Convicted hacker Albert Gonzalez, who is currently serving a 20-year prison sentence after pleading guilty to the massive hacks at TJX, Heartland and numerous retailers, now claims that he thought he was authorized and directed by the government to carry out the illegal activities.
In a petition filed last month, first reported by Wired , Gonzalez informed the U.S. District Court for the District of Massachusetts that he would like to withdraw his guilty plea and asked the court to vacate its sentence.
In his 25-page petition, Gonzalez blamed his attorneys Martin Weinberg and Rene Palomino for not properly representing him or informing him about his defense options. Gonzalez also claimed that his lawyers did not appeal his sentence as he had asked them to.
Gonzalez was arrested in Miami in 2008 along with 10 other individuals on charges relating to the thefts at TJX, Dave & Busters, BJ's Wholesale Club, OfficeMax, Boston Market, Barnes & Noble, Sports Authority, Forever 21 and DSW.
Later he was also charged with the break-ins at Heartland Payment Systems, Hannaford, 7-Eleven and two other unnamed retailers. Gonzalez was indicted in three different states, New York, Massachusetts and New Jersey for his crimes. Prosecutors alleged that Gonzalez and his international gang of cyber criminals stole data on more than 130 million debit and credit cards over a multi-year period.
In Sept. 2009, Gonzalez, pleaded guilty to 20 counts of conspiracy, computer fraud, wire fraud, access device fraud and aggravated identity theft. He was sentenced to two concurrent 20 year terms by federal courts in Massachusetts and NJ.
In his petition, Gonzalez claims that all of the criminal activities that he admitted to in court were actually done with the full knowledge and the direction of the United States Secret Service.
As previously known, Gonzalez noted that he had begun working as a confidential informant for the Secret Service back in 2003 soon after he was busted in connection with a series of ATM thefts. Gonzalez claims that over the next several years, he helped the Secret Service infiltrate various carder gangs and hacking groups, leading to the arrests of many of them.
Gonzalez' petition details his interactions with two of his Secret Service handlers, who he claims treated him almost like another member of the agency and took him to different parts of the country for undercover work.
"The Agents had me infiltrating chat rooms setting people up and then the Agents would bust them," he offers as one example of the work he claims to have done for the government. "On one occasion I was taken to California for a week to help Agents there with undercover operation that resulted in arrests and convictions," Gonzalez said in his petition.
At the time of his arrest, Gonzalez said he firmly believed he was "authorized to engage in the cyber crimes I was participating in, in order to gather intelligence on National and International cyber criminals and I was doing my job to the best of my abilities," Gonzalez said. He said he was being paid $1,200 a month for his work.
According to Gonzalez, his illegal activities were done to establish trust with other cybercriminals so he could make contact with more of them and expose their acitivities to law enforcement.
Gonzalez said Palomino did not advise him of the availability of the "Public Authority" defense that he could have used to defend his actions. Under the public authority defense, any individual who is "acting under the actual or believed exercise of public authority on behalf of a law enforcement agency" can claim immunity against illegal conduct arising from his actions, Gonzalez said in his petition.
Gonzalez also asked for his guilty pleas to be withdrawn. According to him, the only reason he pleaded guilty to the indictments in all three states was because his attorney and prosecutors told him he would benefit by doing so. Gonzalez claims in his petition that he was informed if he agreed to plead guilty to all three cases, all of the cases would be transferred to Boston, where it would go before one judge and he would receive just one sentence.
However, all three cases could not be transferred as promised, resulting in two separate convictions, Gonzalez said. He contends in his petition that he would not have agreed to plead guilty if he had known his cases could not be consolidated as promised.
"I gained absolutely nothing by accepting the plea agreement," he said. "Because I relied on the promises of my attorney and the government that could not be carried out, I did not knowingly and voluntarily enter into the plea agreement," he said.
The only reason that he was even arrested in the first place was because of evidence found on a computer owned by Maksym Yastremskiy, a Ukrainian gang member who had previously been arrested in Turkey, Gonzalez said.
Yastremskiy was tortured into decrypting the data on his computer by Turkish authorities, so the information gathered from his computer should have been suppressed, he claimed.
But Palomino in a conversation with Wired is quoted as saying that Gonzalez has no ground for appeal because it was a negotiated plea agreement and that his former client knew what he was getting into when he accepted it.
Jaikumar Vijayan covers data security and privacy issues, financial services security and e-voting for Computerworld. Follow Jaikumar on Twitter at @jaivijayan or subscribe to Jaikumar's RSS feed . His e-mail address is firstname.lastname@example.org .
Read more about cybercrime and hacking in Computerworld's Cybercrime and Hacking Topic Center.