TJX mastermind chances his arm with deep cover infiltration appeal

A Scanner Darkly-style defense

Albert Gonzalez, mastermind of the infamous TJ Maxx hack, has sought to get a judge to set aside his earlier guilty plea and conviction in the case by arguing he carried out the hack while working as a paid government informant.

Gonzalez, 29, who escaped jail time back in 2004 over his involvement in the sale of 1.5 million stolen credit and ATM card numbers while a member of the Shadowcrew group by ratting out his erstwhile partners in cybercrime, went on to bigger and better things. While supposedly working for the Secret Service, he acted as ringleader in a massive credit card theft and laundering operation involving an estimated 170 million credit cards between around July 2005 and his arrest in May 2008.

His crew took advantage of network insecurities (particularly weakly encrypted wireless networks in retail shops) to infiltrate systems and ultimately plant packet sniffers on the networks of TJ Maxx, Heartland Payment Systems and others. Extracted data was used to make cloned cards or sold through black market cybercrime forums. Proceeds of these crimes were then laundered.

Gonzalez was jailed for 20 years in March 2010. Now, and only after unsuccessfully claiming he wasn't entirely responsible for his actions because he suffers from Asperger's Syndrome, Gonzalez contends he was only following his brief as an informant – acting on the inside to infiltrate cybercrime networks. The fact that, by his own earlier admissions, he was at the top of the pyramid he was supposedly infiltrating gets overlooked.

What isn't in dispute is that while getting paid at least $1,200 a month by his Secret Service handlers and helping to gather evidence of minor players in the cybercrime scene, Gonzalez was simultaneously running his Operation Get Rich or Die Tryin' cybercrime project.

"I still believe that I was acting on behalf of the United States Secret Service and that I was authorised and directed to engage in the conduct I committed as part of my assignment to gather intelligence and seek out international cybercriminals," Gonzalez said in a 25-page petition filed last month and republished by Wired here. "I now know and understand that I have been used as a scapegoat to cover someone's mistakes."

The petition provides a fascinating insight into the life of a cybercrime informant and cites examples that would support the contention that Secret Service informants turned a blind eye to some low-level scams carried out by Gonzalez. For example, short of money, he used illegal means to find $5,000 in order to pay off a debt to a carder.

It's a much bigger stretch, however, to come away with the conclusion that the Secret Service had granted Gonzalez carte blanche to carry out the biggest cybercrime operation ever uncovered.

Gonzalez claims that Secret Service agents fluffed his ego to the extent that he got carried away and lost sight of the bigger picture.

"All of this inflated my ego and made me feel very important and made me feel like I was really a part of the Secret Service with the backing and support of the government agency. One day I was unknown and nothing and the next day I am being hailed as a genius and giving presentations to Secret Service agents in Washington, DC. All of this was mind-boggling for me."

But why are we only hearing about all this now, on a form of appeal, months after Gonzalez pleaded guilty (presumably when faced with overwhelming evidence) and was sent to jail? The convict claims he is only raising the issue now because he was not aware of the "public authority" defence.

Like many convicts, he blames his lawyer for an oversight that led to his imprisonment.

Gonzalez's former lawyer, Rene Palomino, told Wired that there was no basis for an argument that his former client acted with government approval, stating that there are no legal grounds for Gonzalez to withdraw his plea and get a trial. He also said the defence had looked closely at the question of whether evidence against Gonzalez obtained from the computer of carder Maksym "Maksik" Yastremskiy following his arrest and alleged torture in Turkey might be ruled as inadmissible. "We researched the issue regarding the evidence, and there were no grounds for suppression," Palomino told Wired. "Everything that was legally possible that could have been done for him was done for him. Nothing was left undone."

Gonzalez entered into a plea-bargaining agreement with his eyes wide open, his former lawyer argued. "He knew what he was getting into when he signed off on this agreement," Palomino concluded. ®
