TJX Hacker Claims U.S. Authorized His Crimes
(WIRED) Albert Gonzalez, the hacker who masterminded the largest credit card heists in U.S. history, is asking a federal judge to throw out his earlier guilty pleas and lift his record-breaking 20-year prison sentence, on allegations that the government authorized his years-long crime spree.
Gonzalez, 29, admitted last year that he and accomplices hacked into TJX, Office Max, Dave & Busters, Heartland Payment Systems and other companies to steal more than 130 million credit and debit card numbers, in what the government deemed the biggest computer crime case ever prosecuted in the United States. He’s currently serving time at the Milan low-security federal prison in southeastern Michigan, with a release date in the year 2025.
The government has acknowledged that Gonzalez was a key undercover Secret Service informant at the time of the breaches. Now, in a March 24 habeas corpus petition filed in the U.S. District Court in Massachusetts, Gonzalez asserts that the Secret Service authorized him to commit the crimes.
“I still believe that I was acting on behalf of the United States Secret Service and that I was authorized and directed to engage in the conduct I committed as part of my assignment to gather intelligence and seek out international cyber criminals,” he wrote. “I now know and understand that I have been used as a scapegoat to cover someone’s mistakes.”
In his 25-page petition, he faults one of his attorneys for failing to prepare a “Public Authority” defense, by which someone who commits a crime argues that he did so with the approval of government authorities.
He says his attorneys never discussed a Public Authority defense with him. Had he known the option existed, he would never have pleaded guilty.
Habeas motions, known as 2255 motions, can be used by convicted prisoners to assert defective counsel or other jurisdictional and constitutional issues outside of a direct appeal. Gonzalez is acting as his own attorney in the petition.
Gonzalez became a confidential informant for the Secret Service when he was arrested in New York in 2003 after withdrawing cash from ATMs using stolen card numbers. While working closely with agents for more than four years to put other carders behind bars, he was simultaneously running a criminal enterprise he dubbed “Operation Get Rich or Die Tryin’,” according to court documents.
He was arrested in 2008 and eventually pleaded guilty to conspiracy and computer fraud, among other charges. He received two sentences last March amounting to 20 years and a day in prison — the lengthiest punishment ever imposed for computer or identity theft crimes.
At one of his sentencing hearings, Gonzalez told the court that he deeply regretted his crimes and was remorseful for having taken advantage of the personal relationships he’d forged.
“Particularly one I had with a certain government agency … that gave me a second chance in life,” he said.
But in the motion to withdraw his plea, he asserts that “each and every illegal act” he was charged with was conducted during covert operations that were controlled and operated by the Secret Service.
He writes that when he was arrested in May 2008 by Miami police, he “was expecting Secret Service to come and take custody of me and squash the charges.” Instead, he was charged with crimes that he says he committed on the government’s behalf.
Gonzalez’s former attorney, Rene Palomino, disputes assertions that the Secret Service approved Gonzalez’s crimes.
“He was given the opportunity of a lifetime to work for the Secret Service,” Palomino says. “He chose to become a criminal, bottom line, and become a double agent working both sides — the criminal side and the legal side.”
In his petition, Gonzalez faults Palomino and co-counsel Martin Weinberg with failing to file a notice of appeal as he requested after his sentencing and, more important, failing to file a motion to suppress evidence obtained from a Ukrainian carder’s laptop after his arrest in Turkey.
Gonzalez says that in 2007 the carder, Maksym “Maksik” Yastremskiy, was tortured by Turkish officials in order to obtain the passphrase to decrypt his computer.
Yastremskiy was considered the top card vendor in the underground and allegedly earned more than $11 million selling stolen credit and debit card data. He was lured to a meeting in Turkey with an undercover operative, where he was nabbed.
Gonzalez says prior to Yastremskiy’s arrest, he had been passing information about the carder’s activities to his government handlers and was even congratulated by Secret Service agent Steve Ward over lunch after the arrest. He also writes that Ward told him that the Turks had “beat Yastremskiy’s ass and made him give up the passphrase.”
Data gleaned from the laptop, along with other information, allowed authorities to zero in on two hackers who appeared to be Yastremskiy’s biggest suppliers of stolen card data from top retailers such as TJX, OfficeMax and Dave & Busters. One of the suppliers, “Segvec,” was eventually identified as Gonzalez.
When he was arrested in 2008, Gonzalez told Palomino about Yastremskiy’s alleged beating and asked him to investigate. But when Palomino sought funds from Gonzalez’s parents to fly to Turkey, Gonzalez’s parents said they couldn’t afford it.
Without an affidavit, Palomino told Gonzalez, he couldn’t file a motion to suppress. Palomino was “ineffective” for failing to file the motion, Gonzalez writes. Had he done so, the evidence would have been suppressed, and the government “would have had no case against me.”
In his petition, Gonzalez further argues that he should be allowed to withdraw his plea because the government failed to uphold its part of the agreement. He was told that if he pleaded guilty, the government would ask the court to consolidate the three cases against him — in New York, New Jersey and Massachusetts — into a single case before one judge, allowing him to receive a single sentence.
Prosecutors did request a consolidation from the court, but the court agreed to consolidate only two of the cases. Gonzalez ended up receiving two sentences — 20 years, and 20 years and a day — which he is serving concurrently.
Palomino insists his former client has no grounds for withdrawing his plea.
“This was a negotiated plea,” says Palomino. “He knew what he was getting into when he signed off on this agreement.”
Regarding his failure to file a motion to suppress evidence obtained under torture, Palomino says, “We researched the issue regarding the evidence, and there were no grounds for suppression. Everything that was legally possible that could have been done for him was done for him. Nothing was left undone.”
The filing provides a glimpse at some of Gonzalez’s undercover work and at the relationship he formed with his handlers, Secret Service agents David Esposito and Steve Ward, who he says paid him $1,200 a month in cash for the work he performed.
Using the online names “Cumbajohnny” and “Segvec,” Gonzalez engaged carders in underground chat rooms and helped set them up to be busted. During his undercover time, he went to California for a week for one operation and to Chicago, where he helped set up a honeypot.
He was also invited to Secret Service headquarters in Washington, D.C., to give a presentation on malware and computer-security vulnerabilities. He proved himself so trustworthy, that he was invited to agent briefings and became privy to “highly confidential information.”
He even went bike riding and bar hopping with his handlers in the evening after work.
“They treated me like one of their own and did everything but give me a gun and a badge,” Gonzalez writes. “On one occasion, even the possibility of a gun for protection was discussed if the need ever arose.”
In 2004, he participated in his biggest sting operation from a military base at Cavens Point, New Jersey. Called Operation Firewall, the groundbreaking sting focused on carders on an underground forum called Shadowcrew and led to arrests of more than 20 people.
After Operation Firewall ended, Gonzalez moved back to Miami, where he’d grown up, and continued to work undercover for the agency on the “Shadow Ops” operation. A former associate of Gonzalez told Threat Level previously that it was during this period that he began earning $75,000 a year working for the Secret Service. It was also during this period that he committed the bulk of the crimes for which he was later charged.
Gonzalez writes that when the agents asked him to commit acts he knew were illegal, he complied, “to please the Agents who had shown me such respect and friendship.” He said the agents told him they had his back and would intervene if he was ever arrested.
“At that point I would have done anything they asked me to do,” he writes. “I was overwhelmed and felt like I could do no wrong.”
Gonzalez says the agents even turned a blind eye when he committed crimes in order to resolve a $5,000 debt with an unnamed Russian carder. Gonzalez incurred the debt before he began working for the feds and didn’t have the funds to clear it.
He says he told the agents that if he didn’t repay the debt, he’d lose credibility in the underground and thus his effectiveness as an informant. Agent Ward allegedly told him, “Go do your thing and pay the debt, just don’t get caught.”
“All of this inflated my ego and made me feel very important and made me feel like I was really a part of the Secret Service with the backing and support of the Government Agency,” Gonzalez writes.
“One day I was unknown and nothing, and the next day I am being hailed as a genius and giving presentations to Secret Service Agents in Washington, D.C. All of this was mind boggling for me.”
A Secret Service official told Threat Level that because the case was going through the appellate process he was unable to comment.
- Hacker Sentenced to 20 Years Breach for Credit Card Processor
- TJX Hacker Gets 20 Years in Prison
- Albert Gonzalez Pleads Guilty in Heartland, 7-111 Breaches
- Secret Service Paid TJX Hacker $75,000 a Year
- Document Reveals TJX Hacker’s Assistance to Prosecutors
- Ukrainian Carding King ‘Maksik’ Was Lured to Arrest
- In Gonzalez Hacking Case, a High-Stakes Fight Over a Ukrainian’s Laptop
- TJX Hacker Charged with Heartland, Hannaford Breaches