This article was taken from the March 2011 issue of Wired magazine. Be the first to read Wired's articles in print before they're posted online, and get your hands on loads of additional content by subscribing online.
Max Butler, a $110-an hour online-security expert, had an alter ego: "Iceman". Using this identity, Butler crowned himself king of a global online fraud network. It would take a dedicated team of FBI and secret agents to put a stop to his crimes.
The taxi idled in front of a convenience store in downtown San Francisco while Max Butler paid the driver and unfolded from the back of the car. Six foot five inches tall, his thick black hair pulled into a messy ponytail, he stepped into the shop and waited for the taxi cab to disappear. He then emerged and walked the two-block journey to his safe house.
Around him, tiny shops and newsstands awakened under the overcast sky and suited workers filed into the office towers looming above. Butler was going to work too. He'd be cloistered for days this time. Once he put his plan into motion, there'd be no slipping out for a bite of dinner. Nothing, until he was done. This was the day he was declaring war. His long gait took him to the Post Street Towers, an apartment complex he'd been coming to for months, doing his best to blend in with the exchange students drawn by short leases and reasonable rents. Nobody knew his name -- not his real one, anyway. And nobody knew his past.
Here, he wasn't Max Butler, the small-town troublemaker driven by obsession to a moment of life-changing violence; nor "Max Vision", the alias he used as a $100-an-hour computer-security expert, paid to harden the networks of Silicon Valley companies. As he rode up the lift, Butler became someone else altogether: "Iceman", a rising leader in a criminal economy responsible for billions of dollars in thefts from American companies and consumers.
And Iceman was fed up. For months, he'd been hacking merchants around the country, prying out piles of credit-card numbers that should have been worth hundreds of thousands on the black market. But the market was broken. Two years earlier, Secret Service agents had driven a virtual bulldozer through the computer underworld's largest gathering spot, arresting the ringleaders at gunpoint and sending the rest scurrying into chat rooms and small-time web forums -- all riddled with security holes and crawling with Feds and snitches. It was a mess.
Whether they knew it or not, the underworld needed a strong leader to unify them. To bring order. Butler stalled in the hallway to check for a tail, then walked to his apartment door and entered the oppressive warmth of the rented studio. Heat was the biggest problem with the safe house. The servers and laptops produced a swelter that pulsed through the room. He'd brought in fans over the summer, but they provided scant relief and hiked the electricity bill so high that the apartment manager suspected him of running a hydroponic cannabis farm. But it was just the machines, entwined in a web of cables, the most important snaking to a giant parabolic antenna aimed out of the window like a sniper
Butler sat at his keyboard and trained a digital bead on the web forums where computer criminals gathered -- virtual cantinas with names such as DarkMarket and TalkCash. For two days he hacked, his fingers flying at preternatural speed as he breached the sites' defences, stealing their content, logins, passwords and email addresses. When he tired, he crashed out on the apartment's foldaway bed for an hour or two, then returned bleary-eyed to his work.
He finished with a few keystrokes, wiping out the sites' databases with the ease of an arsonist flicking a match. On August 16, 2006, he dispatched an unapologetic mass email to the denizens of the sites he'd destroyed: they were all now members of Iceman's own CardersMarket.com. Suddenly the largest criminal marketplace in the world, it was 6,000 users strong and the only game in town.
In one fell swoop, Butler had undermined years of careful law-enforcement work and revitalised a billion-dollar criminal underworld.
In Russia and Ukraine, Turkey and the UK, and in apartments, offices and houses across the US, criminals would awake to the announcement of the underground's first hostile takeover. Some of them kept guns in their nightstands to protect their millions in stolen loot, but they couldn't protect themselves from this. FBI and Secret Service agents who'd spent months or years infiltrating the now-destroyed underground forums would read the message with equal dismay, and for a moment all of them -- hacking masterminds, thuggish Russian mobsters, masters of fake identities and the cops sworn to catch them -- would all be unified by a single thought.
Who is Iceman?
Butler had sketched out his plans on a pair of whiteboards in his safe house: there were five English-language carding sites that mattered in the underground -- four too many. He had spent weeks infiltrating those competitors: ScandinavianCarding, TheVouched, TalkCash, and his chief rival, DarkMarket, a UK site.
Butler's plan to muscle in on the other forums hadn't come from the white-hat side of his personality. Butler the criminal wasn't greedy, and he was doing brisk business on the criminal marketplace he had set up in June 2005, CardersMarket.com. But the carding scene was broken, and when Butler the white hat saw something broken, he couldn't resist fixing it.
Ego played a role too. The whole carding world seemed to think Iceman, the name Butler used as a forum administrator, was bankrupt of any skill except the ability to set up forum software. Butler saw an opportunity to show the carders how wrong they were.
DarkMarket turned out to be an unguarded spot. A British carder called JiLsi ran the site, and he'd made the mistake of choosing the same password -- "MSR206" -- everywhere, including CardersMarket, where Butler knew everyone's passwords. Butler could just walk in and take over. TheVouched, on the other hand, was a fortress -- you couldn't even connect to the website without a privately issued digital certificate installed in your browser.
Fortunately, JiLsi was also a member of that site, and he had moderator privileges there. Butler found a copy of the certificate in one of JiLsi's webmail accounts, protected by the carder's usual password. From there, it was just a matter of logging in as JiLsi and leveraging his access to get at the entire database.
On TalkCash and ScandinavianCarding, Butler determined that the forum software's search function was vulnerable to a structured query language (SQL) attack. Code is injected and exploits security vulnerability in the database. SQL injection is a standard weapon in every hacker's arsenal -- the holes, even today, plague every type of website, from ecommerce to banking.
Butler slid into the sites through the holes he'd secretly blasted in their ramparts, using his illicit admin access to copy their databases. Most carders wanted to avoid attention, not thrust themselves into prominence. A hostile takeover was unprecedented.
When he was done with the English-speaking sites, Butler went to eastern Europe. He found CardingWorld.cc and Mazafaka.cc no more secure than the western boards and was soon downloading their databases of private messages and forums posts. Megabytes of Cyrillic flowed on to his computer, a secret history of scams and hacks against the West stretching back months, now permanently warehoused on Butler's hard drive in San Francisco's Tenderloin district.
When he was finished, he executed the DROP command on all the sites' databases, wiping them out. ScandinavianCarding, TheVouched, TalkCash, Darkmarket, CardingWorld -- the bustling, 24-hour-a-day marketplaces supporting a billion-dollar global underground economy all winked out of existence. Ten thousand criminals around the world, men with six-figure deals in the works, wives, children and mistresses to support, cops to buy off, mortgages to pay, debts to satisfy and orders to fill were, in an instant, blind.
Adrift. Losing money. They would all know the name Iceman.
As the morning dawned in San Francisco, he watched CardersMarket's new members gather, confused and angry, on his consolidated crime forum. Matrix001, a German DarkMarket administrator, demanded an explanation for Iceman's actions. A previously taciturn spam king named Master Splyntr spoke up to criticise the organisation of the material Iceman had stolen from the other boards.
There was just one black mark on Butler's triumph: DarkMarket.
His chief competitor had backups, and managed to crawl back to life within days. It was a slap in the face to everything Butler was trying to achieve for himself and the community. But DarkMarket wasn't what it seemed: the site had been infiltrated by Keith Mularski, an FBI agent, as part of an undercover operation. Calling himself Master Splynter, Mularski was masquerading as a Polish spammer. Butler could see what was coming. With an FBI agent at the helm, DarkMarket was going to put a lot of carders in prison.
Butler attempted to prove that Master Splynter was a Fed, but was unable to convince any of the other users.
Butler could feel the heat coming at him. In November 2006, he declared Iceman's retirement and made a show of handing control of the site to Th3C0rrupted0ne. He secluded himself while things cooled down and three weeks later took back the board under another handle. Iceman was dead; long live "Aphex".
But, by January 2007, Butler was back in business at his new safe house, with a stew of Wi-Fi outside. Using yet another alias -- "Digits" -- Butler was now regarded by some carders as the second most successful mag-stripe vendor in the world.
The number-one spot was firmly occupied by a Ukrainian known as Maksik. Maksik operated outside the carding forums, running his own web-based dispensary for stolen cards at maksik.cc. Buyers would begin by sending Maksik upfront money by E-Gold, WebMoney, wire transfer or Western Union. That would buy them access to his website, where they could select the "dumps" -- the magnetic-stripe data on the backs of credit cards -- they wanted and place an order. Maksik would press a button to approve the transaction and the buyer would get an email with the dumps he'd ordered, straight from Maksik's massive database of stolen cards.
Maksik's wares were phenomenal, with a high success rate at the register and a mammoth selection of bank identification numbers (BINs), the primary account number found on credit cards. Like Butler's, Maksik's cards came from swipes at pointof-sale terminals. But instead of targeting scores of small stores and restaurants, Maksik got his cards from a smaller number of giant targets: Polo Ralph Lauren in 2004 and Office Max in 2005. In three months, Discount Shoe Warehouse lost 1.4 million cards taken from 108 stores in 25 US states -- straight into Maksik's database. In July 2005, a record-breaking 45.6 million dumps were stolen from the TJXowned retail chains TJ Maxx, Marshall's and HomeGoods.
Thanks in large part to Maksik and Butler, the popular consumer impression that web transactions were less secure than real-life purchases was now completely false. In 2007, the majority of compromised cards were stolen from brick-and-mortar retailers and restaurants. The large retail intrusions were compromising millions of cards at a time but breaches at smaller merchants were far more common -- Visa's own analysis found that 83 per cent of creditcard breaches were at merchants processing a million or fewer transactions a year, with most thefts at restaurants.
But Butler hadn't gone into the data-theft business to be second best. Maksik was costing him money. Even his business partner, Chris Aragon, was now buying from both Butler and Maksik. Aragon bashed out bogus plastics using an embosser, a card printer, a heat-foil press and an MSR206 mag-stripe writer. The cards were near-perfect full-colour forgeries, complete with holograms. As soon as the plastic cooled, Aragon and his friends went shopping for luxury items that could be easily fenced. Aragon's wife, Clara, ran a business selling the goods on eBay.
At Butler's direction, one of Aragon's team, known as "Tea", gradually befriended the Ukrainian and urged him to start vending on CardersMarket. Maksik declined graciously and suggested she visit him sometime in Ukraine. Rebuffed, Butler took off the gloves and got Tea to send Maksik a Trojan-horse program, hoping to get control of the Ukranian's database of dumps.
Maksik laughed off the hacking attempt. US federal law enforcement had also been tracking Maksik since his rise to infamy in the wake of Operation Firewall, the first major federal operation against cybercrime, which led to the arrest of 28 suspected cybercriminals in October 2004. In early 2006, Ukranian police finally identified Maksik as one Maksym Yastremski, from Kharkov. But they didn't have enough evidence to make an arrest.
The Feds got a chance at collecting information from Maksik in June 2006, when he was holidaying in Dubai. Secret Service agents worked with local police to execute a "sneak and peek" in his hotel room, where they secretly copied his hard drive. But the operation was a dead end: sensitive material on the drive was encrypted with the program Pretty Good Privacy, which was good enough to stop the Secret Service in its tracks.
Carders such as Maksik and Butler were at the fore in embracing one of the unheralded gifts of the computer revolution: cryptography software so strong that, in theory, even the National Security Agency couldn't crack it.
Butler knew that, if his tradecraft failed and the Feds crashed through his safehouse door, they'd find everything he accumulated in his crimes, from credit-card numbers to hacking code, scrambled by software called DriveCrypt -- a 1,344 bit military-grade crypto he'd bought for $60.
The government would arrest him anyway, he expected, and demand his password. He'd say he'd forgotten it. A federal judge somewhere would order him to disclose the key, and he'd refuse. He'd be held on contempt charges, and then be released. Without his files, the government wouldn't have any evidence of his real crimes.
Nothing had been left to chance -- Max Butler was certain of that. He was untouchable.
A Long Island carder, Jonathan Giannone, whom Butler and Aragon had discovered as a teenager, was hiding a secret.
On August 16, 2006, the same day Butler had absorbed his rivals, Secret Service agents arrested Giannone at his parents' house for selling some of Butler's dumps to an informant known as Gollumfun.
Giannone, 21, was released on bail and told nobody about the bust.
To him, it was just a bump in the road -- how much trouble could he really get in for selling 29 dumps?
Federal criminal trials are rare. Most defendants opt to take a plea deal in exchange for a slightly shortened sentence, or limit their exposure by becoming an informant. But Giannone liked his odds: most cases don't hinge on the undercover work performed by an active computer criminal. Soon after he'd snitched on Giannone, Brett "Gollumfun" Johnson had gone on a four-month cross-country crime spree. He wouldn't make a very good witness for the prosecution.
But, after a day of deliberation, the verdict came in: guilty.
The first federal trial of the carding underground was over. A week later, Giannone, facing a lengthy prison term, was summoned from his cell at Lexington County Jail. He instantly recognised the Secret Service agents waiting for him: they were Johnson's handlers and had testified at Giannone's trial. Giannone told them everything he knew: Iceman lived in San Francisco, did a brisk business in dumps, sometimes used the aliases Digits and Generous to sell his goods. He used hacked Wi-Fi to cover his tracks. A Mongolian woman called "Tea" was his Russian translator.
Most crucially, he had a partner named Christopher Aragon in Orange County, California. You want Iceman? Get Chris Aragon. The revelations electrified the agents tracking Iceman. When Mularski had typed Aragon's name into the FBI's case-management system, he found another case, in which a suspected real-estate fraudster had described Aragon's dumps supplier as a tall, pony-tailed man he knew as "Max the Hacker". It got better. Way back in December 2005, another fraudster involved in the same case had told the FBI about introducing Aragon to the superhacker Max Butler after his release from Taft prison on a previous hacking charge. The interviewing agent was interested only in real-estate fraud and hadn't pursued the lead.
Now Mularski and his Secret Service counterparts had a name.
Giannone's statements confirmed it. Iceman had told Giannone that he was once raided as a suspect in the hacking of the source code for the game Half-Life 2. Mularski ran another search and saw there were only two US search warrants executed in that investigation: one was against Max Ray Butler.
Iceman's identity had been hidden in the government's computers all along. Knowing Iceman's identity wasn't the same as having proof, though. The Feds had enough for a search warrant, but they didn't have the location of Butler's safe house. Worse, Giannone had tipped them that Iceman used DriveCrypt. That meant that even if they tracked down Butler's address, they couldn't count on finding evidence on his hard drive. They could bust down Butler's door, then watch him walk out of a courtroom 24 hours later on bail or a signature bond. With an international network of fake ID vendors and identity thieves at his beck and call, Butler might vanish, never to be seen again. They needed to sew up the case before making a move. Mularski decided Chris Aragon was the key.
Chris Aragon pulled his Tahoe into the car park at Fashion Island mall in Newport Beach, parked and got out with an associate, 23-year-old Guy Shitrit. They walked towards the Bloomingdale's, fake American Express cards in their wallets.
It was May 2007 and Aragon was close to getting out. His wife Clara had brought in $780,000 on eBay in three years: 2,609 sales including Coach bags, iPods, Michele watches and Juicy Couture clothes. Chris Aragon added to the take with his sales of plastics and novelties on CardersMarket.
Aragon had figured it out: Butler didn't want to quit. He liked hacking; it's all he wanted to do. So screw him. Aragon had his own exit strategy. He'd poured his profits into a denim-fashion company called Trendsetter USA that was 100 per cent legit.
They walked into Bloomingdale's and made a beeline for ladies' handbags. Aragon and Shitrit picked out a bag each and went to the register. After some swipes at the point-of-sale terminal, they were headed for the door with $13,000 worth of merchandise in their hands.
Aragon and Shitrit left Bloomingdale's, popped the back of the SUV and found a place for the new purchases amid a dozen plain-brown department-store bags.
A white police cruiser zoomed into the car park. It stopped near them and disgorged two uniformed Newport Beach Police Department officers.
Aragon's heart sank. Another bust.
The police booked Aragon at the Newport Beach Police Station, then searched his car, turning up 70 credit cards and small amounts of ecstasy and Xanax. Once fingerprinted, Aragon was ushered into an interrogation room.
Detectives ran his name through the National Crime Information Center computer and saw that his criminal record stretched back to the 70s, and, that technically, he was still on probation from a bust in San Francisco -- for credit-card fraud.
They figured they had a ringleader in their holding cell, got a search warrant and converged with a team of detectives and uniformed cops at the only address they could find for Aragon:
Trendsetter USA. The cops stormed the premises, but the baffled look on the employees' faces suggested they were innocent. After some questioning, one of the workers mentioned that their boss, Clara, ran an eBay business in the back office.
A detective opened the office storage cabinets and took inventory: 31 Coach bags, 12 new Canon cameras, several TomTom GPS navigators, Chanel sunglasses, Palm organisers and iPods, all new and in boxes. Clara walked in to the office in the middle of the search, and was promptly arrested. In her handbag, a detective found several utility bills for an address in Capistrano Beach, all in different names. Clara reluctantly admitted she lived there. The detectives arrived at the Aragon home and began their search. In Aragon's home office they found an unlocked safe, inside which were two plastic index-card cases crammed with counterfeit cards. There were more cards in the bedroom, bundled in rubber bands and stashed in the night table. An MSR206 magnetic-card encoder rested on a shelf in the family room, and in the connecting garage a box of handbags sat on the floor. Aside from the dining room and bathrooms, the only space in the house clean of evidence was the children's bedroom. Just two twin beds, side by side, some stuffed animals and toys. For all his talk about credit-card fraud as a victimless crime, Aragon had overlooked his two most vulnerable victims. They were four and seven, and their dad wasn't coming home.
That's a Fed," Butler said as he indicated a sedan passing by on the street. His girlfriend Charity Majors glanced sceptically at the Ford. US-made cars were just one of many things that alarmed Butler these days.
Weeks had passed since Aragon's arrest, and reading the press coverage from Orange County, Butler couldn't get over how much evidence the police had found in his former partner's home. Using Aragon's pay-out sheets as a road map, the cops had rounded up his entire cashing crew and converged on Aragon's credit-card factory in the Valley, seizing the counterfeiting gear. Aragon was being held on $1m bail.
The entire operation had been dismantled piece by piece. The authorities were calling it perhaps the largest identity-theft ring in Orange County's history. "Shit, I wonder what kind of records he kept on all that," Butler later wrote to The3C0rrupted0ne. "I mean, if he was sloppy enough to have equipment at his house."
Butler had already ditched his pre-paid mobile phone and instituted a "security ban" on Aragon's CardersMarket account. As the weeks passed with Aragon still in jail, Butler started to worry. He decided to invest in a rope ladder, keeping it by the back window in case he had to get out fast.
It was then Butler finally learned about Giannone's bust from a news article. He had lost track of Giannone, and the news that he had lost a criminal trial worried him. "Of all the rat snitch piece of shit motherfuckers out there, he is the closest to being able to finger me for the Feds," he confided in a post to the private administrators' forum on CardersMarket. "The little dipshit might actually be able to get the Feds close to me."
Butler uprooted from his office and hid his equipment at home until he was set up elsewhere. On June 7, 2007 he picked up the keys at the Oakwood Geary, another corporate apartment building in the Tenderloin. He was "Daniel Chance" now, just another displaced software drone relocating to the Bay Area. The real Chance was 50 and bearded, whereas Butler was clean-shaven with long hair -- but the fake driver's licence and genuine money order were enough to get him in.
The next evening, Butler checked out a red Mustang from his neighbourhood Zipcar and packed it with his computer gear. For all his paranoia, he didn't notice the Secret Service agents tailing him on the drive to the Oakwood, and watching from the street as he moved in to his new safe house.
Butler contemplated finding honest work again -- he had been offered a legitimate job in Canada, but he'd turned it down. He couldn't bring himself to leave Majors. He'd been contemplating marriage, playing with the idea of luring her to Las Vegas and popping the question.
It was time, he decided, for Max Vision, white hat, to return.
It would be official. He visited the San Francisco courthouse and filled out the paperwork. On August 14, a judge approved his legal name change from Max Butler to Max Ray Vision.
He already had an idea for a new site that could catapult him back into the white-hat scene: a system for disclosing and managing zero-day vulnerabilities. He could seed it with the security holes he was privy to in the underground, bringing the exploits into the white-hat world like a defector with a suitcase full of state secrets.
But after all his work making CardersMarket the top forum in the Anglophone world, he couldn't bring himself to abandon it.
Butler returned to his safe house. It was August and the temperature was 32°C. His central processing unit was threatening to burn itself out. He turned on his fans, sat at his keyboard and began the work of phasing out his Digits and Aphex identities.
He logged on to CardersMarket and, as Digits, posted a note that he was shunting his dumps vending to Unauthorized, one of his admins. Then, as Aphex, he announced that he was retiring from carding and was selling CardersMarket. He let the announcement sit for a few minutes and then took down the site. When he brought it back up, Achilous, one of his administrators in Canada, was in charge. Butler created a new, generic handle for himself, "Admin", to help CardersMarket's new kingpin during the transition.
An instant message popped up on his screen. It was from Silo, a Canadian carder who was always trying, and failing, to hack him.
Butler had tracked him down and identified him as Lloyd Liske in British Columbia. He suspected Liske was an informant.
The note was odd, a long sentence about newbies making dumb mistakes. But Silo had hidden a second message within it by capitalising nine of the letters. They spelled out MAX VISION. A guess, Butler thought. Silo couldn't possibly know anything.
The day after Butler announced his retirement, Secret Service agent Melissa McKenzie and a federal prosecutor from Pittsburgh flew to California to tie up some loose ends. The investigation was nearly complete. The Secret Service had got hold of Digits's email from a contact at the Vancouver Police Department -- Silo's handler. Butler had been using a Canadian-based webmail provider called Hushmail that provides high-security encryption, using a Java applet that decrypts a customer's messages right on his own PC instead of the company's server. The company openly marketed the service as a way to circumvent FBI surveillance. But it was now being mined by law enforcement.
Meanwhile, the Secret Service had begun sporadic physical surveillance of Butler. Mularski had learned from testimony on the FBI's case-management system that Butler had a girlfriend named Charity Majors. Public records provided her address and a subpoena of her bank records showed they had a joint account. The Secret Service staked out the house and eventually trailed Butler to the Oakwood Geary.
Electronic surveillance confirmed that Butler was operating from the Oakwood. The FBI had won a secret court order letting them electronically monitor the IP addresses connnecting to CardersMarket's false front at a US hosting company. Several traced back to broadband subscribers living within a block of the complex and running Wi-Fi.
Two weeks earlier, a female Secret Service agent disguised as a maid had ridden up the elevator with Butler and watched him unlock apartment 409. The apartment number was the last piece of data they'd needed. There was just one more stop before they'd move in: the Orange County Central Men's Jail, a grim lock-up in Santa Ana, California. McKenzie and federal prosecutor Luke Dembosky were shown to an interview room to meet Aragon, the last hold-out in the Orange County team. Clara and six members of his team were headed to plea deals that would ultimately net them from six months to seven years in prison. Clara would get two years, eight months.
Aragon's mother was looking after the two boys.
Once the introductions were made, McKenzie and Dembosky got down to business. They couldn't do anything about Aragon's state case, but if he co-operated he'd have a nice letter in his file attesting that he'd helped in a major federal prosecution. That could sway the judge at sentencing time. McKenzie produced a photo line-up and asked Aragon if anyone looked familiar. Aragon's situation was grim. With convictions for bank robberies and drug smuggling, he was eligible for California's tough three-strikes law. That meant a mandatory 25-to-life. Aragon picked out Butler's mugshot. And then he told the Feds the story of Max Vision's drift to the dark side.
On September 5, 2007, Butler dropped Majors at the post office and directed his cab driver to a CompUSA store. He picked up a fan to keep his electronics cool, walked to his apartment and crashed out on his bed amid a tangle of unfolded laundry. He settled into a deep slumber. He slept right through the knock on his door at 2pm.
Then the door flew open and s six agents rushed into the room, guns drawn, shouting orders. Butler bolted upright and screamed. "Put your hands where I can see them!" an agent yelled. "Lay down!"
Butler recovered his composure. His machines were locked down and his encryption was rock solid. He managed to relax a little as the agents let him get dressed, then walked him down the hall in handcuffs.
On the way, they passed a three-man team who'd been waiting for the Secret Service to secure the safe house. They weren't Feds: they were from Carnegie Mellon University's Computer Emergency Response Team (Cert) and were there to bust Butler's crypto. The Cert team had spent the last two weeks gaming out different scenarios for what they might encounter in Butler's safe house. Now the team leader looked over the set-up: Butler's server was wired to half-a-dozen hard drives. Two had lost power when an agent tripped over a cable snaking across the floor, but the server itself was still running, and that's what mattered.
The forensics experts moved to the machines and began their work, using memory-acquisition software they'd brought with them to suck down the live data from the RAM on to an external storage device.
Down the hall, Butler cooled his heels in the apartment that the Feds had used as a staging area for the raid.
Two agents watched over him. Butler would be questioned later -- for now, the agents were just chatting with one another. The Secret Service agent was from the local San Francisco field office; he asked his FBI counterpart where he worked. "I'm from Pittsburgh,"
Keith Mularski answered. Butler's head snapped to look at Master Splyntr.
Butler was driven to the FBI field office where he tried to feel agents out for what they knew. Some seemed surprised at his politeness, his sheer likeability. Butler wasn't what they expected from the cold, calculating kingpin they'd been tracking for a year.
On the drive to jail, one of the agents voiced her puzzlement.
You seem like a nice guy, she said, and that's going to help you. "But I have this one question for you... Why do you hate us?"
Butler was speechless. He never hated the Secret Service, or the FBI, or even the informants on CardersMarket. Iceman did. But Iceman was never real: he was a guise, a personality Butler slipped on like a suit when he was in cyberspace.
Max Butler never hated anyone in his life.
Butler was taken to Pittsburgh, where his new public defender tried again to get him released on bail, but the judge refused after prosecutors speculated that Butler was sitting on vast stores of hidden cash, and could easily use his contacts to disappear with a new name. To prove that he'd tried to evade the Feds, they played their trump card: private messages written by Butler himself describing his use of false IDs while traveling and his "evasive move" to his final safe house. Butler had sent the messages to a Pittsburgh Secret Service informant who'd been an admin on CardersMarket for a full year.
Butler wasn't at all surprised to see that it was Th3C0rrupted0ne.
In February 2010 Butler was sentenced to 13 years in federal prison, the longest sentence for a hacker in US history.
Extracted from Kingpin (Crown Publishing, £16) by Kevin Poulsen. Kevin Poulsen edits Wired US's Threat Level blog (wired.com/ threatlevel)
This article was originally published by WIRED UK
