ShadowCrew While in Kearny, he was accused of being the mastermind of a group of hackers called the ShadowCrew group, which trafficked in 1.5 million stolen credit and ATM card numbers. Although considered the mastermind of the scheme (operating on the site under the screen name of "CumbaJohnny"), he was not indicted. According to the indictment, there were 4,000 people who registered with the Shadowcrew.com website. Once registered, they could buy stolen account numbers or counterfeit documents at auction, or read "Tutorials and How-To's" describing the use of
cryptography in magnetic strips on credit cards, debit cards and ATM cards so that the numbers could be used. Gonzalez was initially charged with possession of 15 fake credit and debit cards Gonzalez and 10 others sought targets while
wardriving and seeking vulnerabilities in
wireless networks along
U.S. Route 1 in Miami. They compromised cards at
BJ's Wholesale Club,
DSW,
Office Max,
Boston Market,
Barnes & Noble,
Sports Authority and
T.J. Maxx. The indictment referred to Gonzalez by the
screen names "cumbajohny", "201679996", "
soupnazi", "segvec", "kingchilli" and "stanozlolz."
Arrest Gonzalez was arrested on May 7, 2008, on charges stemming from hacking into the
Dave & Buster's corporate network from a
point of sale location at a restaurant in
Islandia, New York. The incident occurred in September 2007. About 5,000 card numbers were stolen. Fraudulent transactions totaling $600,000 were reported on 675 of the cards. Authorities became suspicious after the conspirators kept returning to the restaurant to reintroduce their hack, because it would not restart after the company computers shut down. in
Miami Beach, Florida. In various related raids, authorities seized $1.6 million in cash (including $1.1 million buried in plastic bags in a three-foot drum in his parents' backyard), Officials said that, at the time of his arrest, Gonzalez lived in a nondescript house in Miami. • Damon Patrick Toey pleaded guilty to wire fraud, credit card fraud, and aggravated
identity theft and received a five-year sentence. • Christopher Scott pleaded guilty to conspiracy, unauthorized access to computer systems, access device fraud and identity theft. He was sentenced to seven years.
Heartland Payment Systems hack In August 2009, Gonzalez was indicted in Newark, New Jersey on charges dealing with hacking into the
Heartland Payment Systems,
Citibank-branded
7-Eleven ATM's and
Hannaford Brothers computer systems. Heartland bore the brunt of the attack, in which 130 million card numbers were stolen. Hannaford had 4.6 million numbers stolen. Two other retailers were not disclosed in the indictment; however, Gonzalez's attorney told StorefrontBacktalk that two of the retailers were
J.C. Penney and
Target Corporation. Heartland reported that it had lost $12.6 million in the attack including legal fees. Gonzalez allegedly called the scheme "Operation Get Rich or Die Tryin." Gonzalez and his cohorts targeted large companies and studied their check out terminals and then attacked the companies from internet-connected computers in New Jersey, Illinois,
Latvia, the
Netherlands and
Ukraine. They covered their attacks over the Internet using more than one messaging screen name, storing data related to their attacks on multiple Hacking Platforms, disabling programs that logged inbound and outbound traffic over the Hacking Platforms, and disguising, through the use of
proxies, the
Internet Protocol addresses from which their attacks originated. Palomino said one of the unnamed Russian hackers in the Heartland case was Maksym Yastremskiy, who was also indicted in the T.J. Maxx incident but is now serving 30 years in a
Turkish prison on a charge of hacking Turkish banks in a separate matter. Investigators said Yastremskiy and Gonzalez exchanged 600 messages and that Gonzalez paid him $400,000 through
e-gold. After the indictment, Heartland issued a statement saying that it does not know how many card numbers were stolen from the company nor how the U.S. government reached the 130 million number.
Plea bargain On August 28, 2009, Gonzalez's attorney filed papers with the
United States District Court for the District of Massachusetts in Boston indicating that he would plead guilty to all 19 charges in the U.S. v. Albert Gonzalez, 08-CR-10223, case (the TJ Maxx case). According to reports this
plea bargain would "resolve" issues with the New York case of U.S. v. Yastremskiy, 08-CR-00160 in
United States District Court for the Eastern District of New York (the Dave and Busters case). Gonzalez asked for leniency on the grounds that he had
Asperger syndrome, and his attorney submitted a report from a psychiatrist describing Gonzalez's actions as "consistent with description of the Asperger's disorder" and "Internet addiction." On March 25, 2010, U.S. District Judge
Patti Saris sentenced Gonzalez to 20 years in prison for hacking into and stealing information from TJX, Office Max, the Dave & Busters restaurant chain, Barnes & Noble and a string of other companies. The next day, U.S. District Court Judge
Douglas P. Woodlock sentenced him to 20 years in connection with the Heartland Payment Systems case. The sentences were ordered to run
concurrently, meaning that Gonzalez would serve a total of 20 years for both cases. Gonzalez was also ordered to forfeit more than $1.65 million, a condominium in Miami, a blue 2006
BMW 330i automobile,
IBM and
Toshiba laptop computers, a
Glock 27 firearm, a
Nokia cell phone, a
Tiffany diamond ring and three
Rolex watches. On March 25, 2011, Gonzalez filed a motion in U.S. District Court in Boston to withdraw his guilty plea. He claimed that during the time he committed his crimes, he had been assisting the
United States Secret Service in seeking out international cybercriminals and said his attorneys failed to advise him that he could have therefore used a "public authority" defense. The Secret Service declined to comment on Gonzalez's motion. == See also ==