Unplugged! The biggest hack in history

The 'Phonemasters' tapped into the nation's power grid, obtained private White House numbers and rooted around credit-reporting agencies. Here's how accountant-turned-sleuth Michael Morris cracked the case.

DALLAS -- In a federal courtroom here, Calvin Cantrell stands silently, broad shoulders slouched. His lawyer reads from a short letter he has written:

"My parents taught me good ethics, but I have departed from some of these, lost my way sometimes," the letter states. "I was 25 and living at home. No job, and no future... . All I ever really wanted was to work with computers."

Cantrell certainly did work with computers -- both his own, and, surreptitiously, those of some of the largest companies in the world. He was part of a ring of hackers that pleaded guilty here to the most extensive illegal breach of the nation's telecommunications infrastructure in high-tech history.

And sitting behind him in court as he was sentenced two weeks ago was the accountant-turned-detective who caught him: Michael Morris. A decade earlier, Morris, bored with accounting work, left a $96,000 job at Price Waterhouse and enrolled in the FBI academy, at $24,500 a year. Cantrell's sentencing was the final act in a five-year drama for Morris, and secured his reputation as the FBI's leading computer gumshoe.

The tale of Morris and Cantrell is among the first cops-and-robber stories of the New Economy, involving, among other things, the first-ever use of an FBI "data tap." It illustrates how the nation's law-enforcement agencies are scrambling to reinvent their profession in a frantic effort to keep pace with brilliant and restless young hackers.

Unlimited potential for harm
The story also shows that hacking's potential harm is far more ominous than theft of telephone credit-card numbers. Cantrell was part of an eleven-member group dubbed "The Phonemasters" by the FBI. They were all technically adept twentysomethings expert at manipulating computers that route telephone calls.

The hackers had gained access to telephone networks of companies including AT&T Corp., British Telecommunications Inc., GTE Corp., MCI WorldCom (then MCI Communications Corp.), Southwestern Bell, and Sprint Corp. They broke into credit-reporting databases belonging to Equifax Inc. and TRW Inc. They entered Nexis/Lexis databases and systems of Dun & Bradstreet, court records show.

The breadth of their monkey-wrenching was staggering; at various times, they could eavesdrop on phone calls, compromise secure databases, and redirect communications at will. They had access to portions of the national power grid, air-traffic-control systems and had hacked their way into a digital cache of unpublished telephone numbers at the White House. The FBI alleges, in evidence filed in U.S. District Court for the Northern District of Texas, that the Phonemasters had even conspired to break into the FBI's own National Crime Information Center.

Unlike less-polished hackers, they often worked in stealth, and avoided bragging about their exploits. Their ultimate goal was not just fun, but profit. Some of the young men, says the FBI, were in the business of selling the credit reports, criminal records, and other data they pilfered from databases. Their customers included private investigators, so-called information brokers and -- by way of middlemen -- the Sicilian Mafia. According to FBI estimates, the gang accounted for about $1.85 million in business losses.

"They could have -- temporarily at least -- crippled the national phone network. What scares me the most is that these guys, if they had had a handler, whether criminal or state-sponsored, could have done a lot of damage," says Morris. "They must have felt like cyber gods."

Some may be still at large
With the exception of Cantrell, none of the defendants in the Phonemasters case would comment on the matter. Others are thought to remain at large. This is the story of Cantrell and two accomplices largely put together from federal district court records and FBI interviews. Morris first learned of the group in August 1994, when he got a phone call from a Dallas private investigator, saying Cantrell had offered to sell him personal data on anyone he wished. He even offered a price list: Personal credit reports were $75; state motor-vehicle records, $25; records from the FBI's Crime Information Center, $100. On the menu for $500: the address or phone number of any "celebrity/important person."

Morris immediately opened an investigation. Only 33-years-old at the time, he had taken an annual pay cut to join the FBI just five years earlier. He had been a tax consultant at Price Waterhouse, and despised the work. "I was young and making the big bucks, but every morning I would think 'God, I don't want to go to work.' "

Tall, square-jawed and mustachioed, Morris began working on white-collar crimes when he arrived at the Dallas FBI field office. He took on a few hacker cases and realized he liked the challenge. "These guys are not the kind who'll rob the convenience store then stare right into the security camera," he says. "Trying to be the Sherlock Holmes of the Internet is hard when the fingerprints on the window can be so easily erased."

Morris convinced the private investigator to meet with Cantrell while wearing an audio taping device. After reviewing the tapes, he was certain that he was onto something big. He applied for and received court authority to place a digital number recorder on Cantrell's phone lines, which would log numbers of all outgoing calls. It showed that Cantrell frequently dialed corporate telephone numbers for AT&T, GTE, MCI, Southwestern Bell and Sprint. Cantrell had also placed calls to two unlisted numbers at the White House, which further piqued Morris's interest.

So, late that summer, Morris took an unprecedented step. He began writing a 40-page letter to the FBI's Washington headquarters, the Department of Justice and the federal district court in Dallas. Recording Cantrell -- now his central suspect -- while on the phone wasn't sufficient for the job that faced him, he believed. Instead, he needed new federal powers. He asked for Washington's permission to intercept the impulses that traveled along Cantrell's phone line as he was using his computer and modem.

"It's one of the hardest techniques to get approved, partly because it's so intrusive," says Morris, who spent the next month or so consulting with federal authorities. "The public citizen in me appreciates that," he says. Still, the long wait was frustrating. "It took a lot of educating federal attorneys," he says.

Once authorities said yes, Morris faced another obstacle: The equipment he needed didn't exist within the FBI. Federal investigators had experimented with a so-called data-intercept device only once before in a New York hacker case a year earlier. It had failed miserably.

Morris and technicians at the FBI's engineering lab in Quantico, Va., worked together to draft the specifications for the device Morris wanted. It would need to do the reverse of what a computer's modem does. A modem takes digital data from a computer and translates it to analog signals that can be sent via phone lines. Morris's device would intercept the analog signals on Cantrell's phone line and convert those impulses back to digital signals so the FBI's computers could capture and record each of a suspect's keystrokes.

Alerting the victims
While waiting for the FBI to fit him with the proper gear, Morris contacted several of the telephone companies to alert them that they had been victimized. The reception he got wasn't always warm. "It's kind of sad. Some of the companies, when you told them they'd had an intrusion, would actually argue with you," he said.

GTE was an exception. Morris discovered that Bill Oswald, a GTE corporate investigator, had opened his own Phonemasters probe. Oswald and Morris began working together and uncovered another of Cantrell's schemes: He and some friends had managed to get their hands on some telephone numbers for FBI field offices. They entered the telephone system and forwarded some of those FBI telephones to phone-sex chat lines in Germany, Moldavia and Hong Kong. As a result of the prank, the FBI was billed for about $200,000 in illegal calls.

Morris also learned that on Oct. 11, 1994, Cantrell hacked GTE's computer telephone "switch" in Monticeto, Calif., created a fake telephone number and forwarded calls for that number to a sex-chat line in Germany. The FBI isn't sure how Cantrell convinced people to call the number, but court records show that Cantrell received a payment of $2,200 from someone in Germany in exchange for generating call traffic to the phone-sex service.

In early December 1994, Morris's "analog data-intercept device" finally arrived from the FBI's engineering department. It was a $70,000 prototype that Morris calls "the magic box."

On Dec. 20, Morris and other agents opened up their surveillance in an unheated warehouse with a leaky roof. The location was ideal because it sat between Cantrell's home and the nearest telephone central office. Morris and nine other agents took turns overseeing the wiretap and data intercepts. The agents often had to pull a tarp over their workspace to keep rain from damaging the costly equipment. As middle-class families go, the Cantrells seem exemplary. Calvin's father, Roy, was a retired detective who had once been voted "Policeman of the Year" in Grand Prairie, the suburb west of Dallas where they live. His mother, Carol, taught Latin and English at Grand Prairie High School, where Calvin graduated in 1987 with above-average grades.

As a student, he was no recluse. He had a small circle of friends who shared his love of martial arts, video games and spy movies. Cantrell's longtime friend, Brandon McWhorter, says Calvin was always a fun-loving guy, but there was one thing about which he was very serious.

"He would always talk to me about religion," McWhorter says. "He held very strong religious beliefs."

After high school, Cantrell continued to live at home while taking classes at the University of Texas at Arlington and a local community college.

He held a series of odd jobs and hired himself out as a deejay for weddings and corporate parties. Cantrell balanced, school, work, family and friends even as he began hacking more often. His parents became suspicious, but said nothing. The family had three phones; Calvin stayed on his 15 hours a day.

"They'd go in my room and see all the notes and the phone numbers. Even though they couldn't put it together technically, they knew something was up," says Cantrell. "They were kind of in denial... . My parents were pretty soft."

Mrs. Cantrell says Calvin had been so well-behaved that she never suspected his computer activities were more than fun and games. "I wish I had known what was going on. Unfortunately, my son was smarter than I was." (Calvin's father passed away last year.)

The hack
At 8:45 on the night of Dec. 21, just four days before Christmas, Cantrell went online. Using an ill-gotten password, he entered a Sprint computer, where he raided a database, copying more than 850 calling-card access codes and other files, court records in the case show.

The Phonemasters often got passwords and other key information on companies in a low-tech approach called "Dumpster diving," raiding the trash bins of area phone firms for old technical manuals, phone directories and other company papers. This often allowed Cantrell to run one of his favorite ruses -- passing himself off as a company insider.

"I'd call up and say, 'Hi, I'm Bill Edwards with systems administration.' ... I'd chat with them for a while, then I'd say 'We're doing some network checkups today. Can you log off of your computer, then tell me every character you're typing as you log back on?' A lot of people fell for that," Cantrell says.

After hacking into the Sprint database that evening, Cantrell talked to another hacker, Corey Lindsley, over the phone. He'd "met" Lindsley, and another hacker, John Bosanac, in 1993 while surfing the murky world of hacker bulletin boards. Cantrell then sent the copied files to Lindsley, who was a student at the University of Pennsylvania in Philadelphia.

Morris's equipment captured everything -- voice and data. It was an FBI first. "We're sitting in this place that looked liked a bomb pit, but the atmosphere was really exciting," says Morris. "We were ecstatic."

As the days passed, the FBI wiretap generated stacks upon stacks of audiotapes and data transcripts. Some was just idle talk among friends, the occasional call to finalize dinner plans, lots of workaday chatter. But the incriminating evidence mounted. "It's great, you know. I really love fraud," joked Bosanac, a Californian who was musing with Cantrell about the various technical methods of using other people's cellular telephone accounts to place free calls. "Fraud is a beautiful thing."

Family conversations even entered the investigation. On Jan. 7, for instance, Cantrell called his mother from a friend's house and asked her find an MCI manual on his shelf. He then asked her to read him a set of directions for accessing MCI's V-NET computer system. Mrs. Cantrell read the material but asked her son whether he was supposed to have the book, citing warnings that stated its contents were restricted to MCI employees. Cantrell just avoided his mother's question. The FBI data-tap captured every word.

Taking a toll
Still, the process took its toll on the FBI team, especially coming during the holidays. "It was stressful that the wiretap was going 24 hours a day, seven days a week. I had to write up the legal documents, and it's tough making people work through Christmas," Morris said. On top of that, he had to keep records of his findings, and every 10 days he had to reapply to the court to prove that his wiretap was yielding evidence.

By late January, the FBI had begun to get a clear profile of Cantrell and his hacker friends. Lindsley, it appeared, was the group's acerbic leader, directing much of the hacking activity. Over phone lines, the FBI heard him bragging about how he had given a Pennsylvania police department "the pager treatment" in retaliation for a speeding ticket he received. Lindsley had caused the police department's telephone number to appear on thousands of pagers across the country. The resulting flood of incoming calls, Lindsley bragged, would surely crash the department's phone system.

They also enjoyed collecting information about film stars, musicians and other famous people. Cantrell has admitted that he broke into President Clinton's mother's telephone billing records in Arkansas to obtain a list of unpublished White House numbers. The men, says the FBI, even made harassing phone calls to rock star Courtney Love and former child actor Danny Bonaduce using pilfered numbers.

They weren't without fear of getting caught. On the evening of Jan. 17, for instance, there was a clicking on the phone line as Bosanac, Cantrell, and Lindsley shared a three-way conference call. "What the hell happened?" asked Bosanac, according to an FBI transcript of the conversation.

"That was the FBI tapping in," laughed Cantrell.

"Do you know how ironic that's gonna be when they play those tapes in court?" Lindsley said. "When they play that tape in court and they got you saying it was the FBI tapping in?" On Jan. 18, the FBI overheard Cantrell, Bosanac and Lindsley on another conference call. With the other two men giving directions, Cantrell dialed his computer into Southwestern Bell's network and copied a database of unlisted phone numbers. The three men then discussed plans to write a computer program that could automatically download access codes and calling-card numbers from various telephone systems. They also talked about the chance that the FBI would one day track them down.

"Just remember, nobody f-- rats anybody out," said Lindsley to the others. "No deals."

"Yeah, no deals is right," replied Bosanac.

"No deals. I'm serious. I don't care what your f-- lawyers tell you," said Lindsley.

Cantrell said nothing.

Transferred codes to Canada
Later that morning, between 5:09 and 7:36, Cantrell entered Sprint's computer system and downloaded about 850 Sprint calling-card codes. He then transferred those codes to a man in Canada. The codes would allow anyone who purchased them to place free international phone calls. Morris would later learn that a contact in Canada paid Cantrell $2 apiece for each code, court records show. The Phonemasters most likely did not know -- or care -- where the codes ended up, but the FBI traced them and found some ended up in the hands of a Sicilian Mafia operative in Switzerland.

On Jan. 23, while probing a U S West telephone database, Cantrell, Bosanac, Lindsley and others stumbled over a list of telephone lines that were being monitored by law enforcement. On a lark, they decided to call one of the people -- a suspected drug dealer, says Morris -- and let him know his pager was being traced by the police.

On Jan. 27, the group was clearly feeling paranoia about being caught, prompting Lindsley to tell his accomplices to pull as many Sprint codes as quickly as they could. Cantrell began to have reservations.

"What if I stopped before all of y'all?" Cantrell asked Lindsley. "Would you applaud my efforts?"

"No," said Lindsley. "I don't think there's any reason to stop. What are you worried about?"

"Uh, I'm not worried about anything. I'm just saying, uhm. There might ... there might come a time here where I don't have time for this."

He added a little later: "I, you know, really like it. But, I don't know, I just ... Eventually, I don't see myself doing a lot of illegal things."

Lindsley continued to prod Cantrell to speed up the download of stolen codes by spending more time online and using two phones.

"I'm telling you, you run two lines around the clock," Lindsley said.

"You can't run them around the clock," said Cantrell.

"Why not?"

"Oh, come on. I think that's pushing it too hard."

"I think you just got a weak stomach there, boy."

Tension rises
By late February, things began to get tense. One of Cantrell's hacker friends informed him that his number had shown up in a database of phone numbers being monitored by the FBI. In all the excitement of burglarizing databases and rerouting phone calls, the Phonemasters had neglected to check their own phone lines for any signs that law enforcement might be listening in.

Morris hastily arranged for an FBI raid. On Feb. 22, 1995, agents raided Cantrell's home, Lindsley's college dorm room, and burst into Bosanac's bedroom in San Diego.

For Morris, the climactic raid was only the start of a long battle to bring the hackers to justice. Because of the complicated nature of his evidence gathering, it took him more than two years to compile the most salient portions of the wiretap transcripts and data-tap evidence. "All the documents and tapes from this case could fill a 20-by-20 room," Morris explains. "And at the time, I was the only computer investigator for all of Texas."

In the meantime, as federal prosecutors slowly geared up for a trial, Cantrell tried to get on with his life. "I spent the first few weeks after the raid being paranoid and wondering what would happen," he says. Occasionally, Morris and other agents would call him, asking questions about some of the systems he had hacked. By the summer of 1995, at the urging of his mother, Cantrell started attending church again. He scored the first in a string of professional computing jobs, doing systems-administration work for a company called Lee Datamail in Dallas. He neglected to tell his employers about the FBI case. "It's been mental torture for the last four years, not knowing," says Cantrell. "Can I go to school, move to another state? That kind of thing messes with your head."

Over time, Cantrell says he had come to seriously regret what he had done and the $9,000 he says he made from selling codes wasn't worth the trouble. "Looking back, it was all crazy. It was an obsession. I wanted to see how much I could conquer and a little power went to my head." Cantrell notes that he has since tried to make amends, even helping the phone companies plug their security holes and helping the FBI gather more information on some of the group's members who haven't yet been apprehended.

The matter finally seemed near conclusion this March when Morris was able to play "a couple of choice tapes" in separate meetings with Cantrell, Bosanac and Lindsley. Afterward, all three agreed to plea guilty to federal charges of one count of theft and possession of unauthorized calling-card numbers and one count of unauthorized access to computer systems. Chief Judge Jerry Buchmeyer ordered a presentencing investigation.

During a hearing on the matter, Lindsley's attorney tried to argue that the FBI had wildly overstated the $1.85 million in losses that her client's hacking had allegedly caused. But in the end, Judge Buchmeyer rejected the argument and sentenced him to 41 months in prison. Bosanac, in the meantime, has asked that his sentencing hearing be moved to San Diego, where he lives.

As for Cantrell, Judge Buchmeyer lauded his "acceptance of guilt." He could have been sentenced to three years in federal prison; instead he was given two. He reports to federal prison in January of next year.

Morris, meanwhile, has used his data-tap method in several other cases; he also travels around the country and the world advising law-enforcement agencies on how to conduct state-of-the-art investigations of hacker crimes.