He wasn’t. Over the course of several years, during much of which he worked for the government, Gonzalez and his crew of hackers and other affiliates gained access to roughly 180 million payment-card accounts from the customer databases of some of the most well known corporations in America: OfficeMax, BJ’s Wholesale Club, Dave & Buster’s restaurants, the T. J. Maxx and Marshalls clothing chains. They hacked into Target, Barnes & Noble, JCPenney, Sports Authority, Boston Market and 7-Eleven’s bank-machine network. In the words of the chief prosecutor in Gonzalez’s case, “The sheer extent of the human victimization caused by Gonzalez and his organization is unparalleled.”

At his sentencing hearing in March, where he received two concurrent 20-year terms, the longest sentence ever handed down to an American for computer crimes, the judge said, “What I found most devastating was the fact that you two-timed the government agency that you were cooperating with, and you were essentially like a double agent.”

IN APRIL, I visited Gonzalez at the Wyatt Detention Center in Central Falls, R.I., situated by a river and a pleasant place as jails go. Once muscular and tan, Gonzalez, who turned 27 and 28 behind bars, was pallid and thin. His khaki uniform hung on him baggily, and his eyes were bloodshot behind wire-rim glasses. Occasionally a mischievous smile played on his face; otherwise, he looked through the wire-glass partition with a sympathetic but inscrutably intense stare.

He didn’t want to talk about his crimes at first, so in a soft voice he told me about his ex-girlfriend, who had stopped visiting him (“I can’t blame her”), about what he’d been reading (“Stalingrad,” by Antony Beevor; “Into Thin Air,” by Jon Krakauer; essays by Ralph Waldo Emerson), about his thoughts on recent high-profile computer breaches in the news. The public’s ignorance about his chosen criminal field baffled him. He had become a fan of National Public Radio at Wyatt, and had recently listened to a discussion of hackers on “Fresh Air.” (“Terry Gross is a great host,” he wrote me earlier in a letter, but “these authors and co-authors can’t possibly be making decent earnings. Are they?”) He talked about his childhood and family. His father, Alberto Sr., is a landscaper who as a young man left Cuba on a raft and was picked up by a Coast Guard cutter in the Florida straits. He and Albert share a birthday with Gonzalez’s 5-year-old nephew, “whom I love more than anyone in this world,” Gonzalez said. His nephew’s mother, Maria, Gonzalez’s sister and only sibling, “always learned by listening to our parents’ advice.” He didn’t.

Gonzalez bought his first PC, with his own money, when he was 12. He took an interest in computer security after it was infected with a downloaded virus. “We had to call the technician who sold it to us, and he came over,” he said in one letter. “I had all these questions for him: ‘How do I defend myself from this? Why would someone do this?’ ” He got over his indignation easily enough, and by the time he was 14 had hacked into NASA, which resulted in a visit by F.B.I. agents to his South Miami high school. Undeterred, Gonzalez formed a cooperative of “black hats” — curiosity-driven hackers with an antiauthoritarian bent — and acquired a reputation. He gave an interview to the online magazine ZDNet under his new screen name, soupnazi: “Defacing a site to me is showing the admins [and] government . . . that go to the site that we own them,” he said. On the side he was also purchasing clothing and CDs online with stolen credit-card numbers. He ordered the merchandise delivered to empty houses in Miami, and then had a friend drive him to pick it up during lunch period.

By the time he dropped out of Miami Dade College during his freshman year, Gonzalez had taught himself, by reading software manuals, how to hack into Internet service providers for free broadband. He discovered he could go further than that and co-opted the log-ins and passwords of managers and executives. “On their computers would always be a huge stash of good information, network diagrams, write ups,” he said, audibly enthralled at the memory. “I would learn about the system architecture. It was as if I was an employee.”

Gonzalez’s closest friend, Stephen Watt, who is now serving a two-year prison sentence for coding a software program that helped Gonzalez steal card data, describes Gonzalez as having “a Sherlock Holmes quality to him that is bounded only by his formal education.” Like the other hackers who would go on to form the inner circle of Gonzalez’s criminal organization, Watt met Gonzalez when both were teenagers, on EFnet, an Internet relay chat network frequented by black hats. Watt and Gonzalez interacted strictly online for a year, though each lived in South Florida. Once they began spending time together, in Florida and New York, Watt, who is 27, noticed that Gonzalez’s talents as an online criminal carried over into his life away from the computer. “He could spot wedding rings at 50 yards. He could spot a Patek Philippe at 50 yards. He would have been a world-class interrogator. He was very good at figuring out when people were lying.”

Like many hackers, Gonzalez moved easily between the licit and illicit sides of computer security. Before his first arrest, in the A.T.M. lobby, Gonzalez made his way from Miami to the Northeast after he hacked into a New Jersey-based Internet company and then persuaded it to hire him to its security team. The transition from fraudster to informant was not too different
.
Goto The Great Cyberheist - 3