Settling into his chair and resting his fingers on his keyboard like a concert pianist, Butler began his attack. Most illegal online loot was fenced through four so-called carder sites—marketplaces for online criminals to buy and sell credit card numbers, Social Security numbers, and other purloined data. One by one, Butler took them down. (This story, like the rest of this article, has been reconstructed using court documents and conversations with friends and associates; Butler declined to be interviewed.)

First, he breached their defenses, tricking their SQL database servers into running his own commands or simply slipping in with a hacked password. Once inside, he sucked out their content, including the logins, passwords, and email addresses of everyone who bought and sold through the sites. And then he decimated them, wiping out the databases with the ease of an arsonist flicking a match. He worked for two straight days; when he tired, he crashed out on the apartment's foldaway bed for an hour or two, then got up and went back at it. Butler sent an email under the handle Iceman to all the thieves whose accounts he had usurped. Whether they liked it or not, he wrote, they were now members of his own site, CardersMarket.com. In one bold stroke, Butler had erected one of the largest criminal marketplaces the Internet had ever seen, 6,000 users strong.