A California man who served jail time for hacking hundreds of military and government computers nine years ago was charged yesterday with new computer crimes: stealing tens of thousands of credit card accounts by breaking into bank and card processing networks.

Max Ray Butler, 35 of San Francisco, a.k.a Max Vision, and also known by his online nicknames of Iceman, Digits and Aphex, was indicted Tuesday by a federal grand jury in Pittsburgh on three counts of wire fraud and two counts of transferring stolen identity information. Arrested last week in California, where he remains, Butler could face up to 40 years in prison and a $1.5 million fine if he is convicted on all five counts.

According to the indictment, Butler hacked multiple computer networks of financial institutions and card processing firms, sold the account and identity information he stole from those systems, and even received a percentage of the money that others made selling merchandise they'd purchased with the stolen card numbers. The U.S. Secret Service ran the investigation into the hacks and resulting scams, which took place between June 2005 and September of this year.

Butler was charged in Pittsburgh because he'd sold data on 103 credit card accounts to a Pennsylvanian who was cooperating with authorities.

He and others also operated a Web site used as a meeting place for criminals who bought and sold credit card and personal identity information. "As of September 5, 2007, Cardsmarket had thousands of members worldwide," the indictment read. Although the site was still online as of Wednesday morning, the forums had been deleted. A message posted by a forum administrator identified as achilous said he had erased the threads when news of Butler's arrest broke.

"Everybody who hasn't already done so, I would strongly advise that you delete all PMs you have saved," achilous advised. "Also, any unsecured data you have, now would be the time to make sure it is very strongly encrypted. These precautions seemed justified given the severity of the situation. It may only be a matter of time before a government agency takes over this forum, and I did not want them to get the raw SQL database containing all the threads and posts."

Although some documents in the case remain sealed, including one or more affidavits, news reports cited grand jury witnesses who had told of Butler selling tens of thousands of stolen credit card accounts. A former partner who had been arrested in May reportedly claimed that Butler supplied him with a thousand numbers each month for more than two years, according to the Pittsburgh Tribune-Review.

Achilous called Christopher Aragon, 47, the Californian named in the Tribune-Review story, a "rat" for fingering Butler. Aragon was arrested with another man, Guy Shitrit, 23, in Newport Beach, Calif. on May 12 at a local shopping mall after buying more than $13,000 worth of Coach handbags using counterfeited American Express, credit cards at Bloomingdales. Police found more than 70 bogus credit cards on the pair.

After he was arrested, Aragon was banned from the Cardsmarket forums, said achilous, for "security" reasons.

Prosecutors in Pittsburgh said that Butler used high-powered antenna in "war-driving" style attacks to hack wireless access to computer networks at organizations that included the Pentagon Federal Credit Union and Citibank.

Butler is no stranger to the judicial system. In 2000, he pleaded guilty to charges that he hacked military and other government computers three years prior, including those belonging to the U.S. Air Force, U.S. Navy, and NASA. He was also accused of breaching the network of id Software, developers of the PC games "Doom" and "Quake," and stealing several hundred access passwords to a California Internet service provider.

Butler pleaded guilty to one felony count, even though he continued to proclaim his innocence, saying that he had found an unpatched vulnerability in government networks then written software to scan for the hole and close it. Prosecutors at the time, however, said Butler also added a "back door" to every system his software penetrated, giving him secret access to the networks.

Ironically, Butler, then 28, was a well-known security researcher before his arrest, frequently posting to security mailing lists. He had also created arachNIDS, a once-popular open source collection of attack signatures used intrusion detection systems. During court hearings in 2000, it also came to light that he had been an FBI informant for at least two years, and perhaps as many as five years, before his arrest.

Butler was sentenced in May 2001 and served 18 months in federal prison and three years' probation.

Labels: attack, hackers, risk mitigation