The Full Story of Max Butler: Hacker Extraordinaire

At the time of this writing, Max Butler, also known as Max Vision in the hacker world, has been released from US federal prison. Max was a kind of gray hat hacker. By day, he was an IT security professional in Silicon Valley, and by night, he was stealing and selling credit card numbers on the black market. At one time, he ran the world’s largest credit card black market, CardersMarket. During his incarceration, Max assisted the Computer Emergency Response Team (CERT) in Pittsburgh with defending against hackers.

Early Life and First Offenses

Born on July 10, 1972, in Meridian, Idaho, Max Butler grew up in a tumultuous environment. His parents divorced when he was 14, and he became fascinated with bulletin board systems and hacking. This interest led to his first run-in with the law after a theft of chemicals from his high school lab. Butler pleaded guilty to malicious injury to property, first-degree burglary, and grand theft, resulting in probation and a transfer to live with his father. Butler attended Boise State University but soon faced legal trouble again, this time for assault. Convicted during his first year of college, he was paroled from the Idaho State Penitentiary in April 1995.

Professional Life and Descent into Cybercrime

After his release, Butler moved to Seattle with his father, working in part-time technical support roles. He discovered Internet Relay Chat and began downloading warez—illegally obtained software. Fired from CompuServe for excessive bandwidth consumption due to these activities, Butler relocated to Half Moon Bay, California, where he adopted the surname Vision and lived with fellow tech enthusiasts.

Butler's career took a turn when he became a system administrator at a gaming start-up, MPath Interactive. Despite a lawsuit from the Software Publishers Association for unauthorized software distribution, he continued to work in IT security and even developed an online resource for network intrusion detection systems.

Turning to the Dark Side

Max Butler's hacking activities escalated in the late 1990s. A few years before Max was caught, he realized that the Aloha Point of Sale (POS) system used by many small restaurants had a technical support backdoor built into it. In this case, the backdoor enabled tech support to assist their clients. Aloha tech support could access the end user’s system through port 5505 to provide assistance when the user called for help. Max realized that if he found a system connected to the internet with the Aloha POS system, he could access the system with sysadmin privileges through port 5505. Max was able to enter many of these systems and steal tens of thousands of credit card numbers.

Eventually, Max wanted to find every system that had port 5505 open so that he could go from stealing thousands of credit card numbers to stealing millions. Max decided to write a script that would scan millions of IP addresses looking for systems with port 5505 open. Of course, most systems do not have port 5505 open so, if they did, it was likely they were running the doomed Aloha POS. He could run this script while at work during the day, then by night hack into those systems identified as having port 5505 open.

The FBI Investigation and Arrest

Max Butler's criminal empire began to unravel in 2007 when the FBI arrested him for operating CardersMarket. He was accused of stealing nearly 2 million credit card numbers, resulting in $86 million in fraudulent purchases. Butler pleaded guilty to two counts of wire fraud and received a 13-year prison sentence, the longest ever for hacking charges in the United States at the time. Additionally, he was ordered to pay $27.5 million in restitution to his victims.

Incarceration and Continued Schemes

While serving time at FCI Victorville Medium 2, Butler's criminal activities continued. In 2018, he was charged with running a drone-smuggling ring from jail. Using an illicit cell phone, Butler allegedly orchestrated a scheme to airdrop contraband into the prison yard. Despite these charges, Butler maintained his innocence, claiming another inmate was the mastermind.

Release and Aftermath

Max Butler was released from prison on April 14, 2021. His story was featured in an episode of CNBC's "American Greed" in 2010, highlighting his dual life as a cybersecurity professional and a notorious hacker. Throughout his career, Butler's ability to exploit vulnerabilities and evade detection made him a formidable figure in the cybercriminal underworld.

Max Butler's life is a stark reminder of the dangers and ethical dilemmas in the cybersecurity field. His journey from a curious teenager to a feared cybercriminal underscores the fine line between securing systems and exploiting them for personal gain. As cyber threats continue to evolve, Butler's story serves as both a warning and a lesson in the ongoing battle against cybercrime.