Feeds

TJX mastermind chances his arm with deep cover infiltration appeal

A Scanner Darkly-style defense

Securing Web Applications Made Simple and Scalable

Albert Gonzalez, mastermind of the infamous TJ Maxx hack, has sought to get a judge to set aside his earlier guilty plea and conviction in the case by arguing he carried out the hack while working as a paid government informant.

Gonzalez, 29, who escaped jail time back in 2004 over his involvement in the sale of 1.5 million stolen credit and ATM card numbers while a member of the Shadowcrew group by ratting out his erstwhile partners in cybercrime, went on to bigger and better things. While supposedly working for the Secret Service, he acted as ringleader in a massive credit card theft and laundering operation involving an estimated 170 million credit cards between around July 2005 and his arrest in May 2008.

His crew took advantage of network insecurities (particularly weakly encrypted wireless networks in retail shops) to infiltrate systems and ultimately plant packet sniffers on the networked of TJ Maxx, Heartland Payment Systems and others. Extracted data was used to make cloned cards or sold through black market cybercrime forums. Proceeds of these crime were then laundered.

Gonzalez was jailed for 20 years in March 2010. Now, and only after unsuccessfully claiming he wasn't entirely responsible for his actions because he suffers from Asperger's Syndrome, Gonzalez contends he was only following his brief as an informant – acting on the inside to infiltrate cybercrime networks. The fact that, by his own earlier admissions, he was at the top of the pyramid he was supposedly infiltrating gets overlooked.

What isn't in dispute is that while getting paid at least $1,200 a month by his Secret Service handlers and helping to gather evidence of minor players in the cybercrime scene, Gonzalez was simultaneously running his Operation Get Rich or Die Tryin' cybercrime project.

"I still believe that I was acting on behalf of the United States Secret Service and that I was authorised and directed to engage in the conduct I committed as part of my assignment to gather intelligence and seek out international cybercriminals," Gonzalez said in a 25-page petition filed last month and republished by Wired here. "I now know and understand that I have been used as a scapegoat to cover someone's mistakes."

The petition provides a fascinating insight into the life of a cybercrime informant and cites example that would support the contention that Secret Service informants turned a blind eye to some low-level scams carried out by Gonzalez. For example, short of money, he used illegal means to find $5,000 in order to pay off a debt to a carder.

It's a much bigger stretch, however, to come away with the conclusion that the Secret Service had granted Gonzalez carte blanche to carry out the biggest cybercrime operation ever uncovered.

Gonzalez claims that Secret Service agents fluffed his ego to the extent that he got carried away and lost sight of the bigger picture.

"All of this inflated my ego and made me feel very important and made me feel like I was really a part of the Secret Service with the backing and support of the government agency. One day I was unknown and nothing and the next day I am being hailed as a genius and giving presentations to Secret Service agents in Washington, DC. All of this was mind-boggling for me."

But why are we only hearing about all this now, on a form of appeal, months after Gonzalez pleaded guilty (presumably when faced with overwhelming evidence) and was sent to jail? The convict claims he is only raising the issue now because he was not aware of the "public authority" defence.

Like many convicts, he blames his lawyer for an oversight that led to his imprisonment.

Gonzalez's former lawyer, Rene Palomino, told Wired that there was no basis for an argument that his former client acted with government approval, stating that there are no legal grounds for Gonzalez to withdraw his plea and get a trial. He also said the defence had looked closely at the question of whether evidence against Gonzalez obtained from the computer of carder Maksym "Maksik" Yastremskiy following his arrest and alleged torture in Turkey might be ruled as inadmissible. "We researched the issue regarding the evidence, and there were no grounds for suppression," Palomino told Wired. "Everything that was legally possible that could have been done for him was done for him. Nothing was left undone."

Gonzalez entered into a plea-bargaining agreement with his eyes wide open, his former lawyer argued. "He knew what he was getting into when he signed off on this agreement," Palomino concluded. ®

The smart choice: opportunity from uncertainty

More from The Register

next story
Mozilla fixes CRITICAL security holes in Firefox, urges v31 upgrade
Misc memory hazards 'could be exploited' - and guess what, one's a Javascript vuln
Manic malware Mayhem spreads through Linux, FreeBSD web servers
And how Google could cripple infection rate in a second
How long is too long to wait for a security fix?
Synology finally patches OpenSSL bugs in Trevor's NAS
Don't look, Snowden: Security biz chases Tails with zero-day flaws alert
Exodus vows not to sell secrets of whistleblower's favorite OS
Roll out the welcome mat to hackers and crackers
Security chap pens guide to bug bounty programs that won't fail like Yahoo!'s
HIDDEN packet sniffer spy tech in MILLIONS of iPhones, iPads – expert
Don't panic though – Apple's backdoor is not wide open to all, guru tells us
Researcher sat on critical IE bugs for THREE YEARS
VUPEN waited for Pwn2Own cash while IE's sandbox leaked
prev story

Whitepapers

Top three mobile application threats
Prevent sensitive data leakage over insecure channels or stolen mobile devices.
Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Boost IT visibility and business value
How building a great service catalog relieves pressure points and demonstrates the value of IT service management.
Designing a Defense for Mobile Applications
Learn about the various considerations for defending mobile applications - from the application architecture itself to the myriad testing technologies.
Build a business case: developing custom apps
Learn how to maximize the value of custom applications by accelerating and simplifying their development.