TJX ringleader pleads guilty

Share this article:

One of the leaders of an international ring of credit card thieves on Friday pleaded guilty to multiple federal charges, including conspiracy, computer fraud, access device fraud and identity theft.

Albert Gonzalez, 28, of Miami, was part of a group that hacked into TJX, BJ's Wholesale Club, OfficeMax, Boston Market, Barnes & Noble and Sports Authority, according to the U.S. Department of Justice (DoJ). Gonzalez had been indicted in August 2008 in Massachusetts on charges related to the hacks.

Gonzalez and his co-conspirators were able to steal more than 40 million credit and debit card numbers from retailers by breaking retail credit card payment systems through a series of sophisticated techniques, including "wardriving" and installation of sniffer programs, according to the DoJ. 

The gang sold the numbers and raided ATMs using the stolen data, often withdrawing tens of thousands of dollars at a time, according to the DoJ. They hid their activity by using internet-based currencies and channeling funds through bank accounts in Eastern Europe.

"Technology has forever changed the way we do business, virtually erasing geographic boundaries," U.S. Secret Service Director Mark Sullivan said in a statement. "However, this case demonstrates that even in the cyber world, there is no such thing as anonymity."

Even with the success of this operation, it is unlikely to forestall much criminal activity on the internet, experts said.

“They definitely got a big guy here,” Avivah Litan, vice president and distinguished analyst at Gartner, told Monday. “But there are a lot more to fill his tracks. It should be a deterrent for future criminals, but it probably won't be.”

Criminals are tending to launch more under-the-radar attacks, instead of big breaches garnering tens of millions of records, Litan said. Criminals now frequently target business bank accounts that cash managers handle on behalf of small companies, county governments and other organizations by planting trojans on user desktops to steal account credentials.

“They‘ve set their sights on small business cash accounts at banks and launch lots of small attacks, instead of one big attack,” Litan said.

Gonzalez will be sentenced Dec. 8. He faces up to 25 years in prison. He also agreed to forfeit more than $2.7 million, along with a condo in Miami, a 2006 BMW 330i, a Tiffany diamond ring and several Rolex watches, according to the DoJ. The forfeited cash includes more than $1 million Gonzalez had buried in his backyard.

Gonzalez's attorney, Rene Palomino, couldn't be reached Monday for comment.

Share this article:

Sign up to our newsletters

More in News

Brazilian president signs internet 'Bill of Rights' into law

Brazilian president signs internet 'Bill of Rights' into ...

President Dilma Rousseff signed the legislation on Wednesday at the NetMundial conference in Sao Paulo.

Android trojan sends premium SMS messages, targets U.S. users for first time

Android trojan sends premium SMS messages, targets U.S. ...

An SMS trojan for Android, known as FakeInst, has been observed sending premium SMS messages to users all over the world, including, for the first time, the United States.

Report: DDoS up in Q4 2013, vulnerability scanners leveraged to exploit sites

Report: DDoS up in Q4 2013, vulnerability scanners ...

Researchers observed 346 DDoS attacks in the final quarter of 2013 and attackers used Vega and Skipfish vulnerability scanners to exploit web flaws at financial companies.