Max Ray Vision (formerly Max Ray Butler, alias Iceman, born July 10, 1972), a former computer security consultant, is an online hacker charged with two counts of wire fraud and theft of nearly 2 million credit card numbers as well as approximately $86 million in fraudulent charges.
Butler grew up in Meridian, Idaho and had a younger sibling; his parents divorced when he was 14. His father was a Vietnam War veteran and computer store owner who married a daughter of Ukrainian immigrants. As a teenager, Max Butler became interested in bulletin board systems and hacking. After a parent reported a theft of chemicals from a lab room, Meridian High School expelled Butler, and Butler pled guilty to malicious injury to property, first-degree burglary, and grand theft. Butler was diagnosed as bipolar in a two-week psychiatric evaluation at an in-care facility and ultimately received probation for his crimes, live with his father, and transfer to Bishop Kelly High School.
Butler attended Boise State University for a year. In 1991, Butler was convicted of assault during his freshman year of college. His appeal was unsuccessful on procedural grounds, as a judge ruled that Butler's defense attorney did not raise the issue in an earlier appeal. The Idaho State Penitentiary paroled Butler on April 26, 1995.
Professional and personal life
Butler moved with his father near Seattle and worked in part-time technical support positions in various companies. He discovered Internet relay chat and frequently downloaded warez, or illegally downloaded software or media. After an Internet service provider in Littleton, Colorado traced Butler's uploads of warez to an unprotected file transfer protocol server –the uploads were consuming excessive bandwidth–to the CompuServe corporate offices in Bellevue, Washington, CompuServe fired Butler.
Moving to Half Moon Bay, California, Butler changed his last name to Vision and lived in a rented mansion "Hungry Manor" with a group of other computer enthusiasts. Butler became a system administrator at computer gaming start-up MPath Interactive. The Software Publishers Association filed a $300,000 lawsuit against Butler for pirating software from CompuServe's office and later settled the case for $3,500 and free computer consulting. In March 1997, Butler became an informant for the Federal Bureau of Investigation; one of the first reports he wrote for the FBI covered unprotected FTP file servers like the one in Colorado in which he uploaded the warez.
After marrying Kimi Winters, he moved to Berkeley, California, and worked as a freelance pentester and security consultant. During this time, he developed the arachNIDS database, 'an online community resource called the “advanced reference archive of current heuristics for network intrusion detection systems,” or arachNIDS.'
FBI investigation, guilty plea, and sentencing
In the spring of 1998, Butler installed a backdoor onto American federal government websites while trying to fix a security hole in the BIND server daemon. However, an investigator with the United States Air Force found Butler via pop-up notifications and his FBI handlers. The FBI had Butler infiltrate a group of hackers who hijacked 3Com's telephone system for personal teleconference use. Butler attended the annual DEF CON hacker convention the following summer and by then had second thoughts about his work with the FBI. He hired attorney Jennifer Granick for legal representation after hearing Granick speak at DEF CON, and the FBI terminated Butler consequently. On September 25, 2000, Butler pled guilty to gaining unauthorized access to Defense Department computers. Starting in May 2001, Butler served an 18-month federal prison sentence handed down by US District Judge James Ware.
After his release from prison in 2003 on supervised release, Butler exploited Wi-Fi technology to commit cyberattacks anonymously along with Chris Aragon from San Francisco. He advanced to programming malware, such as allowing the Bifrost trojan horse to evade virus scanner programs and exploited the HTML Application feature of Internet Explorer to steal American Express credit card information. Butler also targeted Citibank by using a Trojan horse towards a credit card identity thief and began distributing PINs to Aragon, who would have others withdraw the maximum daily amount of cash from ATMs until the compromised account was empty.
Arrested in 2007, Butler was accused of operating Carders Market, a forum where cyber criminals bought and sold sensitive data such as credit card numbers. After pleading guilty to two counts of wire fraud from stealing nearly 2 million credit card numbers and spending $86 million in fraudulent purchases, Butler was sentenced to 13 years in prison, which is the longest sentence ever given for hacking charges. After prison, he will also face 5 years of supervised release and is ordered to pay $27.5 million in restitution to his victims.
- Evans, Will (27 September 2000). "Berkeley Hacker Admits To Government Infiltration". The Daily Californian. Retrieved 4 March 2011.
- Poulsen, Kevin (22 December 2008). "One Hacker's Audacious Plan to Rule the Black Market in Stolen Credit Cards". Wired. Retrieved 4 March 2011.
- U.S. Public Records Index Vol 1 (Provo, UT: Ancestry.com Operations, Inc.), 2010.
- "Case File: Cybercrime: Max Butler". Retrieved 28 October 2010.
- Mills, Elinor. "'Iceman' pleads guilty in credit card theft case". CNET News. Retrieved 25 September 2010.
- Poulsen, Kevin (2011). Kingpin: How One Hacker Took Over the Billion-Dollar Cybercrime Underground. Crown Publishers. p. 2. ISBN 978-0-307-58868-5.
- Poulsen, pp. 4-5.
- "Computer Hacker Masterminds". American Greed. CNBC. 5 May 2010.
- Poulsen 2011, p. 15.
- Poulsen 2011, p. 16.
- Poulsen 2011, pp. 14, 16.
- Poulsen 2011, p. 17.
- Poulsen, pp. 17-18.
- "McGraw Hill - Intrusion Detection and Prevention". Intrusion Detection and Prevention. McGraw Hill/intrusion-detect.com. Retrieved 16 March 2011.
- Poulsen 2011, p. 35.
- Poulsen, pp. 35-39.
- Poulsen 2011, pp. 39-41.
- Delio, Michelle (22 May 2001). "A 'White Hat' Goes to Jail". Wired. Retrieved 16 March 2011.
- Poulsen 2011, pp. 68-71.
- Poulsen 2011, pp. 80-84.
- Poulsen, pp. 101-104.
- McMillan, Robert. "Hacker Iceman gets record 13 year sentence". Retrieved 28 October 2010.
- "Federal Bureau of Prisons". Bop.gov. Retrieved 2012-08-01.