, 2009
- In Gonzalez Hacking Case, a High-Stakes Fight Over a Ukrainian’s Laptop - Wired - August 20, 2009
- Gonzalez: The Al Capone Of Cyber Thieves? - storefrontbacktalk.com - August 19, 2009
- Man Accused of Stealing Stores’ Data Pleads Guilty - New York Times - August 29, 2009
- Computer Hacker Gonzalez to Admit Guilt, Forfeit $1.65 Million - Bloomberg - August 29, 2009