June 30, 2009, 9:33 PM — Max Ray Butler, a former security analyst turned hacker, yesterday pleaded guilty in federal court in Pittsburgh to breaking into numerous financial institutions and card-processing networks and stealing credit card and identity data on hundreds of thousands of individuals.
The guilty plea came after Butler had requested nearly a dozen extensions for time to file pre-trial motions after his arrest in September 2007 on three counts of wire fraud and two counts of transferring stolen identity information. The charges carry a maximum of 40 years in prison and a $1.5 million fine. It's possible that Butler will receive a substantially lighter sentence by agreeing to plead guilty.
Butler, 37, was arrested in San Francisco, but the case is being heard in Pittsburgh because one of his accomplices who is cooperating with authorities in the case is based in Pennsylvania.
Butler has already served an 18-month prison term after he was convicted in May 2001 on charges of breaking into and accessing U.S. Department of Defense computers. He was also part of a group of four individuals that was investigated by the FBI and the U.S. Secret Service in January 2004 for compromising software code in the Half Life video game.
Court documents filed in connection with Butler's most recent arrest describe what appears to have been an elaborate scheme and an equally painstaking 16-month effort to nab him. The thefts and break-ins to which Butler pleaded guilty took place between June 2005 and September 2007. During that time, Butler, who used the online nicknames "Iceman," "Digits," "Darkest" and "Aphex," broke into the networks of numerous institutions, including Citibank and the Pentagon Federal Credit Union, and stole data on hundreds of thousands of credit cards.
Butler then sold the data to several of his accomplices via a Web site called Cardersmarket that he set up in 2005 along with another individual named Christopher Aragon. According to the court documents, Aragon would manufacture or re-encode credit cards with the stolen card information provided by Butler. Aragon and his "crew" would use the cards to fraudulently purchase thousands of dollars worth of merchandise at retailers such as Wal-Mart and Dillard's. The merchandise would then be resold by others, including Aragon's wife, through venues such as eBay. Butler would receive a cut from the proceeds of such sales typically through pre-paid Green Dot credit cards.
The 6-foot, 5-inch, often pony-tailed Butler, would carry out his hacking activity from multiple locations, including hotel rooms and apartments in San Francisco that he would rent under the name Daniel Chance.
Two of Butler's accomplices, who were arrested before him, described how they along with Butler and Aragon would rent hotel rooms four days at a time to hack into nearby businesses. The group would use an "expensive, high-powered antenna" to intercept wireless communications and break into networks, the court documents said. Butler would often gain access to full profiles and PIN numbers of account holders via such intrusions. One of them described how Butler had rigged his computers so he could permanently wipe out any incriminating evidence on them with just two keystrokes.
Though Butler appears to have taken what he thought were fairly elaborate measures to conceal his activities, what he didn't know was that federal authorities had two informants posing as members of Cardersmarket. One of them, identified in court documents only as CI#2, was given administrative responsibilities for the Cardersmarket Web site by Butler. The two informants gathered detailed information on the activities of the group and against Butler.
On one occasion, for instance, one of the informants was asked by a Secret Service agent to buy 23 stolen credit cards from Butler for $480. On another occasion the same informant was asked to purchase an additional 38 cards for $456. The eGold account to which the money was transferred and the computers that were used in the transactions were later traced back to Butler.
Despite using various nicknames in an apparent attempt to conceal his identity, Butler himself provided federal authorities with direct information linking his true identity with the assumed names.
In one intercepted chat communication between Butler and CI#2, Butler says "so obviously I am digits also. Might as well say it straight since I blew cover in ICQ (talking about our forum)," he says. "It is a pain in the ass trying to keep that separate from people I know and trust and like such as yourself," he says.
After Aragon's arrest in August 2007, Butler shut down Cardersmarket with a message to members that he was "retiring." The forum came back up shortly thereafter under the management of a supposedly new administrator who in fact was Butler himself. At the time of his arrest the Cardersmarket Web site was still up.
