PITTSBURGH – A skilled San Francisco-based computer hacker who once sought to unite the cyber underworld under his benign rule pleaded guilty to federal wire fraud charges here Monday, admitting he stole nearly 2 million credit card numbers from banks, businesses and other hackers, which were used to rack up $86 million in fraudulent charges.

Max Ray Butler, 36, faces up to 60 years in prison for the two felonies under law, but his actual sentence will be influenced by a number of factors, not least a plea agreement with federal prosecutors that was filed under seal Monday.

Wearing an ill-fitting orange jail uniform and round glasses, his hair cut short and neat, the six-foot-plus Butler towered over the burly deputy marshals that brought him into the court room. Once he settled into his seat, he spoke softly and evenly as he answered questions from the judge, frequently drawing admonishments to speak up for the benefit of the court reporter.

"I actually did the actions that are relevant in the indictment, and I am guilty," Butler said, at one point.

Butler identified himself in court as "Max Vision," the name he gave himself in the 1990s when he became a superstar in the computer security community. At that time Butler was billing himself out as a $100-an-hour computer security consultant, and he earned the respect of his peers for creating and curating an open source library of attack signatures used to detect computer intrusions.

But it turned out Butler was staging recreational hacks on the side, and in 2001 he was sent to federal prison for 18 months for launching a scripted attack that closed security holes on thousands on Pentagon systems, and left backdoors behind for his own use.

While in prison, Butler met more serious criminals, and he was befriended by a professional swindler named Jeffrey Norminton. After his release, Norminton introduced him to an Orange County, California entrepreneur and former bank robber named Chris Aragon.

Butler admitted Monday that he began hacking banks, merchants and other hackers to steal credit card numbers, which he sold to Aragon and others. Aragon, who's pending trial on related state charges in southern California, turned that stolen data into near-perfect counterfeit cards, complete with holograms, and recruited a crew of shoppers who used the cards to snap up designer merchandise for resale on eBay. Aragon earned at least $1 million in the business, police say.

Butler became a priority to federal law enforcement officials in 2006, when, under the handle "Iceman," he staged a brazen takeover of the online carder forums where hackers and fraudsters buy and sell stolen data, fake IDs and specialized underground services.

He hacked into the forums, wiped out their databases, and absorbed their content and membership into his own site, called CardersMarket.

On one of the sites he hacked, called DarkMarket, Butler later discovered that an administrator named "Master Splyntr" was logging in from an FBI office in Pittsburgh. Butler partnered with a Canadian hacker to try and expose Master Splyntr as a fed, but his claim was largely dismissed in the underground as inter-forum rivalry. DarkMarket went on to become a full-blown undercover FBI operation, and the FBI and Secret Service began an investigation into "Iceman."

(I wrote about Butler in the January issue of Wired. I'm now working on a book about him and the carder forums, due out from Crown in 2010).

Using informants and some genuine electronic gumshoe work, the feds identified Iceman as Butler about a year later, and arrested him in September 2007 at a corporate apartment he used as a hacking safe house.

When the feds seized Butler's hard drive, they found five terabytes of encrypted data on his harddrive, the government said Monday. They later cracked Butler's crypto, and discovered 1.8 million stolen credit card numbers belonging to 1,000 different banks. The banks tallied the fraudulent charges on the cards at $86.4 million.

But Butler's defense attorney told U.S. District Judge Maurice B. Cohill Jr. Monday that Butler and his associates weren't' responsible for all of the fraudulent charges.

Butler, noted federal public defender, Michael Novara, frequently cracked the computers of other members of the underground, and stole their stuff. Some of the credit card numbers found on Butler's hard drive had been in the hands of cyber thieves before Butler began his hacking spree.

"Max is kind of a hacker's hacker," said Novara. "There was a lot of stuff on his computer that he was not responsible for, and did not intend to use."

"I don't think I ever heard the expression, 'a hacker's hacker' before," said Judge Cohill, with a smile.

Sources say Butler's plea deal will also wrap up a separate federal case in Virginia, in which Butler is charged with staging the first documented "spear phishing" attack against employees of a financial institution, gaining access to the corporate network of Capital One bank.

Butler was calm and attentive at Monday's proceeding, which opened with federal prosecutor Luke Dembosky crossing to the defense table to shake hands with the hacker, who smiled and nodded.

Through his attorney, Butler released a two-paragraph statement following his plea.

"Max Vision, known in this case as Max Butler, pled guilty today as a first step toward getting this sad chapter of his life behind him. It is unfortunate that his life circumstances in 2005 led him to participate in this criminal conduct, and he very much regrets doing so," he wrote.

"Max has always preferred using his extraordinary computer skills – his computer vision – for the good of society and the cyber world, and he hopes that he will be given the opportunity in the future to once again don the white hat."

Asked afterward what kind of sentence the government expects for Butler, Dembosky was vague with reporters. "Suffice to say, it won't be probation.

See Also: