It’s 7am and I’m driving down Hull city centre to pick up Brett Johnson, known in cyberspace by the alias Gollumfun and dubbed the “Original Internet Godfather” by the US Secret Service.
Johnson was on the notorious US Most Wanted list in 2006, before being arrested for cybercrime and laundering US$4m. I’ve never met anyone whose name has been on that list, and so our encounter comes with some level of subliminal intimidation. Turns out, he’s both casual and friendly and I’m keeping an open mind.
But I also have to remind myself that he’s a former cybercriminal, who invented a “popular” online tax-return fraud scheme, plenty of identity theft variants and ShadowCrew – the precursor to the dark web.
We’re scheduled to spend two days together. I invited Johnson to give a talk at the Business School of the University of Hull and, some weeks after his talk – in partnership with the FBI – at the University of Tulsa in Oklahoma, he flies over for his first trip to the UK.
Johnson – who over the course of the next 48 hours takes me through his former criminal mindset blending cybersecurity and money laundering (a topic that I’ve spent more than a decade researching) – exudes confidence, but admits that being involved in cybercrime was the biggest mistake of his life.
He has nothing but good words for US Secret Service agents, but he did disappoint them when they let him out of prison on the understanding that he would work as an informant (he carried on committing fraud from within their premises).
Johnson praises the FBI, as we walk along campus, and tears well up when he mentions the name of special agent K.M, who guided him in dropping cybercrime for good. His sister Denise and wife Michelle always come up when discussing how he turned his life around. They “saved my life”, he says, while recalling the hardships of his formative years when he felt pushed into skulduggery at the age of ten: the family fraud ring was led by his mother who also convinced Johnson’s grandmother to join in.
“It was almost written in stone that I was going to end up in some sort of fraud,” he says.
His first marriage in 1994 was paid for courtesy of insurance fraud. Johnson staged a fake car accident to finance his wedding day. By the time he started using the web, it was a natural progression to shift his fraudulent behaviour online.
He started by scamming eBay buyers. Then he exploited a loophole when a Canadian judge ruled that satellite dishes can be “pirated” legally (in Canada but not the US). Johnson reprogrammed the transmission cards for his Canadian customers and discovered he couldn’t fulfil the orders fast enough. Soon enough, he thought: “Why send them the product altogether? Who are they going to complain to?”
Clearly, Johnson made many, many mistakes. He’s the first to admit it and often points to himself as “this idiot” who broke the law, then broke it again, and took quite some time in prison (including eight months of solitary confinement) to come to terms with what he had done.
More than a decade later, he now channels his expertise in darknet intelligence gathering, blackhat auditing, penetration testing and social engineering into his consultancy firm, Anglerphish Security. Johnson, who now advises Fortune 500 companies, seems confident that he has turned his back on crime. He tries, he says, to convince young cybercriminals – who contact him online – to quit their deceptive ways.
Schooled in the dark (web) arts
Cybercriminals are deluded when it comes to sidelining the consequences of their actions, Johnson explains. They repeatedly deny negative outcomes and, later on, accept they’ll carry on committing crime no matter what. Cybercriminals focus on the joy of their dark craft, harvest interconnected practicalities and exploit subtleties that stretch way beyond the confines of a computer screen and escalate to geopolitics.
As a simple example, Johnson used to hijack IP addresses in Eastern Europe when committing identity fraud as they were less likely to be reported to the US, due to the deteriorating political relationships between the countries. Everything matters. Detail matters most. That’s why, he explains, in the context of “friendly fraud” (or refund fraud), miscreants do their homework.
“Really, criminals are the only people on the planet who read the Terms of Service on websites. No one else reads them,” he says. They do it, he adds, to “get an idea of how that website operates.”
Time, he says, is also critical and “if you wait out a victim long enough then they’ll go away exasparated” – a lesson he learned early from his first eBay scam. Online victims rarely report a crime to the cops. It’s a trend that frustrates cybercrime police units. Worse still, some companies decline to report cyberattacks and can – as was recently revealed with the latest Uber scandal – go to extreme lengths to conceal a system hack affecting customer data.
When it comes to cyber-enabled financial crime, Johnson says, hijacking identities remains central to the process. It was this knowledge that, in 2004, led him to take over Counterfeitlibrary.com: the site that attracted cybercriminals who wanted a fake identity.
One of the cornerstones of cybercrime is “networking between individuals to realise maximum success or potential for financial crime”, he explains. The vast majority of online fraudsters aren’t “professionals”. Instead, they feed off each other: publishing manuals, guides, notes and helping out in forums wherever possible. If one cybercriminal finds a loophole in a multinational’s system, then it’s all hands on deck. The £2.5m stolen from Tesco Bank in the UK last year started from a single forum post of someone claiming that they had taken out £1,000.
That’s exactly why monitoring what’s going on in the dark web is so important for companies. But it’s not just potential corporate victims who are being trained in this dark art. Top cybercriminals charge wannabe scammers hundreds of dollars for six-week online courses on how to commit fraud. They also protect each other; giving advice on how to maintain and secure their own anonymity online. Back in the day, Johnson did the same thing for free for ShadowCrew members. Now, everything is monetised.
Johnson ran the ShadowCrew network, where he sold fraudulent bank accounts, prepaid debit cards and collaborated extensively with others to combine phishing scams and the CVV1 hack. ShadowCrew moderator Albert Gonzalez was sentenced to 20 years for masterminding the online theft of 170m card numbers. And it was that network that eventually landed Johnson behind bars.
But it doesn’t end there: Johnson also established online tax fraud based on hijacked identities – a highly lucrative criminal activity. It became central to the illegal flow of money that he’d set up. He used the California Death Index and filed tax returns for the dead; surprisingly, it worked. He could file one tax return every six minutes but couldn’t open online bank accounts fast enough. Over the course of his cybercriminal activities, Johnson had opened “hundreds of accounts”. Some weeks he claims he was “pulling out US$160,000 in cash.”
Despite being an early architect of online crime, even Johnson is amazed by the scale of it today. ShadowCrew had 4,000 members, he says, whereas AlphaBay boasted 240,000 users before it was shutdown by the FBI. But with what appears to be an ongoing multi-state orchestrated distributed denial of service (DDoS) attack on major darknet forums, cybercriminals quickly flock elsewhere. Bitcoin, Johnson adds, is an almost perfect tool for cybercrime.
Banks, companies and many different institutions routinely adopt anti-fraud tools to prevent their systems from being vulnerable to hacks and scams but – at the same time – fraudsters embrace them, too. They test the tools to make sure that their activity avoids detection. They also purchase off-the-shelf software that blocks detection attempts altogether and scrambles behavioural detection efforts.
Another tool he demonstrates allows anyone to buy hijacked IP addresses from a wide list of countries, including the UK, and costs around 30p per IP address. It also calculates, for a further 15p, a risk score for the fraudster of the probability of detection/blocking of that IP address by commercial anti-fraud and anti-spam software.
I find it difficult to get past the subtle irony of IP risk scores informing the decisions of cybercriminals. Then again, if they’re doing their own operational security, fraud-based “risk management” seems a natural next step in this evolving tango.
There’s so much to discuss with Johnson that our allotted two days go by very quickly. After his visit, we connect online and he suggests renaming my long lost Unix alias from carlito, which is a moniker now reserved by someone else, to carl1to – with the number “1” denoting the first Carlito in a nod to a 90s mobster movie starring Al Pacino. Somehow, it feels like a fitting end to my time with the Original Internet Godfather.
For the long form discussion between Demetis and Brett Johnson, listen to the audio file below.