Alleged data thief long known for computer mastery

By Megan Woolhouse and Todd Wallack
Globe Staff / August 20, 2009

E-mail this article

Invalid email address
Invalid email address

Sending your article

Your article has been sent.

  • Email|
  • Print|
  • Reprints|
  • |
Text size +

Albert Gonzalez’s computer skills were known to federal authorities years before he became what they say is the mastermind of the biggest credit card data heist in US history.

In the late 1990s, FBI agents one day cleared out the library at South Miami Senior High School to speak privately with one student - Gonzalez - about his computer use. School officials won’t say what transpired that day, but whatever the agents said, it may not have been enough to steer him from a life of cybercrime.

“His troubles with the FBI began in high school,’’ said John Branstetter, his former English teacher at the Miami school.

This week, Gonzalez, 28, was charged by the US attorney’s office in Newark in connection with the theft of more than 130 million credit card numbers. He was already sitting in a federal jail in Brooklyn, N.Y., awaiting trial on charges he hacked into a Dallas-based restaurant chain’s computer network. He is also accused in Massachusetts of stealing more than 40 million credit card numbers from nine retailers, including TJX Cos. of Framingham - which operates TJMaxx and Marshalls stores - and BJ’s Wholesale Club, based in Natick.

“He’s a sophisticated hacker operating at a very high level,’’ said Kimberly Kiefer Peretti of the Justice Department’s Criminal Division’s Computer Crime and Intellectual Property Section. “The damage is significant.’’

By selling stolen credit card information, Gonzalez regularly reaped as much as $100,000 in a single weekend, court records state, allowing the former altar boy to indulge in the lifestyle of a playboy for years before he was caught.

Prosecutors say he dubbed his computer scheme “Operation Get Rich or Die Tryin’’ - an apparent reference to a CD and movie project by rapper 50 Cent - and once threw a $75,000 birthday party for himself. For a while, he even duped the Secret Service, authorities said, working for them as an informant while committing crimes under online pseudonyms.

Exactly how a mediocre high school student became the accused leader of a sophisticated international cybercrime ring has baffled many who knew Gonzalez. Branstetter described him as a moderately shy teenager.

“Alfred is very gifted in computers and not anything else,’’ he said. Still, Branstetter added, Gonzalez “was fun and funny.’’

He grew up in Miami in a tidy tile-roofed house with working-class Cuban-American parents and an older sister. Family members declined to comment for this story, but a person who knows them said Gonzalez’s father worked in landscaping. Branstetter recalled that Gonzalez held a job at a Kenny Rogers fast food chain after school.

After graduating from high school in 1999, Gonzalez was arrested for marijuana possession by South Miami police. He later moved to the New York-New Jersey area, where federal investigators said he participated in an international message board called ShadowCrew, an online haven for hackers eager to buy, sell, and trade stolen credit card data.

In 2003, he was arrested by the Secret Service on charges of fraud, but avoided prison time by becoming an informant. He helped the agency penetrate the underworld of credit fraud and even gave lectures on cybercrime to Secret Service employees. Around that time, Gonzalez moved back to Miami.

It wasn’t until several years later that, Secret Service agents say, they learned Gonzalez was two-timing them - continuing to plot computer crimes under various online pseudonyms, including “soupnazi,’’ an apparent reference to the Seinfeld television show. According to court records, Gonzalez also tipped off at least one other hacker about an undercover investigation.

Court records offer a window into how the credit card schemes allegedly worked.

Gonzalez and a colleague would go “wardriving’’ on and around US Highway 1 in Miami, using a laptop computer to spot vulnerable wireless computer networks as they drove, records say. During one such outing, Gonzalez and a partner - who was also in his 20s - stumbled on an unprotected network run by BJ’s Wholesale Club; they were able to tap into it and obtain customer account numbers, authorities said in court documents.

Over the next few years, Gonzalez’s ring hit a series of other stores, including Barnes & Noble and Sports Authority, officials said. But the biggest breach occurred after one of Gonzalez’s partners accessed wireless networks for two Marshalls stores in the Miami area, the say.

During that time, money was allegedly rolling in for Gonzalez. According to a federal investigator, he would sell stolen card numbers to cohorts, who would often use them at ATMs. They kept a cut of the proceeds for themselves and sent the bulk of the money to Gonzalez, the investigator said.

“They were cashing out $50,000 to $100,000 a weekend; he was the rainmaker,’’ said the investigator, who did not want to be named because he was not authorized to speak publicly about the case.

Gonzalez would receive bundles of cash by express mail at a drop box, as well as large deposits to his online accounts, court records say. He once lamented that he had to tally $340,000 by hand, the records state.

Gonzalez’s alleged activities came to an abrupt halt on May 7, 2008, when he was arrested by Secret Service agents and charged in connection with hacking into a computer network at Dave and Buster’s, a restaurant chain based in Dallas. Investigators found him in a room at the upscale National Hotel in Miami Beach. He had three laptops, $22,000 in cash, and a gun, authorities said. They also found more than $1 million in cash in his parents’ backyard.

Last August, Gonzalez was implicated in yet another scheme, this time involving the theft of more than 40 million credit and debit card numbers in the TJX case. Ten other people were also charged in the breach, which cost TJX about $200 million. Authorities identified Gonzalez as the head of what they called the “single largest and most complex identity theft case’’ in US history.

And it was - until this week.

On Monday, investigators said Gonzalez had outdone himself. He and two unnamed hackers stand accused of stealing more than 130 million credit card numbers from additional retailers, including the Hannaford Brothers supermarket chain based in Maine and Heartland Payment Systems of New Jersey, which processes payments for thousands of stores nationwide.

Gonzalez’s lawyers dispute the charges against their client in New York and Massachusetts. One of his attorneys, Martin Weinberg, declined to comment on the New Jersey charges.

In announcing the charges Monday, prosecutors called it the largest data theft in US history.

Megan Woolhouse can be reached at; Todd Wallack at

    waiting for twitterWaiting for to feed in the latest...