
5 Things I Learned From a Former FBI Most-Wanted Hacker

Brett Johnson, reformed FBI Most Wanted cybercriminal

In cybersecurity, we often say, “Think like an attacker.” But few of us ever get the chance to hear directly from someone who lived that life — and turned it around.

In one of the most unforgettable episodes of The Segment, I sat down with Brett Johnson, once dubbed the “Original Internet Godfather” by the U.S. Secret Service.

After building the first organized cybercrime community and landing on the FBI’s Most Wanted list, Brett rebuilt his life and now serves as a trusted voice for law enforcement and security leaders alike.

Here are five lessons Brett shared from his reformed life of crime that stuck with me the most.

1. Perception is the new reality

At the core of Brett’s message is a chilling truth: “It doesn't matter what the truth is. It matters what I can convince you of.”

That’s not just a criminal tactic — it’s a societal concern. From phishing emails to political misinformation, trust is being weaponized. And with deepfake video and audio evolving rapidly, the line between real and fake is disappearing fast.

“We're getting to the point where deepfakes are going to be real time,” Brett warned.

He gave the example of an attack in which bad actors deepfake a CEO over a Zoom video conference. Payroll thinks they’re speaking to the CEO in real time, but they’re actually being tricked into sending money to another bank account.

“That’s very effective,” he said. “And it's going to work like a charm.”

The takeaway is to build systems that verify, not assume. Zero Trust is a security framework, but it’s also a way to restore confidence in a world of digital deception.

2. Criminals are opportunists, not geniuses

Hollywood paints hackers as brilliant outlaws. Brett sees it differently.

“Most attacks are cash-based and opportunistic,” he explained. “I’m looking for the easiest access that gives me the largest return on that criminal investment.”

That’s why basic cyber hygiene still matters: patch vulnerabilities, secure credentials, close open ports. These steps aren’t flashy, but they’re often skipped.

Security doesn’t have to be expensive. But it must be consistent.

3. Trust is built on behavior

Attackers know we trust our devices. They use that trust against us.

“We inherently trust our cell phones, our laptops, our desktops,” Brett said. “We trust the websites we go to, and that tends to open the door of trust.”

Brett urges people and organizations alike to redefine trust in our digital systems. Verify behavior, pay attention to the context, and design systems that don’t rely on a single signal of legitimacy.

“You can stop all the fraud in the world. The only thing you have to do is shut down the web,” he joked. “You want to have that balance between security and friction, but that balance absolutely has to weigh more toward the security side.”

4. Hackers collaborate. So must defenders.

One of his sharpest critiques? “The bad guys are better at sharing and collaborating than you guys,” he says.

Cybercriminals trade tools, tactics, and tips. But defenders are often siloed by industry, competition, or bureaucracy.

“If I’m in a particular industry and my company gets hit by a specific type of attack, sharing that information means others in the same space can protect themselves before they’re targeted, too,” he said.

The bottom line: the threat landscape isn’t siloed, so our defenses shouldn’t be either.

5. Zero Trust is how we rebuild trust

Brett believes that AI-generated content, like deepfakes, is making it harder for people to know what to trust. It’s crucial to think critically and stay skeptical online. But organizations must find ways to rebuild trust.

“Every new engagement between the customer and the organization should be from a Zero Trust standpoint,” he recommends.  

In a world where perception can be faked in real time, trust can’t be assumed. It must be earned — again and again.

“Do everything that you can in the background to anticipate the potential for fraud, and then act at that point,” Brett advised.

Zero Trust isn’t just a technical strategy. It’s a daily habit and a mindset. And in this evolving threat environment, it’s our best shot at staying prepared.

Listen, subscribe, and review The Segment

Want to hear more from Brett Johnson? Catch the full episode of The Segment: A Zero Trust Leadership Podcast on our website, Apple Podcasts, Spotify, or wherever you listen.
