Max Butler

Max Ray Vision (formerly Max Ray Butler, alias Iceman) is a former computer security consultant and hacker who served a 13-year prison sentence, the longest sentence ever given at the time for hacking charges in the United States. He was convicted of two counts of wire fraud, including stealing nearly 2 million credit card numbers and running up about $86 million in fraudulent charges.

Early life
Butler was born on 10 July 1972, and grew up in Meridian, Idaho with a younger sibling; his parents divorced when he was 14. His father was a Vietnam War veteran and computer store owner who married a daughter of Ukrainian immigrants. As a teenager, Max Butler became interested in bulletin board systems and hacking. After a parent reported a theft of chemicals from a lab room at Meridian High School, Butler pleaded guilty to malicious injury to property, first-degree burglary, and grand theft. Butler ultimately received probation for his crimes. He was sent to live with his father and he transferred to Bishop Kelly High School.

First offense
Butler attended Boise State University for a year. In 1991, Butler was convicted of assault during his first year of college. His appeal was unsuccessful on procedural grounds, as a judge ruled that Butler's defense attorney did not raise the issue in an earlier appeal. The Idaho State Penitentiary paroled Butler on 26 April 1995.

Professional and personal life
Butler moved with his father near Seattle and worked in part-time technical support positions in various companies. He discovered Internet Relay Chat and frequently downloaded warez, or illegally downloaded software or media. After an Internet service provider in Littleton, Colorado traced Butler's uploads of warez to an unprotected file transfer protocol server –the uploads were consuming excessive bandwidth–to the CompuServe corporate offices in Bellevue, Washington, CompuServe fired Butler.

After moving to Half Moon Bay, California, he changed his last name to Vision and lived in a rented mansion "Hungry Manor" with a group of other computer enthusiasts. Butler became a system administrator at computer gaming start-up MPath Interactive. The Software Publishers Association filed a $300,000 lawsuit against Butler for engaging in unauthorized distribution of software from CompuServe's office and later settled the case for $3,500 and free computer consulting.

After marrying Kimi Winters, he moved to Berkeley, California, and worked as a freelance pentester and security consultant. During this time, he developed 'an online community resource called the "advanced reference archive of current heuristics for network intrusion detection systems," or arachNIDS.'

FBI investigation, guilty plea, and sentencing
In the spring of 1998, Butler installed a backdoor onto American federal government websites while trying to fix a security hole in the BIND server daemon. However, an investigator with the United States Air Force found Butler via pop-up notifications. He hired attorney Jennifer Granick for legal representation after hearing Granick speak at DEF CON. On 25 September 2000, Butler pleaded guilty to gaining unauthorized access to Defense Department computers. Starting in May 2001, Butler served an 18-month federal prison sentence handed down by US District Judge James Ware.

After his release from prison in 2003 on supervised release, Butler exploited Wi-Fi technology to commit cyberattacks anonymously along with Chris Aragon from San Francisco. He advanced to programming malware, such as allowing the Bifrost Trojan horse to evade virus scanner programs and exploited the HTML Application feature of Internet Explorer to steal American Express credit card information. Butler also targeted Citibank by using a Trojan horse towards a credit card identity thief and began distributing PINs to Aragon, who would have others withdraw the maximum daily amount of cash from ATMs until the compromised account was empty.

Arrested in 2007, Butler was accused of operating CardersMarket, a forum where cyber criminals bought and sold sensitive data such as credit card numbers. After pleading guilty to two counts of wire fraud, stealing nearly 2 million credit card numbers, which were used for $86 million in fraudulent purchases, Butler was sentenced to 13 years in prison, which was the longest sentence ever given for hacking charges in the United States of America at the time. After prison, Butler will also face 5 years of supervised release and is ordered to pay $27.5 million in restitution to his victims.

Aftermath
In 2018 Butler was charged with running drone-smuggling ring from jail. The indictment states that in October 2014 he obtained an illicit cell phone and allegedly used it to obtain stolen debit card numbers from the internet, through which he stole money that he paid out to fellow inmates.

Prosecutors say that a former cellmate named Jason Dane Tidwell stayed in touch with Butler via an encrypted messaging app and that, in the spring of 2016, Butler allegedly told Tidwell to buy a remotely piloted drone with some of the debit card scam proceeds to delivery contraband by airdrop. A snitch ratted them out, but guards never managed to find the contraband. One inmate, Phillip Tyler Hammons, confessed to retrieving airdrops, and he fingered Butler as the mastermind behind the plan. Butler claims that it was Hammons who behind the whole scheme.

Butler was released from FCI Victorville Medium 2 on 14 April 2021.

Butler's story was featured in an episode of the CNBC television program American Greed in 2010.