The Great Cyberheist - 4
Gonzalez reconnected with an old friend from EFnet, Christopher Scott, who was willing to do grunt work. Scott began cruising the commercial stretches of Route 1 in Miami, looking for war-driving targets. His experiments at BJ’s Wholesale Club and DSW met with success. He stole about 400,000 card accounts from the former, a million from the latter. He described the breaches and passed card numbers to Gonzalez.
[Illustration: Francesco Bongiorni] May 2008: Gonzalez is arrested in a Miami hotel. He later directed agents to a barrel in his parents’ yard that held $1.2 million.

[Illustration: Francesco Bongiorni] 2010: Gonzalez is serving a sentence of 20 years.

The following summer, Scott parked outside a pair of Marshalls stores. He enlisted the help of Jonathan James, a minor celebrity among Miami black hats for being the first American juvenile ever incarcerated for computer crimes. (At 15, he hacked into the Department of Defense; he lived under house arrest for six months.) Scott cracked the Marshalls WiFi network, and he and James started navigating the system: they co-opted log-ins and passwords and got Gonzalez into the network; they made their way into the corporate servers at the Framingham, Mass., headquarters of Marshalls’ parent company, TJX; they located the servers that housed old card transactions from stores. Scott set up a VPN — the system Gonzalez and the Secret Service used to ensnare Shadowcrew — so they could move in and out of TJX and install software without detection. When Gonzalez found that so many of the card numbers they were getting were expired, he had Stephen Watt develop a “sniffer” program to seek out, capture and store recent transactions. Once the collection of data reached a certain size, the program was designed to automatically close, then encrypt, compress and forward the card data to Gonzalez’s computer, just as you might send someone an e-mail with a zip file attached. Steadily, patiently, they siphoned the material from the TJX servers. “The experienced ones take their time and slowly bleed the data out,” a Secret Service analyst says.
By the end of 2006, Gonzalez, Scott and James had information linked to more than 40 million cards. It wasn’t a novel caper, but they executed it better than anyone else had. Using similar methods, they hacked into OfficeMax, Barnes & Noble, Target, Sports Authority and Boston Market, and probably many other companies that never detected a breach or notified the authorities. Scott bought a six-foot-tall radio antenna, and he and James rented hotel rooms near stores for the tougher jobs. In many cases, the data were simply there for the taking, unencrypted, unprotected.
“For a long time, probably too long a time, computer security was something that was just dollars and cents off the bottom line — it doesn’t bring in money,” Heymann told me when I asked why war-driving hackers were able to steal data so easily. “At the same time, in these cases, companies were beginning to warehouse vast amounts of information” far more swiftly than they were coming to understand the vulnerabilities of their systems. A result was what he called “a primeval muck that creates a period when dramatic, costly attacks can get at vast amounts of resources.”
At the same time that Gonzalez was stealing all this bank-card data, he was assembling an international syndicate. His favored fence was a Ukrainian, Maksym Yastremskiy, who would sell sets of card numbers to buyers across the Americas, Europe and Asia and split the proceeds with him. Gonzalez hired another EFnet friend, Jonathan Williams, to cash out at A.T.M.’s across the country, and a friend of Watt’s in New York would pick up the shipments of cash in bulk sent by Williams and Yastremskiy. Watt’s friend would then wire the money to Miami or send it to a post-office box there set up by James through a proxy. Gonzalez established dummy companies in Europe, and to collect payment and launder money he opened e-gold and WebMoney accounts, which were not strictly regulated (e-gold has since gone out of business). He also rented servers in Latvia, Ukraine, the Netherlands and elsewhere to store the card data and the software he was using for the breaches. Finally, he joined up with two Eastern European hackers who were onto something visionary. Known to him only by their screen names, Annex and Grig, they were colluding to break into American card-payment processors — the very cash arteries of the retail economy.
