Cloned Boy
Professional
- Messages
- 1,160
- Reaction score
- 881
- Points
- 113
The story of Max Butler is a real journey through the world of cybercrime. The story of a genius who was doomed to take the path of breaking the law. Unlike many hackers who were forced to cooperate with law enforcement after their capture, Max's relationship with the FBI began on the other side. At the beginning of his journey, he was a valuable employee of the Federal Reserve in the field of online security. However, the hacker passion led him down a crooked path, where he became the master of one of the largest black markets for stolen credit cards.
To understand his story and truly understand one of the most unusual fates not only in the world of hackers, but also in crime, let's look into his past and, as always, start from afar. Meet Max Butler. On the other side of the law.
In addition, there are already videos about Quentin Tarantino, Britney Spears and Scarlett Johansson, and a video about George Orwell and the Coca-Cola company is coming soon. The approach to video production is the same there as here, studying everything that can be reached and issuing informative and interesting material. So, if you are interested in this topic or me personally as the author, then the link is for you in the description.
If not, then forget everything said earlier and continue watching "Beyond the Law". Butler was born on July 10, 1972 and grew up in Meridian, Idaho. He had a complete family, his father - the owner of a small computer store, mother and younger sister. Since childhood, he was surrounded by various computer hardware and enjoyed helping his father.
He came of age at a time when the world literally began to move to the Internet. At the age of 8, Butler was already learning to program in BASIC, and by his early teens he was a fan of phreaking - fraud with phone numbers. When Max was 14, his parents divorced. His father left, and the teenager stayed to live with his mother and sister. Butler was an atypical geek and often participated in fights.
He was tall and played sports. This period in his biography is described as a state between complete detachment and real madness. At the same time, he received his first suspended sentence for breaking into a school chemistry lab and wreaking havoc in the corridors and offices using all available means found there. Butler pleaded guilty to intentional damage to property, first-degree burglary, and grand theft.
A forensic psychiatrist diagnosed him with bipolar disorder and prescribed pills. After the trial, Max moved to his father in the city of Boise, also in Wydaho, and entered a local high school, and also helped his father with his business, happily assembling computers. His father immediately canceled all his medications, since he did not believe in the psychiatrist's diagnosis and believed that the prescribed drugs were addictive. Butler had big plans for the future, he wanted to go to a prestigious university to study programming.
He probably would have succeeded if it weren't for a love story. In one of Boyce's clubs, Butler met a blonde peer named Emmy and fell in love right away. She reciprocated his feelings, and they began to spend a lot of time together. Emmy was applying to Boyce State University, and Butler decided to apply with her because he didn't want to break up.
He easily passed the exams for the computer science department, and also enrolled in additional courses in data structuring, chemistry, and mathematical analysis. At that time, all the students were into a simple game called Matt, essentially a text-based virtual world without pictures, but with a chat. The game was full of serious passions and fights between magicians, dragons, and elves, and Max and Emmy also participated in this.
It was in the game that Butler noticed that his girlfriend was flirting with other men. This angered him, so he forbade the girl to play. But she continued, and even more. Online, in the presence of many teammates, she announced the separation to the jealous Max. Right there, in the chat, he responded to her in detail about how he would kill an unfaithful girlfriend. Even then, some users contacted the police.
For some time, Max continued to attack Emmy with phone calls, begging her to come back, and when he refused, he began to threaten her again. On October 30, 1990, he dialed her number again and calmly asked to meet. Emmy thought that Max had finally cooled down and agreed. Then their versions differ. The girl claimed that he kept her in his house for an hour and periodically strangled her. Max himself denied everything.
Emmy filed a lawsuit, and the trial lasted until the spring. Butler refused to admit that he strangled Emmy and said that she could leave at any time. He was given a restraining order to prevent him from approaching her and a choice of 45 days in prison or release on bail if found guilty. The sentence was postponed for a month, and during that month, Max managed to do more things. While driving, he saw Emmy and her new boyfriend, whom she met in that game.
Max pressed the gas pedal and sped past the couple, violating the terms of the restraining order. On May 13, 1991, Max Butler was sentenced to five years in prison on charges of assault with a deadly weapon - his hands. He never admitted his guilt. After his parole in 1995, the era of the computer Internet was flourishing.
After he was released, he moved to Seattle with his father, but because of his criminal record, Max was not hired for good jobs. And if they did, they quickly kicked him out because some suspicious activity began on the computers and servers of these companies. Butler actively shared pirated music, software and games in an Internet chat. Tired of such a life, he decided to start a new one. He changed his name and moved to San Francisco.
In San Francisco, Max settled in with old friends from the city of his childhood, who rented a luxurious mansion and, like Max, were determined to grab their piece of the pie in cyberspace. Life began to improve, he got a job as a system administrator, he liked the job, liked helping people, but the past knocked on the door again. Max Butler was sued for piracy for 300 thousand dollars by the Association of Software Publishers. The amount was reduced to 3.5 thousand dollars when he agreed to consult the Association on cybersecurity, and this case attracted the attention of the FBI.
In 1997, Max, who now had the last name Vision, became an informant for the feds, he helped to find real cybercriminals. At that time, he considered himself a white hacker, using his skills for good. At that time, Butler was hired by the legitimized former hacker Matt Harrigan.
He founded the company MicrocosmComputerResource, a firm that specialized in cybersecurity and searching for vulnerabilities in the systems of large corporations. Among other companies, it was distinguished by its marketing approach. Yesterday these people stole your data, and today they protect it. So Butler embarked on the path to correction. He worked for the FBI, received 100-150 dollars an hour in Harrigan's company, and a little later happily married Kim Winters, who moved to a nice apartment in San Jose.
And all this began to collapse when, in the process of work, Max discovered a major breach in the foundation of the Internet. BIND is a scalable domain name system that converts the links we are used to into numeric addresses that the network operates with. By 1998, its code was outdated, and they decided to rewrite it. But there was still one line in it that gave attackers a potential opportunity to hack.
Sending too large a request would overflow the memory buffer, giving skilled and patient hackers a direct route to where they wanted to go, to the short-term storage area called the stack, the place where the processor saves all of its actions. Every time a program switches the computer to a subroutine, the processor places the current address on the stack, so it knows where to return to after the program is finished.
A hacker who has gained access to the stack can rewrite the last return address to the location of his malicious code. Thus, after executing the subroutine, the computer will return via a malicious link, and since Bandage runs as an administrator, this means that the computer is now at the mercy of whoever got through this breach.
Max was one of the first to discover this line and, of course, notified the FBI, but the state machine was too sluggish and the danger that someone would launch an attack through the breach was so great that Butler could think of nothing better than to launch it himself. He wrote a program that found unpatched computers, got there through the breach, rewrote the defective line, protecting the computer but leaving a backdoor for Butler.
For five days, Max enjoyed power over cyberspace. He captured so many government computers that his own was shutting down from overheating. He even got to the developers of Quake 3, downloaded their source code and, having patched the security holes, wrote them a letter. For him, this was an exciting adventure, during which, carried away by a real hunting passion, he literally wrote down checkpoints, as if he were playing a computer game.
BMF bases, universities, the computer of the presidential assistant. Five days later, due to the volume of traffic, he was discovered by a professor at the university Max had once wanted to attend. And Butler wrote to the professor that he was patching an unprecedented hole in the defense. However, after that, he stopped the attack and began to spread information about it.
He published a large article in which he described in detail how to protect against hacking due to a gauze error. He continued to write reports to the FBI, called the supervising agent, who once said that they needed to meet. And he was identified by one little thing. Butler installed pop-up messages with a notification about the takeover of a new system, and from this notification they were able to determine the IP address, which led directly to his apartment in San Jose.
Four agents came to the house when his wife Kim was not at home. They immediately told Max that they knew everything, told him how they found out and, of course, did not believe Butler's version that he did all this to protect himself. But he was so sincere that the agents softened and asked him to tell everything. And Max naively told, thinking that the feds believed him, but it was not so.
He was charged with unauthorized access to US Air Force computers and offered a deal. The sentence could have been suspended if he ratted out his boss Matt Harrigan, but Butler refused and in September 2000 pleaded guilty, receiving 18 months of real prison and three years of supervised release. A few months later, Kim left him. 18 months in Taft prison did not go to waste for Butler.
There he met a talented con man named Norington, who was ruined by his addiction to alcohol. Norington almost served out his 11-month sentence and immediately took note of Max's talents. They walked in the yard every day, fantasizing about doing business together. Butler could hack brokerage firms, and they connected to trading accounts and transferred them to offshore banks. One big catch and they will have enough money for the rest of their lives.
This is the kind of talk hackers do when they go to prison and first interact with career criminals. Once they get out, the schemes are usually forgotten. That was the case with Butler, initially. In 2002, he was transferred from Taft to a halfway house in Oakland. He had two weeks to find a job or go back to prison, so Butler offered his services at a reduced rate.
The last half-dozen employers I had paid me at least $100 an hour for my time, he wrote on a job board for computer security jobs. Now I'm asking only $7. At the same time, Kim, having found herself a new man, divorced him. With no money, Butler watched sadly as the project developed for them as cybersecurity specialists, while he was left out of work, forced to fix computers for pennies, as in his youth.
However, Norrinton soon contacted him and proposed a plan. Butler would become a blackhead hacker, he would sponsor him and they would steal lots and lots of money. True, his Norrinton did not have money to sponsor yet, but he knew where to get it. So another player got involved, Chris Aragon, a former bank robber, carder and swindler from a very respectable American family and with an impressive criminal past.
In 1996, he served his second term for transporting drugs for cartels and decided to quit crime, organizing a leasing business for startups. In 2001, he went bankrupt and again found himself at a crossroads. This is how he crossed paths with Norrinton, and then with Butler personally. During their first entanglements, Norrinton disappeared with the money, but Aragon and Butler developed a friendly relationship.
Butler emerged from prison just as the cybercrime gold rush was happening. In 2002, the first generation of carding forums brought an entrepreneurial spirit to the Underground that had never been seen before. For the first time, a Denver scammer could buy stolen credit card numbers from a hacker in Moscow, ship them to Shanghai to be turned into counterfeit cards, then pick up a fake driver’s license made in Ukraine before heading to a mall to cash out.
But hacking from home was for idiots and teenagers; it was too easy for law enforcement to track IP addresses and subpoena ISPs for location information. So, Aragon says, once a month he and Butler would head to downtown San Francisco, where the pair would stay in hotels for up to a week.
They would bring Butler’s antenna into the room and set it up on a tripod taped to the floor near the window. Butler would spend some time trying to find a high-speed wireless connection with a strong signal that he could log on to and use anonymously. If that didn’t work, Aragon would run to the front desk to ask for another number, explaining that he couldn’t get a cellphone signal or was too afraid of heights to stay on the twentieth floor.
Butler, fresh from his time in prison, began targeting other hackers, Aragon recalled. He would lurk in online chat rooms, sniffing out the most vulnerable cybercriminals and tapping into their systems. He would scrape everything—stolen IDs, passwords, PINs. The most valuable commodities were the dumps—the data from the magnetic strip on the back of credit cards. Once Butler had enough dumps, Oragon went to work, churning out counterfeit cards using a foil heat press and magnetic tape.
Once the ink was dry, Oragon and his friends would go shopping for luxury items that could be easily sold. Speed was of the essence; they had to grab the freshest shipments, press them into plastic, and buy as many as they could before other scammers started using the same data.
After months of scamming scammers, Butler moved on to smaller regional banks and credit unions that couldn’t afford top-notch security. He sold his wares to Aragon for $5,000 to $10,000 a month, and Aragon, back in Orange County, had hired a shady crew for his business, an assistant to print the cards, and attractive young women to shop at high-end department stores. Their job was to buy designer handbags, jeans, shoes, and watches to resell on eBay in exchange for a percentage of the profits.
By the end of 2003, Aragona's business was providing him with rent for a mansion and a prestigious private school for his children. But as the money rolled in, the former bank robber found less useful uses for it: parties, cocaine, ecstasy, weed, and trips to Vegas. Butler preferred an ascetic lifestyle.
A big-screen TV was his only weakness. Aragon's bad habits caused a rift in his friendship with Butler. Max worried that Aragon's drug use was making him reckless and began demanding a larger share of the profits. And in April 2004, Aragon tried to pass some suspicious cards at the front desk of a San Francisco hotel. He was arrested, given three years' probation, and banned from the hotel for life.
For Butler, this was his cue to start looking for other buyers for his wares. For most cybercriminals of the time, this would have meant creating an account on Shadow Crew, a 4,000-member go-kart site. Butler logged in as Iceman, but soon sensed something was wrong and left the forum. One of the site’s administrators, named Kumbaggione, urged members to use an invite-only virtual private network to avoid surveillance.
This gave Kumbaggione a window into the members’ activities. The suggestion obviously bothered Butler, and his instincts were right. Four months later, Kumbaggione was exposed as a snitch when the Secret Service arrested 28 members of Shadow Crew and shut down the site. Operation Firewall, as it was dubbed, was the largest law enforcement operation against the computer underground in history.
U.S. Attorney General John Ashcraft declared the operation the first major victory in the war on carders. Butler’s prudence had saved him. Despite the emergence of new online forums, he decided to create his own, secure Carders Market. He included standard features. Vendors presented their product to an approved reviewer, who conducted test transactions. Fake IDs and counterfeit plastic were scrutinized for unclear logos, missing microprinting, and signature panels that couldn’t withstand a ballpoint pen.
Buyers were rated for each transaction, and sellers who didn’t deliver found a “Gut” tag on their profile, the equivalent of a one-star review on eBay. Butler assembled a team of hand-picked administrators, trusted leaders of the forum with the power to delete posts, ban users, and appoint reviewers. One, Golumfan, had survived Operation Firewall and had an impeccable reputation in the criminal underworld.
Another, Zebra, was a teenager from New York who Butler thought might someday become his partner. Butler also elevated Aragon to administrator status, presumably to shield himself from the effects of his drug trips. In May 2000, the U.S. Sentencing Commission changed the penalties for possession of stolen credit cards. Previous sentencing guidelines had punished thieves proportionally to how much money they stole.
That worked fine for low-level credit card fraudsters, but not at the top of the distribution chain, where the big players operated with thousands of purchased numbers. Clearing them of guilt was like giving a drug kingpin probation because his brick of heroin hadn’t yet found its way into an addict’s veins. So under the new rule, each stolen card number, used or not, was worth an arbitrary minimum of $500 at sentencing.
Caught with 1,000 numbers—about a day’s work for a decent salesperson—means you’ve moved $500,000 in cash, a felony punishable by 10 years in prison. Carders Market was an instant success—Butler launched the site under his own name, Iceman, and created two more usernames, Digits and Darkets, under which the feds say he sold merchandise.
Butler moved from banks to credit-card processing centers and to small restaurants and retailers, where he became an expert at smuggling sniffers into point-of-sale terminals. He handed out price lists to potential buyers: $12 for a Visa Classic, $19.50 for a Visa Gold, $16.50 for a MasterCard, $36 for an American Express. Ask for volume discounts.
Within a year, 1,500 buyers and sellers had signed up for Carters Market, as many as any of his competitors’ sites. But Butler wanted more; he wanted to expand. He hatched an audacious plan to control the entire black market in stolen credit cards. He’d spent nearly two decades honing his hacking skills. He’d stolen toll-free calls from local phone companies and infiltrated the computers of the U.S. Air Force.
Now, in August 2006, he was ready to pull off his most audacious gambit to date, taking over the online black markets where cybercriminals bought and sold everything from stolen identities to counterfeiting equipment. Collectively, these sites generated millions of dollars in commerce each year, and Butler had a plan to take it all under his control.
Much of the Internet’s illegal loot was sourced through four marketplaces – Scandinavian Carding, The Watched, Tolk Cash, Dark Market, and Carding World – where online criminals bought and sold credit card numbers, Social Security numbers, and other stolen data. Butler was taking them down one by one. First, he hacked their defenses, either by tricking their SQL database servers into running his own commands or by simply getting in with a cracked password.
Once inside, he siphoned off their contents, including the usernames, passwords, and email addresses of everyone who bought and sold on the sites. Then he destroyed their databases. He worked for two days straight. When he was tired, he’d pass out on a fold-out bed in his apartment for an hour or two, then get up and go back to work. Butler sent an email under the handle Iceman to all the thieves whose accounts he’d usurped. “Like it or not?” he wrote.
“You are now a user of his own website, cardersmarket.Com.” And so Butler created one of the largest criminal marketplaces the Internet had ever seen, with 6,000 users. The takeover was strictly business. The stolen data market was fragmented across many sites, all of which were riddled with snitches and security holes. By taking control of the entire criminal underworld, Butler had created a marketplace he could trust.
More importantly, it satisfied his competitive streak. Offline, Butler was a good-natured guy, but in the privacy of his safehouse, Eisman pursued his online enterprise with a ruthless zeal. He wasn’t really after the money, he just wanted to prove he was smarter, bolder, and tougher than everyone else.
The hostile takeover was Butler’s crowning achievement, but it was also the beginning of his downfall. His actions made him a target for law enforcement, for whom he embodied a new breed of professional cybercriminal who was becoming a far greater scourge on the Internet than amateur hackers. The rise of carding forums allowed thieves around the world to buy data, equipment, and services.
Since 2005, hackers and corrupt insiders have stolen more than 140 million records from U.S. banks and other companies, costing the FBI about $67 billion annually. In 2002, FBI Director Robert Mueller named cybercrime one of the bureau’s top priorities, behind only terrorism and foreign espionage. Butler’s takeover put him squarely in the federal zone.
In the days that followed, his defeated rivals resented the forced merger, fought to reclaim their users, and staged halfhearted counterattacks. If Butler was cowed by the forces mobilized against him, he didn’t show it. Then a young Mongolian immigrant fluent in Russian was hired by Butler to attract users from Russians and forums. In October 2006, a USA Today reporter contacted Butler to inquire about the Carder's Market acquisition and concerns that the merger could unleash a new wave of cybercrime.
Butler, like Eisman, told him that Carder's Market was simply a service he was offering to the public. Butler's comments were not included in the article, but his original partner, Aragon, nearly had a stroke when he heard about them. He had watched Butler spend his time sparring with critics on the Dark Web and carrying out money-losing altruistic acts, such as taking down a child porn site.
Now he was giving interviews to the press. “You’re crazy,” Aragon told him. Aragon worried that Butler was losing focus on the end goal—a big score that could catapult them both out of the criminal business for good. But while Aragon was eager to return to the life of a legitimate entrepreneur, Butler wasn’t looking to escape the criminal world he now ran. On
September 29, 2006, about 500 Capital One employees received an email from a Lending News reporter named Gordon Reilly asking for interviews about a recent leak of Capital One customer records. In the email, Reilly said he got their name from a report published in Funational Edge and included a link to the original article.
When recipients clicked the link—about 125 of them—they were taken to a blank page. While they were puzzling over the blank site, a hidden payload passed through Capital One’s Mauser brand and landed on their computers. In reality, there was no data breach at the fifth-largest credit card issuer in the U.S., but Reilly, or someone using that name, was working to make it happen.
When Capital One’s security team learned of the fraud, they called the FBI, which referred the case to the National Cyber Forensics and Training Alliance. The nonprofit, which goes by the acronym NCFTA and was founded in 2002, acted like the Justice League of hacking, bringing together FBI professionals and security officers from banks and tech companies to share best practices and intelligence.
FBI agents weren’t surprised to find that FunationalEdgeNews.Com was registered under a pseudonym, but when they examined the account records, they discovered that it was registered to the same account as another site they’d been monitoring, CardersMarket.Com. The feds were already familiar with Eisman, the mysterious founder of Carder’s Market.
In 2006, one of their agents landed a coveted job as an admin on Dark Market under the alias Master Splinter after months of work. The government was preparing a massive attack on the site when, out of nowhere, Iceman shut it down and directed its members to his own Carder's Market. Not only that, he tracked Splinter's IP address to the NSFTE offices and told everyone in the underground about the rat.
The Capital One attack implied that Iceman wasn't just running a lewd website for cybercriminals, he was a thief himself. Butler acted as if he knew the feds were after him. In November 2006, he announced Iceman's retirement, made it clear that he had handed over control of Carters Market to an admin under the alias TheCorruptedDan, and then resigned. He soon brought the site back under a new name, Apex, after beefing up his physical security by moving safe houses.
But the feds were working on the other side. They were targeting Jonathan Zebra Giannone, the same young hacker who had been one of the original administrators of Carders Market. Zebra had made a fatal mistake in June 2005, when he sold Gollum Fun, a 21-number Bank of America Platinum card, for $600. Unbeknownst to Zebra, Gollum Fun, whose real name was Brad Shannon Johnson, had recently been caught passing counterfeit checks in Charleston and had agreed to serve as an undercover informant.
He worked out of a Secret Service office. Butler quickly identified the rat and banned him, but not in time to save Zebra. On March 8, 2007, the kid was convicted of wire fraud and identity theft. Zebra was called to talk to his cell at the Lessington County Jail in South Carolina a week after his trial.
Two agents told him, We want to know who the Iceman is. The agents called Zebra’s attorney, who agreed to testify in the hopes of getting leniency for his client. In a series of meetings over the next three weeks, authorities say, Zebra told them everything he knew. Iceman lived in San Francisco, ran a bustling dumping business, sometimes using the alias “Digets” to sell his wares.
And, most important, he had a partner named Christopher Aragon. The Secret Service knew little about Aragon, but the FBI had a file on him. Jeff Norrington had already been arrested on new fraud charges in Orange County in 2005. While in custody, he willingly told the FBI all about Aragon and his partner, Max Butler.
Now all the feds had to do was get enough evidence against Aragon to issue a search warrant. But they were beat to it. On Saturday, May 12, Aragon was arrested by local police at a convenience store 20 miles from his home in Cape Country Beach, California, along with an accomplice who had been buying bags with his counterfeit cards. Detectives obtained a search warrant for his home and a nearby warehouse and seized hundreds of cards, a computer, counterfeiting equipment, and sample quantities of cocaine, marijuana, and ecstasy.
Using Aragon’s meticulous business records as a road map, they checked out his cashiers and other accomplices, making seven more arrests, including Aragon’s wife, Clara, who was reselling the bags on eBay. Aragon’s mother was forced to take custody of their two grandchildren. The arrest of his friend scared Butler. He deleted Aragon’s account at Carthers Market, threw out his cell phone, and found another safe house: Oakwood Gary Courtyard, a corporate apartment building in San Francisco’s Tenderloin district.
On June 7, Butler picked up a red Mustang, loaded it with his computer and bag, and drove to Oakwood. But he didn’t notice the Secret Service agents watching him. A month later, Butler was tired of the constant paranoia. It was time to emerge from the shadows. His surveillance was up, and it would be easier to find work now. But Butler couldn’t bring himself to just quit Carders Market, and he didn’t trust any of his remaining administrators enough to hand over the reins.
Not even Zay Corruptedon, who devoted 14 hours a day to the site and sometimes acted suspiciously. Butler didn’t know it, but his time was running out. In July and August, the Secret Service had already questioned Mongol, a former Russian translator who was on probation after being arrested with counterfeit cards. Meanwhile, the FBI had won a secret injunction allowing agents to track the IP addresses of visitors to the Carters Market server. It was the modern equivalent of taking down license plates outside a mob hangout.
And the feds knew it was no coincidence that some of them traced back to broadband subscribers a block away from Oakwood. Butler, they realized, was accessing his neighbors’ Wi-Fi. On Wednesday, Sept. 5, Butler dropped his girlfriend off at the post office and headed into Oakwood. He walked up to the fourth floor, opened the door, and collapsed on his bed, falling asleep.
Around 2 p.m., the front door burst open and six Secret Service agents swarmed in. They handcuffed Butler and took him to a nearby federal building for questioning. Some of the agents seemed surprised by Eisman’s politeness and charm. Butler was not the cold, calculating crime lord they’d been tracking for a year. On the way to prison, one agent even expressed confusion.
“You seem like a nice guy,” she said, “and that will help you. But I have one question for you. Why do you hate us?” Butler was speechless, because he had never hated the Secret Service, or the FBI, or even the informants at Carders Market. Iceman had. But Iceman had never been the real thing. He was a disguise, a persona Butler wore like a suit when he was in cyberspace.
The real Max Butler had never hated anyone in his life, and he was calm. His computers were locked down, his encryption was secure. He was able to relax a little as the agents let him get dressed and then led him down the hallway in handcuffs. Along the way, they passed a group of three people waiting for the Secret Service to secure a safe house. They weren’t the feds. They were Carnegie Mellon University’s Computer Emergency Response Team, or CERT.
And they were there to crack Butler's cryptography. For the past two weeks, the CERT team had been running through various scenarios of what they might encounter in Butler's safe house. Now the team leader examined the equipment. Butler's server was connected to five hard drives. Two of them had been disabled when an agent tripped over a cable on the floor, but the server itself was still running, and that was all that mattered.
A few months later, Aragon's lawyer gave him the bad news. The Secret Service had hacked Butler's servers and knew more about the hacker than Aragon did, which meant that Aragon probably wouldn't get a deal even if he wanted one. The lawyer also said that Butler had about 1 million credit card numbers on his hard drive.
Aragon was shocked. They'd spent all these years looking for one big win, and Butler was sitting on enough dumps to set them up for the rest of their lives. Butler had never said a word to Aragon about his stash. Aragon’s anger faded when he realized the implications for Butler. He was charged with the equivalent of a $500 million heist. Butler was potentially facing the first life sentence for a hacker in U.S. history.
“I couldn’t figure out what this guy was doing,” Aragon later said. “Why didn’t he just go get a job? Then, years later, it hit me. Max just liked hacking.” Christopher Aragon was sentenced to 25 years without parole. Seven members of Aragon’s old crew pleaded guilty and received sentences ranging from a few months to seven years.
His wife received two years and eight months. Max Butler spent a year in jail awaiting trial. His attorney tried to get Butler released on bail, but the judge refused after the feds suggested Butler had a huge stash of hidden cash and could easily use his connections to disappear under a new identity. To prove he was a flight risk, they played their trump card: correspondence between Butler and a Secret Service informant who had infiltrated Carders Market.
In it, Butler detailed the steps he had taken to cover his tracks after Aragon’s arrest, demonstrating his ability to impersonate others and elude law enforcement. The contents of the correspondence were concealed, but the messages left no doubt as to the informant’s identity. It was The Corrupted Don.
After pleading guilty to two counts of wire fraud and stealing nearly two million credit card numbers that were used to make $86 million in fraudulent purchases, Butler was sentenced to 13 years in prison, the longest sentence ever handed down for hacking in the United States at the time. Following his prison term, Butler also faced five years of supervised release and was ordered to pay $27.5 million in restitution to his victims.
In 2018, Butler was indicted on a new charge of running a drone smuggling operation. The indictment stated that in October 2014, he obtained a banned cellphone and allegedly used it to obtain stolen debit card numbers from the internet, which he used to steal money that he paid to other inmates.
Prosecutors allege that a former cellmate named Jason Dane Tidwell communicated with Butler through an encrypted messaging app and that in the spring of 2016, Butler allegedly asked Ti Duell to buy a remote-controlled drone with some of the money he made from a debit card scam so he could fly contraband with the drone.
One inmate, Phillip Tyler Hammons, admitted to picking up the packages and implicating Butler in the plan. Butler claimed that Hammons was the mastermind behind the scheme. Butler was released from prison in Victorville on April 14, 2021. He will be on supervised release until 2026.
To understand his story and truly understand one of the most unusual fates not only in the world of hackers, but also in crime, let's look into his past and, as always, start from afar. Meet Max Butler. On the other side of the law.
In addition, there are already videos about Quentin Tarantino, Britney Spears and Scarlett Johansson, and a video about George Orwell and the Coca-Cola company is coming soon. The approach to video production is the same there as here, studying everything that can be reached and issuing informative and interesting material. So, if you are interested in this topic or me personally as the author, then the link is for you in the description.
If not, then forget everything said earlier and continue watching "Beyond the Law". Butler was born on July 10, 1972 and grew up in Meridian, Idaho. He had a complete family, his father - the owner of a small computer store, mother and younger sister. Since childhood, he was surrounded by various computer hardware and enjoyed helping his father.
He came of age at a time when the world literally began to move to the Internet. At the age of 8, Butler was already learning to program in BASIC, and by his early teens he was a fan of phreaking - fraud with phone numbers. When Max was 14, his parents divorced. His father left, and the teenager stayed to live with his mother and sister. Butler was an atypical geek and often participated in fights.
He was tall and played sports. This period in his biography is described as a state between complete detachment and real madness. At the same time, he received his first suspended sentence for breaking into a school chemistry lab and wreaking havoc in the corridors and offices using all available means found there. Butler pleaded guilty to intentional damage to property, first-degree burglary, and grand theft.
A forensic psychiatrist diagnosed him with bipolar disorder and prescribed pills. After the trial, Max moved to his father in the city of Boise, also in Wydaho, and entered a local high school, and also helped his father with his business, happily assembling computers. His father immediately canceled all his medications, since he did not believe in the psychiatrist's diagnosis and believed that the prescribed drugs were addictive. Butler had big plans for the future, he wanted to go to a prestigious university to study programming.
He probably would have succeeded if it weren't for a love story. In one of Boyce's clubs, Butler met a blonde peer named Emmy and fell in love right away. She reciprocated his feelings, and they began to spend a lot of time together. Emmy was applying to Boyce State University, and Butler decided to apply with her because he didn't want to break up.
He easily passed the exams for the computer science department, and also enrolled in additional courses in data structuring, chemistry, and mathematical analysis. At that time, all the students were into a simple game called Matt, essentially a text-based virtual world without pictures, but with a chat. The game was full of serious passions and fights between magicians, dragons, and elves, and Max and Emmy also participated in this.
It was in the game that Butler noticed that his girlfriend was flirting with other men. This angered him, so he forbade the girl to play. But she continued, and even more. Online, in the presence of many teammates, she announced the separation to the jealous Max. Right there, in the chat, he responded to her in detail about how he would kill an unfaithful girlfriend. Even then, some users contacted the police.
For some time, Max continued to attack Emmy with phone calls, begging her to come back, and when he refused, he began to threaten her again. On October 30, 1990, he dialed her number again and calmly asked to meet. Emmy thought that Max had finally cooled down and agreed. Then their versions differ. The girl claimed that he kept her in his house for an hour and periodically strangled her. Max himself denied everything.
Emmy filed a lawsuit, and the trial lasted until the spring. Butler refused to admit that he strangled Emmy and said that she could leave at any time. He was given a restraining order to prevent him from approaching her and a choice of 45 days in prison or release on bail if found guilty. The sentence was postponed for a month, and during that month, Max managed to do more things. While driving, he saw Emmy and her new boyfriend, whom she met in that game.
Max pressed the gas pedal and sped past the couple, violating the terms of the restraining order. On May 13, 1991, Max Butler was sentenced to five years in prison on charges of assault with a deadly weapon - his hands. He never admitted his guilt. After his parole in 1995, the era of the computer Internet was flourishing.
After he was released, he moved to Seattle with his father, but because of his criminal record, Max was not hired for good jobs. And if they did, they quickly kicked him out because some suspicious activity began on the computers and servers of these companies. Butler actively shared pirated music, software and games in an Internet chat. Tired of such a life, he decided to start a new one. He changed his name and moved to San Francisco.
In San Francisco, Max settled in with old friends from the city of his childhood, who rented a luxurious mansion and, like Max, were determined to grab their piece of the pie in cyberspace. Life began to improve, he got a job as a system administrator, he liked the job, liked helping people, but the past knocked on the door again. Max Butler was sued for piracy for 300 thousand dollars by the Association of Software Publishers. The amount was reduced to 3.5 thousand dollars when he agreed to consult the Association on cybersecurity, and this case attracted the attention of the FBI.
In 1997, Max, who now had the last name Vision, became an informant for the feds, he helped to find real cybercriminals. At that time, he considered himself a white hacker, using his skills for good. At that time, Butler was hired by the legitimized former hacker Matt Harrigan.
He founded the company MicrocosmComputerResource, a firm that specialized in cybersecurity and searching for vulnerabilities in the systems of large corporations. Among other companies, it was distinguished by its marketing approach. Yesterday these people stole your data, and today they protect it. So Butler embarked on the path to correction. He worked for the FBI, received 100-150 dollars an hour in Harrigan's company, and a little later happily married Kim Winters, who moved to a nice apartment in San Jose.
And all this began to collapse when, in the process of work, Max discovered a major breach in the foundation of the Internet. BIND is a scalable domain name system that converts the links we are used to into numeric addresses that the network operates with. By 1998, its code was outdated, and they decided to rewrite it. But there was still one line in it that gave attackers a potential opportunity to hack.
Sending too large a request would overflow the memory buffer, giving skilled and patient hackers a direct route to where they wanted to go, to the short-term storage area called the stack, the place where the processor saves all of its actions. Every time a program switches the computer to a subroutine, the processor places the current address on the stack, so it knows where to return to after the program is finished.
A hacker who has gained access to the stack can rewrite the last return address to the location of his malicious code. Thus, after executing the subroutine, the computer will return via a malicious link, and since Bandage runs as an administrator, this means that the computer is now at the mercy of whoever got through this breach.
Max was one of the first to discover this line and, of course, notified the FBI, but the state machine was too sluggish and the danger that someone would launch an attack through the breach was so great that Butler could think of nothing better than to launch it himself. He wrote a program that found unpatched computers, got there through the breach, rewrote the defective line, protecting the computer but leaving a backdoor for Butler.
For five days, Max enjoyed power over cyberspace. He captured so many government computers that his own was shutting down from overheating. He even got to the developers of Quake 3, downloaded their source code and, having patched the security holes, wrote them a letter. For him, this was an exciting adventure, during which, carried away by a real hunting passion, he literally wrote down checkpoints, as if he were playing a computer game.
BMF bases, universities, the computer of the presidential assistant. Five days later, due to the volume of traffic, he was discovered by a professor at the university Max had once wanted to attend. And Butler wrote to the professor that he was patching an unprecedented hole in the defense. However, after that, he stopped the attack and began to spread information about it.
He published a large article in which he described in detail how to protect against hacking due to a gauze error. He continued to write reports to the FBI, called the supervising agent, who once said that they needed to meet. And he was identified by one little thing. Butler installed pop-up messages with a notification about the takeover of a new system, and from this notification they were able to determine the IP address, which led directly to his apartment in San Jose.
Four agents came to the house when his wife Kim was not at home. They immediately told Max that they knew everything, told him how they found out and, of course, did not believe Butler's version that he did all this to protect himself. But he was so sincere that the agents softened and asked him to tell everything. And Max naively told, thinking that the feds believed him, but it was not so.
He was charged with unauthorized access to US Air Force computers and offered a deal. The sentence could have been suspended if he ratted out his boss Matt Harrigan, but Butler refused and in September 2000 pleaded guilty, receiving 18 months of real prison and three years of supervised release. A few months later, Kim left him. 18 months in Taft prison did not go to waste for Butler.
There he met a talented con man named Norington, who was ruined by his addiction to alcohol. Norington almost served out his 11-month sentence and immediately took note of Max's talents. They walked in the yard every day, fantasizing about doing business together. Butler could hack brokerage firms, and they connected to trading accounts and transferred them to offshore banks. One big catch and they will have enough money for the rest of their lives.
This is the kind of talk hackers do when they go to prison and first interact with career criminals. Once they get out, the schemes are usually forgotten. That was the case with Butler, initially. In 2002, he was transferred from Taft to a halfway house in Oakland. He had two weeks to find a job or go back to prison, so Butler offered his services at a reduced rate.
The last half-dozen employers I had paid me at least $100 an hour for my time, he wrote on a job board for computer security jobs. Now I'm asking only $7. At the same time, Kim, having found herself a new man, divorced him. With no money, Butler watched sadly as the project developed for them as cybersecurity specialists, while he was left out of work, forced to fix computers for pennies, as in his youth.
However, Norrinton soon contacted him and proposed a plan. Butler would become a blackhead hacker, he would sponsor him and they would steal lots and lots of money. True, his Norrinton did not have money to sponsor yet, but he knew where to get it. So another player got involved, Chris Aragon, a former bank robber, carder and swindler from a very respectable American family and with an impressive criminal past.
In 1996, he served his second term for transporting drugs for cartels and decided to quit crime, organizing a leasing business for startups. In 2001, he went bankrupt and again found himself at a crossroads. This is how he crossed paths with Norrinton, and then with Butler personally. During their first entanglements, Norrinton disappeared with the money, but Aragon and Butler developed a friendly relationship.
Butler emerged from prison just as the cybercrime gold rush was happening. In 2002, the first generation of carding forums brought an entrepreneurial spirit to the Underground that had never been seen before. For the first time, a Denver scammer could buy stolen credit card numbers from a hacker in Moscow, ship them to Shanghai to be turned into counterfeit cards, then pick up a fake driver’s license made in Ukraine before heading to a mall to cash out.
But hacking from home was for idiots and teenagers; it was too easy for law enforcement to track IP addresses and subpoena ISPs for location information. So, Aragon says, once a month he and Butler would head to downtown San Francisco, where the pair would stay in hotels for up to a week.
They would bring Butler’s antenna into the room and set it up on a tripod taped to the floor near the window. Butler would spend some time trying to find a high-speed wireless connection with a strong signal that he could log on to and use anonymously. If that didn’t work, Aragon would run to the front desk to ask for another number, explaining that he couldn’t get a cellphone signal or was too afraid of heights to stay on the twentieth floor.
Butler, fresh from his time in prison, began targeting other hackers, Aragon recalled. He would lurk in online chat rooms, sniffing out the most vulnerable cybercriminals and tapping into their systems. He would scrape everything—stolen IDs, passwords, PINs. The most valuable commodities were the dumps—the data from the magnetic strip on the back of credit cards. Once Butler had enough dumps, Oragon went to work, churning out counterfeit cards using a foil heat press and magnetic tape.
Once the ink was dry, Oragon and his friends would go shopping for luxury items that could be easily sold. Speed was of the essence; they had to grab the freshest shipments, press them into plastic, and buy as many as they could before other scammers started using the same data.
After months of scamming scammers, Butler moved on to smaller regional banks and credit unions that couldn’t afford top-notch security. He sold his wares to Aragon for $5,000 to $10,000 a month, and Aragon, back in Orange County, had hired a shady crew for his business, an assistant to print the cards, and attractive young women to shop at high-end department stores. Their job was to buy designer handbags, jeans, shoes, and watches to resell on eBay in exchange for a percentage of the profits.
By the end of 2003, Aragona's business was providing him with rent for a mansion and a prestigious private school for his children. But as the money rolled in, the former bank robber found less useful uses for it: parties, cocaine, ecstasy, weed, and trips to Vegas. Butler preferred an ascetic lifestyle.
A big-screen TV was his only weakness. Aragon's bad habits caused a rift in his friendship with Butler. Max worried that Aragon's drug use was making him reckless and began demanding a larger share of the profits. And in April 2004, Aragon tried to pass some suspicious cards at the front desk of a San Francisco hotel. He was arrested, given three years' probation, and banned from the hotel for life.
For Butler, this was his cue to start looking for other buyers for his wares. For most cybercriminals of the time, this would have meant creating an account on Shadow Crew, a 4,000-member go-kart site. Butler logged in as Iceman, but soon sensed something was wrong and left the forum. One of the site’s administrators, named Kumbaggione, urged members to use an invite-only virtual private network to avoid surveillance.
This gave Kumbaggione a window into the members’ activities. The suggestion obviously bothered Butler, and his instincts were right. Four months later, Kumbaggione was exposed as a snitch when the Secret Service arrested 28 members of Shadow Crew and shut down the site. Operation Firewall, as it was dubbed, was the largest law enforcement operation against the computer underground in history.
U.S. Attorney General John Ashcraft declared the operation the first major victory in the war on carders. Butler’s prudence had saved him. Despite the emergence of new online forums, he decided to create his own, secure Carders Market. He included standard features. Vendors presented their product to an approved reviewer, who conducted test transactions. Fake IDs and counterfeit plastic were scrutinized for unclear logos, missing microprinting, and signature panels that couldn’t withstand a ballpoint pen.
Buyers were rated for each transaction, and sellers who didn’t deliver found a “Gut” tag on their profile, the equivalent of a one-star review on eBay. Butler assembled a team of hand-picked administrators, trusted leaders of the forum with the power to delete posts, ban users, and appoint reviewers. One, Golumfan, had survived Operation Firewall and had an impeccable reputation in the criminal underworld.
Another, Zebra, was a teenager from New York who Butler thought might someday become his partner. Butler also elevated Aragon to administrator status, presumably to shield himself from the effects of his drug trips. In May 2000, the U.S. Sentencing Commission changed the penalties for possession of stolen credit cards. Previous sentencing guidelines had punished thieves proportionally to how much money they stole.
That worked fine for low-level credit card fraudsters, but not at the top of the distribution chain, where the big players operated with thousands of purchased numbers. Clearing them of guilt was like giving a drug kingpin probation because his brick of heroin hadn’t yet found its way into an addict’s veins. So under the new rule, each stolen card number, used or not, was worth an arbitrary minimum of $500 at sentencing.
Caught with 1,000 numbers—about a day’s work for a decent salesperson—means you’ve moved $500,000 in cash, a felony punishable by 10 years in prison. Carders Market was an instant success—Butler launched the site under his own name, Iceman, and created two more usernames, Digits and Darkets, under which the feds say he sold merchandise.
Butler moved from banks to credit-card processing centers and to small restaurants and retailers, where he became an expert at smuggling sniffers into point-of-sale terminals. He handed out price lists to potential buyers: $12 for a Visa Classic, $19.50 for a Visa Gold, $16.50 for a MasterCard, $36 for an American Express. Ask for volume discounts.
Within a year, 1,500 buyers and sellers had signed up for Carters Market, as many as any of his competitors’ sites. But Butler wanted more; he wanted to expand. He hatched an audacious plan to control the entire black market in stolen credit cards. He’d spent nearly two decades honing his hacking skills. He’d stolen toll-free calls from local phone companies and infiltrated the computers of the U.S. Air Force.
Now, in August 2006, he was ready to pull off his most audacious gambit to date, taking over the online black markets where cybercriminals bought and sold everything from stolen identities to counterfeiting equipment. Collectively, these sites generated millions of dollars in commerce each year, and Butler had a plan to take it all under his control.
Much of the Internet’s illegal loot was sourced through four marketplaces – Scandinavian Carding, The Watched, Tolk Cash, Dark Market, and Carding World – where online criminals bought and sold credit card numbers, Social Security numbers, and other stolen data. Butler was taking them down one by one. First, he hacked their defenses, either by tricking their SQL database servers into running his own commands or by simply getting in with a cracked password.
Once inside, he siphoned off their contents, including the usernames, passwords, and email addresses of everyone who bought and sold on the sites. Then he destroyed their databases. He worked for two days straight. When he was tired, he’d pass out on a fold-out bed in his apartment for an hour or two, then get up and go back to work. Butler sent an email under the handle Iceman to all the thieves whose accounts he’d usurped. “Like it or not?” he wrote.
“You are now a user of his own website, cardersmarket.Com.” And so Butler created one of the largest criminal marketplaces the Internet had ever seen, with 6,000 users. The takeover was strictly business. The stolen data market was fragmented across many sites, all of which were riddled with snitches and security holes. By taking control of the entire criminal underworld, Butler had created a marketplace he could trust.
More importantly, it satisfied his competitive streak. Offline, Butler was a good-natured guy, but in the privacy of his safehouse, Eisman pursued his online enterprise with a ruthless zeal. He wasn’t really after the money, he just wanted to prove he was smarter, bolder, and tougher than everyone else.
The hostile takeover was Butler’s crowning achievement, but it was also the beginning of his downfall. His actions made him a target for law enforcement, for whom he embodied a new breed of professional cybercriminal who was becoming a far greater scourge on the Internet than amateur hackers. The rise of carding forums allowed thieves around the world to buy data, equipment, and services.
Since 2005, hackers and corrupt insiders have stolen more than 140 million records from U.S. banks and other companies, costing the FBI about $67 billion annually. In 2002, FBI Director Robert Mueller named cybercrime one of the bureau’s top priorities, behind only terrorism and foreign espionage. Butler’s takeover put him squarely in the federal zone.
In the days that followed, his defeated rivals resented the forced merger, fought to reclaim their users, and staged halfhearted counterattacks. If Butler was cowed by the forces mobilized against him, he didn’t show it. Then a young Mongolian immigrant fluent in Russian was hired by Butler to attract users from Russians and forums. In October 2006, a USA Today reporter contacted Butler to inquire about the Carder's Market acquisition and concerns that the merger could unleash a new wave of cybercrime.
Butler, like Eisman, told him that Carder's Market was simply a service he was offering to the public. Butler's comments were not included in the article, but his original partner, Aragon, nearly had a stroke when he heard about them. He had watched Butler spend his time sparring with critics on the Dark Web and carrying out money-losing altruistic acts, such as taking down a child porn site.
Now he was giving interviews to the press. “You’re crazy,” Aragon told him. Aragon worried that Butler was losing focus on the end goal—a big score that could catapult them both out of the criminal business for good. But while Aragon was eager to return to the life of a legitimate entrepreneur, Butler wasn’t looking to escape the criminal world he now ran. On
September 29, 2006, about 500 Capital One employees received an email from a Lending News reporter named Gordon Reilly asking for interviews about a recent leak of Capital One customer records. In the email, Reilly said he got their name from a report published in Funational Edge and included a link to the original article.
When recipients clicked the link—about 125 of them—they were taken to a blank page. While they were puzzling over the blank site, a hidden payload passed through Capital One’s Mauser brand and landed on their computers. In reality, there was no data breach at the fifth-largest credit card issuer in the U.S., but Reilly, or someone using that name, was working to make it happen.
When Capital One’s security team learned of the fraud, they called the FBI, which referred the case to the National Cyber Forensics and Training Alliance. The nonprofit, which goes by the acronym NCFTA and was founded in 2002, acted like the Justice League of hacking, bringing together FBI professionals and security officers from banks and tech companies to share best practices and intelligence.
FBI agents weren’t surprised to find that FunationalEdgeNews.Com was registered under a pseudonym, but when they examined the account records, they discovered that it was registered to the same account as another site they’d been monitoring, CardersMarket.Com. The feds were already familiar with Eisman, the mysterious founder of Carder’s Market.
In 2006, one of their agents landed a coveted job as an admin on Dark Market under the alias Master Splinter after months of work. The government was preparing a massive attack on the site when, out of nowhere, Iceman shut it down and directed its members to his own Carder's Market. Not only that, he tracked Splinter's IP address to the NSFTE offices and told everyone in the underground about the rat.
The Capital One attack implied that Iceman wasn't just running a lewd website for cybercriminals, he was a thief himself. Butler acted as if he knew the feds were after him. In November 2006, he announced Iceman's retirement, made it clear that he had handed over control of Carters Market to an admin under the alias TheCorruptedDan, and then resigned. He soon brought the site back under a new name, Apex, after beefing up his physical security by moving safe houses.
But the feds were working on the other side. They were targeting Jonathan Zebra Giannone, the same young hacker who had been one of the original administrators of Carders Market. Zebra had made a fatal mistake in June 2005, when he sold Gollum Fun, a 21-number Bank of America Platinum card, for $600. Unbeknownst to Zebra, Gollum Fun, whose real name was Brad Shannon Johnson, had recently been caught passing counterfeit checks in Charleston and had agreed to serve as an undercover informant.
He worked out of a Secret Service office. Butler quickly identified the rat and banned him, but not in time to save Zebra. On March 8, 2007, the kid was convicted of wire fraud and identity theft. Zebra was called to talk to his cell at the Lessington County Jail in South Carolina a week after his trial.
Two agents told him, We want to know who the Iceman is. The agents called Zebra’s attorney, who agreed to testify in the hopes of getting leniency for his client. In a series of meetings over the next three weeks, authorities say, Zebra told them everything he knew. Iceman lived in San Francisco, ran a bustling dumping business, sometimes using the alias “Digets” to sell his wares.
And, most important, he had a partner named Christopher Aragon. The Secret Service knew little about Aragon, but the FBI had a file on him. Jeff Norrington had already been arrested on new fraud charges in Orange County in 2005. While in custody, he willingly told the FBI all about Aragon and his partner, Max Butler.
Now all the feds had to do was get enough evidence against Aragon to issue a search warrant. But they were beat to it. On Saturday, May 12, Aragon was arrested by local police at a convenience store 20 miles from his home in Cape Country Beach, California, along with an accomplice who had been buying bags with his counterfeit cards. Detectives obtained a search warrant for his home and a nearby warehouse and seized hundreds of cards, a computer, counterfeiting equipment, and sample quantities of cocaine, marijuana, and ecstasy.
Using Aragon’s meticulous business records as a road map, they checked out his cashiers and other accomplices, making seven more arrests, including Aragon’s wife, Clara, who was reselling the bags on eBay. Aragon’s mother was forced to take custody of their two grandchildren. The arrest of his friend scared Butler. He deleted Aragon’s account at Carthers Market, threw out his cell phone, and found another safe house: Oakwood Gary Courtyard, a corporate apartment building in San Francisco’s Tenderloin district.
On June 7, Butler picked up a red Mustang, loaded it with his computer and bag, and drove to Oakwood. But he didn’t notice the Secret Service agents watching him. A month later, Butler was tired of the constant paranoia. It was time to emerge from the shadows. His surveillance was up, and it would be easier to find work now. But Butler couldn’t bring himself to just quit Carders Market, and he didn’t trust any of his remaining administrators enough to hand over the reins.
Not even Zay Corruptedon, who devoted 14 hours a day to the site and sometimes acted suspiciously. Butler didn’t know it, but his time was running out. In July and August, the Secret Service had already questioned Mongol, a former Russian translator who was on probation after being arrested with counterfeit cards. Meanwhile, the FBI had won a secret injunction allowing agents to track the IP addresses of visitors to the Carters Market server. It was the modern equivalent of taking down license plates outside a mob hangout.
And the feds knew it was no coincidence that some of them traced back to broadband subscribers a block away from Oakwood. Butler, they realized, was accessing his neighbors’ Wi-Fi. On Wednesday, Sept. 5, Butler dropped his girlfriend off at the post office and headed into Oakwood. He walked up to the fourth floor, opened the door, and collapsed on his bed, falling asleep.
Around 2 p.m., the front door burst open and six Secret Service agents swarmed in. They handcuffed Butler and took him to a nearby federal building for questioning. Some of the agents seemed surprised by Eisman’s politeness and charm. Butler was not the cold, calculating crime lord they’d been tracking for a year. On the way to prison, one agent even expressed confusion.
“You seem like a nice guy,” she said, “and that will help you. But I have one question for you. Why do you hate us?” Butler was speechless, because he had never hated the Secret Service, or the FBI, or even the informants at Carders Market. Iceman had. But Iceman had never been the real thing. He was a disguise, a persona Butler wore like a suit when he was in cyberspace.
The real Max Butler had never hated anyone in his life, and he was calm. His computers were locked down, his encryption was secure. He was able to relax a little as the agents let him get dressed and then led him down the hallway in handcuffs. Along the way, they passed a group of three people waiting for the Secret Service to secure a safe house. They weren’t the feds. They were Carnegie Mellon University’s Computer Emergency Response Team, or CERT.
And they were there to crack Butler's cryptography. For the past two weeks, the CERT team had been running through various scenarios of what they might encounter in Butler's safe house. Now the team leader examined the equipment. Butler's server was connected to five hard drives. Two of them had been disabled when an agent tripped over a cable on the floor, but the server itself was still running, and that was all that mattered.
A few months later, Aragon's lawyer gave him the bad news. The Secret Service had hacked Butler's servers and knew more about the hacker than Aragon did, which meant that Aragon probably wouldn't get a deal even if he wanted one. The lawyer also said that Butler had about 1 million credit card numbers on his hard drive.
Aragon was shocked. They'd spent all these years looking for one big win, and Butler was sitting on enough dumps to set them up for the rest of their lives. Butler had never said a word to Aragon about his stash. Aragon’s anger faded when he realized the implications for Butler. He was charged with the equivalent of a $500 million heist. Butler was potentially facing the first life sentence for a hacker in U.S. history.
“I couldn’t figure out what this guy was doing,” Aragon later said. “Why didn’t he just go get a job? Then, years later, it hit me. Max just liked hacking.” Christopher Aragon was sentenced to 25 years without parole. Seven members of Aragon’s old crew pleaded guilty and received sentences ranging from a few months to seven years.
His wife received two years and eight months. Max Butler spent a year in jail awaiting trial. His attorney tried to get Butler released on bail, but the judge refused after the feds suggested Butler had a huge stash of hidden cash and could easily use his connections to disappear under a new identity. To prove he was a flight risk, they played their trump card: correspondence between Butler and a Secret Service informant who had infiltrated Carders Market.
In it, Butler detailed the steps he had taken to cover his tracks after Aragon’s arrest, demonstrating his ability to impersonate others and elude law enforcement. The contents of the correspondence were concealed, but the messages left no doubt as to the informant’s identity. It was The Corrupted Don.
After pleading guilty to two counts of wire fraud and stealing nearly two million credit card numbers that were used to make $86 million in fraudulent purchases, Butler was sentenced to 13 years in prison, the longest sentence ever handed down for hacking in the United States at the time. Following his prison term, Butler also faced five years of supervised release and was ordered to pay $27.5 million in restitution to his victims.
In 2018, Butler was indicted on a new charge of running a drone smuggling operation. The indictment stated that in October 2014, he obtained a banned cellphone and allegedly used it to obtain stolen debit card numbers from the internet, which he used to steal money that he paid to other inmates.
Prosecutors allege that a former cellmate named Jason Dane Tidwell communicated with Butler through an encrypted messaging app and that in the spring of 2016, Butler allegedly asked Ti Duell to buy a remote-controlled drone with some of the money he made from a debit card scam so he could fly contraband with the drone.
One inmate, Phillip Tyler Hammons, admitted to picking up the packages and implicating Butler in the plan. Butler claimed that Hammons was the mastermind behind the scheme. Butler was released from prison in Victorville on April 14, 2021. He will be on supervised release until 2026.
