Max Ray Vision (formerly Max Ray Butler, alias Iceman) is a former computer security consultant [1] and hacker who served a 13-year prison sentence, the longest sentence ever given at the time for hacking charges in the United States. [2] He was convicted of two counts of wire fraud, including stealing nearly 2 million credit card numbers and running up about $86 million in fraudulent charges. [3]
Butler was born on July 10, 1972, [4] [5] [6] and grew up in Meridian, Idaho with a younger sibling; his parents divorced when he was 14. [5] His father was a Vietnam War veteran and computer store owner who married a daughter of Ukrainian immigrants. [7] As a teenager, Max Butler became interested in bulletin board systems and hacking. [5] After a parent reported a theft of chemicals from a lab room at Meridian High School, Butler pleaded guilty to malicious injury to property, first-degree burglary, and grand theft. Butler ultimately received probation for his crimes. He was sent to live with his father and he transferred to Bishop Kelly High School. [8]
Butler attended Boise State University for a year. [9] In 1991, Butler was convicted of assault during his first year of college. [5] His appeal was unsuccessful on procedural grounds, as a judge ruled that Butler's defense attorney did not raise the issue in an earlier appeal. The Idaho State Penitentiary paroled Butler on 26 April 1995. [10]
Butler moved with his father near Seattle and worked in part-time technical support positions in various companies. He discovered IRC and frequently downloaded warez, or illegally downloaded software or media. After an Internet service provider in Littleton, Colorado traced Butler's uploads of warez to an unprotected FTP server –the uploads were consuming excessive bandwidth–to the CompuServe corporate offices in Bellevue, Washington, CompuServe fired Butler. [11]
After moving to Half Moon Bay, California, he changed his last name to Vision and lived in a rented mansion "Hungry Manor" with a group of other computer enthusiasts. [12] Butler became a system administrator at computer gaming start-up MPath Interactive. [13] The Software Publishers Association filed a $300,000 lawsuit against Butler for engaging in unauthorized distribution of software from CompuServe's office and later settled the case for $3,500 and free computer consulting.
After marrying Kimi Winters, he moved to Berkeley, California, and worked as a freelance pentester and security consultant. During this time, he developed 'an online community resource called the "advanced reference archive of current heuristics for network intrusion detection systems," or arachNIDS.' [14]
In the spring of 1998, Butler installed a backdoor onto American federal government websites while trying to fix a security hole in the BIND server daemon. However, an investigator with the United States Air Force found Butler via pop-up notifications. [15] He hired attorney Jennifer Granick for legal representation after hearing Granick speak at DEF CON. On 25 September 2000, Butler pleaded guilty to gaining unauthorized access to Defense Department computers. [4] Starting in May 2001, Butler served an 18-month federal prison sentence handed down by US District Judge James Ware. [16]
After his release from prison in 2003 on supervised release, Butler exploited Wi-Fi technology to commit cyberattacks anonymously along with Chris Aragon from San Francisco. [17] He advanced to programming malware, such as allowing the Bifrost Trojan horse to evade virus scanner programs and exploited the HTML Application feature of Internet Explorer to steal American Express credit card information. [18] Butler also targeted Citibank by using a Trojan horse towards a credit card identity thief and began distributing PINs to Aragon, who would have others withdraw the maximum daily amount of cash from ATMs until the compromised account was empty. [19]
Arrested in 2007, Butler was accused of operating CardersMarket, a forum where cyber criminals bought and sold sensitive data such as credit card numbers. After pleading guilty to two counts of wire fraud, stealing nearly 2 million credit card numbers, which were used for $86 million in fraudulent purchases, Butler was sentenced to 13 years in prison, which was the longest sentence ever given for hacking charges in the United States of America at the time. [20] After prison, Butler will also face 5 years of supervised release and is ordered to pay $27.5 million in restitution to his victims. [3] [21]
In 2018 Butler was charged with running drone-smuggling ring from jail. The indictment states that in October 2014 he obtained an illicit cell phone and allegedly used it to obtain stolen debit card numbers from the internet, through which he stole money that he paid out to fellow inmates. [22]
Prosecutors say that a former cellmate named Jason Dane Tidwell stayed in touch with Butler via an encrypted messaging app and that, in the spring of 2016, Butler allegedly told Tidwell to buy a remotely piloted drone with some of the debit card scam proceeds to delivery contraband by airdrop. An inmate informed on the scheme, but guards never managed to find the contraband. One inmate, Phillip Tyler Hammons, confessed to retrieving airdrops, and he fingered Butler as the mastermind behind the plan. Butler claims that it was Hammons who behind the whole scheme. [22]
Butler was released from FCI Victorville Medium 2 on 14 April 2021.
Butler's story was featured in an episode of the CNBC television program American Greed in 2010. [23]
Adrián Alfonso Lamo Atwood was an American threat analyst and hacker. Lamo first gained media attention for breaking into several high-profile computer networks, including those of The New York Times, Yahoo!, and Microsoft, culminating in his 2003 arrest.
Kevin David Mitnick was an American computer security consultant, author, and convicted hacker. He is best known for his high-profile 1995 arrest and five years in prison for various computer and communications-related crimes. Mitnick's pursuit, arrest, trial and sentence were all controversial, as were the associated media coverage, books and films. After his release from prison, he ran his own security firm, Mitnick Security Consulting, LLC, and was also involved with other computer security businesses.
Kevin Lee Poulsen is an American convicted fraudster, former black-hat hacker and a contributing editor at The Daily Beast.
Rizon is an Internet Relay Chat (IRC) network. The IRC network itself ranks number 5 among the largest IRC networks. Rizon is popular with many anime fansubbing groups who work online, many of whom provide their content through XDCC via IRC bots in their distribution channels. It is also used by many users of eRepublik as a means of communication. File sharing of other copyrighted material such as Warez is also common in some channels on the network.
ShadowCrew was a cybercrime forum that operated under the domain name ShadowCrew.com between August 2002 and November 2004.
Adam Botbyl is an American computer hacker from Michigan. He gained unauthorized access to the Lowes corporate computer network via an open, unsecured wireless access point used by the Lowe's chain of home improvement and hardware stores. The access point was initially discovered inadvertently by his then-roommate, Paul Timmins. Months later, Botbyl and Salcedo returned to explore and exploit the network at a store located in Southfield, Michigan. They then attempted to install a program that could have allowed them to capture the credit card information of customers conducting transactions through the Southfield store.
globalHell was an American hacker group. They were one of the first hacking groups who gained notoriety for website defacements and breaches. The combined losses caused by the group were estimated to be ranged between $1.5m and $2.5m. The group was called a "cyber gang" as it had many of the same characteristics of a gang and carried out the same activities as a gang, including trafficking in stolen credit card numbers.
Jonathan Joseph James was an American hacker who was the first juvenile incarcerated for cybercrime in the United States. The South Florida native was 15 years old at the time of the first offense and 16 years old on the date of his sentencing. He died at his Pinecrest, Florida home on May 18, 2008, of a self-inflicted gunshot wound.
Ehud "Udi" Tenenbaum, also known as The Analyzer, is an Israeli hacker.
Justin Tanner Petersen was an American hacker, concert promoter, sound engineer, private investigator and an informant for the Federal Bureau of Investigation. While tasked with helping to catch other hackers and fugitives wanted by the FBI, he continued to commit serious crimes.
Cameron LaCroix, aka camo, cam0, camZero, cmuNNY, is an American computer hacker best known for the hacking of Paris Hilton's cellular phone, accessing LexisNexis, and defacing Burger King's Twitter account. He has also been convicted of intentionally causing damage to a protected computer system, obtaining information from a protected computer system, wire fraud, and aggravated identity fraud. Prosecutors said victims of the teen's actions have suffered about $1 million in damages. Pursuant to a plea agreement signed by the juvenile in August 2005, he received 11 months in a federal juvenile detention facility. In January 2007 his supervised release was revoked due to possession of a cell phone.
Albert Gonzalez is an American computer hacker, computer criminal and police informer, who is accused of masterminding the combined credit card theft and subsequent reselling of more than 170 million card and ATM numbers from 2005 to 2007, the biggest such fraud in history. Gonzalez and his accomplices used SQL injection to deploy backdoors on several corporate systems in order to launch packet sniffing attacks which allowed him to steal computer data from internal corporate networks.
United States v. Ivanov was an American court case addressing subject-matter jurisdiction for computer crimes performed by Internet users outside of the United States against American businesses and infrastructure. In trial court, Aleksey Vladimirovich Ivanov of Chelyabinsk, Russia was indicted for conspiracy, computer fraud, extortion, and possession of illegal access devices; all crimes committed against the Online Information Bureau (OIB) whose business and infrastructure were based in Vernon, Connecticut.
The Federal Correctional Institution, Oakdale is a low-security United States federal prison for male inmates in Louisiana. It is part of the Oakdale Federal Correctional Complex (FCC) and operated by the Federal Bureau of Prisons, a division of the United States Department of Justice.
The Federal Correctional Institution, Fort Dix is a low-security United States federal prison for male offenders in New Jersey. It is operated by the Federal Bureau of Prisons. A satellite prison camp houses minimum-security male inmates.
Roman Valerevich Seleznev, also known by his hacker name Track2, is a Russian computer hacker. Seleznev was indicted in the United States in 2011, and was convicted of hacking into servers to steal credit-card data. His activities are estimated to have caused more than US$169 million in damages to businesses and financial institutions. Seleznev was arrested on July 5, 2014, while vacationing in the Maldives, and was sentenced to 27 years in prison for wire fraud, intentional damage to a protected computer, and identity theft. Seleznev would only serve ten years in prison before he would take part in the 2024 Ankara prisoner exchange that involved 26 total people, including himself.
Kingpin: How One Hacker Took Over the Billion-Dollar Cybercrime Underground is a 2011 non-fiction book written by Kevin Poulsen.
Carding is a term of the trafficking and unauthorized use of credit cards. The stolen credit cards or credit card numbers are then used to buy prepaid gift cards to cover up the tracks. Activities also encompass exploitation of personal data, and money laundering techniques. Modern carding sites have been described as full-service commercial entities.
David Benjamin Schrooten is a Dutch computer hacker also known as Fortezza and Xakep. In 2012, he was arrested in Romania at the request of the United States Secret Service and extradited to Seattle, Washington. Here he was sentenced to 12 years in federal prison, primarily for his role in trafficking credit cards he obtained by hacking other hackers. By doing so, he caused approximately 63 million dollars in damages.