SQL is the lingua franca of online commerce. A hacker who learns to manipulate it can penetrate a company with frightening dependability. And he doesn’t need to be anywhere near a store or a company’s headquarters to do so. Since SQL injections go through a Web site, they can be done from anywhere.

Gonzalez urged Watt and Toey to experiment with SQL. Watt wasn’t interested. “I had objections to what he was doing on a moral level — and on top of that, I took an intellectual exception,” Watt says. “If Albert said we were going to go after the Church of Scientology or Blackwater, I would have dove in headfirst.” Toey, however, said he felt he owed Gonzalez. He began poking around on the sites of businesses that seemed vulnerable — or for which he had a philosophical distaste. “I just didn’t like what they did,” he said of the clothing chain Forever 21. The clothes were poorly made, he said, and the employees poorly paid. “It’s just everything I hate about this country in one store.”

Under the assault of Toey’s expertise and contempt, Forever 21 didn’t stand a chance. “I went to their Web site, and I looked at their shopping-cart software, and within five minutes, I found a problem,” he said, with his customary concision. “Within 10 minutes we were on their computers and were able to execute commands freely. From there we leveraged access until we were the domain administrators. Then I passed it over to Albert.”

What came next was the truly inspired step. Gonzalez focused on TJX in part because it stored old transactions, but he found that many of the cards were expired. He needed a way to get to cards right after customers used them. It was possible, he learned, to breach the point-of-sale terminals at stores, the machines on checkout counters through which you swipe your card at the supermarket, the gas station, the department store — just about anywhere you buy something.

Gonzalez and Toey took reconnaissance trips to stores around Miami to look at the brands and makes of their terminals. He downloaded schematics and software manuals. Earlier, Jonathan Williams visited an OfficeMax near Los Angeles, loosened a terminal at a checkout counter and walked out of the store with it. Hackers working with an Estonian contact of Gonzalez’s hacked into the Maryland-based Micros Systems, the largest maker of point-of-sale systems, and stole software and a list of employee log-ins and passwords, which they sent to Gonzalez.

Now once Toey got him into a system, Gonzalez no longer had to sift through databases for the valuable stuff. Instead, he could go straight to the servers that processed the cards coming from the terminals, in the milliseconds before that information was sent to banks for approval. He tried this on JCPenney, the clothing chain Wet Seal and the Hannaford Brothers grocery chain, in the last instance compromising more than four million cards. His Estonian contact used the technique on Dave & Buster’s. “Every time a card was swiped, it would be logged into our file,” Toey says. “There was nothing anyone could do about it.”

When they pieced together how Gonzalez organized these heists later, federal prosecutors had to admire his ingenuity. “It’s like driving to the building next to the bank to tunnel into the bank,” Seth Kosto, an assistant U.S. attorney in New Jersey who worked on the case, told me. When I asked how Gonzalez rated among criminal hackers, he replied: “As a leader? Unparalleled. Unparalleled in his ability to coordinate contacts and continents and expertise. Unparalleled in that he didn’t just get a hack done — he got a hack done, he got the exfiltration of the data done, he got the laundering of the funds done. He was a five-tool player.”

Gonzalez and Toey were returning from a trip to Toys “R” Us to check out its terminals one afternoon in the spring of 2008 when a sports car with tinted windows pulled up behind them at a red light. Gonzalez became suspicious and turned into a bus lane. The sports car followed. When the light turned green, Gonzalez didn’t move. The car didn’t move. After waiting for minutes, in a static game of chicken, car horns blaring, Gonzalez suddenly accelerated into oncoming traffic before doing a U-turn and turning into an alley. The pursuing car flew by, Gonzalez pulled out behind him, sped up alongside the car and peered inside. Gonzalez and Toey made out a police light on the dashboard. It was a surveillance car
.