How Brett Johnson, the ‘Original Internet Godfather’, walked away from his cybercrime past

His first marriage was paid for courtesy of insurance fraud and by 2006 he was on America’s most wanted list. Now he’s helping firms to tackle cybercrime

Dionysios Demetis
Friday 05 January 2018 17:29 GMT
Comments
Johnson tears up when he mentions the FBI special agent who helped him quit online fraud
Johnson tears up when he mentions the FBI special agent who helped him quit online fraud (The Conversation/Dionysios Demetis)

Your support helps us to tell the story

From reproductive rights to climate change to Big Tech, The Independent is on the ground when the story is developing. Whether it's investigating the financials of Elon Musk's pro-Trump PAC or producing our latest documentary, 'The A Word', which shines a light on the American women fighting for reproductive rights, we know how important it is to parse out the facts from the messaging.

At such a critical moment in US history, we need reporters on the ground. Your donation allows us to keep sending journalists to speak to both sides of the story.

The Independent is trusted by Americans across the entire political spectrum. And unlike many other quality news outlets, we choose not to lock Americans out of our reporting and analysis with paywalls. We believe quality journalism should be available to everyone, paid for by those who can afford it.

Your support makes all the difference.

It’s 7am and I’m driving through Hull city centre to pick up Brett Johnson, known in cyberspace by the alias Gollumfun and dubbed the “Original Internet Godfather” by the US Secret Service.

Johnson was on the notorious US most wanted list in 2006, before being arrested for cybercrime and laundering $4m. I’ve never met anyone whose name has been on that list, and so our encounter comes with some level of subliminal intimidation. Turns out, he’s both casual and friendly and I’m keeping an open mind.

But I also have to remind myself that he’s a former cybercriminal, who invented a “popular” online tax-return fraud scheme, plenty of identity theft variants and ShadowCrew – the precursor to the dark web.

We’re scheduled to spend two days together. I invited Johnson to give a talk at the Business School of the University of Hull and, some weeks after his talk – in partnership with the FBI – at the University of Tulsa in Oklahoma, he flies over for his first trip to the UK.

Johnson – who over the course of the next 48 hours takes me through his former criminal mindset blending cybersecurity and money laundering (a topic that I’ve spent more than a decade researching) – exudes confidence, but admits that being involved in cybercrime was the biggest mistake of his life.

He has nothing but good words for US Secret Service agents, but he did disappoint them when they let him out of prison on the understanding that he would work as an informant (he carried on committing fraud from within their premises).

Johnson praises the FBI, as we walk along campus, and tears well up when he mentions the name of special agent KM, who guided him in dropping cybercrime for good. His sister Denise and wife Michelle always come up when discussing how he turned his life around. They “saved my life”, he says, while recalling the hardships of his formative years when he felt pushed into skulduggery at the age of 10: the family fraud ring was led by his mother who also convinced Johnson’s grandmother to join in.

“It was almost written in stone that I was going to end up in some sort of fraud,” he says.

His first marriage in 1994 was paid for courtesy of insurance fraud. Johnson staged a fake car accident to finance his wedding day. By the time he started using the web, it was a natural progression to shift his fraudulent behaviour online.

He started by scamming eBay buyers. Then he exploited a loophole when a Canadian judge ruled that satellite dishes can be “pirated” legally (in Canada but not the US). Johnson reprogrammed the transmission cards for his Canadian customers and discovered he couldn’t fulfil the orders fast enough. Soon enough, he thought: “Why send them the product altogether? Who are they going to complain to?”

Clearly, Johnson made many, many mistakes. He’s the first to admit it and often points to himself as “this idiot” who broke the law, then broke it again, and took quite some time in prison (including eight months of solitary confinement) to come to terms with what he had done.

More than a decade later, he now channels his expertise in darknet intelligence gathering, blackhat auditing, penetration testing and social engineering into his consultancy firm, AnglerPhish Security. Johnson, who now advises Fortune 500 companies, seems confident that he has turned his back on crime. He tries, he says, to convince young cybercriminals – who contact him online – to quit their deceptive ways.

Cybercriminals are deluded when it comes to sidelining the consequences of their actions, Johnson explains. They repeatedly deny negative outcomes and, later on, accept they’ll carry on committing crime no matter what. Cybercriminals focus on the joy of their dark craft, harvest interconnected practicalities and exploit subtleties that stretch way beyond the confines of a computer screen and escalate to geopolitics.

As a simple example, Johnson used to hijack IP addresses in Eastern Europe when committing identity fraud as they were less likely to be reported to the US, due to the deteriorating political relationships between the countries. Everything matters. Detail matters most. That’s why, he explains, in the context of “friendly fraud” (or refund fraud), miscreants do their homework.

“Really, criminals are the only people on the planet who read the terms of service on websites. No one else reads them,” he says. They do it, he adds, to “get an idea of how that website operates”.

Time, he says, is also critical and “if you wait out a victim long enough then they’ll go away exasperated” – a lesson he learned early from his first eBay scam. Online victims rarely report a crime to the cops. It’s a trend that frustrates cybercrime police units. Worse still, some companies decline to report cyber attacks and can – as was recently revealed with the latest Uber scandal – go to extreme lengths to conceal a system hack affecting customer data.

When it comes to cyber-enabled financial crime, Johnson says, hijacking identities remains central to the process. It was this knowledge that, in 2004, led him to take over counterfeitlibrary.com: the site that attracted cybercriminals who wanted a fake identity.

One of the cornerstones of cybercrime is “networking between individuals to realise maximum success or potential for financial crime”, he explains. The vast majority of online fraudsters aren’t “professionals”. Instead, they feed off each other: publishing manuals, guides, notes and helping out in forums wherever possible. If one cybercriminal finds a loophole in a multinational’s system, then it’s all hands on deck. The £2.5m stolen from Tesco Bank in the UK last year started from a single forum post of someone claiming that they had taken out £1,000.

That’s exactly why monitoring what’s going on in the dark web is so important for companies. But it’s not just potential corporate victims who are being trained in this dark art. Top cybercriminals charge wannabe scammers hundreds of dollars for six-week online courses on how to commit fraud. They also protect each other; giving advice on how to maintain and secure their own anonymity online. Back in the day, Johnson did the same thing for free for ShadowCrew members. Now, everything is monetised.

***

Johnson ran the ShadowCrew network, where he sold fraudulent bank accounts, prepaid debit cards and collaborated extensively with others to combine phishing scams and the CVV1 hack. ShadowCrew moderator Albert Gonzalez was sentenced to 20 years for masterminding the online theft of 170 million card numbers. And it was that network that eventually landed Johnson behind bars.

But it doesn’t end there: Johnson also established online tax fraud based on hijacked identities – a highly lucrative criminal activity. It became central to the illegal flow of money that he’d set up. He used the California Death Index and filed tax returns for the dead; surprisingly, it worked. He could file one tax return every six minutes but couldn’t open online bank accounts fast enough. Over the course of his cybercriminal activities, Johnson had opened “hundreds of accounts”. Some weeks he claims he was “pulling out $160,000 in cash”.

Despite being an early architect of online crime, even Johnson is amazed by the scale of it today. ShadowCrew had 4,000 members, he says, whereas AlphaBay boasted 240,000 users before it was shut down by the FBI. But with what appears to be an ongoing multi-state distributed-denial-of-service attack on major darknet forums, cybercriminals quickly flock elsewhere. Bitcoin, Johnson adds, is an almost perfect tool for cybercrime.

Banks, companies and many different institutions routinely adopt anti-fraud tools to prevent their systems from being vulnerable to hacks and scams but – at the same time – fraudsters embrace them, too. They test the tools to make sure that their activity avoids detection. They also purchase off-the-shelf software that blocks detection attempts altogether and scrambles behavioural detection efforts.

Another tool he demonstrates allows anyone to buy hijacked IP addresses from a wide list of countries, including the UK, and costs around 30p per IP address. It also calculates, for a further 15p, a risk score for the fraudster of the probability of detection/blocking of that IP address by commercial anti-fraud and anti-spam software.

I find it difficult to get past the subtle irony of IP risk scores informing the decisions of cybercriminals. Then again, if they’re doing their own operational security, fraud-based “risk management” seems a natural next step in this evolving tango.

There’s so much to discuss with Johnson that our allotted two days go by very quickly. After his visit, we connect online and he suggests renaming my long lost Unix alias from carlito, which is a moniker now reserved by someone else, to carl1to – with the number “1” denoting the first Carlito in a nod to a Nineties mobster movie starring Al Pacino. Somehow, it feels like a fitting end to my time with the Original Internet Godfather.

Dionysios Demetis is a lecturer in management systems at the University of Hull. This article first appeared on The Conversation (theconversation.com)

Join our commenting forum

Join thought-provoking conversations, follow other Independent readers and see their replies

Comments

Thank you for registering

Please refresh the page or navigate to another page on the site to be automatically logged inPlease refresh your browser to be logged in