PITTSBURGH — A skilled San Francisco computer intruder was sentenced here Friday to 13 years in federal prison for stealing nearly two million credit card numbers from banks, businesses and other hackers — in what is the longest hacking sentence in U.S. history.
Max Ray Vision, 37, was also ordered to pay $27.5 million in restitution, and to serve five years under court supervision following his release, during which time he’ll be allowed to use computers only for legitimate employment or education.
Vision, who changed his name from Max Butler shortly before his arrest, ran an online forum for thousands of identity thieves called CardersMarket, where he sold credit card magstripe data to the underground for about $20 a card. He was caught with 1.8 million stolen credit card numbers belonging to a thousand different banks, who tallied the fraudulent charges on the cards at $86.4 million.
The hacker faced up to life in prison under federal sentencing guidelines. But prosecutor Luke Dembosky on Friday recommended the significantly lower 13-year sentence, noting that Vision has provided substantial assistance to the government during his time in pre-trial custody.
“I was quite impressed by the cooperation shown by Mr. Butler,” agreed U.S. District Judge Maurice Cohill Jr.
Dressed in orange jail clothes, the soft-spoken hacker said little at Friday’s hearing, which at times felt more like an awards ceremony than a sentencing. Vision’s lawyer, prosecutor and judge took turns praising the hacker for his computer skills, and his apparent remorse over his crimes.
“I have a lot of regrets, but I think my essential failing was that I lost touch with the accountability and responsibility that comes with being a member of society,” Vision wrote in a letter (.pdf) to the judge on Thursday.
“I’ve changed,” Vision said in court Friday.
“He’s a likable person,” said prosecutor Dembosky. “Almost wide-eyed and optimistic in his view of the world.”
Vision’s 13-year term is the longest U.S. hacking sentence, though that record likely will be eclipsed next month when confessed TJX hacker Albert Gonzalez faces the first of two sentencing hearings. One of Gonzalez’s plea agreements contemplates a term of 17 to 25 years in prison.
The defendant’s sentence is longer than the one given to Michigan hacker Brian Salcedo. He was handed a then-unprecedented, nine-year term in 2004 for cracking the corporate network of the Lowe’s chain of home improvement stores.
In the late 1990s, Vision was a superstar in the computer security community, billing himself as an $100-an-hour computer security consultant. He gave the FBI information on security and piracy threats, and earned the respect of his peers for creating and curating an open source library of attack signatures used to detect computer intrusions.
But it turned out Vision was staging recreational hacks on the side, and in 2001 he was sent to federal prison for 18 months for launching a scripted attack that closed security holes on thousands of Pentagon systems, and left backdoors and packet-sniffers behind for his own use.
While in prison, Vision met more serious criminals, and after his release one of them introduced him to an Orange County, California entrepreneur and former bank robber named Chris Aragon, who became Vision’s partner.
Aragon, who’s pending trial on related state charges in Southern California, used Vision’s stolen credit card data to create near-perfect counterfeit cards, complete with holograms, and recruited a crew of shoppers who used the cards to snap up designer merchandise for resale on eBay. Aragon earned at least $1 million in the business, police say.
Vision also sold the credit card data online under the handles “Generous” and “Digits.” He stole data from restaurant point-of-sale terminals and other targets, including competing hackers.
“From what I know, his actual income from this entire event is probably not even a million dollars,” federal public defender Michael Novara said Friday.
The hacker became a priority to federal law enforcement officials in 2006 when, under the handle “Iceman,” he staged a brazen takeover of the competing online carder forums where hackers and fraudsters buy and sell stolen data, fake IDs and specialized underground services.
He hacked into the forums, wiped out some of their databases, and absorbed their content and membership into his own site, CardersMarket.
On one of the sites he hacked, called DarkMarket, Vision later discovered that an administrator named “Master Splyntr” was logging in from an FBI office here in Pittsburgh. The defendant partnered with a Canadian hacker to try and expose Master Splyntr as a fed, but his claim was largely dismissed in the underground as inter-forum rivalry. DarkMarket went on to become a full-blown undercover FBI operation, and the FBI and Secret Service began an investigation into “Iceman.”
Using informants and some genuine electronic gumshoe work, the feds identified Iceman as Vision about a year later, and arrested him in September 2007 at a corporate apartment he used as a hacking safe house. When the feds seized his computer, they found five terabytes of encrypted data. Experts at Carnegie Mellon University’s Computer Emergency Response Team eventually cracked Vision’s crypto.
Vision’s plea deal wraps up a separate federal case in Virginia, where Vision was charged with staging the first documented “spear phishing” attack against employees of a financial institution by unlawfully accessing the corporate network of Capital One bank.
With credit for time served and good behavior, Vision could be released in December 2018.
