Cybercrime and How Hackers Prey on Human Nature

2025/5/15
The Pulse

People: Brett Johnson, Dan Goodin, Jeff White, Kaylee Kinnaman, Stephanie Carruthers, Stephen Leffler

Topics
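Kaylee Kinnaman: As a neurologist, I personally lived through the cyberattack on the hospital in October 2020. At the time, almost all of the hospital's computer systems were down, and key information such as patient records, treatment histories and test results could not be accessed. We had to switch urgently to paper records, which greatly increased the workload and lowered the efficiency and quality of care. Because of messy handwriting, communication between doctors also became extremely difficult. The experience made me deeply aware of how important cybersecurity is for medical institutions and of the serious consequences a cyberattack can have. I felt enormous pressure, because I realized we could not provide the best medical care.

Stephen Leffler: As president and CEO of Vermont Medical Center, I stressed when I testified before Congress that the cyberattack was more challenging than the pandemic. In the first two days of the attack our phone system was down as well, and we could only go to Best Buy and buy walkie-talkies to communicate. The cyberattack infected a large number of servers and computers, which had to be thoroughly wiped and reset. Although we had data backups, restoring the systems took a great deal of manpower and resources. The incident made me realize how fragile the cybersecurity of critical infrastructure is, and that we need to take more effective measures to protect our systems.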

Chapters
A ransomware attack crippled the University of Vermont Medical Center in October 2020, highlighting the vulnerability of healthcare systems to cybercrime. The attack forced the hospital to revert to paper records, significantly impacting patient care and causing widespread disruption. The incident underscores the far-reaching consequences of cyberattacks on critical infrastructure.
  • Ransomware attack on University of Vermont Medical Center
  • Inability to access patient files
  • Shift to paper records hindered care
  • FBI involvement
  • Wiping and re-imaging of 1,300 servers and 5,000 computers

Transcript

This is The Pulse, stories about the people and places at the heart of health and science. I'm Maiken Scott.

One night in October 2020, neurologist Kaylee Kinnaman was getting a lot of messages from her colleagues at the University of Vermont Medical Center. Saying that the computers just weren't working, like kind of that they were having a hard time turning them on. The hospital serves about a million people in the region. Now they couldn't access patient files like treatment histories or test results.

A few colleagues were still logged into working computers, so they started frantically printing out everything they could: pages and pages of patient information.

By the next day, none of the computers were working. Nobody knew why. And Kaylee says it became really hard to provide care. Almost everything that we do is computer-based. That's where we document all of the notes. So everything that the patients say to us in the morning when we see them, you know, what the plan is for the day. Things that were usually accomplished with a few clicks now took a lot more time.

You know, we're doing things like running samples down to the lab and, you know, we would have to either call or walk down to the lab. And so, you know, everyone was kind of scrambling. Kaylee says since the medical staff had to switch to paper records, they also had to write out a lot of notes by hand. That meant having to learn how to read each other's handwriting. Doctors notoriously have bad handwriting, so it actually made communication much, much more difficult.

And then they found out what was causing this problem. Hackers had taken and encrypted the hospital's data and demanded that the hospital contact them if they wanted the data back.

The hospital did not comply. Instead, they called the FBI. The hospital IT staff shut down their network to prevent the damage from spreading. It was probably my most stressful time period I've ever had in my life. It was really hard because you knew that you weren't providing the best care that is available, right? You didn't have near as much time because you were spending so much time like doing administrative tasks that are usually managed by the computers.

Stephen Leffler, president and CEO of Vermont Medical, later testified about the attack before Congress. Early in the cyber attack, the first two days, we didn't have a phone system because our phone is on the internet. We literally went to Best Buy and bought every walkie-talkie they had. He also spoke about the incredible toll this took on their organization and staff. The cyber attack was much harder than the pandemic by far.

The cyber attack, while it did not affect our patient information, did infect 1,300 servers at the University of Vermont Medical Center and 5,000 desktop computers. Every single computer needed to be wiped clean and then re-imaged. The hospital did have good backups for all of the data and was able to bring the system back after a few weeks. But it took so much work, the state sent in a National Guard cybersecurity team to help scan computers for malware.

Cyber attacks often cause massive domino effects that go far beyond computers and tech. They can paralyze critical infrastructure, airports, public transit, healthcare systems. Scammers can get a hold of our most private data and use it to steal money. And fighting back or preventing cybercrime is becoming ever more complicated and expensive.

On this episode, cybercrime and how scammers prey on human nature. ♪

To get started, let's rewind and look back to the first truly global cyber attack, which happened 25 years ago. It sort of ushered us into this new age of online threats and gave us a preview of just what was possible. Grant Hill reports on a virus that spread like wildfire, much to the surprise of the people who created it. In the morning of May 4th, 2000, the U.S. Army was under attack.

It started around 6:45 when technicians at Fort Bragg in North Carolina got word from two other bases that something was up with their computer networks. The issue was quickly narrowed down to the email server of the Army's largest command. Something was spreading amongst its 50,000 users. Exactly what it was, no one really knew. But just an hour later, the server was completely overloaded and taken offline.

A local radio station was broadcasting reports of some kind of worldwide computer virus, one that had just paralyzed the communications of a large chunk of the U.S. military. Jeff White was working for an internet company back then. He now reports on cybercrime. He says in 2000, the tech world had just gotten over a major, potentially scary hurdle, Y2K.

The big concern around this time was the millennium bug, the millennium fault, which was moving from 1999 into 2000. There was a concern, and it was a legitimate concern, that computers might struggle with that changeover. He says, back then, most people in tech worried more about computer glitches than targeted attacks. And we managed to get through that period. We managed to, you know, with a lot of preparation, you know, the clocks ticked midnight at the millennium and the computers held up. And I think people sort of breathed a sigh of relief.

And then a few months after that, we got this virus. Whatever it was, wherever it came from, this virus was remarkable. It was like a sort of auto-spreading computer virus, really hard to stop, really contagious, and went around the world in a very short amount of time.

The U.S. military had essentially created the internet, and now it was being used against them. Within hours, the virus had penetrated international banking systems, more than a dozen federal agencies, and several large companies, including Jeff's, mucking up email servers all over the globe, all while secretly stealing internet passwords from millions of people along the way.

It took days for some organizations to flush out the virus and experts raced to understand the code causing all this chaos and to find whoever unleashed it. But a closer look under the hood did not reveal anything that advanced.

It was your standard worm virus, code that corrupted files to exploit weak points in email software and internet browsers. The virus technically wasn't cutting edge, but it's more than I could do in the year 2000. What was cutting edge about this whole scheme was how it spread. For that, the virus relied on a different kind of weakness: human nature.

The way it worked was it would spread from email inbox to email inbox. And what happened was the virus would get sent to a particular individual and there was an attachment with the tempting title, I love you. And the attachment looked like a text file. And so obviously as the recipient to the email, you'd think, oh my gosh, somebody loves me. You know, I'll open this mysterious, you know, non-Valentine's Valentine's card and see who it is.

What you didn't realize was that actually it wasn't a text file. It was disguised as a text file and it was actually a piece of code. And when you opened that attachment, the code went into effect. And what it would do would be to scan your email address book and send itself automatically to the first 50 people in your address book. So they would all get a copy of this email again with the attachment on it. And of course, a bunch of them would click on the attachment and send it to 50 people and so on.

Now, once you start doing the maths on that, you can take your calculator out and just give it a go. 50 times 50 times 50 times 50. You suddenly get to thousands upon thousands of infections. New dangers tonight from the love bug computer virus. This is far from a childhood prank anymore. Experts say that the I love you virus could end up costing the world economy $10 billion in lost work time.

I think one of the things about the I Love You virus that made it incredibly successful is it used two things: trust and curiosity. Stephanie Carruthers is the chief people hacker for IBM's X-Force, a group of white hat or good guy hackers, analysts and researchers who provide cybersecurity solutions for companies all over the world. So when someone would open up their email, they would see it coming from someone that they knew and trusted. And then it played into their curiosity because the subject line or the file name was I love you. It's like, OK, what?

What does this mean? What's this all about? And I think that's incredibly impactful and something that we still do in today's world. It's Stephanie's job to think like an Internet scammer, to understand how people work. She says we all generally want the same things.

And that makes us vulnerable. Really, any type of scam at its core is social engineering. I mean, scams and cons have gone back even to the Middle Ages. If you've heard of the term pig in a poke, that's something at the time, local scam artists, they would find instead of a suckling pig, which was valuable, that's what people were buying in a poke, which is a burlap sack. They would find like stray animals, right? Cats and dogs, sew them up shut in a burlap sack, and sell that, but then they would just keep moving city to city so they wouldn't get caught.

The I Love You virus was really the first to apply social engineering to internet scams. To use people's curiosity and that brief moment of tingling excitement to get them to click first and think later. That's why we're still talking about it today. It affected, I believe, 10% of people who use the internet at its time, which is huge. Compared to modern scams Stephanie deals with now, the I love you virus was quaint. The ones that keep me up at night are the AI deepfakes. Stephanie is constantly warning clients about fake phone calls.

Voice clones made to sound like friends or family in crisis, needing money. To have those kinds of audio deepfakes be so successful terrifies me. Hackers are still working with the same emotional playbook the I Love You virus first scaled up for the digital age all those years ago, with an emphasis on trust and curiosity. Technology changes, people don't.

The internet promised to connect the world, and the I love you virus, for the first time, exposed just how spectacularly dangerous that promise could be. Authorities scoured for clues about the mad genius behind it. A foreign adversary, perhaps. Some psychologically attuned terrorist organization, maybe.

The FBI does have some leads in the case but is cautiously checking out reports that the "I love you" author may be from the Philippines. Digital forensic experts followed the data where the code was funneling all those passwords scraped up by the virus. Was stealing information from some of the computers it infected and sending those pieces of information back to a computer server in the Philippines, which was the first indication as to where this virus might have set out from. That's Jeff White again. But it was very, very confusing because it didn't seem to be the work of a nation state, didn't seem to be the work of a computer hacking gang. All those types of attacks were sort of in their infancy at this point.

So the actual purpose of it was really quite murky. In fact, it was sending so much data back to this server in the Philippines that the server actually crashed. It got overloaded with information that was incoming, which again was another indication that the person behind this virus didn't necessarily predict how successful it would be. Authorities tracked down this server in the Philippines, which led them to a small group of computer science students in Manila, a bunch of kids who were basically experimenting with different types of computer viruses. And they've got to realize, you know, this was the days still of kind of floppy disks. And so they would pass around, you know, viruses to each other on floppy disks. There was a lab where they would work, where they would kind of swap bits of code.

And at this time, computer hacking was not a crime in the Philippines and in several other countries, because all of this was still so new. And so when the investigators started looking and they started getting the names of some suspects within this university, these computer science students who'd clearly been experimenting with these computer viruses, they... Yes, they could identify some of the names that were likely in the frame, but they couldn't actually convict any of these people.

But the media was not ready to let this go. Press descended on Manila and focused their cameras and microphones on one particular student. The person was closely connected to the creation of the love bug, a young man named Onel de Guzman. He had this bizarre moment where the lead candidate, the key suspect, Onel de Guzman, is sort of paraded in front of the cameras, gave a very non-committal answer to the journalist's questions. Onel had long black hair, wore sunglasses, and held a cloth over his mouth as his lawyer took questions. He's not really aware whether or not the acts imputed to him were indeed done by him, but he admits that he has been using the internet extensively.

And it's one of those moments where you sort of hang your head in shame at how bad the journalism was at the time because you just wanted someone to throw the obvious question at him, you know, did you do it? But he managed to dodge that question, sort of shuffled out of the press conference and then was never seen again. Just like that, the world's foremost pioneer of hacking via social engineering disappeared.

Jeff never forgot about him, though. And 20 years later, when Jeff started writing a book on cybercrime, he got a tip on de Guzman's whereabouts. He'd been hanging around working at a market in the Philippines, in Manila, working on a mobile phone store in this marketplace. Fixing cell phones for a living.

So Jeff flew to Manila and scoured different markets for hours, armed only with a piece of paper with de Guzman's name written on it. And I'd showed the piece of paper to people and most people thought I was just mad. But one person said, well, yes, I know him. One person sort of pointed down this kind of alley and, sure enough, went down there, you know, found the mobile phone stall, tapped this guy on the shoulder and he turns around and it's him, which was quite a surprise for both me and for him. So finally, you know, come face to face with Onel de Guzman. Jeff matched the moles on his face with the moles he could see in that old press conference video. It was really him. We sat down and we had a coffee and he decided he was going to do an interview with me. And that's when Onel de Guzman admitted for the first time publicly that it was true.

He did create the I love you virus. He did send it out. It was him who crashed the communications of the world's most powerful army and countless others. You know, he still seemed quite shy and quite reticent. He chuckled about things occasionally. He had a good sense of humor. He also said that he regretted what he'd done. He told Jeff he didn't realize how bad this virus was going to get.

In fact, he says that after he unleashed the virus back in 2000, he went out and just got drunk and then woke up probably with a stonking hangover to discover that he'd caused worldwide mayhem and the police were banging a path to his door. Basically at that point, he told his family to trash all of his computers and just went on the run for a little bit. So it was a pretty traumatic thing to happen. And I genuinely don't think he understood the kind of mayhem he was going to cause as a result of this.

But as to why he set the virus loose in the first place, why he tricked 10% of the internet and stole everyone's passwords...

The answer was simple. Onel wanted internet access. Back then, you were charged for internet access. Monthly fees usually billed to your phone line. Costs that were too high for a computer science student in the Philippines to afford. So Onel wanted free internet access. He's like, everybody else has access to this vast trove of information.

I'm in the Philippines. I can't earn the kind of money that gives me, you know, the kind of internet access other people have. So if I can invent a virus that will go out and steal their passwords, I'll be able to log on to the internet using their passwords and then effectively hijack their internet connection and get the information that they can get. But that was what was the heart of it is, you know, he wanted information. He wanted it for free. He wanted what everybody else had. That story was reported by Grant Hill.

Coming up, how hacking evolved from a pastime for gamers to a global threat. You now have an entirely different cast of characters that are wielding these things. It's no longer disaffected teenagers. It's spies. It's people that want to create problems for their adversaries. That's next on The Pulse.

This is The Pulse. I'm Maiken Scott. We're talking about cybercrime and how scammers prey on human nature. You know, as long as there has been computing, there has been hacking. Dan Goodin is senior security editor for Ars Technica. He has been reporting on hackers and cybersecurity for 20 years. In the early days of computers, Dan says hackers were not as nefarious as what we're seeing today. A lot of them were gamers.

They were people that had computer games that they wanted to play, and often those games came with very sort of restrictive licenses that prevented them from being able to copy the game or do other types of things. And when you approach the world as this kind of mathematician and you get mad that your game can't do something, you start figuring out ways to override it, which is essentially just a hack.

And once you start reverse engineering how the game works, how its copy protections are implemented, you start figuring out how to get around them. And I think the genesis of hacking was something along these lines. And it was only much later that it became the domain of cybercriminals, or pretty much all of the developed countries now have spy networks.

Cybercrime can now be weaponized globally like a silent military attack. In 2017, a ransomware attack called WannaCry targeted Microsoft Windows operating systems all over the world.

WannaCry shut down emergency rooms. It shut down train stations. It created just global chaos. And multiple intelligence agencies around the world have attributed WannaCry to North Korea. And suddenly we're seeing that a small nation, you know, with a comparatively very small budget can create a huge problem for the rest of the world.

Just a few months later, another global cyber attack hit. This one is called NotPetya. And according to multiple intelligence agencies around the world, this was the work of hackers working for Russia. And NotPetya goes on and becomes even more destructive than WannaCry. It shut down shipping ports, sabotaged a pharmaceutical company, food producers, and hospitals. The estimates are over $10 billion in damage.

You know, Russia has been... Their use of these things has been rampant. They also found hacks that they were able to shut down the power grid in parts of Ukraine during some of the coldest months of the year. They did it two years in a row.

I think these attacks just make all of us realize how vulnerable we are, that all kinds of things that we take for granted can suddenly no longer function because they all depend on different servers functioning, whether it's our airports or our hospitals or security systems. It's terrifying. It really is a house of cards. There are just so many things that can go wrong.

Some cybercriminals work in syndicates, which mostly deal in ransomware attacks where they steal and lock up data until they get paid. Dan recently wrote about the inner workings of one of those syndicates called Black Basta after almost 200,000 of their chat messages were leaked.

And it kind of sounded like a typical nine-to-five office job. It is like a normal business. They often work at very specific times of day, just like many of us do.

You have people grumbling about management and their incompetence or their rules that don't make any sense or are bureaucratic, you know, the rest of that kind of thing. I mean, these are money-making organizations. You know, some of them rake in like tens of millions of dollars.

And so in the same respect that any business that's making money wants to protect itself and, you know, continue moving on, you know, the ransomware syndicates are really no different at all. They are full-fledged businesses and the people that are running them want to do everything they can to keep that the case.

I have a friend who works in cybersecurity at a hospital, and all day he basically spends fending off these attacks, boom, boom, like tennis balls coming over a net, right? And here are all the patients in the hospital who thankfully have no clue that any of this is happening. Many of the employees even are still somewhat unaware, but he's sitting there behind the scenes fighting off these attacks that never stop coming.

Yeah, I don't envy your friend, his job and the stress level. There are just so many, you know, so he's in a department that is probably overseeing dozens of different systems. You know, we're talking the VPNs that employees are going to use to log in from, you know, remote locations. We're talking endpoint protection, you know, essentially antivirus protection.

There are so many different systems that are running different pieces of software. And all it takes is one vulnerability in one of those things that gets exploited. And your friend now has like the worst month of his life. And there are just so many different ways of failure that can go wrong and can create really, really dire consequences.

Yeah. And then there are employees who are in any situation using their work computers to whatever, buy something on Etsy or go on some other website and do some other thing, you know, so you're really, you're trying to protect a fort. But meanwhile, you have like maybe 1000 employees who are constantly opening one door or another.

Yeah, that's a really good point. And I think that maybe the best place that you can see that is with the susceptibility of almost everyone, you and me for sure, to phishing. A lot of us want to think, well, I'm too smart for that. That won't happen to me. And it can, and it does. We all have times when we're tired or do something else and we end up clicking on something that we shouldn't have or getting a call from somebody that pretends to be from your bank and they need some password or something like that. These types of attacks, it turns out, it's the hardest thing for your friend to defend against. Because once again, you've got maybe 10,000 employees in a large organization.

And all it takes is one of them to be duped. And suddenly all these elaborate defenses that you have constructed are... have been bypassed.

Yeah. You know, it's like, what do you do about that? How do you train people to not get taken? Nobody really has a good answer. I mean, one of the things that people are trying to do now, they talk a bit about like zero trust networks. And the idea is I'm going to design my network in a way that will withstand the, you know, employee making a bad choice like this. And I'm going to, you know, either segment my network in a way so that this attacker has very limited access to resources or other things. I'm going to build layers of defenses so that, you know, when employees make bad choices or other things like that, it's not just sort of a game over situation.

And I wonder how much worse that is going to get with the help of AI and being able to clone people's voices. So, you know, if you get a call from somebody who sounds like your friend or sounds like your coworker to say, hey, I need access to X, Y, and Z.

You know, what are you going to do if this person or if this really sounds like this is your co-worker? So it's only going to get harder to distinguish. It really is. And I mean, we're hearing already about, you know, grandparents who get a phone call from somebody that sounds just like their granddaughter. Yep, happened to my mom. Yeah. Grandma, I'm in Portugal and I got arrested. Yes. They're really going to hurt me. I need you to wire a bunch of money to me. We could see how a lot of people will fall for that. What do you do about that?

If you're really proactive, you might decide to come up with a safe word or something ahead of time. Or at least if somebody's on their toes, they might say, well, can you remind me where we spent your 10th birthday? Something that the attacker wouldn't know. But I mean, who's going to have the presence of mind to do that if they're just getting a call and they think that their granddaughter is in a prison somewhere?

So, yeah, I mean, AI is going to make it a lot harder. It's going to simplify the job of the social engineer folks because they can now come up with very credible sounding voices that are almost identical to the real thing. And I think a lot of times when people get duped by scammers, there is a certain amount of shame attached to it. And then people might not want to talk about it.

Because it feels like, oh, I should have seen that coming, but I didn't. You know, that's a really good point. And I think, you know, for a long time, we've all thought, well, you know, the people that get hacked are, you know, stupid or how could they have done it, you know? And it really does create a huge stigma. And that's a big part of the problem because people don't feel comfortable saying, I don't know what to do in this situation. How do I prevent this type of thing? And they may not want to come forward if they suspect they've been hacked. They may want to keep it quiet and hope that nobody notices as opposed to being very proactive and saying, hey, I just got this phone call. I gave the person my password. Can you look into this?

I had a family member who got taken by what we call scareware. You know, this is my father shortly before he died and he had Parkinson's. And, you know, so this was a guy that was in Mensa and had a very distinguished career as a teacher and, you know, scholar. And he ends up surfing the net and his Chrome browser goes, says that the computer has been infected and it ends up looking like it's a system message from the operating system. And it gives a phone number for him to call to get it fixed. And so he called the number and he gave these folks his credit card number. And he was just incredibly ashamed afterwards. He just couldn't believe that he had done this.

And you think about this, it's hard enough for you and me and everybody to stay safe. But if you're up over 80 and, you know, your cognitive abilities aren't exactly what they were, you know, heaven forbid, you've got ADHD or autism or other things like that. It becomes even harder. And there's such a stigma and it's a really, really unhealthy thing. People need to understand that these types of mistakes happen and they need to understand how they happen. They usually happen when we are stressed out or when we're tired, when the hackers love to create some kind of emergency situation. Hey, somebody's just got into your account. We need to lock it down before anything happens. What they want to do is they want to create a sense of urgency. And by doing that, the victim suspends some of their normal skepticism or some of their normal care that they would put into something. And so much of the shame and the stigma around this is just really counterproductive and really plays into the hands of the people that are trying to pull off these types of crimes.

What about companies? A lot of companies try to keep it a secret when they've been hacked. Some are forced to disclose because customer data has been compromised, but a lot of companies just try to make things go away, right?

Oh, they absolutely do. They have lawyers in-house that are just absolutely paranoid of shareholder lawsuits, of actions taken by the Federal Trade Commission or government agencies.

And so they're thinking, well, what can we do to limit our liability? And so they pretty much always, I'd say 90% of them just want to sweep everything under the carpet. They wanna not discuss it to begin with.

And if they do have to somehow come up with a disclosure, it's very opaque language. They don't say what really happened. They leave out important details. They leave out all the missteps that they made. It's really unfortunate because there's a lot of education. I mean, if Microsoft, they had a series of major breaches last year by some hackers working for the Chinese government, they still have never really fully explained what happened and how it happened. But it was, you know, I mean, we're talking State Department email addresses that were managed by Microsoft were accessed for months and months. And, you know, it'd be really useful to know how this thing happened. And we've gotten a few more details online near the end of the year, but Microsoft sat on really key details for months and months and months. And not to say that Microsoft isn't unusual. This type of thing happens a lot. And not only does it prevent us from being able to take actionable steps to protect our security, but there isn't enough sharing of information. The information that Microsoft has about its breach could be very useful to Google or Oracle or, you know, many other people in the industry.

Where do you see all of this going? Is this just going to be an ever escalating war with it?

It's almost sometimes it feels like a game where you just keep going into a new level and then you figure out that level and then there is a new challenge and then you figure that out and then there's something else. So it just feels like there's no end to this. I have to sadly agree with you. Things are so complex these days and it's just so easy to get one detail wrong that just causes the whole thing to –

your whole system to get hacked. I don't see that changing. I think that these types of breaches are just kind of a fact of life. And my real concern is that if there is ever a real sort of international conflict, take China finally going and taking over Taiwan or something along those lines, if there is ever...

a major conflict. There are just, you know, I mean, the U.S., China, North Korea, Iran, Russia, all of these countries have massive hacking apparatuses that could do who knows what types of things. You know, they just have all of these tricks and, you know, these tools in their arsenals that we may not even know about. And so, you know, it's hard to be really optimistic about,

Dan says there are some things we can do to protect ourselves as much as possible. Make sure that your operating system and the browser that you use are regularly up to date. That means that when Microsoft releases a big Windows update, you want to make sure that that thing is installed in the next week at a minimum, and ideally within the first 24 hours.

This can prevent a lot of just basic types of hacks. When it comes to phishing and scams, slow down. You want to be on the lookout for people that are trying to create a sense of urgency or a sense of panic because that's when you're going to slip up and make a mistake. So easier said than done, but really what you want to do is even just delay something by 10 minutes and think about it.

And finally, make sure you're using strong passwords. It's not something that is like, you know, three of your kids' names all put together. It's not, you know, your phone number. It's got to be, you know, at least 11 characters long. It needs to be randomly generated. And then it needs to be unique for every site. Dan Gooden is a reporter and senior security editor at Ars Technica. Coming up...

One man's journey from petty thief to internationally known cyber criminal and how he managed to manipulate people. We just tend to be very good social engineers. We know what it takes to manipulate someone into giving up information, access, data or cash. That's next on The Pulse.

This is The Pulse. I'm Maiken Scott. We're talking about cybercrime and how scammers prey on human nature.

When we think of hackers, we usually think of shadowy, menacing figures like the group Anonymous with their white face masks and black hoodies. Or maybe basement-dwelling computer geniuses who spend their days chugging energy drinks and breaking into government websites.

But who are hackers, really? And what motivates them? Reporter Liz Tung has this profile of a petty thief turned major cybercriminal. When I first started talking to Brett Johnson, I asked him to introduce two versions of himself—

The current version. Today, I work as a cybersecurity, cybercrime and identity theft expert. And the old version. I was formerly top 10 most wanted in the United States for being a cybercriminal. And if that weren't enough, I also built and ran the first organized cybercrime community. A community that was called Shadow Crew, which was in the early 2000s, a precursor to today's dark web.

In other words, Brett was a pioneer hacker, though he says he personally doesn't like the term. I don't like to think of myself or really anyone who commits crime online as a hacker because we typically are not. We are criminals. You know that mental picture you have from TV and movies of hackers as computer geniuses who can break into anything online?

Brett says that's actually a tiny minority. The 98, 99 percent of attackers, we just tend to be very good social engineers. We know what it takes to manipulate someone into giving up information, access, data or cash. And that, Brett says, is the key to how he became a cyber criminal in the first place.

Because from the time he was a little kid, he had been learning about social engineering, or to put it more bluntly, lying and manipulating. And his main teacher? His mom. We're from eastern Kentucky, and my mom was basically the captain of the entire fraud industry. This is a woman who, no crime too big or too small. ♪

Everything from stealing a 54-ton Caterpillar D9 tractor to suing convenience stores over fake slip and falls. Brett's own criminal career started when he was about 10 years old. My mom had been leaving me and my sister home for days at a time. We didn't have any food in the house. I'm 10. My sister Denise is 9.

Denise walks in one day, she's got this pack of pork chops in her hand. And I asked her, I was like, where did this come from? And she's like, I stole it. And I'm like, show me how you did that. From there, Brett and his sister's shoplifting careers took off. Eventually, their mom and even their grandmother started to join in on the capers. In fact, that whole side of the family was into crime.

So as Brett got older, he received a comprehensive education in scams of all kinds. Faking stolen cars, faking accidents, burning homes for cash, charity fraud, document fraud, you name it. I had a background in it.

By the early 1990s, Brett was living on his own, along with his young wife, making a meager living mostly through theft and street scams. Until he caught an episode of the TV show Inside Edition about rare collector's item Beanie Babies. And the one they were profiling was Peanut, the royal blue elephant, selling for $1,500.

And I'm sitting there watching. I'm like, I got to find me a Peanut. So the next day, Brett goes hunting for Peanut, the royal blue elephant, at all the local stores. Of course, he couldn't find one. But he did find a different Beanie Baby elephant, a gray one selling for $8.00.

So Brett bought it, dyed it blue in his bathtub and sold it for $1,500 to an unsuspecting collector on eBay. That is the first online crime that I committed. I got away with it. And because I got away with it, I was emboldened and kept going and got better at it and started to understand the dynamics of how crime and fraud should operate online.

This was a pivotal point in Brett's criminal career. The moment he realized that online scams could pay way more than he'd ever earned on the street. So over the next few years, Brett started teaching himself about the full menu of online scams he could get into. He also started connecting with other cybercriminals online. And pretty soon, he realized something.

So if you look at online crime, or cyber attacks in general, they're successful because of three things. And I call them the three necessities of cybercrime. You have to gather data, you have to commit the crime, and then finally you have to be able to cash that crime out. All three of those necessities have to work in conjunction. If they don't, the crime fails.

But most criminals didn't seem to have all three skill sets, which is what ultimately inspired Brett and a few of his friends to create Shadow Crew in 2002, which sort of functions like an anonymous LinkedIn for cybercriminals. It was a large communication channel, forum-type structure where individuals from different time zones can reference conversations, days, weeks, months old, take part in those conversations, learn from those conversations. It was the first criminal marketplace of its kind. And pretty quickly, it blew up into a global phenomenon.

We dealt in all things financial and identity related. Every element of financial online crime, Shadow Crew dealt in. So stolen identities, identity theft, credit card theft, new account fraud, phishing attacks, cashing out people's retirement accounts. And it wasn't long before Brett was making money hand over fist. So at my peak, I was able to steal about $160,000 a week, 10 months out of the year.

And a lot of these crimes required real ingenuity, but more, like Brett said before, on the social engineering side than on the tech side, which Brett says was ultimately about establishing trust.

Take, for example, a scam called account takeovers. It would all start with Brett buying someone's complete identity profile from another cybercriminal. It would include their name, their date of birth, their social security number, banking info, mother's maiden name, driver's license, address, background check, all of it.

Next, Brett would call the person's bank, pretending he was them, and ask what his account balance was. Of course, they would run through the security questions and he would answer them all correctly, except for one, the mother's maiden name. I'm going to say any other name, but I'm going to say it with confidence. Johnson. No, sir, that's not what we've got.

So Brett, still calm, cool, and collected, would answer, well, I think I know my own mother's maiden name. What kind of operation are you running over there anyway? Since he'd gotten all the other answers right, the customer service rep would go ahead and change the mother's maiden name, tell Brett the available balance. And as they're hanging up that...

This was the real reason for the call. To change the phone number so that Brett could gain full control over the account.

Because now, any call related to the account, like, for example, about suspected fraud, would go straight to Brett's phone. And now here's why that works. I'm going to create a problem. I'm going to miss the mother's name. By me missing the mother's name, it allows me to build rapport with that customer service agent. It also allows me to layer more trust by answering more of those security questions correctly. And as that's going on, you have to understand that these customer service agents, they may get a few hundred calls a day. They think that the only reason I'm calling is for the account balance. Once they solve the problem, once they give me the account balance, they are mentally disconnecting from that call and looking forward already to the next incoming call. At that point is when I strike. Can you change or update the phone number that's on file? And the answer typically is yes.

That is a social engineering effect. So these were the kinds of scams that Brett and Shadow Crew were running. And they were so successful that within a couple of years, by 2004, they were being covered in the likes of Forbes magazine. This newfound notoriety was a badge of pride.

But it also meant the authorities were onto them. And in October of 2004, the FBI cracked down, arresting two dozen members of Shadow Crew across six countries.

But there was at least one member who got away, Brett Johnson. He stayed on the lam for several months before finally being arrested for something else. By this time, his case had been handed from the FBI over to the Secret Service, which was eager to learn the ins and outs of this new kind of crime. So in exchange for a reduced sentence, they asked Brett to teach them and to help them track down other cybercriminals.

It could have been a great opportunity for Brett to move from the dark side over to the light side. Except that Brett was still pulling scams. In fact, he was pulling scams inside the Secret Service offices. And of course, they eventually found out. So once again, Brett fled.

This was when he ended up on the FBI's most wanted list and eventually back in prison, this time for five years. Brett had gotten the chance to not only avoid any more jail time, but to start building a whole new career.

So why did he blow it? Well, make no mistake, it absolutely is an addiction. So with me, it's initially money and what I could do with that money. But especially in online, you never have to see the damage that you do to your victim. It's much easier to commit those crimes and victimize people because you don't have to see the damage that you're causing because you can say, well, I'm stealing from a bank or from a government and they can afford it. I'm

So it allows you to rationalize things. There was also arrogance, enjoying the fact that he was outsmarting the federal government's top guys and the fact that it gave him a sense of self-worth. My priority was crime because I was good at it. Growing up as a criminal and finally becoming a very competent criminal, it's very difficult to make the choice to do away with that and start your, if you're getting your value from that, start your value again at zero. How are you going to become valuable at that point? And there was also the deeper psychological pull, the one formed in childhood.

Because Brett's mom wasn't just a petty thief. She was abusive, physically and especially emotionally. Her parents were, too. That's the type of environment that I grew up in. And growing up in that type of environment, a child has to...

They either learn to survive or they don't survive. They break. And I was one of the kids that learned to survive. I learned to notice when the adults in my circle were going to go off. And, you know, you had to stay on point constantly because you never knew when things were about to explode. And because of that, as a child, I started to learn to pay attention to every single thing that the adults were doing, you know, the emotional, the mental, any type of tics that they had, any changes in behavior, anything else like that. I learned to do that, but it goes deeper than that. I also learned that if you were going to properly survive, how do you defuse that, what those adults are doing? We had a grandfather that used to chase everyone through the house with a butcher knife at one point. How do you defuse something like that? And as a child, again, you either learn to take care of that or you don't take care of that. That in essence is learning, excuse me, that's learning how to be a social engineer as a child. And it's not just me. I, uh,

Especially since coming over to the good guy side, I've had a lot of people that reach out to me these days because it turns out that while a lot of people want to turn their lives around, a lot of people aren't able to. So for Brett, learning to read people, to understand them and ultimately manipulate them was how he and based on his experiences, a lot of cyber criminals managed to survive their abusive childhoods.

But when you become an adult, you have to take responsibility for your life. There are people out there who had much worse upbringings than I did. My sister had the exact same upbringing that I did. She doesn't choose a life of crime. I did. I made that choice to do that.

Brett might have stayed trapped in the revolving door of crime and prison, but he says over the years, three things ultimately changed him. First was his sister, Denise. When Brett was arrested in 2005, he'd been out of touch with Denise for a while, but he managed to get a message to her saying he loved her.

In response, Denise, while pregnant no less, got in her car and drove seven and a half hours to see him, to tell him that she loved him too. Second was the woman who would later become Brett's second wife, Michelle.

They first met shortly after he'd gotten out of jail for the second time. It was a struggle for a while. He couldn't find steady work. And so, feeling guilty that he wasn't contributing, he ended up relapsing, using stolen credit card numbers to buy food for the home. Once again, he got caught. But Michelle stayed with him. She even spoke up for him to the judge. And that's when I find out that Michelle didn't need me for what I could give her.

She just needed me for me. And I had never, I'd never had that in a relationship. I'd had it with my sister, but I'd never had that in a relationship before.

After Brett was released from prison for the third and final time, he and Michelle got married. And it made Brett want to stay on the straight and narrow. So he reached out to an FBI agent who had arrested a bunch of his cybercrime buddies and told him he was looking for a job, a real job. And the man responded within two hours.

He took me in under his wing. He gave me references. He gave me advice. He's retired from the FBI now, but he still continues to do that today. That gave me validation. So it was my sister. It was Michelle. It was finally the FBI. Since then, Brett has been working as a cybercrime consultant and public speaker. He now gives talks at some of the biggest cybersecurity conferences around the world. But he still thinks of himself as a criminal, a criminal who just doesn't commit crimes anymore.

You know, I'm on the right side of the fence today and it is not, it's not an easy thing. You know, it's one of these things where you have to choose every day to do what's right and to stand up and not be silent and by God, just do it. That story was reported by Liz Tung.

That's our show for this week. The Pulse is a production of WHYY in Philadelphia, made possible with support from our founding sponsor, the Sutherland Family, and the Commonwealth Fund. You can find us wherever you get your podcasts. Our health and science reporters are Alan Yu and Liz Tung. Charlie Kyer is our engineer. Our producers are Nicole Curry and Lindsay Lazarski. I'm Maiken Scott. Thank you for listening.
