The man accused of masterminding the largest identity theft in U.S. history agreed to plead guilty to federal charges in Massachusetts, according to court papers filed Friday.
Albert Gonzalez is accused of leading a ring of hackers who stole millions of credit card and debit card numbers from major U.S. retail chains including TJX and Barnes & Noble, leading to tens of millions of dollars in fraudulent transactions.
His alleged scheme stood out for its simplicity — it started with accomplices driving around Miami with laptops looking for unsecured computer networks — and its brazenness, as the former informant used details he learned from government officials to help fellow hackers avoid arrest.
Gonzalez, 28, has agreed to plead guilty to all charges in U.S. District Court in Boston by Sept. 11. He faces a prison sentence of 15 to 25 years, and has consented to forfeit $1.65 million, a Miami condominium, a previously seized $1.1 million and other assets, according to court papers.
Video: Albert Gonzlez agrees to plead guilty of running a record-setting identity theft ring, with CNBC's Mary Thompson.
Separate charges filed in New Jersey stand.
"The scary thing is that Albert Gonzalez wasn't a super genius, he was just your ordinary bad guy and there are others out there who can do the same things," said Charlie Miller, principal analyst at consulting firm Independent Security Evaluators. "Hopefully, this punishment will serve as a deterrent."
If accepted by a federal judge, the sentence would likely be the longest on record for a U.S. hacking case, said Mark Rasch, a former Justice Department official.
Gonzalez was working as an informant in a separate U.S. Secret Service hacking investigation when authorities learned he was using information from their probe to help fellow hackers avoid arrest.
In Boston, Gonzalez and 10 others were indicted a year ago on charges including computer fraud and wire fraud, compromising more than 40 million payment numbers. Victims also included BJ's Wholesale Club, OfficeMax, and DSW. The plea would also resolve New York federal charges related to hacking a restaurant's network.
Separate charges facing Gonzalez in New Jersey — which stand as the largest identity theft in U.S. history — are not affected by the Boston plea, a spokesman at the U.S. District Court in New Jersey said.
On Aug. 17, Gonzalez was indicted there for allegedly stealing more than 130 million card numbers from data processor Heartland Payment Systems and retailers 7-Eleven and Hannaford Brothers.
A mystery is why Gonzalez would agree to settle the Boston and New York charges but not the potentially more serious charges in New Jersey, an attorney not involved in the case said. There, Gonzalez faces up to 25 years if convicted.
The attorney, Stefan Jouret, who specializes in financial litigation, said it is possible the New Jersey prosecutors were not far enough along with their case to accept a plea deal, or disagreed about the evidence. Alternatively, Gonzalez's attorneys may have judged the evidence in the Boston and New York cases more damaging and wanted to settle them first.
Gonzalez's lawyer, Rene Palomino, did not return calls seeking comment.