A Simple Scheme to Rob 45,700,000 People

Three years ago a group of computer geeks slipped into the servers at Framingham-based TJX — the parent company of T. J. Maxx — and orchestrated the world’s biggest identity heist. Now, as the hackers head to prison and the secrets of their scam are revealed, one question remains: Are you any safer?

It was in this world that Watt met and befriended Albert Gonzalez. Like Watt, Gonzalez was a gifted but outcast Florida kid. Growing up in Miami as the son of a Cuban landscaper, Gonzalez saved up his allowance to buy a computer. Once active in his local church, he quickly became enthralled with the machine — one church adviser noticed that Gonzalez thought of his computer as his best friend. His mother, Maria, saw it more distressingly as an “obsessive vice,” and urged him to see a psychologist. “No, I am not crazy,” her son angrily replied.

In fact, within that nascent online culture, Gonzalez found something that helped him feel quite sane: community. He soon graduated from playing games to finding friends and confidants online. “We have a very identical perspective of the real world,” Watt says today, recalling that what bound him to Gonzalez was “the feeling of alienation that you have when you feel like you’re smarter than most people and lack a group of friends that can adequately understand you or communicate with you…. It’s an intellectual thing, and a feeling of despair. Trust is important to both of us, and we could trust each other.”

Gonzalez (who declined to comment for this story) also earned the trust of a coterie of misfits on the Net, many of whom shared a passion for an illegal hobby: stealing credit and debit card numbers. Gonzalez possessed a unique talent in this world: By charming his way through chat rooms, he was able to harness the abilities of disparate groups of coders and hackers, assembling ad hoc teams that could work together. “Albert was not as technical as some,” Watt remembers, “but he was an unparalleled genius as a project manager. In terms of macro- and micro- management, he knew how to connect people and use their respective strengths. He was a team leader in every sense. He knew how to bring elements of an intrusion together in a successful manner.”

By 2002, Gonzalez had become one of the leaders of an international ring of criminal hackers who hung out on a secretive Internet forum called Shadowcrew. Here, so-called carders swapped nefarious services, from counterfeiting driver’s licenses and Social Security cards to “swiping” payment card numbers by hacking into the computer systems of retail stores. But Gonzalez had trouble covering his trail. In 2003 he was arrested in New Jersey for possessing 15 fraudulent payment cards. Ever the project manager, however, he shrewdly engineered a way out of jail time: He became a government informant.

As part of an 18-month cybercrime investigation called Operation Firewall, coordinated by the FBI and the Secret Service, Gonzalez worked behind the scenes, trolling the hacker underworld and relaying information on people and deals back to the feds. Ultimately, his work helped lead to the arrest of 28 members of the Shadowcrew gang. “He had an uncanny way of getting into systems,” recalls E. J. Hilbert, a former FBI cybercrimes agent who worked with Gonzalez.

Because Gonzalez remained undercover, the convicted hackers had no way of knowing he had played a role in giving them up. In fact, Gonzalez’s cachet among carders was actually growing. By working with federal agents, he had learned about the government’s tactics, picking up information that was making him more powerful — and valuable — among the carders. Before long, he was planning a new attack on a vulnerable target.

  • Bla

    Editor refused to make the following requested correction: “TJX should be thanking me” -> “TJX should be thanking me for helping to clean out their technical staff.” as seen on the website of aut