Sins of the ‘saint of e-commerce’

Teenage hacker Raphael Gray said he did not regret hacking into e-commerce sites around the world, after a court sentenced him to three years’ probation and psychiatric attention.

Gray from Clynderwen in Pembrokeshire, west Wales, admitted gaining unauthorised entry to computer systems around the world as part of a multi-million pound mission to expose owners of insecure sites.

The 19-year-old stole at least 23,000 card numbers from customer databases, publishing thousands of them on his own websites in a bid to publicise poor security at retail businesses.

He is one of a breed of allegedly benevolent hackers who claim to break into computers in order to highlight and improve security problems.

But his activities brought FBI agents and Canadian mounties to the tiny west Wales village to make an arrest after a lengthy investigation.

International hacks

Using his home computer, Gray hacked into the ordering functions of top international retail sites in the UK, US, Canada and Thailand over six weeks between January and February 1999.

The self-styled “saint of e-commerce” set about publishing details of 6,500 cards on two of his own websites – and – where he used the information as an example of weak security in the growing number of consumer websites which he believed were unsafe.

He wrote on one site: “Maybe one day people will set up their sites properly before they start trading because otherwise this won’t be the last page I post to the net.”

Gray reportedly discovered the credit card number of Microsoft chief Bill Gates and sent Viagra to the company’s Redmond headquarters.

The teenager included on his sites details of his infamous database cracks in a “hall of shame”, boasting law enforcers would never find him “because they never catch anyone. The police can’t hack their way out of a paper bag”.

Traced by police

Operating under the alias Curador, Gray had scripted a program which connected to a database, extracted information, then crashed the site’s server computer when it was done, wiping out all traces of the hack.

Like all hacks, the aim was to leave no digital fingerprints and, like all hackers, Gray believed he would get away with it and live to boast to the close-knit hacker community.

But Gray’s program failed to crash at least one server, and the Royal Canadian Mounted Police and FBI – which had been tracking a number of e-commerce fraudsters in a wider investigation – used logs to trace Curador to the cottage where he lived with his mother and two sisters.

The computer studies student was at the keyboard when the agents and officers from Dyfed Powys Police turned up at the door last March.

$3m bill

During their investigations, the FBI said closing the hacked accounts and re-issuing new cards could cost the credit card industry $3m.

In December 1999, while the detectives were attempting to put the pieces together, Gray had been an e-commerce consultant for Narberth electronics shop Console King.

He built a consumer storefront for the Pembrokeshire mail order company’s website but later parted company with the store.

When he went to court last June, Gray originally denied 10 charges under the Computer Misuse Act 1990 of using a computer to gain unauthorised access to a system to break the law.

He was also accused of deception under the Theft Act to obtain computer equipment worth £1,399 and items from Debenhams worth £400.

He later admitted six charges of unlawfully gaining entry to corporate websites and four of dishonestly obtaining services.

Gray maintained, however, he was not using the information maliciously, but to raise awareness of poor internet security.

At a court hearing in April, Leighton Davies QC, prosecuting, said: “He was obsessed by his crusade – he is a highly-strung man going through an abnormal period in his life.

“He targeted e-commerce sites whose computer systems were run by a Microsoft program which suffered a security weakness. This allowed hackers to access information stored on the databases without any authorisation.”

Hacker fraternity

Gray’s infamous case was not only the talk of his tiny village, but the toast of the hacker fraternity.

In a vote posted on his website, 56% of respondents believed his actions were carried out in the name of a good cause.

Gray, who broke into the websites aged 18, wrote that it was “the weak, dangerous security of retail websites which was criminal”.

In sentencing him to three years’ psychiatric attention, the court showed it felt differently.

After Curador’s case, however, one site has heeded internet security warnings.

The storefront of former employer Console King now rejoices: “We’re 100% secure.”