John Schiefer, 26, pleaded guilty in U.S. District Court in Los Angeles to accessing protected computers to conduct fraud, disclosing illegally intercepted electronic communications and wire and bank fraud, according to a news release from Attorney General Thomas O'Brien.
Schiefer admitted to seizing control of hundreds of thousands of computers and using those compromised machines -- known collectively as botnets -- to search for vulnerabilities in other computers, capture sensitive data and conduct identity fraud, prosecutors said.
He and his cohorts installed packet sniffers on victims' computers, which were used to intercept private communications -- such as usernames and passwords -- delivered between the victims' machines and financial or retail institutions, prosecutors said.
Schiefer and his accomplices used that data to pose as the victims and make unauthorized purchases. They also sold the information to others.
If convicted, Schiefer -- who is free on bail -- faces up to 60 years in prison and fines of $1.75 million.
He was charged under the Federal Wiretap Act, Assistant U.S. District Attorney Mark Krause told SCMagazineUS.com on Thursday.
"He [said] he did it for the money, but he also enjoyed the thrill of having control over these computers, of being a big shot in the community, and being able to orchestrate these schemes," Krause said.
As part of his guilty plea, Schiefer acknowledged he infected computers in the PStore, a Microsoft interface for storing and backing up user data, and used them as part of his botnet.
In addition, he earned roughly $20,000 from a Dutch advertising company by signing up as a consultant and then installing the company's software on computers he controlled without first getting customer consent, as required by the company.
Schiefer has agreed to compensate the company for the money it paid him.