This article originally appeared on VICE AU.
He is one of hacking history's most notorious cybercriminals. Behind the anonymity of his pseudonym, GOllumfun, Brett Johnson created an online network called Shadow Crew, a central hub for high-level hackers to network and the precursor to today’s dark web. Operating between 2002-2004, at its peak the forum had 4,000 members.
Toward the end of his hacking days Johnson was making more than USD$500,000 per month, and at one point sat on America’s most wanted list. Even after his arrest, when he agreed to work as a Secret Service informant, his cybercrime continued.
Finally, after being captured again—and sentenced in 2007 to seven years, six months in federal prison—Johnson chose to dedicate his life to protecting companies against the crimes he once lived for. VICE spoke to the reformed hacker about his past, his present, and how cybercrime has changed since his exit.
First of all, why and how did you go down this road?
Cybercrime was a natural progression for me because my mother, and almost everyone on her side of the family, was involved in crime. I committed my first offence at 10 years old: my mum was a very negligent and abusive parent—she used to leave me and my sister alone for days at a time—so my sister and I started shoplifting food so we could eat. That grew into stealing clothes, and more. When my mum found out, she joined us. Then she got her mother, my grandmother, to join us.
As I got older I became more involved in the types of crime my family committed: insurance fraud, burning homes and cars, faking accidents, stealing, document forgery... cybercrime became a natural extension of all that.
But moreover, cybercrime was like a puzzle for me. It felt almost like David and Goliath—I was the lone person defeating million-dollar organisations. Then there was the massive amounts of money I was able to steal, and, finally, status: being the head of all those people [at Shadow Crew] was a big ego-boost.
What was the weirdest or most ethically dubious thing you did as a hacker, or that you witnessed?
There are so many. I once stole several thousand dollars’ worth of coins from a family trying to sell them to put a new roof on their home. Another time, I sent a counterfeit cashier’s check to a victim and he ended up being arrested for it. I lied to family, friends, everyone I knew. I was a truly despicable person.
One of my Ukrainian associates, Script, had someone who owed him money kidnapped and tortured. He posted pictures of it online. Another member, Iceman, used to flood his enemies’ email addresses with child pornography then call the police on them.
Did you earn a lot from cyber crime? How do today's hackers make their money, generally?
I didn’t “earn” anything. I stole money. Starting out, there was almost no money coming in, and I constantly hustled to pay the bills.
But once I became adept, I stole money through eBay fraud: USD$20,000 monthly. Also, Card not Present, a transaction where the card is not present at the time of purchase, and ATO, American Tax Office, [which brought in] USD$40,000 per month. Tax Return Identity Theft brought in ASD$500,000 a month.
Most hackers and cyber crooks don’t make a lot. They’re often running around trying to learn, and never become an expert criminal.
Did you ever feel guilty about what you were doing?
Generally, no. Although once I got to the point where I was stealing massive amounts of money, I would sometimes send some victims their money back if I believed their story was sad enough. That wasn’t me feeling guilty [though], it was me justifying my crimes. I could tell myself I was a good person. It took me going to prison to realise what I’d done and to turn my life around.
You helped create Shadow Crew, an online forum that facilitated the communication of cybercriminals. What was your goal with this online hacking movement?
Shadow Crew was really the first organised cybercrime network. It was a precursor to today’s darknet markets—along with Carder Planet, which was run by an associate of mine.
When I co-created Shadow Crew, we didn’t think of it as pioneering anything. We were simply building a place where we could conduct business and make money. We needed some way to network with other criminals and to make sure that none of our members were ripped off by scammers. I mean, after all, we were crooks. We had to build a system to make sure that there was honour among crooks.
You were convicted by the US government, and was once on the US most wanted list. Yet, you continued to engage in hacking. What drove you to continue, and did you ever worry about being caught?
The reason I continued to engage in hacking and breaking the law is complicated. First, I was desperate. I’d been arrested and lost everything I’d stolen. The only thing I had left was my stripper girlfriend. I was so screwed up in the head, I would have done anything to keep her. For me, that meant stealing more money.
Then there was the fact that the Secret Service had hired me—that gave quite the ego boost. Then, breaking the law from within the Secret Service offices, not many people able to do that. Another ego boost. I knew I was going to be caught: before my initial arrest, we had intercepted Secret Service text messages about them investigating us. But we kept on.
After my arrest and while I was working for them, I knew they would find out. I was just so depressed, so desperate, I kept going. I adopted a philosophy of fatalism.
What finally turned you into an informant?
Being arrested. I was arrested three weeks before I was set to marry my fiancé—the stripper. I was so desperate to try to save the relationship that I immediately agreed to be an informant. Elizabeth, my fiancé, didn’t know anything [about what] I was doing until my arrest. I thought I could salvage the relationship, so I became an informant.
Of course, as soon as the Secret Service released me from jail, I began breaking the law again. That very day. I thought I needed to buy Elizabeth’s love. I guess a part of me thought I could work with the Secret Service and break the law at the same time. I was pretty screwed up at the time.
How do you compare the calibre of cybercriminals out there today with your peers?
Criminals back then were much more adept. Because we were figuring out many of these crimes as we went, we understood the dynamics of those crimes, inside and out. We knew every nuance.
Most of today’s cybercriminals have no understanding of the dynamics of the crimes they commit. They read an article about how much money a hacker has stolen and think they can do they same. They go on a crime forum, buy a tutorial, or take a class and start breaking the law. Today’s cyber criminals don’t need to know anything, they are basically a form of script kiddies [a term used to discredit someone who claims to be a skilled hacker].
That doesn’t mean cybercrime is any less successful. The sheer number of people trying to steal money means more successful crimes occur. Today’s businesses are much more likely to be victims of this new generation of criminals than an expert.
How easy is it for cybercriminals to perform their work? What are the biggest challenges they face?
These days it’s pretty easy. A new person entering cybercrime can engage in something like Amazon refunding and make a profit of $10,000 per month. This allows the aspiring crook to make money while learning other types of crime. That didn’t used to be possible with cybercrime. It used to be that crooks would basically starve until they learned how to really commit a crime.
Cybercrime has gotten so sophisticated now that a crook can enter in and buy a tutorial for a few dollars, which gives step-by-step instructions on how to commit a crime. Or they can take online classes taught by master criminals who teach them how to steal money. These classes typically cost $600 and last for about six weeks. Many come with a guarantee that if the student doesn’t make money their money will be refunded.
The biggest challenge crooks face is finding a unique technique that will last, because websites adapt. Law enforcement has also recently got very good at sowing the seeds of distrust among cybercriminals. There isn’t really any central forum for people to network and right now, cybercriminals are very paranoid—they have no idea who to trust or where to go to network and conduct business.
Do you think the government, or ethical hackers, effectively help protect citizens against cybercriminals?
I think government can be effective. The problem is that government is often swayed by businesses who don’t have citizens’ best interests at heart. They’re more concerned with money.
What's more, a white hat [ethical computer hackers, or a computer security experts] works his job for eight hours then goes home and forgets about it. A criminal hacker works until he succeeds; it’s almost like a degree of Asperger’s, that level of concentration.
I’m not saying white hats aren’t skilled; they are. They just lack the criminal mindset. That’s one of the things that makes a reformed cybercriminal so important—people like me who can bridge that disconnect.
If you hadn't been convicted, would you have carried on?
It took being arrested and sent to prison for me to change. Prison was necessary for me to reform. But more important was my wife, Michele, and my sister, Denise. I credit them for saving me.
I also credit the assistance of the FBI, the Identity Theft Council, The Card Not Present Group, and countless other companies and individuals who took me under their wing and gave me a chance. Without them, I don’t know how things would have turned out for me.