In the real world, Raphael Gray would sit in a typically messy teenager's bedroom in the Welsh town of Pembrokeshire. But on the internet, he was something else entirely: the self-styled "Curador" (from the Portuguese for "guardian") whose mission was to expose the dangers of shopping on the web.
To this end, he published the numbers, names and expiry dates of 6,000 credit cards and even sent a shipment of Viagra to Bill Gates, head of Microsoft.
This week he paid the price for his arrogance, as he was sentenced on six counts of breaking into computer systems in the UK, US and Canada, and two more of "obtaining services by deception".
In what must have appeared a neat twist, the Viagra shipment was bought with a credit card bearing Mr Gates's name, which he acquired from a Buffalo-based site, salesgate.com.
But as if to underline the fact that Mr Gray was not a top-line hacker - in fact more Sunday park football than Premier League - the card was a fake. Mr Gates never shopped at salesgate - the name was just one of a number generated by the company to test its database.
"One is always careful about saying this," said Neil Barrett, head of the security company Information Risk Management.
"He may be a good and competent hacker. But the hacking he was caught on was trivial, and poorly executed."
The sentence however left security experts irked. Having pleaded guilty to the charges at Swansea Crown Court, he was given a three-year community probation order linked to treatment for a mental disorder.
The judge heard that he had had low self-esteem from childhood; and had received a blow on the head four years before committing the offences.
The defence produced medical evidence of his condition to explain the computer fraud he undertook. Mr Barrett, who was to have testified for the prosecution, said: "It's getting close to the time when we need to have custodial sentences for some of these hackers. This looked like a good one to do it."
David Duke, chief technologist for Cryptic Software, said: "There's an underground handbook that hackers can find about what constitutes a criminal act in which country. A smart person would use that. But people still think hackers are cloak and dagger types sitting in darkened rooms. Many aren't. These days they can just be schoolkids. It's that easy to find "exploits" to hack into stuff, especially Microsoft stuff, on the web now."
Mr Gray began his crusade in January 2000, telling websites using Microsoft's Internet Information Server (IIS) that they were vulnerable. They ignored him, so he wrote a small program that tapped the sites' databases of credit cards and then sent them to be published on the web, where anyone who wanted to download them could.
In March last year, after he had broken into another database full of credit card numbers, he sent a message to a news website, saying: "Law enforcement couldn't hack their way out of a wet paper bag. They're people who get paid to do nothing. They never actually catch anybody."
Not long after, the police arrived at his home and arrested him. "It was like something out of a movie!" a friend of Gray's said later. "The FBI men were wearing trench coats."
But the film is over now. Mr Gray's counsel told the court that he has a job as a computer security consultant now. It will be interesting to see how he treats any hackers who try to break into systems he is overseeing.
- INDEPENDENT
Welsh credit card hacker escapes jail sentence
AdvertisementAdvertise with NZME.