One of the leading figures in the massive online fraud at TJX Companies, BJ Wholesale Clubs and other retailers has pleaded guilty to identity theft and other charges.
Christopher Scott, 25, of Miami, is the second individual to plead guilty in the case so far. Last week, Damon Patrick Toey, pleaded guilty to wire and credit card fraud and aggravated identity theft. The pair are believed to have led the gang that stole 45 million payment card details.
Both men were among the 11 individuals who were arrested in August in connection with payment card fraud stemming from a series of computer intrusions at major retailers over the last few years.
In a plea agreement before US District Judge Douglas Woodlock, Scott admitted to conspiracy, unauthorised access to computer systems, access device fraud and identity theft. He faces a maximum of 22 years in prison and a $1 million fine. Scott also will forfeit the $400,000 or so that he made in profits from the payment card thefts.
Besides TJX and BJs, Scott, Toey and the others arrested are accused of breaking into and stealing payment card data from DSW , OfficeMax , Boston Market, Barnes and Noble Sports Authority and Forever 21. According to prosecutors, the group is believed to have stolen data involving more than 45 million payment cards, leaving about 100 financial institutions vulnerable to losses from fraud.
According to a statement released by the US attorney's office in Boston, Scott's expertise was wireless hacking. Scott along with ring leader Albert Gonzalez and others would conduct "war drives" in shopping strips in Miami looking for vulnerable wireless networks at retail store locations.
Once they identified such a network, the gang would compromise it and use that access to break into the retailer's main payment processing network to steal payment card data.
The stolen data was then either sold to criminal gangs in East Europe and elsewhere or used by the gang itself to create and use fraudulent payment cards.
Court documents show that Scott broke into the TJX network in July 2005 through two wireless access points at a TJX-owned Marshall's store in Miami. He used the access he gained to download various commands onto TJX servers containing payment card data. In September of that year, with help from Gonzalez, they first started downloading payment card data from TJX servers.
Scott later established a VPN connection between a TJX payment card transaction processing server and a malicious server owned by Gonzalez which he then used to upload various sniffer programs for capturing transaction data as it was being processed. In all, Scott received about $400,000 for his role in the thefts.