Albert Gonzalez, 28, who already faces charges from a 2008 indictment of swiping the credit and debit card numbers of more than 40 million cardholders, was accused this month by federal prosecutors in New Jersey of hacking into computer networks used by retail and financial firms, affecting an additional 130 million accounts.
Prosecutors said the attacks, beginning in October 2006, constitute the largest credit and debit card data breach ever in the United States.
Gonzalez, who had once been an informant for the U.S. Secret Service, was arrested in Miami in 2008. He is currently in federal custody awaiting trial for his alleged role in hacking a computer network of a national restaurant chain.
Under a plea agreement with federal prosecutors filed in Boston on Friday, Gonzalez would serve a sentence of 15 to 25 years after pleading guilty to a 19-count indictment. He would also forfeit some $2.8 million in cash, a Miami condo, a car and expensive jewelry.
Read the August 2009 indictment of Albert Gonzalez (pdf)
Gonzalez was arrested in 2003 for hacking but not charged because authorities said he became an informant for the Secret Service. Over the next five years, authorities said, Gonzalez continued to hack into the computer systems of Fortune 500 companies even while providing assistance to the government. A judge allowed him to move from New Jersey back to Florida in 2004, and court documents alleged that Gonzalez hacked into the national restaurant chain Dave & Buster's.
Officials said Gonzalez devised a sophisticated attack to penetrate computer networks, steal credit and debit card data, and send that information to computer servers in California, Illinois,
Latvia, the Netherlands and Ukraine.
Prosecutors allege Gonzalez was the ringleader of hackers in the first round of stealing 40 million credit card numbers from retailers like T.J. Maxx, Barnes & Noble, Sports Authority and OfficeMax.
One of their techniques apparently involved "wardriving," or cruising through different areas with a laptop computer and looking for retailers' accessible wireless Internet signals. Once they located a vulnerable network, the hackers installed "sniffer programs" that captured credit and debit card numbers as they moved through a retailer's processing computers - then tried to sell the data.
Even after he was jailed last year, authorities continued to unravel the alleged scams of Gonzalez, who was also traced through his various online aliases, including "soupnazi," "segvec" and "j4guar17."
In the latest charges against Gonzalez, authorities said he and two Russian conspirators used a different technique to hack into corporate networks and secretly place "malware," or malicious software, that would allow them backdoor access to the networks to steal data later.
Gonzalez' lawyer, Rene Palomino Jr. of Miami, said that he is "intending to finalize the case as early as Friday."
"My client is extremely remorseful as to what has happened," Palomino told the Associated Press Thursday.
Palomino has said his client had a computer addiction.
"Albert is not a mean-spirited individual, he desires no physical harm on anybody and he wouldn't hurt a fly," Palomino told the AP in an earlier interview. "He's really not a bad guy. He just got way in over his head."