Albert Gonzalez, of Miami, pleaded guilty in US District Court in Boston to two counts of conspiracy to gain unauthorised access to payment card networks, the US Justice Department said in a statement.
Mr Gonzalez and two unidentified Russian co-conspirators were accused of stealing more than 130 million credit and debit card numbers from firms supporting major retail and financial organizations.
More than 250 financial institutions were affected including 7-Eleven, Target, Heartland Payment Systems, a New Jersey-based card payment processor and Hannaford Brothers, a supermarket chain.
Mr Gonzalez was accused of leasing servers to other hackers who used the platforms to store malicious software known as "malware" and launch attacks against corporate victims.
He is facing between 17 and 25 years in prison. Sentencing was scheduled for March 19.
"The Department of Justice will not allow computer hackers to rob consumers of their privacy and erode the public's confidence in the security of the marketplace," assistant US attorney general Lanny Breuer said.
"Criminals like Albert Gonzalez who operate in the shadows will be caught, exposed and held to account," Mr Breuer said.
Mr Gonzalez pleaded guilty in September to charges in two other cases related to hacks into major US retailers including TJX Companies, BJ's Wholesale Club, OfficeMax, Boston Market, Barnes and Noble, Sports Authority and the Dave and Buster's restaurant chain.
Sentencing in those cases was set for March 18.