Was Morgan Stanley Compromised By Project Mayhem?

One of the key headlines these days has been the unmasking of what has been dubbed the biggest identity theft and credit card fraud case in history, allegedly spearheaded by one Albert Gonzalez, who in 2003 was involved in a comparable scheme however upon being caught, promptly became an informant for the Secret Service and turned over 30 of his hacking buddies. Six years later it is he this time who is in the hot seat, together with most of his associates, including one 25 year old Stephen Watt, who supposedly was the creator of the credit card sniffer software used to hack into over 130 million of various credit cards for merchants such as TJX, Dave And Busters and 7-Eleven, which numbers were subsequently sold for hefty sums to Eastern European purchasers. What is peculiar in all this is that apparently for the entire duration of this operation, Stephen was working in "Application infrastructure development and in house security toolkit development" at Morgan Stanley (earning $99,000 a year as a 21-23 year old programmer in 2004-2007), and subsequently took a brief position with Imagine Software, where he developed "real-time computer trading programs for financial firms." Did Stephen learn the tools of the trading game at MS, while at the same time hacking millions of credit cards, only to take what he learned from both ventures into a new operation, one that counts among its clients the Who's Who of Wall Street? Or, alternatively, did he use his packet sniffing skills at Morgan Stanley? The questions grow...

While the case against Gonzalez is rather clear cut, with him apparently being a recidivist, who should have been taken down the first time around the Secret Service got involved in his deal, that of Watt is less conclusive. According to Wired magazine, "[Gonzalez] spent $75,000 on a birthday party for himself and once complained that he had to manually count $340,000 in pilfered $20 bills because his counting machine broke. But while Gonzalez apparently lived high off ill-gotten gains, [Watt] sits broke and unemployed, his career in shambles, while awaiting sentencing for a piece of software he crafted for his friend."

To be sure Watt's involvement in the hacking industry has its roots in his past:

Though it’s unacknowledged by the prosecution and defense, Watt was once known in hacker circles as “Jim Jones” and “Unix Terrorist.” In the late 1990s and early 2000s, that hacker was part of a band of self-proclaimed black hats that opposed the publication of security vulnerabilities and resisted the hacking scene’s shift from recreational network intrusions to legitimate security research.

“I figured out his name years ago, Stephen Huntley Watt, and then the guy wound up getting indicted on the TJ Maxx thing,” says former hacker Kevin Mitnick.

Under the rubric Project Mayhem, the gang managed to hack into the accounts of a number of prominent “white hat” hackers and publish their private files and e-mails. At the 2002 DefCon hacker conference, Watt took the stage with two friends to personally share some of the hacked e-mails.

What exactly is the prosecution's case against Watt:

The Information alleges that WATT was a member of a conspiracy which, between 2003 and 2008, unlawfully gained electronic access to corporate computer networks using various techniques, downloaded customers’ credit and debit card information, and fraudulently used that information and sold the information to others for fraudulent use. The Information further alleges that WATT modified and provided a “sniffer” program used by the conspirators to monitor and capture the data crossing corporate computer networks.

The full sentencing memorandum against Watt is presented below (trust the United States Of America to be unable to even get the name of the only defendant correct, one would imagine the SEC is somehow involved here):


For a more humane representation of Stephen Watt's actions we recommend reading the Sentencing Memorandum prepared by Watt's lawyer, Michael Farkas, presented below:



Yet, while Zero Hedge will not make any determinations with regard to a justification of Stephen's actions (although there is a certain soft spot for an individual who used a Project Mayhem moniker in his transgressions) what is a major issue here is what if anything did Watt do while he was employed as a "software engineer" at Morgan Stanley, especially since the primary action against him by the government is that he created an (illegal) packet sniffer dubbed "blabla", and what skills did he learn there (and possibly abuse) to take to his next employer Imagine Software where, as the memorandum reveals, he worked on "software such as real-time computer trading programs for financial firms."

Notable is that the entire case against Watt revolves around his creation of a packet sniffer: a program that, by its simplest definition, allows the interception or capture of IP traffic. From the Watt Memorandum:

A program known as a "sniffer" refers to a class of application that captures any type of data that travels across a communications network. "Packet sniffers" are the most commonly referenced, which are used to capture and often store data that travel across a local network or the Internet. Sniffers serve a wide variety of purposes and can be used in many sorts of legitimate research, diagnostics, and security-related scenarios, in addition to illegal data gathering... and from the footnote: Sniffers can also be appropriated for malicious activity, as they can also be used to capture information that travels across networks such as logins and passwords, transmitted files, and various forms of electronic conversations.

And the reason why Watt is in this jam is precisely because he created a sniffer to isolate credit card numbers out of total Internet traffic:

The sniffer "blabla" involved in this case falls into this latter class of sniffers, which blindly logs any type of data. Specifically, it is known as a "raw TCP sniffer," which can be used to "sniff" incoming data to any sort of Internet server as it was not designed with the prescience of any target host computer or network.

For the conspiracy minded, let's recall that packet sniffing was one of Sergey Aleynikov's, of Goldman Sachs "market manipulation" allegation fame, primary background strong suits. One need not think too hard about how having the benefit of non-public data information in the field of High Frequency Trading (ignoring the concept of Flash orders for the purpose of this thought experiment) could provide a massive profitable leg up to the entity that managed to (surreptitiously) control such packet sniffing.

Which raises the question: was Watt, while employed at Morgan Stanley between 2004 and 2007, a time bracketed on both sides by his illegal activities in the 2003-2008 period, using his knowledge of packet sniffers only in the context of his allegedly illegal scheme to capture credit card numbers while working with Gonzalez, or did his expertise render him more valuable to Morgan Stanley than the headlines would make it seem? Alternatively, did an unquestionably bright Watt realize some of the weaknesses in MS' trading infrastructure, and if so, have these been disseminated? After all it took just a hint of potential impropriety in the Aleynikov case to have the Fed's arrest him just days after Goldman's awareness of his activity (not to mention a bail higher than that of "Sir" Alen Stanford).

An indication to this may be provided by by some hacker disclosures on bulletin boards, where n0td3v writes that Watt is best known for "back dooring of the Qualys Vulnerability Scanner." The fact that Watt actually did work at Qualys in 2001-2002 is not lost. Perhaps Watt's MO, is that if his skills were not used directly for the benefit of his current employer, was to discover the weaknesses present in the IT infrastructure with the goal of potential subsequent abuse?

Yet it bears pointing out that the firm that Watt left for after quitting Morgan Stanley, Imagine Software, counts among its clients such names Credit Suisse, Deutsche Bank, Jefferies, Smith Barney, Millennium Management, PNC... and Goldman Sachs JBWere. From Imagine's About Us section:

Imagine’s reputation for delivering tangible competitive advantage is based upon proven innovation that enables users to stay abreast of the market. Imagine Software puts institutional-grade functionality, broad cross-asset instrument support, and the ability to employ any trading strategy in the hands of sell- and buy-side businesses of all sizes.

  • Introduced enterprise solution, Imagine Trading System, in 1993, and ASP solution, Derivatives.com, in 2000
  • Headquartered in New York with offices in London, Sydney, and Hong Kong
  • Thousands of users across major hedge funds, fund-of-funds, pension funds, brokerage firms and banks worldwide
  • Significant prime broker relationship with Credit Suisse
  • Relationships with other major prime brokers
  • Leading provider of on-demand derivative trading analytics, portfolio and risk management solutions
  • Winner of two #1 Risk Magazine Awards (equity trading and equity analytics) several years in a row

Whether Watt's potential transgressions include just the creation of the blabla packet sniffer which was used to defraud numerous public companies out of hundreds of millions, or were his unique skills geared for something more, now that the bright 7 foot tall hacker had managed to find his way into the pinnacle of financial society, will likely remain unknown. However, Zero Hedge will follow the case (District Court of Massachusetts, 08-cr-10318) and await eagerly the release of the transcript of the Sentencing Hearing of Watt, which should be made available to the public in mid-September (presumably severely redacted just like the previously filed disclosure by Belopolsky and Volfbeyn againt RenTec: wouldn't want those "trade secrets" leaking now, would we).

In conclusion, this case which seems to have more and more loose ends unravel each and every day, could potentially benefit by the prosecutors focusing not just on the direct actions of Watt while collaborating with Gonzalez, but on whether there was any potential impropriety by the alleged perpetrator while employed in the capacity of a programmer, dealing with what by all counts seems to be very intimate day-trading software at major Wall Street organizations.