Kingpin

1. Max Butler's Early Impulses and Dual Nature

When his manic side flared, the world was too slow to keep up; his brain moved at light speed and focused like a laser on whatever task was before him.

Early life. Max Butler grew up in Idaho, a computer prodigy with a restless, impulsive nature. His parents' divorce deeply affected him, seemingly splitting his personality into calm and intensely manic modes. This intensity, combined with a passion for computers inherited from his father, led him to explore the burgeoning online world and phone phreaking from a young age.

Trouble with authority. Max's disregard for rules manifested early. A Secret Service warning about his phone phreaking went unheeded. His impulsive side led him and friends to steal a master key to their high school, resulting in vandalism and chemical theft. This led to his first arrest, a bipolar diagnosis, and a five-year prison sentence for aggravated assault after a domestic dispute escalated, a charge later deemed legally questionable.

Lessons learned? Prison left Max bitter about the justice system but seemingly undeterred from pushing boundaries. Upon release, he adopted the name Max Ray Vision, aiming for a fresh start. However, his return to online activities quickly led to software piracy and another brush with the law, highlighting the persistent pull of his rebellious nature despite his aspirations for a legitimate life.

2. From White Hat to FBI Informant

Max liked the FBI agent, and the feeling seemed to be mutual.

A new identity. After his piracy bust, Max Vision moved to Silicon Valley, seeking work in the booming dot-com industry. He found a job and began building a reputation as a "white-hat" hacker, applying his skills to computer security. This era saw a shift in the hacking community, with many moving from intrusion to defense.

Working with the Feds. His past caught up when the Software Publishers Association sued him for piracy. This led to an introduction to FBI agent Chris Beeson, who recruited Max as a criminal informant. Max, code-named "Equalizer," provided intelligence on the computer underground, hoping to earn leniency for his past actions and build a bridge to a legitimate career.

Testing boundaries. Despite working for the FBI, Max couldn't resist the urge to hack. He discovered a critical vulnerability in BIND, a core Internet program, and impulsively decided to exploit it himself. He hacked into numerous U.S. government and military systems, not to cause harm, but to "fix" the vulnerability by installing backdoors only he controlled, believing he was doing a "greater good."

3. Disillusionment and the Lure of Cybercrime

Max began to wonder if he had a future in computer security at all.

Caught red-handed. Max's BIND attacks were traced back to him, leading to an FBI raid. Despite his claims of good intentions, his actions were illegal. The FBI offered him a deal: cooperate more deeply, specifically by trying to implicate his boss, Matt Harrigan. Max refused to betray his friend and hired a lawyer, Jennifer Granick, who advised him against cooperating further without a formal deal.

Facing consequences. The FBI dropped Max as an informant and pursued an indictment. Facing prison, Max struggled to find legitimate work due to his felony record. His attempts at penetration testing were met with resistance, and his skills, honed in prison, were becoming outdated compared to the rapidly evolving security landscape.

A tempting offer. Disillusioned and financially struggling, Max reconnected with Jeff Norminton, a con man he met in prison. Norminton offered to bankroll Max's return to hacking, this time for profit. Max, tired of trying to go straight and feeling unjustly punished, accepted, marking his full transition from white hat and informant back to the criminal underground.

4. Building a Criminal Empire: Carders Market

With one stroke, Max had undermined years of careful law enforcement work and revitalized a billion-dollar criminal underworld.

Partnering for profit. Max teamed up with Chris Aragon, a former bank robber and drug smuggler who had found success in credit card fraud. Chris, fascinated by the online carding world, saw the potential in Max's hacking skills. Max, in turn, saw Chris as a partner who could monetize stolen data and provide financial support.

Targeting criminals. Max began hacking carders themselves, seeing them as morally acceptable targets and easy prey. He used sophisticated client-side exploits, like a zero-day vulnerability in Internet Explorer disguised as a "Free Amex" offer, to compromise thousands of carders' computers and steal their dumps and other valuable information.

Creating a marketplace. Frustrated by existing crime forums, Max decided to create his own: Cardersmarket.com, operating under the handle "Iceman." He envisioned a secure, well-organized site. In a bold move, he hacked and wiped out several rival English and Russian carding forums, consolidating their users onto Carders Market and establishing it as the dominant platform, much to the dismay of law enforcement and rival criminals.

5. The Rise of Organized Cybercrime and Data Theft

Once the underground figured out that part of the equation, it would be an industry of its own.

The new frontier. The arrest of Russian hackers Alexey Ivanov and Vasiliy Gorshkov in 2000 revealed a new breed of profit-oriented cybercriminals, primarily from Eastern Europe. They were technically skilled and organized, engaging in extortion and large-scale data theft, signaling a major shift in the landscape of online crime.

Carding forums emerge. Sites like Counterfeit Library, CarderPlanet, and Shadowcrew provided centralized marketplaces and knowledge bases for this growing criminal economy. They facilitated the buying and selling of stolen credit card data ("dumps"), counterfeit IDs, hacking tools, and other illicit goods and services, creating a global network of cybercriminals.

Data becomes currency. The introduction of security features like CVV codes made raw credit card numbers less useful, driving demand for full magstripe data ("dumps"). Criminals developed new methods to steal this data, including:

• Recruiting insiders (e.g., restaurant workers with skimmers)
• Hacking point-of-sale systems
• Exploiting vulnerabilities in corporate networks

This fueled a multi-billion dollar black market, with dumps selling for $20-$100 depending on the card type.

6. Law Enforcement's Undercover War

Who is Iceman?

Struggling to adapt. Law enforcement, initially focused on recreational hackers, faced a new challenge with organized, profit-driven cybercrime. Traditional methods were often ineffective against anonymous online actors operating across international borders.

Informants and stings. Agencies like the FBI and Secret Service began recruiting informants from within the underground. Albert Gonzalez ("Cumbajohnny"), a Shadowcrew administrator, became a key asset in "Operation Firewall," which used a wiretapped VPN to gather evidence and resulted in dozens of arrests, temporarily disrupting the scene. Dave Thomas ("El Mariachi") also worked as an FBI informant running a crime forum honeypot.

Infiltrating the forums. Recognizing the forums as central hubs, FBI agent Keith Mularski ("Master Splyntr") embarked on an ambitious undercover operation to infiltrate and eventually take over a major carding site. Operating from a civilian office in Pittsburgh, Mularski built a legend as a Polish spammer to gain credibility and access to the vouched forums that emerged after Operation Firewall.

7. The Cat-and-Mouse Game and Exposure

You are No Longer Anonymous!!

Post-Firewall chaos. Operation Firewall scattered carders, but they quickly regrouped on new, smaller forums. Max's hostile takeover of these sites, consolidating them into Carders Market, brought a temporary order but also drew significant attention and sparked rivalries.

Rivalries and paranoia. Max's actions ignited a public feud with Dave Thomas ("El Mariachi"), who suspected Iceman was law enforcement. Thomas relentlessly attacked Carders Market's hosting, eventually forcing Max to move the site to Iran. This public "carder war" drew media attention, exposing Iceman to a wider audience.

Master Splyntr's cover blown. Max's paranoia extended to his own administrators. Suspecting Master Splyntr was a mole, Max used his hacking skills to trace Splyntr's login IP address back to the NCFTA office in Pittsburgh, correctly identifying him as a federal agent. Despite Max's efforts to expose him, Mularski managed to maintain his cover by quickly moving DarkMarket's hosting and discrediting Max's claims.

8. The Net Closes: Arrest and Aftermath

Iceman’s identity had been hidden in the government’s computers all along.

Evidence accumulates. Law enforcement agencies, including the Secret Service and FBI, were independently tracking Max. Giannone's arrest for selling Max's dumps led to his cooperation, providing key details about Iceman and his partner Chris Aragon. This information, combined with old records from Norminton and Janer, finally linked Iceman to Max Ray Vision.

The final hunt. Physical surveillance and electronic monitoring confirmed Max's location at a corporate apartment in San Francisco. Aware of Max's use of strong encryption (DriveCrypt), law enforcement planned the raid carefully to capture his computers while they were running, allowing forensic experts from CERT to access the decryption key stored in RAM.

Capture and consequences. Max was arrested in September 2007. His encrypted hard drives, once thought impenetrable, were cracked. The evidence revealed the full scope of his crimes, including 1.8 million stolen credit card accounts and estimated losses of $86.4 million. Facing decades in prison, Max cooperated, leading to a plea deal and a thirteen-year sentence, the longest for a hacker at the time.

Legacy. Max's arrest, along with those of other major players like Maksik and Albert Gonzalez, significantly disrupted the carding underground. While cybercrime continues to evolve, the era of large, open English-speaking forums like Shadowcrew and Carders Market ended. The case also highlighted the ongoing challenges of encryption and the need for better security standards like chip-and-PIN, which the U.S. has been slow to adopt.

Last updated: May 7, 2025