By 2007, Albert, with varying degrees of help from Chris, Jonathan, and Damon — and a "sniffer" program, written by Stephen, that found weaknesses in security systems — had hacked a staggering array of companies: TJX Companies, which owns the T.J. Maxx and Marshalls chains; Dave & Buster's; Sports Authority; Citibank; a corporate payroll company called Heartland Payment Systems; and others. They worked with two mysterious, powerful hackers in Russia who helped direct them to targets.
After the gang members stole customers' credit card numbers, they had two options. With some of the data, they made fake cards and used them to withdraw cash from ATMs in Miami and elsewhere.
But the vast majority were fenced online. To sell the cards, Albert had hooked up with a 25-year-old Ukrainian named Maksym Yastremskiy, known online as "maksik." Maksym bought cards in bulk and then laundered Albert's payments through a site called eGold before depositing money into Latvian bank accounts.
In chats, Albert marveled at media coverage of his crimes. "I'm surprised [this latest theft] wasn't on the news, every hack i've made is on the news heh," he typed.
With his profits, Albert soon moved with his girlfriend into the swanky National Hotel, leaving Damon to toil in the shabby condo. He leased a 2006 BMW 300i and threw a $75,000 birthday party for himself. He made plans to invest in Stephen's dream project: a New York rock club.
Jonathan James wasn't living that life. He and his brother Josh lived rent-free at their childhood home, which their mother had left them when she died. Their dad had moved into his own apartment in South Beach. If his son was profiting from Albert's crimes, Bobby didn't see much evidence. "Jonathan took living with no cash to a new extreme," he says. "He was even scarfing wireless internet from the neighbors."
On July 25, 2007, a team of Secret Service agents huddled inside a posh resort in Kemer, a seaside town in southwestern Turkey. Across the hall, Turkish secret agents slipped into a luxury suite and grabbed a Lamborghini laptop.
The laptop's owner, the Ukrainian Maksym Yastremskiy, was dancing at a nightclub nearby.
The Turks handed over the machine, and the U.S. agents began downloading data. When they finished, they put the computer back in Maksym's room and slipped out of the resort.
The agents had waited years for the hacker to travel to a friendly country where they could carry out this operation; in Ukraine, he was protected by corrupt officials. Turkish police arrested Maksym the next day. By July 30, he had provided his passwords and given investigators full access to his computer. Still, it wasn't easy to pin down his accomplices. Albert's team used secure communication networks that gave users long numerical IDs, not easier-to-identify nicknames.
"We had this evidence of these strings of numbers being connected to a crime," lead prosecutor Kim Peretti said in a recent interview with BankInfoSecurity.com. "But connecting the numbers to a person was really difficult."
Detectives focused on Maksym's chats with one American — 201679996 — who had sold him millions of stolen credit card numbers. They spent the next few months studying the data with experts at Carnegie Mellon University. By late 2007, they had linked the numbers to a Russian email address with a startling name: [email protected].
Alarm bells rang across the Secret Service. Was their prize informant playing them? Then investigators found a chat in which 201679996 referred to himself as "segvec" — another nickname Albert had used in his ShadowCrew days. That sealed it.
The Secret Service immediately began investigating Albert. Soon they arrested an Estonian hacker and accessed two Latvian servers where they found more than 40 million unsold credit card numbers linked to the break-ins at U.S. companies.
After Maksym's arrest, Albert probably considered running. But he made no move to erase his links to the Ukrainian hacker. "I would have wiped all my drives clean, shredded all my paper, taken any evidence there was out of my possession," former hacker Mitnick says. "Then all you have is the logs, and they can't conclusively link that to you. I don't get it."
For months, Albert holed up in the National Hotel. He had cash — more than $400,000 on hand and another $1.1 million buried in plastic tubs in his parents' back yard.
On May 7, 2008, eight months after Maksym's arrest, the feds made their move, raiding Chris Scott's and Jonathan James' homes, Jonathan's girlfriend's apartment, and Albert's hotel room, condo, and parents' home.
They arrested Albert and Chris the same day. Damon was soon in custody too. Stephen Watt's role in the crime wasn't determined until August.
Jonathan wasn't arrested during the raids. For almost two weeks, he tried to understand why the FBI had targeted him again. Then, on May 18, a federal indictment against Albert Gonzalez was posted online. Jonathan read it and was shocked: Albert had been working for the feds since 2003.