09/5/2017 | Episode 5
A former FBI Most Wanted hacker, Brett Johnson is now an educator and consultant with AnglerPhish Security.
Evan: Welcome to “Trust & Safety in Numbers,” presented by Sift Science. I’m your host, Evan Ramzipoor, here today with Brett Johnson, a former hacker turned security consultant. Thanks for joining me. Before we get to the episode, let’s warm up with a quick fraud fact. Did you know that for each dollar that a hacker uses in a mobile payment scam, a merchant loses $3.34? That’s a lot. To learn more about mobile payment fraud, check out “10 Things You Need to Know about Mobile Fraud” on the Sift Science blog. Now onto the episode.
Brett Johnson started off as a hacker in the late ’90s and early 2000s. In 2002, after a series of chat sessions with like-minded hackers, Johnson developed a forum called the ShadowCrew, an eBay-style business that provided counterfeit ID cards, stolen data, and other illegal services. In many ways, Johnson laid the groundwork for today’s cybercrime forums and marketplaces. But today, Brett Johnson is a consultant with AnglerPhish Security. So Brett, tell us your story. Who are you and how did you get to where you are today?
Brett: Around 1997, ’98, a Canadian judge ruled that it was illegal for a Canadian citizen to pirate satellite DSS signal, so small RCA 18-inch satellites. So what you could do is, is you could go down to Best Buy and buy one of these satellite systems for $100, pull the card out, program it, send it up to Canada and make $500 a card. So I started doing that in campus during times with the University of Kentucky. Ended up getting online and thought I’d found a guy that sold IDs, sent him $200, sent him a picture of myself, got ripped off. Well, I was pissed off at the time because of that. Still needed the ID, so I ended up starting a forum on a website called counterfeitlibrary.com. It was myself, a gentleman from Moose Jaw, Saskatchewan named Beelzebub, another one from Los Angeles named Mr. X. Beelzebub sold fake IDs from Indiana and Ohio. Mr. X made a fake social security card, and he would sell those for like $50, the IDs were $200.
I didn’t know anything at all about the business, whatsoever. So I became the reviewer of all the products on the website. After about two years of that, the other two people who started that forum with me, they dropped off to the side. Beelzebub decided to go into the pot growing business up in Canada. Mr. X got arrested running counterfeit credit cards. So they dropped off. I was the only guy left standing and became the leader of the entire group. Counterfeit Libraries switched over into ShadowCrew. I’m thinking that was around the year 2000. ShadowCrew was started by myself, Kim Taylor and Seth Sanders.
It started as a result of us partnering with the Ukrainians. The Ukrainians were handling a bunch of credit card information. They were able to get all this credit card data, but because of where they were in the Soviet Union or the eastern block there, they were unable to cash any of it out. So they needed to partner with people in order to cash out, and that’s where we came in. Up until we partnered with the Ukrainians, we were probably 2,000 members on shadow…or on Counterfeit Library. We partnered with the Ukrainians and, literally, overnight, it switched from an…we were doing eBay fraud and PayPal fraud. It switched from that type of site over to a credit theft site, and things grew exponentially.
To give you an idea, I was making…on eBay fraud, I was pulling in, probably $12,000 every two weeks doing that. That changed to $30,000 to $40,000 a month doing just credit fraud. And there were all kinds of people doing that. We also were responsible…phishing ramped up a lot at that point in time. We were one of the first groups that did phishing for profit. Initially started with targeting PayPal, then eBay, and then banking systems and things like that. So yeah, we grew into that. We made the front cover of Forbes.
August of 2004, October 2004, the Secret Service arrests 33 people in about six countries, and they initially said 45 minutes, but it was about six hours. I was the only guy that… Yeah, I was the only guy that got away. They picked me up February 8th of 2005 running counterfeit cashier’s checks, asked me what I wanted to do for them. I told them that, “Hey, as long as you keep me out of jail, I’ll do whatever you want me to do.” So they gave me a job, got me out of jail. The day they got me out of jail, I started breaking the law again. I was the first guy that did identity theft based tax returns. That stuff that is the reason now that your tax return is delayed every year. I was the first guy that did that. So I started doing that again.
Evan: Oh, so you are the one to thank for that?
Brett: I am that SOB. Yes, I am.
Evan: Well, let me thank you personally for that.
Brett: Oh, I know you are really grateful for that one. So, yeah, I started doing tax fraud, again. Some weeks would pull in $160,000 doing that. Worked for the secret service for 10 months, still doing that kind of stuff. They finally found out that I was warning some friends of mine and doing all this illicit activity, not only as a part time side offer from outside of their offices, but from inside of their offices, as well. I was actually breaking the law from inside of their offices.
After 10 months, they gave me a polygraph. I failed that completely. They threw me in county jail. I was not under federal charges at the time, I was just under state charges. State judge reinstated the bond. Nobody told the Secret Service. I took off on a cross-country run. I was out for four months, pulled or stole another $450,000 out of ATM machines. Made the United States Most Wanted list, got caught, sent to prison, escaped from prison, got caught again, served out the time in west Texas where…let me tell you something, well, Texas knows how to do two things: barbecue and building prisons.
So, served out my time there. Took about two years for me to really understand the damage that I had caused and to really regret my life choices. Got out and I was under three years’ probation during which time I could not touch a computer and ended up pushing a lawn mower, mowing yards for a living. I was fortunate enough to meet my wife during that time. We got married two years ago. And only recently have I been able to build up this speaking business and consulting business, this security professional type business that you’re talking about. It’s not been an easy road at all. You hear a lot of people talking about this, you know, “If you go to prison as a cyber criminal, you can get out and be a consultant.” Well, no, you can’t. It’s a very difficult track to take. So, I hope that answers the question. It’s a long answer.
Evan: No, that’s a great answer. That’s a lot different from the answer that I usually get to, “How did you get into security consulting?” That’s for sure.
Brett: I went to federal prison and escaped.
Evan: That’s one way to do it. So, tell me about some of the challenges that you’ve had to overcome as a security consultant. Because you said that there is this misconception, and I’ve heard this a lot, that once you make your name as a hacker and go to prison, you have a job waiting for you when you come back. And that was actually something that I was surprised to learn from you, that that’s just not the case at all.
Brett: No. It is certainly not the case. And here’s the reason. My crimes were financial hacking crimes, identity theft also, using stolen credit cards, everything in the world. And it was all intent on making money or stealing money. So when you get out of prison…and I…my entire time in prison, I had thought, “Oh, I’ll be fine.” I had that same misconception, “I’ll be fine. I’ll get out, I’ll get a consultant job. Everyone will be in line to hire me.” Well, the thing is, you’re wanting the job, work in security, yet you have served time for stealing money. No one in the world trusts you. Why would anyone…why would a bank hire you to look at their security system or their network or even touch their computers when they know that you’ve stolen money from other banks in the past? They would be… It’s just stupidity on their part to do that.
So, even now, today, it’s difficult to have anyone trust you enough to let you access their computers. To give you an idea, tomorrow I fly out to Redmond, Washington, to meet with Microsoft. And the idea is that I’ll be testing on…me and a team of mine will be testing certain aspects of theirs for fraud vulnerabilities. Now, that being said, that does not mean that I will have access to their network at all. The thing is that, I will be testing it from the outside trying to penetrate in, as they probably look at the way the penetration looks from their end. I will have no access at all to their network.
That’s the type of stuff that these people that are coming out of prison as hackers or cybercriminals face. No one is going to trust you enough to access their systems. Yes, everyone wants your knowledge, everyone wants to know about your viewpoint and how you can help them, but when the pavement meets the road, they do not want to let you touch their computers, because they are scared to death you’re going to steal from them. And let’s be honest about that. When I went to prison, I had full intention of getting out and doing it again. There was no doubt in my mind. My plan was, “Okay, I’ll go ahead and I’ll serve my time, and I’ll get out and I’ll start back in tax fraud.” And that’s…
Evan: Right. Why won’t you?
Brett: Right. You know, you’re stealing $160,000 a week. You can get everything back you had really quick. Unless you go through the process of actually sitting down and looking at the damage you’ve caused, not only to yourself but your friends and family… You know, I stole from friends, family. I stole from people I didn’t even know. And I tried to blame it on everybody else. You know, it was always, “I did it for this person. I did it for this girl. Well, I loved her and I would…” No, no, it was all my fault. But because of the way the criminal intellect works, in order for you to live with yourself, in order for me to live with myself, I had to find reasons to do it, instead of accepting that it was all my choice.
So, yeah, it’s not an easy process. And again, to be fair, it’s…it shouldn’t be an easy process because most people who get out of prison go right back to what they were doing. That’s what I’ve always said. I say this in my presentations as well, “You get out of prison with the exact same tools in which you went into prison with.” There’s really no rehabilitation or anything unless you take the steps to rehabilitate yourself. The only time you get off in federal prison is the drug program. Now, I’ve never used drugs in my life, but I lied. I mean, I was a bad guy. I lied in order to get the drug program.
So, as I was finishing up my time in prison, they put me on this drug program. Well, the drug program, even though I’m not an addict, it really helped benefit me by making me face a lot of the choices and decisions that I had along the way. So, yeah, it’s one of those things, unless you’re rehabilitated, you haven’t…I wouldn’t trust anybody that was a former cybercriminal to touch a network, at all.
Evan: Yeah, absolutely. No, that’s totally fair. To close, I just want to ask you, what’s the most unexpected thing you’ve learned during your career?
Brett: I will tell you the most unexpected thing. It is the forgiveness that I have encountered with the people that I’ve met along the way. And by that, I mean that, this year I’m finally to the point where it looks like I am able to make a living by consulting and speaking at conferences and things like that. And the only reason that I’ve been able to do that…it’s not because of me. The only thing I’ve done is I’ve not broken the law. But I’ve had all these people that have helped me along the way. I’ve had Keith Mularski from the FBI. I’ve had Neal O’Farrell from the Identity Theft Council. Karisse Hendrick from the Card Not Present Group. All of these people have reached out to somebody who was just a horrible criminal. I was. I was just not a good person. And they believed enough to give me another chance. And it’s very humbling and very surprising. And I…you have no idea how much I appreciate that.
Evan: Brett Johnson, thank you so much for joining us today and for sharing with us. I really wish you all the best. Thank you, again, so much for sharing your experience.
Brett: Hey, thank you. Great. Have a good day now.
Evan: You, too.
Evan: Thanks for joining us on “Trust & Safety in Numbers.” Until next time, stay vigilant, fraud fighters.
Learn more about what sets Sift Science’s machine learning apart.
With billions of compromised credentials already in criminals’ hands, how do you protect your users’ accounts, your brand, and your bottom line?