'Iceman' pleads guilty to massive computer hacking

Max Ray Butler, a former security analyst turned hacker, yesterday pleaded guilty in federal court in Pittsburgh to breaking into numerous financial institutions and card-processing networks and stealing credit card and identity data on hundreds of thousands of individuals.

The guilty plea came after Butler had requested nearly a dozen extensions for time to file pre-trial motions after his arrest in September 2007 on three counts of wire fraud and two counts of transferring stolen identity information. The charges carry a maximum of 40 years in prison and a $1.5 million fine. It's possible that Butler will receive a substantially lighter sentence by agreeing to plead guilty.

Butler, 37, was arrested in San Francisco, but the case is being heard in Pittsburgh because one of his accomplices who is cooperating with authorities in the case is based in Pennsylvania.

Butler has already served an 18-month prison term after he was convicted in May 2001 on charges of breaking into and accessing U.S. Department of Defense computers. He was also part of a group of four individuals that was investigated by the FBI and the U.S. Secret Service in January 2004 for compromising software code in the Half Life video game.

Court documents filed in connection with Butler's most recent arrest describe what appears to have been an elaborate scheme and an equally painstaking 16-month effort to nab him. The thefts and break-ins to which Butler pleaded guilty took place between June 2005 and September 2007. During that time, Butler, who used the online nicknames "Iceman," "Digits," "Darkest" and "Aphex," broke into the networks of numerous institutions, including Citibank and the Pentagon Federal Credit Union, and stole data on hundreds of thousands of credit cards.

Butler then sold the data to several of his accomplices via a Web site called Cardersmarket that he set up in 2005 along with another individual named Christopher Aragon. According to the court documents, Aragon would manufacture or re-encode credit cards with the stolen card information provided by Butler. Aragon and his "crew" would use the cards to fraudulently purchase thousands of dollars worth of merchandise at retailers such as Wal-Mart and Dillard's. The merchandise would then be resold by others, including Aragon's wife, through venues such as eBay. Butler would receive a cut from the proceeds of such sales typically through pre-paid Green Dot credit cards.

The 6-foot, 5-inch, often pony-tailed Butler, would carry out his hacking activity from multiple locations, including hotel rooms and apartments in San Francisco that he would rent under the name Daniel Chance.

Two of Butler's accomplices, who were arrested before him, described how they along with Butler and Aragon would rent hotel rooms four days at a time to hack into nearby businesses. The group would use an "expensive, high-powered antenna" to intercept wireless communications and break into networks, the court documents said. Butler would often gain access to full profiles and PIN numbers of account holders via such intrusions. One of them described how Butler had rigged his computers so he could permanently wipe out any incriminating evidence on them with just two keystrokes.

For more enterprise computing news, visit Computerworld. Story copyright Computerworld, Inc.