A Minnesota computer hacker admitted in federal court Friday that he stole credit card information from thousands of people, used it to boost the value of cheap gift cards and then resold the cards on craigslist.
Zachary Wiley Mann, 21, of Maple Grove, pleaded guilty to a single count of wire fraud and one count of aggravated identity theft.
No sentencing date has been set, but he could get up to 20 years on the wire fraud charge, and federal sentencing guidelines call for a two-year minimum sentence on the identity theft charge.
Mann cooked up and carried out the scheme in January and February. At the time, he was on supervised release after serving an eight-month sentence for another computer-related crime in Florida.
In that case, Mann was one of five people charged with the 2005 hacking of the LexisNexis Group database — a crime in which personal records of nearly 17,000 people were stolen.
Mann, who used the online name “Majy,” was sentenced in that case in December 2006. He and the others were ordered to pay $105,750 in restitution. Mann was prohibited from owning any data encryption programs, and he had to keep a log of every Web site he visited.
Mann was also required to get permission from a judge to use a computer with a modem.
But this month, federal officials charged Mann in connection with the credit card scheme. They claimed he hacked into the “shopping cart” server of cafe chain Panera Bread’s Web site and stole customers’ credit card information.
David Anderson, a spokesman for the U.S. attorney’s office, said Mann got account information from “thousands of victims,” but he wasn’t able to provide a more precise number.
After getting the credit card data, Mann would buy gift cards in small amounts from a variety of eateries, including Panera Bread, Burger King, Wendy’s and Papa John’s, and then use the stolen credit card numbers to increase the value of the gift cards.
He sold the gift cards for cash, but federal officials didn’t say how much money, if any, he pocketed from the scheme.
After he pleaded guilty in the Florida case, federal officials acknowledged that none of the 16,674 people whose credit card accounts were accessed reported any losses.
LexisNexis claimed it suffered a loss of $103,845, but that was the amount it spent to mail notices to customers whose accounts were hacked, the cost of providing them credit-monitoring services and its own investigative expenses.
“I don’t think what we did was that bad,” Mann was quoted as saying in a June 2006 Washington Post article. “We never used anyone’s identity. Besides, don’t you think it’s wrong that a company like that has all this information that’s available to anyone who’s willing to pay for it?”
