COURT DOC: Leader of Hacking Ring Sentenced for Massive Identity Thefts from Payment Processor and U.S. Retail Networks

The leader of the largest hacking and identity theft ring ever prosecuted by the U.S. government has been sentenced to 20 years and one day in prison for his role in a series of hacks into a major payment processor and several retail networks.

On March 25, 2010, Albert Gonzalez, 28, of Miami, was sentenced by U.S. District Court Judge Patti B. Saris in U.S. District Court in Boston to 20 years in prison for conspiracy, computer fraud wire fraud, access device fraud and aggravated identity theft related to hacks into numerous major U.S. retailers, including the TJX Companies, BJs Wholesale Club, OfficeMax, Boston Market, Barnes Noble and Sports Authority.

Thursdays sentence also addresses the charges brought in the Eastern District of New York and transferred to Boston for plea and sentence. The New York indictment charged Gonzalez with, among other things, conspiracy to commit wire fraud relating to his breach of the electronic payment systems of the Dave and Busters restaurant chain. Gonzalez was also ordered to serve three years of supervised release following his prison term and to pay a fine of $25,000.

According to court documents related to his conviction in the Massachusetts and New York cases, Gonzalez and his co-conspirators broke into retail credit card payment systems through a series of sophisticated techniques, including ‘wardriving’ and installation of sniffer programs to capture credit and debit card numbers used at the victim retail stores. Wardriving involves driving around in a car with a laptop computer looking for unsecure wireless computer networks of retailers. Using these techniques, Gonzalez and his co-defendants were able to steal more than 40 million credit and debit card numbers from victim retailers. According to court documents, Gonzalez and his co-conspirators sold the numbers to others for their fraudulent use and engaged in ATM fraud by encoding the data on the magnetic stripe of blank cards and withdrawing thousands of dollars at a time from ATMs.

Gonzalez and his co-conspirators concealed and laundered their fraud proceeds by using anonymous Internet-based currencies both within the United States and abroad, and by channeling funds through bank accounts in Eastern Europe. Gonzalezs co-conspirators were located throughout the United States, Estonia and the Ukraine. In the New Jersey case, Gonzalez provided malware to other hackers that allowed them to circumvent anti-virus programs and firewalls, and gain access to the victim companies networks. Gonzalez admitted in court documents that it was foreseeable that, based upon his assistance, his co-conspirators would be able to steal tens of millions of credit and debit card numbers, affecting more than 250 financial institutions.

To date, six co-conspirators have pleaded guilty in the United States. One co-conspirator, an Estonian national, was apprehended at the United States request by German authorities while he was travelling in Germany. He was subsequently extradited to the United States, where he pleaded guilty to his role in the hacking and identity theft scheme. Another co-conspirator was arrested and convicted in Turkey on related identity theft charges, and was sentenced to 30 years in prison. (Source: U.S. Department of Justice)