Confessed hacker Albert Gonzalez’s turn as a Secret Service informant led him down a dark path of obsession, culminating in the largest identity-theft spree in history.
Frances Gonzalez Lago, Gonzalez’s sister, wrote his sentencing judge that her brother’s work as an informant for the agency between 2003 and 2008 seemed to act as a reward for his obsession with computers. “All this seemed okay at the time, but psychologically it was feeding an obsession that in the end would become my brother’s downfall,” she told the court.
The information appears in a 24-page sentencing memo originally filed Tuesday by Gonzalez’s attorney, Martin Weinberg, before it was sealed, along with several exhibits. The memo was unsealed on Friday, with several pages redacted. Threat Level disclosed on Tuesday the information that was revealed in the redacted pages.
Weinberg is appealing to the court to sentence the 28-year-old hacker to 15 years. Gonzalez has pleaded guilty to hacking into TJX, the Dave & Buster’s restaurant chain and numerous other businesses. He faces a possible sentence of between 15 and 25 years under the terms of his plea agreement.
The sentencing memo depicts Gonzalez as an obsessive personality who derived his sense of worth from his computer skills and couldn’t seem to distinguish himself from his PC. When Gonzalez’s computer was infected with a virus, Weinberg writes in the memo, he “referred to the event as if it were he, himself, who had gotten the virus.”
Gonzalez’s self-defeating and uncontrollable behaviors were “destined to produce only one possible outcome: the compulsive criminal behavior that inevitably lead [sic] to his capture and punishment,” according to a psychological evaluation commissioned by Gonzalez’s attorneys.
The evaluation, prepared by Dr. Barry Roth, was submitted with the memo and is based on about 10 hours interviewing Gonzalez on November 16 and December 2. It indicates that the hacker is “very bright quick in some ways, but, very slow and ill-equipped in other ways.” He’s “bedeviled by insecurity,” and his personal life has been characterized by social “awkwardness” and “impairment.”
He “spiraled down the slippery slope, descending into greater and greater misdeeds. As it were, his journey through the circles of hell was paved with good intentions,” Roth writes, noting that his behavior is consistent with descriptions of those who suffer from Asperger’s Disorder.
“He was most likely born with a nervous system vulnerable to the pervasive developmental disabilities characterized by unconventional, and by norms of society, flawed and impaired social and cognitive skills; side-by-side with an idiot-Savant genius for computers and information technology.”
Gonzalez was scheduled for sentencing on Monday, but this week the judge ordered a postponement until March, in light of the newly submitted psychiatric report. The government is asking the judge for authorization to perform its own psychiatric evaluation of the hacker, a request Gonzalez’s attorney opposes.
In his sentencing memo, Weinberg further makes the case for leniency by writing that Gonzalez was not like the CEOs and hedge-fund managers who made headlines by stealing their clients’ money and bankrupting victims’ retirement savings. Unlike those white-collar criminals, Gonzalez was not motivated by “cold calculations of pure greed” for money — such as the $1.1 million he buried in a barrel in his parents’ backyard — but by the thrill of achieving greater and greater feats through the computer.
“No pension plans were wiped out,” Weinberg writes. “No investors lost their life’s savings. No one’s lives and financial security were destroyed. No publicly traded companies were destroyed.”
The vast majority of data stolen from TJX was “neither sold to or used by third parties to the detriment of card holders.” Of 36 million card numbers obtained from TJX, at least 25 million — approximately 70 percent — were for expired accounts, and were therefore unusable by the thieves. Of 5,132 credit cards taken from the Dave & Buster’s intrusion, only 675 of the cards — about 13 percent — were used by the thieves.
Furthermore, Weinberg writes, the government has never been able to deduce “the extent to which the stolen TJX data was ever used to an individual cardholder’s detriment, as opposed to simply remaining on the [hacker's] server.” He says it has simply estimated losses derived from the company’s SEC filings.
Gonzalez became obsessed with computing at an early age, and his life and attitude changed in middle school when he switched from being an extrovert to being a loner, who passed up dating girls to focus on the computer, Weinberg claims.
His mother, Maria, says in her own letter to the judge that she considered taking her son to a psychologist for an evaluation at the time, but Gonzalez refused. At one point, his parents moved his computer into his sister’s room to curtail his usage, but Gonzalez would simply sneak into the room in the middle of the night to use the machine. According to the letter written by Dr. Roth, Gonzalez’s father also “arranged a fake arrest with friends in the police force” as a sort of addiction intervention.
None of this helped wean him from the computer, however. During high school, Gonzalez hacked into computers of India’s government, as well as NASA machines, according to Roth. He wasn’t punished — the FBI and NASA merely came to his high school and basically said, “Don’t do it anymore,” Roth notes.
After graduating from high school, Gonzalez enrolled in Miami Dade Junior College to study computers. He dropped out during the first semester because his grades were poor and he grew bored with the pedestrian curriculum. After this, he moved to New York and found work with an unnamed internet company until the firm went out of business. He then worked for Siemens for a year until he was laid off when the company relocated to Pennsylvania. He was 21 at that point, and had developed a drug and alcohol problem, according to his lawyer. He was arrested in 2003 in Manhattan after withdrawing money from ATMs using numerous cloned bank cards.
When the Secret Service learned of his role as an administrator on Shadowcrew (one of the underground carding community’s leading forums for selling stolen card data), they turned him into an informant. He worked undercover to help snag more than a dozen cyberthieves in an investigation dubbed Operation Firewall. Gonzalez also gave lectures to law enforcement groups and the American Banking Association about the methods and technologies used by cyberthieves.
But all the while, he was maintaining his criminal contacts on the side and devising methods to break into multiple companies. His crime spree ended only when he was arrested for the second time in May 2008 for hacking into Dave & Buster’s. He was later charged in August 2008 with the TJX hack.
Gonzalez claims that his thinking has become much clearer during his 18 months in prison, without the effects of alcohol, drugs and computers.
“Now that he has had time to reflect on his crimes, his mind freed from the tyranny of computers and drugs and alcohol, he understands the sense of violation that the consumers whose credit card numbers were stolen (and on some occasions used) must have felt and is truly remorseful,” his lawyer writes.
The mother of Gonzalez’s former girlfriend, Jennifer Bulas, also appealed to the court on his behalf. Lydia Bulas is identified in the defense filings as a retired Treasury Department criminal investigator who conducted money-laundering investigations for 27 years. Her conclusion is that Gonzalez “has learned his lesson.”
He is “very remorseful and will definitely never commit any crime again,” she wrote.