The two great friends talked every day and shared information about all of their exploits -- sexual, narcotic and hacking -- according to prosecutors. Now another thing they'll have to share information about is their experience in federal prison.
While accused TJX hacker kingpin Albert Gonzalez awaits a possible sentence of 17 years or more in prison, one of his best friends and accomplices was sentenced on Tuesday in Boston to two years for his role in what the feds are calling “the largest identity theft in our nation’s history.”
Stephen Watt, a 25-year-old former Morgan Stanley software engineer, pleaded guilty last December to creating a custom sniffing program dubbed “blabla” that Gonzalez and other hackers used to siphon millions of credit and debit card numbers from TJX's network. The breach cost TJX $200 million, according to its 2009 SEC filing.
Watt's lawyer had sought a sentence of probation.
But instead the 7-foot-tall coder who once had a bright professional future got two years in federal prison and three years of probation. A spokeswoman for the U.S. attorney's office in Massachusetts said the judge also ordered Watt to pay restitution to TJX in the amount of $171.5 million.
According to a source familiar with the case, U.S. District Judge Nancy Gertner indicated that her sentence was based in part on the enormity of the harm that was caused to the public by the crime and Watt's undeniable assistance in causing that harm.
"She believed in the end that a probation sentence would not be sufficient to satisfy the general deterrence to prevent harm to the public," the source said.
His lawyer, Michael Farkas, declined to comment on the sentencing.
Farkas asserted in his court filings that Watt was a minor and peripheral player in the credit card theft ring that Gonzalez dubbed “Operation Get Rich or Die Tryin” that began in 2005 to breach numerous vulnerable national retailers and card processors.
Watt, who graduated from high school at 16 with a 4.37 grade point average, was driven by intellectual curiosity and friendship, not greed, his lawyer said, and had no idea his program would be put to criminal use.
Prosecutors never alleged that Watt received money for the software he wrote, or directly profited from the hacks. But they brandished more than 300 pages of chats the two friends exchanged that belied Watt's stated ignorance.
“You have got to convince typedeaf to do some work for me,” Gonzalez wrote Watt in one of them, referencing the handle of another hacker. ”If he was able to hack some euro dumps we can make a fortune. I hacked a place and took ~30k euro dumps and this last week I made ~11k from only selling ~968 dumps.” (Dumps are the carding underground’s term for credit or debit card magstripe data, including account numbers.)
As Gonzalez and his accomplices hacked target after target, he sent Watt links to news stories describing a tidal wave of debit fraud spreading around the world.
Authorities found Watt's customized code stored on a server Gonzalez leased in Latvia, as well as 16.3 million stolen card numbers. Another 27.5 million stolen numbers were found on a server in Ukraine.
They said Watt was a witness to the ill-gotten gains his code produced. He attended a $75,000 birthday party Gonzalez threw for himself, and discussed launching a nightclub with Gonzalez’s backing. Gonzalez worried that because his money was mostly in cash, it would draw suspicion to the club. He offered to produce a check for $300,000 for Watt to make the transaction appear more legitimate.
Watt and Gonzalez met online when Watt was still in high school and bonded over a shared fascination with computers. While still a teen, Farkas says, Watt worked for Florida software firm Identitech. He was hired by Morgan Stanley in New York 2004 earning $90,000 as a software engineer.
After he moved to New York, he began experimenting with drugs and frequenting clubs. He left Morgan Stanley in 2007 for a higher-paying job at Imagine Software, developing real-time trading programs for financial firms, earning about $130,000.
This is where he was working on Aug. 13, 2008, when authorities swooped in to search the premises. Watt, who is married, was fired and is now banned from working in the securities industry.
Currently unemployed, his lawyer says he's been living in an apartment his mother paid off while awaiting sentencing.
“Watt will have to start over, and hope that his skills not only will land him on his feet,” Farkas wrote in a court filing earlier this year, “but that they will do so in a field that is at least somewhat as financially promising as the career that he has lost.”
See also
- TJX Hacker Was Awash in Cash; His Penniless Coder Faces Prison
- TJX Hacker Will 'Never Commit Any Crime Again'
- Document Reveals TJX Hacker's Assistance to Prosecutors
- TJX Hacker to Plead Guilty to Heartland Breach
- TJX Hacker Charged With Heartland, Hannaford Breaches
- TJX Suspect Was Near Plea Agreement Until New Charges Halted Talks
- Accused TJX Hacker Agrees to Guity Plea — Faces 15 to 25 Years
- Card Processor Admits to Large Data Breach
- Former Teen Hacker's Suicide Linked to TJX Probe
- I Was a Cybercrook for the FBI
- Bullion and Bandits: The Improbable Rise and Fall of E-Gold
- Hacking Godfather 'Maksik' Sentenced to 30 Years by Turkish Court
- Stakeouts, Lucky Breaks Snare 6 More in Citibank ATM Heist
