The hacker who went into the cold

One night in July 2003, a little before midnight, a plainclothes NYPD detective, investigating a series of car thefts in upper Manhattan, followed a suspicious-looking young man into the ATM lobby of a bank.

The detective watched as the man pulled a debit card from his pocket and withdrew hundreds of dollars in cash.

Then he pulled out another card and did the same thing. Then another, and another. The guy wasn’t stealing cars, but the detective figured he was stealing something.

Indeed, the young man was in the act of “cashing out,” as he would later admit. He had programmed a stack of blank debit cards with stolen card numbers and was withdrawing as much cash as he could from each account.

He was doing this just before 12 am, because that’s when daily withdrawal limits end, and a “casher” can double his take with another withdrawal a few minutes later.

The detective asked his name, and though the man went by many aliases on the Internet, he told the truth. “Albert Gonzalez,” he said.

After Gonzalez was arrested, word quickly made its way to the New Jersey US attorney’s office in Newark, which, along with agents from the Secret Service’s Electronic Crimes Task Force, had been investigating credit- and debit-card fraud involving cashers in the area, without much luck.

Gonzalez was debriefed and soon found to be a rare catch. Not only did he have data on millions of card accounts stored on the computer back in his New Jersey apartment, but he also had a knack for patiently explaining his expertise in online card fraud.

Gonzalez, law-enforcement officials would discover, was a moderator and rising star on Shadowcrew.com, an archetypal criminal cyberbazaar that sprang up during the Internet commerce boom in the early 2000s.

Shadowcrew had hundreds of members across the United States, Europe and Asia. It was, as one federal prosecutor put it to me, “an eBay, Monster.com and MySpace for cybercrime.”

After a couple of interviews, Gonzalez agreed to help the government so he could avoid prosecution. “I was 22 years old and scared,” he’d tell me later.

Gonzalez became one of the most valuable cybercrime informants the government has ever had. After his help enabled officials to indict more than a dozen members of Shadowcrew, Gonzalez’s minders at the Secret Service urged him to move back to his hometown, Miami, for his own safety.

After aiding another investigation, he became a paid informant in the Secret Service field office in Miami in early 2006.

The Secret Service agent who would come to know Gonzalez best, Agent Michael (a nickname derived from his real name), was transferred to Miami, and he worked with Gonzalez on a series of investigations on which Gonzalez did such a good job that the agency asked him to speak at seminars and conferences.

“It seemed he was trying to do the right thing,” Agent Michael said.