Last August, Wallace admitted to compromising around 500,000 Facebook accounts, using them to send over 27 million spam messages through Facebook's servers, between November 2008 and March 2009.
Sentencing had been scheduled for last December, but it has taken the court almost a year to reach a sentencing decision.
Wallace could have faced up to 16 years imprisonment, but in the end was sentenced to just two-and-a-half years in prison and five years of supervised release.
He was also ordered to pay US$310,628.55 in restitution, according to the Office of the U.S. Attorney for the Northern District of California. That's about one cent for every message sent or about 60 cents per account compromised.
Using a Facebook account in the fictitious name of David Frederix, Wallace honed his phishing technique. He automated the process of signing into a Facebook user's account, retrieving a list of their friends, and then sending them each a message.
That message encouraged them to log into a website that would trick them into divulging their Facebook username and password before directing them to an affiliate website that paid him for the traffic. Wallace then continued his spam campaign using the newly gathered login credentials.
Facebook had previously filed a lawsuit against him under the CAN-SPAM act, resulting in March 2009 in an order not to access or attempt to access Facebook's computer network in any manner whatsoever. However, Wallace admitted that just weeks later, he flouted that order by logging into his Facebook account while on a plane heading from Las Vegas to New York.
Wallace is due to begin his sentence on Sept. 7.