Hacker / security expert charged with massive credit card theft

Computerworld - A California man who served jail time for hacking hundreds of military and government computers nine years ago was charged yesterday with new computer crimes: stealing tens of thousands of credit card accounts by breaking into bank and card processing networks.

Max Ray Butler, 35 of San Francisco, a.k.a Max Vision, and also known by his online nicknames of Iceman, Digits and Aphex, was indicted Tuesday by a federal grand jury in Pittsburgh on three counts of wire fraud and two counts of transferring stolen identity information. Arrested last week in California, where he remains, Butler could face up to 40 years in prison and a $1.5 million fine if he is convicted on all five counts.

According to the indictment, Butler hacked multiple computer networks of financial institutions and card processing firms, sold the account and identity information he stole from those systems, and even received a percentage of the money that others made selling merchandise they'd purchased with the stolen card numbers. The U.S. Secret Service ran the investigation into the hacks and resulting scams, which took place between June 2005 and September of this year.

Butler was charged in Pittsburgh because he'd sold data on 103 credit card accounts to a Pennsylvanian who was cooperating with authorities.

He and others also operated a Web site used as a meeting place for criminals who bought and sold credit card and personal identity information. "As of September 5, 2007, Cardsmarket had thousands of members worldwide," the indictment read. Although the site was still online as of Wednesday morning, the forums had been deleted. A message posted by a forum administrator identified as achilous said he had erased the threads when news of Butler's arrest broke.

"Everybody who hasn't already done so, I would strongly advise that you delete all PMs you have saved," achilous advised. "Also, any unsecured data you have, now would be the time to make sure it is very strongly encrypted. These precautions seemed justified given the severity of the situation. It may only be a matter of time before a government agency takes over this forum, and I did not want them to get the raw SQL database containing all the threads and posts."

Although some documents in the case remain sealed, including one or more affidavits, news reports cited grand jury witnesses who had told of Butler selling tens of thousands of stolen credit card accounts. A former partner who had been arrested in May reportedly claimed that Butler supplied him with a thousand numbers each month for more than two years, according to the Pittsburgh Tribune-Review.