Jonathan James, 24, was found dead of a self-inflicted gunshot wound in his home on May 18, 2008, less than two weeks after agents raided his house in connection with a hacking ring that penetrated TJX, DSW and OfficeMax, among others. In a five page suicide note, James wrote that he was innocent, but was certain federal officials would make him a scapegoat.
“I have no faith in the ‘justice’ system,” he wrote. ” Perhaps my actions today, and this letter, will send a stronger message to the public. Either way, I have lost control over this situation, and this is my only way to regain control.”
The note was provided to Wired.com this week by James’ father, Robert, who kept the details of his son’s death quiet for over a year because of the ongoing prosecutions over the retail hacks.
James apparently suffered from depression; agents executing the search warrant found another suicide note James had written years earlier, but did not seize his gun. The Secret Service declined to comment on the matter Wednesday, citing the continuing TJX prosecutions.
“Sometimes I thought he was pretty smart,” says his father. “Sometimes I thought, oh my God, I’ve raised an idiot. And the jury is still out.”
James gained notoriety in 2000, when, just 16, he became the first juvenile sentenced federally to a term of confinement for computer hacking. Operating under the handle C0mrade, James hacked into NASA and Defense Department computers for fun. Among other trophies, he penetrated the Marshall Space Flight Center in Huntsville, Alabama, and downloaded the proprietary environmental control software for the International Space Station — the programming that controlled the temperature and humidity in the station’s living space. James was sentenced to six months of house arrest — a sentence applauded by then-Attorney General Janet Reno — followed by probation.
“The government didn’t take too many measures for security on most of their computers,” James told PBS’s Frontline at the time. “They lack some serious computer security, and the hard part is learning it. I know Unix and C like the back of my hand, because I studied all these books, and I was on the computer for so long. But the hard part isn’t getting in. It’s learning to know what it is that you’re doing.”
Robert James, a programmer himself, admits he was a little proud of what his teenage son had managed to do. But when Jonathan later tested positive for drugs, the boy’s probation became six months in a juvenile detention facility. Afterwards, he stayed under the radar, until the Secret Service began closing in on the hackers behind intrusions at major U.S. retailers. Hackers compromised tens of millions of consumer credit cards, and reportedly made a multimillionaire of the ringleader, 28-year-old Albert Gonzalez, also of Miami.
The retail hack attacks couldn’t have been more different from the youthful, recreational hacking that James had once epitomized. This was a sophisticated, profit-motivated scheme.
Gonzalez and at least 13 other men have been charged over the breaches at TJX, BJ’s Wholesale Club, Boston Market, Barnes & Noble, Sports Authority, Forever 21, DSW OfficeMax, and a Dave & Buster’s restaurant. James was a friend of one of the defendants, Christopher Scott, who has since pleaded guilty and is set for sentencing in November.
The criminal complaints filed in U.S. District Court in Massachusetts describe an unindicted co-conspirator in the hacks who worked with Scott directly, identifying him only by the initials “J.J.” Robert James’ believes J.J. is his son.
In 2004, the complaints say, Scott and J.J. parked outside an OfficeMax store in Miami, accessed the store’s Wi-Fi, and intercepted an unspecified number of credit and debit card magstripe swipes, including account numbers and encrypted PINs. The two allegedly provided the data to Gonzalez, who arranged with another hacker to decrypt the PIN codes. Credit card companies later reissued some 200,000 cards, apparently in response to the OfficeMax breach.
“J.J.” is not linked in the complaints to any of the other intrusions in the case, but he allegedly had a mail drop opened for Gonzalez.
In his suicide note, James seemed to think that his past fame would get him blamed for crimes he didn’t commit.
“The feds of course would see me as a much more appealing target than Chris [Scott] — if they could tie me to this case I’d be like [Kevin] Mitnick times 10 to them,” he wrote. “Now, I honestly, honestly had nothing to do with TJX. Unfortunately I don’t picture the feds caring all too much. Read Agent Steal’s guide to getting busted. The feds play dirty. Chris called me the other day. He was in jail and they let him out. That can only mean that he too is trying to pin this on me. So despite the fact that he and Albert [Gonzalez] are the most destructive, dangerous hackers the feds ever caught, they’ll let them off easy because I’m a juicier target that would please the public more than two random fucks. C’est la vie. ”
“Remember,” he wrote, “it’s not whether you win or lose, it’s whether I win or lose, and sitting in jail for 20, 10, or even 5 years for a crime I didn’t commit is not me winning. I die free.”
James’ father remembers his son as a passionate computer geek, who started playing with the family PC at the age of 6, and switched his own computer from Windows to Linux in middle school. Prior to the NASA raid in January 2000, Robert James and his wife would frequently battle their son over his computer use, which would stretch late into the night.
At one point, the senior James took away his son’s computer; the boy, then 13, promptly ran away from home, and phoned his mother to declare he wouldn’t return unless he got his PC back. His parents tracked him to the Borders Books down the street.
Robert James chuckles when he recalls the story. “So, yeah, he kind of liked computers.”
When the publicity from his juvenile hacking conviction subsided, though, Jonathan James fell into an idleness that worried his father. His mother died of breast cancer when he was 18, leaving behind a trust that gave him the family house, which he shared with his brother. Except for a brief trip to Israel, James lived in the home for the rest of his short life. He never went to college, and, his father said, showed little interest in pursuing a career.
“He’s one of these people who would rather live without money than go to work,” said Robert James. “He was good at it. I was shocked at how good at it he was.”
If his son was involved in the Office Max hack, he adds, he wasn’t paid; he showed no signs of having money.
James and his father had a cordial but distant relationship. Shortly before the hacker’s death, though, he e-mailed his father to suggest they get together for dinner. It was an unexpected and welcome invitation. “I’m thinking he’s going to tell me he’s going to get married or something.”
The next day, though, Jonathan James was raided. “I called him up, and I said, ‘Are they going to find anything incriminating that you’ve been doing?’” recalls his father. “He said, No.”
“I said, ‘Well good, because you’re no longer a juvenile. It’s going to be serious if you get caught doing something.’ It was actually the last conversation I had with him.”
Jonathan James’ note (redacted .pdf) included personal messages to his father, brother and girlfriend, a will, and the passwords to James’ PayPal and MySpace accounts.
“He hadn’t been arrested, he hadn’t been charged, he hadn’t been tried, he hadn’t been sentenced,” his father says. “I just don’t know what the rush was.”
James’ sense of persecution appears to have been fueled by Albert Gonzalez’s past. After the raid, he learned that Gonzalez had earlier been the Secret Service’s key informant in “Operation Firewall,” a massive sting operation in which the agency used Gonzalez to infiltrate the credit card fraud forum Shadowcrew.
“Albert had been working with the feds since 2003,” James wrote. “That means that for five years he had been having people like Chris hack credit cards for him, while he makes money selling them over the Internet and then at the same time has his buyers arrested to please the feds. When this finally backfired on him, he gave them his Ace In the Hole — Chris, and got off with one count of wire fraud. Talk about entrapment!”
In retrospect, James’ understanding of the case appears tragically flawed. At the time of James’ death, Gonzalez had indeed been charged with only one of the hacks — against Dave & Busters. But prosecutors have since charged him with the others as well, despite the Secret Service’s past relationship with him. If convicted, prosecutors say, Gonzalez faces a potential life sentence.
James isn’t the only old-school hacker to resurface in connection with the growing wave of profit-oriented intrusions. New Yorker Stephen Watt has pleaded guilty to providing Gonzalez with a custom packet sniffer program used to suck down credit and debit card numbers in transit. Watt was notorious in the late 1990s and early 2000s as the hacker “Jim Jones” and “Unix Terrorist,” who targeted so-called white-hat hackers that had gone into legitimate computer security work.
Former 1990s white-hat hacker Max Butler, aka Max Vision, reemerged in 2005 as Iceman, the proprietor of a credit card fraud super-site called CardersMarket. And Ehud “The Analyzer” Tenenbaum, an Israeli man famous for hacking the Pentagon a decade ago, is now charged with stealing millions from Canadian and U.S. banks in a hacking scheme that began in October 2007.
In an eerie epilogue to James’ death, 10 days afterwards a family friend spotted two men messing with the hacker’s car; one of them was underneath the vehicle, his legs sticking out. The friend confronted them.
It was the Secret Service, Robert James says. “They took back the tracking device.” Wired.com, Kevin Poulsen