Admitted TJX hacker Albert Gonzalez has identified two Russian accomplices who helped him hack into numerous companies and steal more than 130 million credit and debit card numbers.
Gonzalez told prosecutors that the hackers breached at least four card processing companies, as well as a series of foreign banks, a brokerage house and several retail store chains, according to a sentencing memo filed by his lawyer on Tuesday that was incorrectly redacted.
The document reveals that six months after his May 2008 arrest, Gonzalez located and provided prosecutors with the "complicated" and "lengthy" password to decrypt his laptop, which contained "a vast array of historical data and communications" that helped the government indict other members of Gonzalez's team, and could be used in future search warrants. It also reveals that Gonzalez drew prosecutors a map that helped them find more than $1.1 million that he had buried in his parents' backyard.
Gonzalez is scheduled to be sentenced on Dec. 21 for intrusions into TJX, Dave & Busters restaurant chain and numerous other companies, though his sentencing is likely to be delayed. On Tuesday, the government asked for an 8-12 week continuance to give Gonzalez a psychological examination, in response to a new defense claim that the hacker might suffer from Asperger's syndrome, and may not have the "capacity to knowingly evaluate the wrongfulness of his actions."
Under the terms of his plea agreement, the government has agreed to ask for between 15 and 25 years in prison in the New York and Massachusetts cases, though the U.S. probation office has determined that he qualifies for a life sentence under federal guidelines.
The sentencing memo, written by defense attorney Martin Weinberg, lays out Gonzalez's case for why he thinks the judge should sentence him to the low-end of 15 years, and buttresses his case with extensive detail about the information Gonzalez provided prosecutors about his accomplices and their activities.
The two Russian hackers, who have until now been named in court documents only as "Hacker1" and "Hacker2", are identified in the new memo only by their online handles "Grigg" and "Annex." The document indicates that Gonzalez identified four credit card processors that were “under attack” by the Russian hacking team at the time of his arrest, though it does not identify the processors.
Gonzalez was charged in August in New Jersey with hacking into Heartland Payment Systems, a card processing company, as well as Hannaford Brothers, 7-Eleven and two unidentified national retailers and compromising data on more than 130 million card accounts. There have long been suspicions that other card processors, besides Heartland, were breached by Gonzalez and his cohorts, for which he's not been charged.
Although parts of the sentencing memo were supposed to be redacted in the public version posted in the court's online system, the version of the document submitted by Gonzalez's attorney contained only a cosmetic redaction -- black lines that left the underlying text intact for anyone to copy and paste. A similar mishap occurred recently with a TSA screening manual posted online by a government worker.
Gonzalez's attorney declined to respond to questions about the memo.
Gonzalez began cooperating with the government on November 6, 2008, even though he knew it would not likely win him a sentence below federal guidelines because the Russian hackers were unlikely ever to be identified or arrested. He provided the government with "extensive information" during five lengthy meetings between November and January 2009, including all-day sessions.
During the sessions, Gonzalez met with Assistant U.S. Attorney Stephen Heymann, Kimberly Peretti of the Justice Department's computer crime division, as well as two agents from the U.S. Secret Service and a representative of Carnegie Mellon's Computer Emergency Response Team, which often provides technical analysis of malware and other assistance to law enforcement agencies. Notes that agents took at these sessions added up to 212 pages, according to the memo.
In addition to providing information about the Russian hackers, Gonzalez identified the companies -- retailers, banks and card processing companies -- "that he believed were at risk largely from his knowledge that they had been compromised" by the two Russian hackers.
According to the memo, Gonzalez described how "Grigg" and "Annex" hacked into Hannaford Brothers through a vulnerability in the computer systems of Hannaford's parent company Delhaize. He gave prosecutors the information nine months before he was indicted in August 2009 on charges that he and the two Russians hacked into Hannaford.
"Gonzalez made complete disclosure of information ranging from how weaknesses in the corporate security systems were identified, how data was exported from the companies, how it was stored on foreign servers in the Ukraine and Latvia, how stolen data was de-encrypted and by whom, how profits were received via web-currency, who was involved in the flow of currency, and the identities of two persons who were used as couriers of money to Gonzalez," according to the document.
By identifying intrusions that "had not yet been detected," his lawyer wrote, Gonzalez helped the companies institute protective measures to secure their data and prevent future breaches.
Gonzalez also provided prosecutors with "detailed disclosure of others involved in the offenses, including other hackers, persons who facilitated money exchanges, persons who de-encrypted data, receivers of stolen property and even three individuals who were involved in minor roles in his own group -- people he was close to -- each of whom has been indicted, in part based on Gonzalez’ proffers and in part based on the content of Gonzalez’ computer."
Those defendants included Stephen Watt, Humza Zaman, and Jeremy Jethro, some of whom have pleaded guilty. Watt was charged with providing a sniffer program used to steal data from TJX and other companies. Zaman faced conspiracy charges related to operating as a money courier for Gonzalez. Jethro faces a misdemeanor conspiracy charge for selling Gonzalez an Internet Explorer zero-day exploit for $60,000.
The probation office calculated that Gonzalez should receive a life sentence for his crimes, based primarily on the number of credit cards the hacker compromised in two of his three indictments -- 40 million cards. Under sentencing guidelines, every stolen card is counted as a theft of at least $500, whether it was used or not, making Gonzalez's capers equivalent to stealing $20 billion. His lawyer argues that's an unfair and arbitrary valuation, given that approximately 70 percent of the 36 million cards stolen from TJX were expired.
Gonzalez has indicated that he plans to plead guilty in the New Jersey case involving Heartland and Hannaford Brothers. He will be sentenced separately in that case.
*Update: An earlier version of this article reported Gonzalez's claim that his assistance led to charges against an additional man, in a case under seal. That man's attorney says no such charges were filed.*
Photo of Albert Gonzalez courtesy U.S. law enforcement
See also:
- TJX Hacker to Plead Guilty to Heartland Breach
- TJX Hacker Charged with Heartland, Hannaford Breaches
- TJX Suspect Was Near Plea Agreement Until New Charges Halted Talks
- Accused TJX Hacker Agrees to Guilty Plea — Faces 15 to 25 Years
- Card Processor Admits to Large Data Breach
- TJX Hacker Was Awash in Cash; His Penniless Coder Faces Prison
- Former Teen Hacker's Suicide Linked to TJX Probe
- I Was a Cybercrook for the FBI
- Bullion and Bandits: The Improbable Rise and Fall of E-Gold
- Hacking Godfather 'Maksik' Sentenced to 30 Years by Turkish Court
- Stakeouts, Lucky Breaks Snare Six More in Citibank ATM Heist