Final Conspirator in Credit Card Hacking Ring Gets 5 Years


Damon Patrick Toey, the "trusted subordinate" of TJX hacker Albert Gonzalez, was sentenced in Boston on Thursday to 5 years in prison.

He also received a $100,000 fine and three years' supervised release, according to the Justice Department.

Toey, 25, helped Gonzalez breach the networks of numerous companies through SQL injection attacks in 2007 and 2008 and also served as a vendor selling stolen card data. Upon his arrest in May 2008, he provided information that investigators say likely helped persuade Gonzalez to plead guilty last year to what prosecutors are calling the most serious and largest identity-theft crimes ever prosecuted.

Toey was the last of six U.S. defendants sentenced for the crimes. In all, federal judges have handed out nearly 38 years against Gonzalez and his crew, with Gonzalez getting the stiffest sentence by far.

Gonzalez received three concurrent sentences last month, amounting to 20 years in prison for his role in the hacks of TJX, Hannaford Brothers, Heartland Payment Systems and others, which resulted in the theft of more than 200 million credit- and debit-card numbers. After his arrest, Gonzalez led investigators to a stash of more than $1 million in cash buried in a barrel in his parents’ backyard.

Toey, who prosecutors say earned only about $80,000 for his role in the crimes, faced a maximum sentence of 22 years. Prosecutors took into consideration his extensive cooperation with authorities, and sought only 6 years in prison and a $100,000 fine, with no restitution.

According to his defense attorney’s sentencing memo, Toey was raised by a single mother, who later married and had two more children. He was little-supervised, and at age 11 began experimenting with marijuana and spending extended periods of time on the computer. At 15 he dropped out of school. After his mother’s divorce shortly thereafter, he and his family went through a string of evictions, and ended up staying with family friends for a while, where his mother spent much of her time partying, drinking and smoking pot.

It was during this disruptive period that Toey met Gonzalez, according to accomplice Stephen Watt. Gonzalez and Toey met online on an IRC channel for script kiddies called #feed-the-goats. The chat room was also home to the motley “Global Hell” hacking group that staged defacements of government and corporate web sites.

In 2003, at the age of 18, Toey conducted his first cash-out operation for Gonzalez, who by then had become an administrator at a website for carding thieves called Shadowcrew. According to Toey’s attorney, he and his family were living in a residential hotel at the time and needed money for rent.

Toey, with his mother’s blessing, took a bus to New York City and withdrew the money from ATMs using stolen bank-card data. Court records don’t indicate how much he stole, but his share of the money was sufficient to support his family’s move to an apartment.

Toey continued to work as a vendor and mule for Gonzalez through 2006, selling stolen bank-card numbers to others, and withdrawing cash on stolen accounts from ATMs. Although he did not participate in the hack of TJX, Dave & Buster’s restaurant chain and a string of other businesses during this period, he earned proceeds from the sale and use of the stolen data.

His participation in breaching companies began in 2007, prosecutors say, when the primary hacking mode for Gonzalez’s gang changed from attacking unsecured wireless networks to attacking vulnerable web sites with SQL injection attacks.

Toey moved to Florida in the fall of 2007, at Gonzalez’s invitation, to live rent-free in Gonzalez’s Miami condo.

He spent his days conducting reconnaissance on corporate networks, and uncovered vulnerable gateways at clothing retailer Forever 21 and other companies.

Toey passed information about the targets to Gonzalez, who further explored the networks for financial data, or provided the targeting data to Russian accomplices who burrowed into the networks.

The hack into Heartland Payment Systems, for example, which resulted in the loss of data on more than 100 million credit- and debit-card accounts, was actually conducted by two Russian hackers, identified in court documents only as “Grigg” and “Annex.”

Toey, whom prosecutors called a “trusted subordinate” of Gonzalez, also set up and maintained two servers for Gonzalez in Latvia and Ukraine, which were used to launch the hacks against corporate networks, and to store malware and stolen card data.

Toey’s attorney says that while living in Gonzalez’s condo, his client “began to realize it was only a matter of time before he and his cohorts were caught.” He wanted to end his life of crime and get a legitimate job, but didn’t know how to go about this, given his lack of education and work history.

His attorney says he was relieved when the condo was raided in May 2008 and he was arrested.

“It was a load off my shoulders,” his attorney quotes him saying. “I had been tired of doing this stuff for Albert for a while before I got arrested.”

He began cooperating immediately with authorities, even before retaining a defense attorney and getting legal advice.

He led investigators to the two servers in Eastern Europe and provided them with the encryption keys to access evidence on them. Authorities found 16.3 million stolen card numbers on the Latvian server and another 27.5 million stolen numbers on the server in Ukraine.

Prosecutors say they would not have been able to establish Gonzalez’s conspiracy with hackers Grigg and Annex without Toey’s help, which included testifying to the grand jury that indicted Gonzalez.

His testimony, along with the electronic evidence he helped authorities uncover, “likely weighed heavily in the decision of Albert Gonzalez and at least one of his co-conspirators to plead guilty to the offenses,” prosecutors wrote in their sentencing memo.

Some of Gonzalez's Eastern European accomplices have been indicted, and are presumed to be still at large. The other U.S. defendants have been sentenced as follows:

Christopher Scott, 27, was sentenced last month to 7 years in prison for breaching the wireless access points of several retailers between 2003 and 2007 to siphon credit and debit card numbers, which he then passed to Gonzalez. Scott's take from the crimes was at least $400,000, prosecutors say. Restitution is still to be determined.

Humza Zaman, 33, was sentenced last month to 46 months in prison and fined $75,000 for his role in the conspiracy. A former network security manager at Barclays Bank, Zaman was charged with laundering between $600,000 and $800,000 for Gonzalez.

Stephen Watt, 25, was sentenced in December to 2 years in prison for his role in the TJX case, which involved supplying Gonzalez with a sniffer program used to siphon card data from the TJX network.

Jeremy Jethro, 29, received 3 years' probation and a $10,000 fine for selling an Internet Explorer exploit to Gonzalez for $60,000.
