Known as the “Original Internet Godfather” for his exploits as one of the first cybercriminals, Brett Johnson’s life reads like a Hollywood film script, and his story of crime serves as a lesson for fraudsters and the law enforcement officials who hunt them down.

After being placed on the United States Most Wanted List, captured and convicted of 39 felonies, he escaped prison. Captured again, Johnson served his time and accepted responsibility. He now advises the FBI and corporate America about how to understand a virtual underworld that he helped create.

“Those 39 felonies had to do with refining a lot of the different online financial crimes we see today, from account takeovers, credit card fraud, phishing schemes and tax return identity theft,” he told John Gill, J.D., CFE, ACFE vice president – education, at the closing session of the ACFE Global Fraud Conference.

Johnson’s life of crime began at the age of 10 years old when he first shoplifted food from K-Mart. Encouraged by his mother, he soon advanced to stealing clothes and toys. By the time Johnson was in his 20s, he had dabbled in charity fraud, money laundering, document forgery and other crimes.

Yet it wasn’t until the 1990s when eBay started, and the Beanie Baby craze took off, that Johnson discovered the potential behind internet fraud. He posted a photo of the popular royal blue Beanie Baby called Peanuts on the auction site. He didn’t own it, but he convinced a buyer to send thousands of dollars and then sent her a cheap knock-off. The victim of course complained — vehemently — but finally relinquished.

“That was my first lesson of cybercrime, and to this day the lesson remains” Johnson said. “If you delay a victim long enough, a lot of them get so exasperated they finally throw their hands in the air and walk away. You don’t hear from them again.”

Cybercrime has its appeal, explains Johnson. Not only is it lucrative, but unlike other crimes, fraudsters can avoid close contact with the victim making it easier to ignore the pain suffered by those they have duped.  “You never have to face your victim,” he said. “You can compartmentalize your online life. Online I do all this stuff, but in real life I am a good guy.”

Scamming the scammer

After being scammed by someone selling fake driver’s licenses on the internet, an angry Johnson created a forum that facilitated cooperation between cybercriminals called ShadowCrew. “What ShadowCrew did was to provide a trust mechanism that criminals could use,” he says.

These types of forums are still in use today, and they allow scammers to combine their skills to swindle their victims. Johnson explains that criminals require three basic competencies to carry out a cybercrime — an ability to gather data, an aptitude for executing the criminal plan and a knack for cashing out. But rarely is anyone skilled at all three, or even two, he says.

“Those networks exists so that a criminal who is good at one thing can network with another criminal who is skilled at the things they are not,” he says.

Johnson’s internet chat was a hit, but it soon drew the attention of law enforcement and the press. In August 2004, ShadowCrew made the cover of Forbes magazine and in October that same year, the U.S. Secret Service arrested 33 people connected to the site. Johnson escaped, but he was picked up in February 2005 in North Carolina.

Luck was on his side, however. The Secret Service offered him a job as an informant, only to see Johnson betray its trust by committing crimes in its employ. He was sentenced, placed in prison, escaped and put behind bars yet again. When he got out, he was prohibited from working with computers, which barred him from most jobs. Before long, Johnson was back committing online crimes and using stolen credit cards. His probation officer, the judge — and even the prosecutor — took sympathy on him, and he got a year and day for his crimes.  

Out of prison once again, Johnson still struggled to find a job given his criminal past, but he caught a break after reaching out to an FBI agent on LinkedIn, who helped him get back on his feet. “The truth of the matter is that if he hadn’t responded, I would probably be back in prison for 20 years,” said an emotional Johnson. “It was that validation from him that I really think was the main turnaround.”

With his life of crime behind him, Johnson now advises companies to listen to their IT professionals and says be prepared for a cyberattack, as it is not a question of if but when this will happen. This means consistent training of staff and investing in the right preventive tools.

“Forty one percent of every single router on the planet has a default password,” he warns. “Think about that for second. It is very easy to get access.”