This article originally appeared on VICE France.
When Maxime* woke up at his girlfriend's house in May of 2007, everything was calm.
The 17-year-old Parisian lay there content for a few minutes, before remembering he had something to do before going to school: organise an €80,000 (AU$130K) sale of stolen credit cards on the dark web.
The internet connection at Maxime's parents' home was protected with multiple proxy servers and a VPN. His girlfriend's family computer was not – but that morning, he logged on anyway. Once online, the credit card buyer, "HatHack", commented that Maxime's IP address was in France. This made him pause for a second, but he went through with the transaction anyway, arranging to receive the money through a cryptocurrency platform, before heading out to school.
What Maxime didn't know was that HatHack was a US Secret Service agent, and that – together with France's Central Anti-Cybercrime Office (SDLC) – the Americans were gearing up to arrest an international group of 13 hackers, including himself.
Located from Turkey to Canada, France to Ukraine, the group had been hacking the databases of retail websites for customer data, then forging American credit cards and reselling them on the dark web, according to court records seen by VICE France. For three years, Maxime – who went by "Theeeel" or "Zetun" online – had been able to keep his secret life under wraps. That morning, he triggered his own downfall.
Before he was Theeeel, Maxime was a typical suburban teen – lonely and awkward. Born in Paris in 1989, to a business executive and a guidance counsellor, he says he developed a penchant for hacking when he was about six years old, downloading the Hacker Manifesto in 1994 after discovering it in the hacking magazine Phrack.
A few years later, Maxime hacked French webmail service CaraMail after school one day. "All you had to do was get into the source code," he tells me now. "Then, when you get to authentication, you change the code 'Admin = 1' to become an administrator." On CaraMail's chat forum he met a user called "Dadoo", who gave him info on a stolen credit card. "He told me how it all works," recalls Maxime. "I used it to buy more cards online." He took to roaming dark web forums such as Mazafaka, Carder and MyBazaaar, where he could buy more stolen credit cards.
On the dark web he also met "Lord Kaisersose", "Maksisk", "Junkee Funkee" and "Drondon" – all older hackers, many from outside of France. In 2003, the group began buying and reselling stolen credit cards on a large scale by hacking retail websites for customers' financial information. "We'd hack anything without a second thought, then we'd exchange 'dumps' [bank informagtion]," says Maxime. They targeted MasterCard, VISA and American Express cards. At the time, American credit cards had a magnetic strip that revealed the owner's credit limit: "We preferred screwing over rich Texans rather than someone who was already penniless."
With money flowing in, the teenager started buying video game consoles, flat screen TVs and even a few Yves Saint Lauren suits – hiding all his ill-gotten swag in his parents' attic. But inevitably, he began to want more. With the help of his network (now 13 members strong), he started to forge credit cards himself, as well as fake bills. This con was simpler, and more lucrative. He bought an MSR206 encoder [which reads and writes card data] online for €500, as well as an embosser to inscribe numbers and holograms. The data dumps were supplied by Lord Kaisersose, among others. As for the printing: "I just went to a regular old print shop on my street – simple as that." Maxime could now print and sell as many fake cards as he wanted.
"At school, nobody knew who I was. I was just a random little white dude who lived in the suburbs," he says. "I didn't necessarily want money, I wanted recognition."
For five years, Maxime managed to hide it all from his parents, even after they discovered the expensive stuff he was hiding in the attic. "They figured I was dealing," he says. "I lived in the suburbs, so that was believable."
One day, Maxime's mother discovered a photo album stuffed with hundreds of credit cards. She put two and two together. "I grabbed the album and threw it in the fire, promising her I'd stop," he tells me. But his mum didn't push the subject – and, unsurprisingly, Maxime went back to his old habits.
Between the ages of 13 and 16, Maxime raked in nearly €1 million (£850,000) and a profit of €50,000 (£42,500) a month. He invested it all in E-gold, an early cryptocurrency based on the gold index, which ultimately went under after becoming popular with hackers and other criminals. According to court documents, he also started Straps Line, an offshore accessories business that made key rings. All this before he turned 18.
On the 12th of June, 2006, US Secret Service staff based at the American embassy in Paris sent a letter to the SDLC. They had been investigating the hacker Lord Kaisersose in regards to American Express dumps. The operation, christened "Hard Drive", had identified Theeeel as a seller on the dark website Darkmarket, linking him to Lord Kaisersose.
In early 2007, Maxime was in his final year of high school when his guidance counsellor came to see him. "He said, 'Max, I've been getting some phone calls. I'm worried about you. I'm not even allowed to talk to you about it, but you should stop what you’'e doing right now.'" Maxime says that's when he knew "things wouldn’t last" – but he continued nonetheless, eventually incriminating himself on his girlfriend's computer.
One morning that June, Maxime awoke to the sound of dogs barking, and banging on his door. He immediately knew what was up, and scrambled to get rid of an incriminating USB drive. He went to throw it out the window, but saw 30-odd police officers standing in the garden. It was over. The cops raided his home, finding everything: the blank credit cards, the encoder and the computers used for transactions.
His first lawyer, Maître Laurent-Franck Lienard, explained that he faced a potential 14 years in prison and a fine of €1 million. The authorities estimated Maxime and his associates had stolen €12.5 million from over 28,000 European credit cards. Sent to temporary detention while awaiting trial, his lawyer managed to get him out for six weeks to study and sit his college entrance exams. He passed with honours.
Maxime's trial finally took place in 2008, in Aix-en-Provence, where the appellate court handed him a suspended sentence of only 12 months in prison, and a fine of €45,000. American Express demanded €1 million in damages, which the court rejected.
Once free, Maxime decided to reboot his life, passing the competitive entrance exam to become a cybersecurity engineer. After a stint at the Ministry of Defence, today he works as a senior pen-tester, identifying security risks for a private cybersecurity agency. "I'm really lucky," he says. When asked what he's learned from the entire saga, Maxime tells me he's not sure he regrets what he did. "Especially because it ended up putting me on the right track – I just had to go through all that to get here. But I want to apologise for the fear and sadness I caused my family. That, I'll always regret."
*Name changed to protect the individual’s privacy
This article originally appeared on VICE FR.