Over a month haselapsedsince the years-long investigation and prosecution of TJX hacker Albert Gonzalez came to a dramatic end, with Gonzalez sentenced to 20 years in prison for the largest identity theft case in U.S. history.
Stephen Watt
Now a little-noted postscript to that high-profile case is unfolding away from the media spotlight, as a handful of convicted accomplices in Gonzalez’s schemes, who’ve been free on bail since the case began, say goodbye to their families and friends, and check themselves into federal prison for years — paying the price for their various roles in the massive crimes.
On Friday, 27-year-old Christopher Scott, who helped Gonzalez crack TJX and other retail chains, willsurrenderfor a 7-year sentence, leaving behind his wife and young step-daughter. Later this month, Damon Patrick Toey, 25, will also surrender for a 5-year-sentence for helping Gonzalez breach the networks of numerous companies and sell stolen card data.
Of all the defendants now walking into the prison system under their own power, however, one stands out as an unlikely figure in the multi-milliondollar hacking conspiracy: a former black hat hacker who gave up computer intrusions to carve out a successful career on Wall Street — only to be drawn into a small but fateful role in Gonzalez’s crimes.
Stephen Watt, 26, wrote a custom packet-sniffing program dubbed blabla for Gonzalez, as a favor for his best friend, he says. Gonzalez and other accomplices then used the code to siphon more than 100 million credit and debit card numbers from TJXs corporate network.On Friday, Watt will check into the SeaTac FederalDetentionCenter in Seattle to begin a 2-year prison term for that code. When he’s released, he’ll have a $171.5 million restitution order waiting for him –to repay financiallossesclaimedby TJX in the hack attack.
Restitution for Gonzalez and Scott has yet to be determined. Toey has been ordered to pay a $100,000 fine in addition to his sentence.
Prosecutors don’t dispute Watt’s claim that he wasn’t paid for the code, nor do they assert that he earned any profit from the stolen card data. But U.S. District Judge Nancy Gertner felt the enormity of the TJX intrusion, which she called “mightily, mightily malicious and irresponsible,” demanded jail time.
The sentence would serve a clear message to Watt and others, Gertner said during one hearing, that “you cannot be a cog in this wheel knowing that someone else is stealing . . . even if you didn’t get a dime for it.”
If Watt had remained in prison after his 2008 arrest, he’d likely be out by now for time served. But he never believed he’d get prison time for what prosecutors and the judge acknowledge was a minor role in Gonzalez’s criminal enterprise.
Though he was once headed for a promising future on Wall Street developing software for real-time trading systems, he hasn’t worked since federal agents raided his cubicle at Imagine Software in August 2008, and is now barred from the securities industry for life — all for malicious code that he says took him about 10 hours to write and test.
“I have no remorse for anything I’ve done when it comes to some sort of moral vantage point,” he told Threat Level earlier this year. “I have nothing whatsoever that’s causing me to lose sleep, other than the harm and potential embarrassment this has done potentially to my wife and mother.”
His mother, an immigrant from Bosnia, footed the down-payment for his Manhattan apartment and paid off the mortgage from her retirement fund when he lost his job. She stands to lose it all to restitution payments should he sell his co-op.
Watt’s path to prison began in 1999 when he was around 15 and living in Melbourne, Florida. He met Gonzalez online on an IRC channel called #feed-the-goats that was home to “Global Hell” — a hacking group whose claim to fame was defacements of government and corporate web sites.
Gonzalez, who was 17, used the name “Soup Nazi,” after the popular Seinfeld character; while Watt adopted the moniker “Jim Jones,” after the People’s Temple leader who led 900 cult members to their deaths with Kool-aid in 1978. Patrick Toey, another TJX accomplice, hung out on the IRC channel, too.
Albert Gonzalez at the 2001 DefCon hackers' convention in Las Vegas
“It’s rather embarrassing to even talk about [those days], given how technically unsophisticated we were and how we evolved since this time,” Watt says.
Watt and Gonzalez, who lived in Miami, shared an obsession with computers and an interest in security vulnerabilities. During high school, Gonzalez hacked into India government computers, as well as NASA machines, according to court documents. But his activities appear to have been limited to web intrusion and war-driving techniques. During his later criminal spree into TJX and other companies, he relied on Watt and others to code malware and exploits and left the most invasive hacks to unnamed Russian hackers cited in the indictments.
As Watt and Gonzalez grew up, their paths diverged, though they remained close friends. After graduating from high school, Gonzalez enrolled in Miami Dade Junior College to study computers, but dropped out during the first semester because his grades were poor, and the curriculum bored him. In 2000 at age 16, Watt graduated from high school with a 4.37 grade point average, and finished college at 19. He worked briefly for Florida software firm Identitech after high school and then, while in college, took a summer job with Qualys, a computer security firm, doing research and development for the company’s network scanning tool. A spokesman for Qualys characterized Watt’s work for the company as a summer internship, but wouldn’t say anything more.
It was around this time that Watt took on his most famous hacking identity as the “Unix Terrorist.”
The hacking community was in transition at the time, as many of the first generation of hackers “aged out” of their mischievous activity into professional, white-hat security jobs.
Watt hated the direction the hacking community was headed, and, with like-minded black hats, launched “Project Mayhem,” after the anarchic group in the novel Fight Club. Project Mayhem targeted security professionals judged by Watt and his friends to be media whores and poseurs — people who boasted skills that exceeded their talents.
The group hacked the computers and e-mail servers of targets and posted their private data and correspondence online. Their greatest wrath, however, was reserved for white-hat security researchers who advocated disclosing security vulnerabilities to vendors so they could be fixed, rather than allowing hackers to silently exploit them.
“They were making subconscious and conscious efforts to not only destroy our amusement and our power trips,” Watt says, “but they were also basically eroding the lulz.”
Mayhem sought nothing less than “worldwide physical destruction to the security industry infrastructure,” according to a statement the group made at the time.
“They may have been viewed as carrying forward some flavor of the hacker ideals,” says Ryan Russell, director of information security at Big Fix.Russell, aka “Blue Boar,” was likelyone of Project Mayhem’s targets. He was working for Security Focus when hackers broke into the network that hosted his personal server, then posted his private files online. They also sent spoofed e-mails to reporters and others purporting to be from him.
Project Mayhem’s “anti-sec” stance wasn’t completely unwelcome in the security world; there was a sentiment among some in the DefCon crowd that the security community’s focus on profit was at odds with hacking’s roots. But Mayem’s statements were often offensive and sometimes viewed as racist, Russell says, which undermined them. “If they ever had a serious message, the overtones completely washed it out,” he says.
Years later, writing as the Unix Terrorist in a 2007 edition of Phrack Magazine Watt described the rewards of Mayhem’s mayhem:
“Driving people over the precipices of depair [sic] and frustration is a great way to pass one’s time, but definitely falls short of the pleasure of discrediting or humiliating or otherwise defaming and slandering the ill-earned reputations of the various charlatans and hypocrites in the scene,” he wrote. “Publishing the mail spoolz of the wicked, archiving the hard drives of the lame, and rm’ing the weak are all activities I find inspirational.”
But Project Mayhem took a lot of energy, and after he relocated to Manhattan in October 2003, in the steps of Gonzalez who had already moved north, Watt began to lose interest in the game. He was living with a girlfriend at the time and working minimum-wage demolition jobs while looking for tech work. He’d labor 9 to 10 hours a day doing asbestos removal and other jobs, work out at the gym, then sit at the computer until 2 am serving justice on white hats.
“It was very exhausting,” he says. “It drove me to the brink of my sanity and reserves of physical energy.”
He eventually dropped out of the group, though his reputation followed him. He lost two job prospects doing security code auditing and penetration testing — after someone connected him to his Mayhem activity. In 2002, Watt had appeared on stage at the DefCon hacker conference as the “Unix Terrorist” touting the purloined files that Mayhem had seized from white hats, and his deep voice and towering height made him easily memorable.
While Watt was causing trouble in the security community, Gonzalez was meting out a different kind of destruction as an administrator of an online carding forum called Shadowcrew.
Criminals from around the world convened in the forum to plot hacks and traffic in stolen bank card data and other goods. In July 2003, Gonzalez, who used the name “Cumbajohnny” on Shadowcrew, got busted in Manhattan with an accomplice while making fraudulent withdrawals from Chase Manhattan ATMs. The police who nabbed Gonzalez were stunned by his tales of online carding rings, and called in the Secret Service to speak with him. The agents convinced Gonzalez to work undercover as Cumbajohnny to nab other carders, helping the agency run the site as a sting operation from servers in its New Jersey office.
Watt says he didn’t know Gonzalez had been busted or was working for the Secret Service at the time. But he had an inkling, through other people, that Gonzalez was involved in the carding community.
“It always left a little bit of bad taste in my mouth, but I’m not the sort to lecture other people, so I just ignored it,” Watt says.
Gonzalez ran Shadowcrew for the Secret Service for about half a year before the site was brought down in a coordinated bust in October 2004 that spanned several states and Canada and nabbed more than two dozen suspects. Watt says Gonzalez tipped off some of his friends in advance of the bust, after the Secret Service agreed to spare certain people.
“These were the people that he was closest to and had the highest degree of friendship and respect for,” Watt says. “It wasnt anyone who is now a co-conspirator in the TJX stuff that I know of.” (The Secret Service has refused to comment on Gonzalez’s work for the agency.)
After the takedown, Gonzalez warned Watt that he might hear negative tales about him — due to his role in the sting — and asked for Watt’s support.
“He gave me some details about what happened and something to the effect that . . . there are going to be people who arent happy, and people will make a lot of wild accusations,” Watt recalls. “I wasn’t happy that he was cooperating against other people. But he was my best friend . . . and I was not willing to lose that. He had never done anything but protect my best interest, so that was my reason for sticking with him.”
Gonzalez moved back to Miami shortly thereafter but continued to work as a paid informant for the Secret Service, earning $75,000 a year, while living with his parents. He didn’t discuss the work with Watt, and Watt didn’t inquire.
Watt was walking a different path. In May 2004, he landed a programming job with Morgan Stanley working on application infrastructure and in-house security toolkits. After hours, he sidelined in club and party promotions. He was 20 years old and earning $65,000 a year. His lifestyle began to change. He spent much of his time on weekends partying and imbibing a smorgasbord of drugs LSD, heroin, methamphetamines, PCP. His technical skills deteriorated as he lost touch with the hacking scene.
Nonetheless, about a year later the Secret Service approached him through Gonzalez, and asked if he’d write code for them. Watt was interested, as long as the work didn’t involve busting criminals. He went to Washington, DC, in early 2005 to meet with agents, but when he arrived, “they wanted me to provide them with human info and do some snitching on people in the carding community,” he says. He’d never been involved in the carding community, he says, and “left the office refusing multiple times . . . to have anything to do with [the agents].”
Thereafter, the agency occasionally reached out to ask him to code a software tool or an exploit, but he wasn’t interested.
Then Gonzalez personally asked for a similar favor: a customized packet sniffer. Watt agreed. Gonzalez went on to use the sniffer in his massive credit card theft from TJX that spanned about 18 months in 2005 and 2006.
Watt says he didn’t know the code would be used to intercept credit card data. “I assumed it would have something to do with web traffic or instant messaging conversations or logins of some other protocol not related to the credit card information,” he says. “[Gonzalez] made a very conscious and concerted effort to make sure all the conspirators were isolated from each other to avoid incrimination to any of these people and also to ensure his own safety in the process. So the idea that he would have communicated to me [what he was doing] is completely absurd and false.”
Prosecutors say chat logs recovered from Gonzalez’s computer show Watt had knowledge of what Gonzalez was doing, at least broadly.
“You have got to convince typedeaf to do some work for me,” Gonzalez wrote Watt at one point, referencing the handle of another hacker. “If he was able to hack some euro dumps we can make a fortune. I hacked a place and took ~30k euro dumps and this last week I made ~11k from only selling ~968 dumps.” (Dumps are the undergrounds term for credit or debit card magstripe data, including account numbers.)
What’s not in dispute is that Gonzalez was making a lot of money in crime, and Watt was making a good legitimate living on Wall Street, earning up to $130,000 at the time of his arrest.
In June 2006, with their arrests still years in the future, Watt and Gonzalez threw a $75,000 joint birthday party in Manhattan to celebrate both their birthdays, which were a few days apart. Gonzalez flew up from Miami for the party, which included 250 guests in a private loft rented for the occasion.
Most of the guests were strangers to Gonzalez, outside of his TJX accomplices Damon Toey and Jeremy Jethro. The rest were “hot, well-dressed [models] and interesting personalities from Manhattan” that Watt says he rounded up.
Occasionally he and Gonzalez talked about a club Watt wanted to open. Gonzalez suggested he could invest $300,000 in the club.
“He never discussed laundering additional funds,” Watt says. “There was nothing talked about piping in anything illegal.”
It was just Gonzalez, swimming in what would turn out to be stolen cash, offering to help his best friend with what Watt calls “a pipe dream.” That dream, of course, is gone now for both of the friends.
(Stephen Watt photo courtesy Michael Farkas)
See Also:
- TJX Hacker Gets 20 Years in Prison
- TJX Accomplice Sentenced to 7 Years in Prison
- Final Conspirator in Credit Card Hacking Ring Gets 5 Years
- Secret Service Paid TJX Hacker $75000 a Year
- Former Morgan Stanley Coder Gets 2 Years in Prison for TJX Hack
- Gonzalez Accomplice Gets Probation for Selling Browser Exploit
- Document Reveals TJX Hacker’s Assistance to Prosecutors
