Brett Johnson's Insights on the Life of a Cybercriminal

When Brett Johnson was a cybercriminal, he was known as the “original internet Godfather.” He started one of the first organized cybercrime groups , ran a cybercriminal empire, was placed on the United States Most Wanted List, and created modern financial cybercrime as we know it. But that’s not the end of the story. See The Life of a Cybercriminal with Brett Johnson for a complete transcript of the Easy Prey podcast episode. After being captured, getting convicted of 39 felonies, escaping prison, and getting re-captured, Brett found a new path. He accepted responsibility for what he’d done, and with the help of his loved ones – and the FBI – he switched sides. Now, Brett is a leading authority on internet crime, identity theft, and cybersecurity. He speaks and consults around the world to help protect people and businesses from people like the old Brett Johnson. I try to protect people against the type of person I used to be. Brett Johnson got the title of “the original internet Godfather” for one simple reason. He built the first organized cybercrime community, called ShadowCrew. It was the precursor to today’s dark web markets. It also laid the foundation for how modern cybercrime and financial cybercrime operate today. In order for cybercrime to happen, there are three things that have to work together: Gathering data, committing the crime, and cashing out. If all three don’t work together, the crime fails. But most criminals can’t do all three things. Often they’re good in one area, potentially two, but very few can do all three. In order to successfully complete a crime, most cybercriminals need to partner with other cybercriminals. If you look at the necessities of cybercrime, there are three things that have to work in conjunction for cybercrime to be successful: Gathering data, committing the crime, and then cashing out. If you were good at committing the crime, you would still need partners to help in gathering data and cashing out. Before ShadowCrew, the only way you had to find them was Internet Relay Chat. It was a rolling chat board, and you had no idea who you were talking to. They could be a good potential partner, or an amateur pretending to be an expert, or a cop, or someone just trying to steal your money. There are three major sites for organized cybercrime – ShadowCrew, CarderPlanet, and Counterfeit Library. Brett ran both ShadowCrew and Counterfeit Library. These sites were a big improvement over Internet Relay Chat. They had a forum structure, so even new people could reference old conversations. In addition, people had screen names. You could use those screen names to find out someone’s skill level and whether you could trust them. It’s a large communication channel that makes cybercrime easier. And with Brett Johnson behind two of the three sites, it seemed fitting to dub him the Godfather of a cybercrime empire. Brett grew up in Eastern Kentucky, a very poor area where you’re lucky to have a job. If you didn’t have a job, you were probably scamming, hustling, or on government assistance. Brett’s mother was a criminal through and through. His father was an enabler who was so afraid of losing his mother that he agreed to anything she came up with. When Brett was ten and his sister Denise was nine, his mother left his father and they moved to Hazard, Kentucky. His mother would go out to party and left Brett and Denise alone for days at a time. Brett was always scared she wouldn’t come back. Denise just got angry. On one occasion, their mother had already been gone for a few days. There was no food in the house. But then Denise came home with some pork chops. When Brett asked where she got them, she said she stole them. He said, “Show me how.” So Denise showed him how she shoplifted the pork chops. Brett started stealing food. At first, it was just food because he and his sister were hungry. But the shopping center also had a Kmart. So he started stealing clothes. And then toys, video games, books, music, and anything he saw that he wanted. Then his mother started to notice the stolen loot. It’s hard to ignore a brand-new TV and Atari game system. When she asked Brett, he said he found it. His mother knew that wasn’t true. She asked Denise, who never lied. And when Denise said it was stolen, Brett’s mother said the exact thing Brett had said: “Show me how.” Their mother got their grandmother involved, and the whole family started taking road trips to shoplift. His mother and grandmother would go to JCPenney’s and steal clothes. Brett was a big reader, so he would go to the bookstore and steal books. In Eastern Kentucky, you’re expected to do whatever your family does. So Brett Johnson grew up committing crime. And it wasn’t just stealing. He committed benefit fraud, charity fraud, insurance fraud , faking car accidents, faking documents, and more. I don’t want you to think that my childhood resulted in my crimes. As an adult, you’re responsible for your actions, and I chose to victimize people. Brett wants to point out that his childhood does not justify his life of crime. Just because you do something as a child doesn’t mean you have to continue to do it. His sister Denise shoplifted those pork chops because they were hungry. But she didn’t break the law again. She went on to become a teacher, a great parent, and a good person overall. Brett was the one who didn’t stop. In the 1990s, Brett Johnson branched out on his own. He faked a car accident to get money, and then he moved to the UK to get a degree in English and Theater. He also got married. By his own admission, Brett is always scared. Even today, he’s scared that the people who love him are going to leave him. When he got married, he told his wife not to worry about working. He would work, and she could just worry about school. Then he started doing all the cooking and cleaning. Soon, he was doing everything – working fifty hours a week, taking eighteen hours of classes, and doing all the housework. Something had to give. That something was his job. He was already an experienced fraudster. All he needed was a different way to make money. Brett found eBay, and he started looking for ways to make money on eBay. At that time, Bill O’Reilly did an episode on Beanie Babies. One of the stuffed animals profiled was Peanut the Royal Blue Elephant, who was selling for $1,500. Brett didn’t really understand how it worked. He just saw a cheap stuffed toy being sold online for a lot of money. He went to a Hallmark store to see if they had one. The store didn’t have Peanut the Royal Blue Elephant, but they did have a gray Beanie Baby elephant for eight dollars. Brett bought one, and then on the way home he bought blue dye. The dye didn’t work very well – the end product was ragged-looking and only vaguely blue. But he had to do something. He started researching mail fraud. As long as you send the person something, you can argue that they received it and it’s your word against theirs. Brett found a picture of the real Peanut online and posted it on eBay. A woman won the auction and thought she was buying the real thing. When Brett was a kid, he became a really good social engineer . He had to do it to adults in order to survive. It’s something you see a lot with online criminals. As children, they’re forced to learn social engineering. And then as adults, they use that skill to commit crimes. Brett used his social engineering skills on the buyer of his dyed elephant. He sent her a message saying, “Look, we’ve never done business before. You have no way of knowing I’m really Brett Johnson, and I have no way of knowing you are who you say you are. I need you to pay for this purchase with a US Postal Money Order. It’s issued by the US government and protects both of us. Send it to me, and once I’ve received it, I’ll send you the elephant.” The woman sent the money order. Unlike checks, money orders can’t be canceled. When Brett mailed her the badly-dyed elephant, she had no way to undo the payment. She called him and said it wasn’t what she ordered. He kept putting her off. She ordered a blue elephant, she got a blue-ish elephant, that should be good enough, right? Eventually, she gave up. The first lesson I learned about online crime is that if you keep putting the victim off, a lot of them get exasperated, throw their hands in the air, walk away, [and] you don’t hear from them. Brett’s eBay scam was unsophisticated. He even did it under the name Brett Johnson. But he kept going, and he got better at it. From fake products, he turned to selling pirated software. That led to installing modchips into systems. Modchips led to programming satellite DSS cards. At about the same time Brett started programming satellite DSS cards, a Canadian judge ruled that it was legal for Canadian citizens to pirate satellite DSS signals. Since RCA didn’t sell 18” satellite dishes in Canada, that was the only way for Canadian citizens to get those signals. That opened up a lot of crime. In the US, you could go to Best Buy, purchase a system for a hundred dollars, take out the card, throw away the system, reprogram the card, and ship it to Canada for $500 a piece. Brett started doing that. He was getting so many orders that he couldn’t keep up. Then he had an idea. They’re in Canada, and he’s in the US – who are they going to complain to? Brett stopped filling orders altogether, but he kept taking money. At this point, he was making around $4,000 a week. He started to get scared of how much money was coming in. Surely someone was going to investigate him for money laundering. He needed to do something to cover his tracks. Brett figured that the best thing to do was to get a fake ID, open a new bank account, and send all of his stolen money through that. But he didn’t know how to get a fake ID. So he did the best thing he knew how to do – he got online. He found a guy with the screen name “Fake ID Man.” He had reviews and everything. Brett sent Fake ID Man $200 and a photo for the fake ID. But he never got the ID. “Fake ID Man” was another scammer. Even though that’s exactly what Brett had been doing to other people, he got angry. He found a need for a place where criminals could verify they weren’t going to get ripped off by other criminals. That’s what drove him to create ShadowCrew and Counterfeit Library. Brett Johnson’s downfall started when his wife left him. He was married for nine years, and he lied to her the entire time. It took her three years to figure out he was a criminal. For the next six years, he lied that he had quit, or that he would quit after just a little longer. She eventually figured out he wasn’t going to quit. So she left. Brett had always had a deep fear of abandonment. Now that fear had become real, and it was his fault. He became depressed, then suicidal, and finally called a psychologist. She took him as a patient and tried to get him to stop breaking the law. She thought real estate might be a good career path. Brett saw her for four months, and she definitely did some good. But one night, he was lonely and horny. He was thirty-four years old and had never been to a strip club in his life. So he was that idiot who walked into the strip club and fell head-over-heels for the first stripper he saw. A girl walked by, and he suddenly felt like she was the only one for him. They got engaged, and then he found out she was addicted to cocaine. But he stayed with her. He thought that if he could save her, he could save himself. But this choice ripped the last support out of his life. Brett’s sister Denise had stuck with him through the crime and through the divorce. But the coke-addicted stripper girlfriend was too much for her. She disowned him. ShadowCrew made the front cover of Forbes in August 2004. In October of that same year, the US Secret Service arrests thirty-three people in six countries. Brett Johnson is the only person publicly mentioned as getting away. They finally pick Brett up on February 8, 2005. And the Secret Service gave him a job. He worked for the Secret Service for about a year. And he was that guy who continued to break the law from inside the Secret Service offices. Even he admits he was an idiot. When they caught on, he went on a cross-country crime spree. He stole about $600,000 in about four months. One morning, after stealing $160,000 from ATMs the night before, Brett woke up and got online. There, he saw that his name was now on the Most Wanted list. What do you do when you wake up to find yourself on US Most Wanted list? If you’re Brett Johnson, you go to Disney World. Brett was caught at Disney World with a device that’s now called Stingray, but back then was called Triggerfish. It’s a device that spoofs a cell phone tower. Your phone connects to it, and it can locate your phone within a seven-foot radius. It can locate all the phones in your area as well. The federal government likes to keep these devices very secret. They once dismissed charges against one of Brett’s associates for asking about them. But no matter how secret they are, if the government is looking for you, they can use one to find you. When Brett got picked up at Disney World, he was just riding rides. By his own admission, he was a complete idiot at that point. Of course, I went to prison, and rightfully so. If anyone ever needed a stint in prison, it’s Brett Johnson. Brett was charged, convicted, and sent to prison. He escaped and was caught again. At this point, his sister hadn’t talked to him for over a year. After his escape attempt, his father came to visit him. They got a ten-minute visit at Brett’s prison in Lexington. His father said, “Son, can I do anything for you?” And Brett said, “Can you tell my sister I love her?” Brett’s father called Denise. She was living in Hickory, North Carolina at the time, and she was pregnant. But she gets in the car and drives seven and a half hours to see Brett for ten minutes and tell him she loved him too. Brett wouldn’t see her again for another five years. It took two and a half years of prison for Brett to accept responsibility for his actions. He justified everything he’d done. He claimed that he did it for his sister, his wife, or his stripper girlfriend. It took two and a half years for him to realize that the reason he’s in prison is because he chose to broke the law. It was nobody’s fault but his own. That was, of course, a tough pill to swallow. And not just that, but also that he hurt people he didn’t know. He had stolen from and lied to people he’d never met. When he got out of prison in 2011, he had no more desire to break the law. After his release, Brett had three years of probation. One of the conditions was he couldn’t touch a computer. He had job offers from Deloitte, KnowBe4, and a few payment processors, but he had to turn them down because he wasn’t allowed to touch a computer. It got to the point where he would apply to work at a fast food place and his probation officer would say no, there’s a computer involved. He couldn’t get a job. He was bumming from his father and sister, and on food stamps so he could eat. When you leave prison, they tell you to find a job and something you care about and your chances of going back are zero. Brett found something to care about – his cat. It got to the point where he had enough money to feed the cat, but not enough left over for toilet paper. He went to the dollar store and bought cat food. On the way out, there was a kiosk of toilet paper. And he stole some. That was the first crime I committed when I got out. I didn’t want to go back online to do it, so I ended up shoplifting toilet paper. Around this time, Brett met his current wife, Michelle. He ended up moving in with her a couple months later. Eventually, he even got a job. The only person that would hire him was a guy running a landscaping business out of his house. Brett pushed a lawn mower ten hours a day for $400 a week. You can tell from looking at him that Brett Johnson is not a manual labor kind of guy. He would come home, pass out, wake up, shower, and go out and do it again. But he was doing something, and at this point, he was happy. But then the weather got cold. Grass stopped needing mowed, and his job ended. Michelle was the only one working. Brett felt like he had to do something to show he was worth it. He figured if nothing else, he could bring in food. So he got on the dark web , bought some stolen credit cards, and started ordering groceries. It was just like when he was shoplifting as a kid. He started with food, but then food turned into clothes. If he was supplying food, why shouldn’t he get Michelle’s kids the clothes they need, or buy Michelle something nice for Christmas? He got arrested – of course he got arrested – on a food order. Michelle had no idea. At his sentencing hearing, the only people there were the US Marshals, the judge, the prosecutor, Brett’s probation officer, Brett himself, and Michelle. Michelle stood in front of the judge and said that Brett was a better dad to her kids than their actual father. Brett was crying like a baby. That’s the moment he found out that the whole time, Michelle didn’t need him for what he gave her. She just needed him for him. Before, he’d only ever had that love and acceptance from his sister. Brett still had to serve ten more months in prison. But he came out a completely changed man. He and Michelle got married shortly after his release, and he finally got off probation. And he started looking for a job – any job. They always say that at the very least, you can get a job selling used cars, but not Brett. He knew his limits and his triggers. He knew that if he had access to that information, he would go too far. Eventually, Brett got on LinkedIn and reached out to Keith Mularski, FBI “super cop,” as he says. He sent Keith a message saying, “I respect everything you did, and I’d like to be legal.” Keith took Brett under his wing. To this day, he gives him references and advice. Brett’s new career protecting people from cybercriminals started there. They went to the head of the identity theft council. Eventually, Microsoft came in and hired him. Now he has a completely blessed life. He still doesn’t think he deserves it, but he works hard to try and justify it. I’m adamant about trying to not be remembered as the guy who stole everything. I’d like to be remembered as the guy who turned it around. Brett does a lot of consulting. He works with Fortune 50 and Fortune 500 companies, as well as financial institutions. He also has a couple podcasts, including The AnglerPhish Podcast, The Online Fraudcast, and a new one that he’s working on called The Unethical Life. He works with the AARP, consumer groups, educational instituations, and law enforcement. He even gets to talk at Quantico’s CISO Academy twice a year. Brett is very adamant about making amends. He doesn’t think there’s anything he can do to make up for the damage he caused. That’s why it’s important to him that every choice from here on is a good one. Brett considers himself blessed to have the opportunity to help people instead of harm them. There’s no way he’s going back to being Brett Johnson the cybercriminal. Once you got a taste of doing things right and helping people, that’s a pretty good taste. Most people think cybercriminals are fantastically skilled computer hackers who can break into anything. That’s just not true. There are criminal computer geniuses, but not very many. Most cybercriminals are just very good social engineers . They know how to manipulate you with technology and psychology to trick you into giving them information, access, data, or cash. Cybercrime is not rocket science – it’s not complicated to defraud someone. The other thing you need to understand is that everyone’s information is already available. Many people think there are things we can do to make sure our information isn’t compromised. That ship has sailed. Last year alone, there was something like 1,500 data breaches with 2.6 billion records compromised. And that’s just what’s reported. The question becomes, if all of our information is available, what can we do so that if a criminal has it, they can’t use it? The good news: Protecting yourself isn’t rocket science, either. All of the credit reporting agencies have the option to freeze your credit. And don’t just freeze yours – freeze everyone’s in your house. A quarter of all kids will be victims of identity theft , synthetic fraud , or medical fraud. It’s free to freeze your credit. It’s important to note that a credit freeze only stops new account fraud. A criminal can still access all your existing accounts and victimize you. That’s why step two is also essential. Monitor all your existing accounts. Put alerts on them as well. Cards from Discover even have a zero dollar alert. If someone buys your Discover Card information and pings it to see if it’s active, you’ll get a text that someone did that. When you have alerts active, you can notice fraud and stop it immediately. Eighty percent of people on the planet use the exact same login and password across multiple websites. The obvious step would be to find something better than passwords, but that doesn’t seem to be happening any time soon. In the meantime, get yourself a password manager . And then use it. Convince your family to use it. We’ve never been taught what a secure password is. Let a password manager take that job off your hands. A scam starts with a scammer and a target on opposite sides of the fiends. The scammer’s goal is to get the victim to their side of things. If the victim doesn’t trust them, they won’t get cash, information, access, or anything. The trick is to establish that trust. In a modern world, trust is established by tools, technology, and social engineering. On the tech side, we all have cell phones, and we tend to trust the information we get from them. Scammers can use call spoofing to trick us. When Brett calls you, your phone will tell you that it’s Brett Johnson calling from Birmingham, Alabama. But when a scammer spoofs that information, they can make it say whatever they want. And you don’t have to be a tech expert to do it. There are easy services that can change it for you. They can make it look like they’re calling from the IRS , the Social Security Administration , or anywhere else. By spoofing who you think they are, they lay base levels of trust. Once they have that, they can use social engineering the rest of the way. There are different ways to use social engineering. They typically start with establishing some rapport and trust. Then they introduce the problem – there’s some sort of issue that you need to solve. Often, they try to scare you with the severity of the problem. A lot of scams are long cons, especially romance scams . They put a lot of effort into building rapport and befriending the victim, then inspiring the far of loss. They try to manipulate the victim into giving cash because the victim is desperate. It all boils down to instilling some degree of desperation in the victim, getting the victim to act out of a degree of desperation. It’s important to approach everything with a degree of objectivity. When you’re the victim, being objective goes out the window. The scammer’s job is to make sure you’re not thinking objectively. They want you to act out of emotion and not reason. Take a step back and think about what’s going on. Brett also recommends you find a buddy you can run things by, just to see how it sounds from an outside perspective. The problem is that people like to trust. As humans, we want to believe the best in everyone. A lot of people just don’t realize there are predators out there and they will victimize you. As Ronald Reagan said, “Trust, but verify.” Brett wants people to trust each other, but still verify everything you can. Criminals will victimize you differently depending on who you are and what you do. The method will vary if you work in payroll, are a CEO, or have worked in food service for twenty years. They will still victimize you, but the way is different. The same is true if you’re a company or institution. Do you have data that can be stolen and resold, or do you have data your company needs to operate? That will determine whether they steal your data or lock it with ransomware. Understand how cybercriminals will want to target you, and design your security around that. Too often people are reactive in their security. But if you’re waiting to be a victim, Brett promises it’s coming. Even if you join an identity theft protection service or have all the anti-malware software in the world, know what’s going on with your accounts and be proactive across the board. The only reason you’ve not been victimized right now is there’s so much information out there that it’s like the worst lottery in the world. There’s just not enough criminals to take advantage of it right now, but it’s coming. The three steps Brett recommends are great for being proactive. Be aware of your environment and be aware of what signs you’re going to. Stay safe, stay vigilant, and don’t live a life being scared. You can find Brett Johnson on LinkedIn , which tends to be his main social media channel. He is also on Twitter , where he complains a lot. His main website is anglerphish.com . If you are having trouble, reach out to him, call him, or email him. He will help as much as he possibly can to make sure you’re safe.