
I committed identity theft for a living. Now I help people lower their risk of getting hacked — here are the top 6 things everyone should do.

Brett Shannon Johnson said cybercriminals look for the easiest targets, but creating a base level of security is simple.

Photo courtesy of Brett Shannon Johnson

  • Brett Shannon Johnson, an ex-cybercriminal, now advises on cybersecurity to prevent identity theft.
  • He once ran a darknet network and was arrested by the Secret Service.
  • Johnson said freezing the credit of everyone in your home is one of the first safety steps.

This as-told-to essay is based on a conversation with Brett Shannon Johnson, a former cybercriminal turned cybersecurity professional. Business Insider confirmed Johnson's criminal history using court documents and contemporaneous news reports. The conversation has been edited for length and clarity.

I'm a reformed cybercriminal who used to commit credit card fraud and identity theft, but I've thankfully turned my life around.

I helped build and run an early version of the "darknet," which provided a trust mechanism that many criminals continue to use to this day. In October 2004, the Secret Service arrested 33 people associated with my network. They picked me up four months later and offered me a job as an informant. I'm the idiot who continued to break the law for the next 10 months while working for the Secret Service until they found out about it.

I was arrested, escaped, caught, and then sent to prison to serve seven years. Still, I was given the opportunity to turn my life around, and I took it. I'm well aware that I didn't deserve that, but I'm very blessed.

I now consult and speak as a cybersecurity expert, and I help protect internet users from the types of crimes I used to commit.

How to build a toolbox for online safety

Protecting yourself from someone like I used to be starts with understanding your place in the cybercrime spectrum — everyone has a place.

If you work in food service, that's different than if you're a CEO or working payroll. I'll still get you, but it differs. It's not likely that I'll hit a food service worker with a business email compromise or send them a deepfake. Understand what's realistic and design security around that.

Whenever I give a presentation about protecting yourself online, I tell people to think of it as building a toolbox. The criminal has a toolbox, and in it, they have a variety of tools with which to attack you. As a defender, you need to have a toolbox, as well, to prevent a stolen identity.

The good thing is that the tools you need aren't horribly sophisticated.

1. Use situational awareness online

People tend to have very good situational awareness in the physical world. If we're in a store, we know if something's off or if something just feels wrong. That doesn't translate very well in an online environment, but it should.

Understand that every platform and every website that you go to has predators — every single one. That doesn't mean not to go there, it just means to be aware of that. If we can just have that awareness in the back of our heads, that will automatically raise our security level.

2. Freeze the credit of everyone in your house

Contacting the three main credit agencies to block access to your credit accounts is the best tool to stop new account fraud.

Credit freezes are free. Unfortunately, only about 12% of the population has one. A credit freeze stops all new account fraud, so, as a criminal, I cannot pull your credit report.

It's a good idea to freeze the credit of every single person in your family, including kids, because kids are often targeted for identity theft. Most adults have existing accounts. It doesn't stop fraud on those. So you also have to monitor those accounts.

3. Place alerts on accounts where you can

You must also be aware of your email, retail, social media, bank, and credit card accounts. Every account has value to an attacker.

Make sure you have alerts on those accounts that communicate whenever they're accessed or used.

4. Practice good password security

Make sure that you're practicing good password security. Most people use the same or similar credentials across multiple websites, and hackers know that. This opens you up to credential stuffing.

It's an automated program. I can phish you, get your password, and log in to your Hulu account. I go to sleep, plug those credentials in, and this program will actually ping tens of thousands of different websites overnight and see what it gets access to.

If you use the same credentials for Hulu as you do for your Chase account, Bank of America, tax records, or whatever, I have access to those as well.

To avoid this, I use the free Google Chrome password manager, which generates unique passwords for every login and saves them for you.
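The defender's view of the credential-stuffing pattern described above, as an added example that is not from the article: a bot replaying leaked username/password pairs produces failed logins against many distinct accounts from one source address in a short time, which is what this script flags in a login log. The log format, the addresses, the usernames and the thresholds are constructed assumptions, not taken from any real product.

```python
"""Flag credential-stuffing sources: failed logins against many distinct accounts from one IP in a short window."""
from collections import defaultdict
from datetime import datetime, timedelta, timezone
import re

# Constructed log format (not any real product's): <timestamp> ip=<addr> user=<name> result=OK|FAIL
LINE_RE = re.compile(r"^(\S+) ip=(\S+) user=(\S+) result=(OK|FAIL)$")

def parse_line(line):
    # Return (ts, ip, user, result) or None for a line that does not match the format.
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m[1], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ts, m[2], m[3], m[4]

def find_stuffing_sources(lines, window_min=10, min_users=5):
    """Return {ip: sorted usernames} for sources whose failed logins hit at
    least min_users distinct accounts inside any span of window_min minutes."""
    window = timedelta(minutes=window_min)
    failures = defaultdict(list)          # ip -> [(ts, user), ...]
    for line in lines:
        rec = parse_line(line)
        if rec and rec[3] == "FAIL":
            failures[rec[1]].append((rec[0], rec[2]))
    flagged = {}
    for ip, events in failures.items():
        events.sort()                     # sliding window over time-ordered failures
        lo = 0
        for hi in range(len(events)):
            while events[hi][0] - events[lo][0] > window:
                lo += 1
            users = {u for _, u in events[lo:hi + 1]}
            if len(users) >= min_users:
                flagged[ip] = sorted(users)
                break
    return flagged

# Constructed sample: 203.0.113.7 sprays leaked pairs at six accounts within six
# minutes (one pair works); 198.51.100.4 is a real user who mistypes twice.
SAMPLE_LOG = [
    f"2025-01-19T02:0{i}:00Z ip=203.0.113.7 user=user{i} result=FAIL" for i in range(6)
] + [
    "2025-01-19T02:06:00Z ip=203.0.113.7 user=alice result=OK",
    "2025-01-19T09:15:02Z ip=198.51.100.4 user=alice result=FAIL",
    "2025-01-19T09:15:20Z ip=198.51.100.4 user=alice result=FAIL",
    "2025-01-19T09:15:41Z ip=198.51.100.4 user=alice result=OK",
]

if __name__ == "__main__":
    for ip, users in find_stuffing_sources(SAMPLE_LOG).items():
        print(f"credential stuffing suspected from {ip}: {len(users)} accounts {users}")
```

The successful login buried in the bot's run is the one that matters most operationally, which is why the alert is keyed on the source address rather than on any single account.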

5. Set up multifactor authentication for your accounts

Multifactor authentication is an outstanding tool. It's not bulletproof, but when you use it in conjunction with other tools, you become much more secure.

I used to preach about password managers. These days, I'm not explicitly recommending them because they've had some issues. I use a combination of passkeys, authenticators, and a password manager.

6. Watch what you share on social media

Understand that those 3,000 Facebook friends aren't friends. One of the things that I used to do was see what a person had on Facebook. I'd pull your identity profile and see what you had posted of interest. I'd find out your birthday, your mother's maiden name, when you're going on vacation, those types of things.

So, watch what you share on social media.

Getting inside the mind of a cybercriminal

You need to understand that these attacks happen for one of three reasons. It's status, cash, or ideology.

Most attacks are cash-based. When cybercriminals attack for status, it's to impress their criminal peers. They're trying to do something that no one else can do and gain respect — that equates to more money at the end of the day. When it's done for ideology, someone's pissed them off, and they're looking to attack them.

The criminal is simply looking to profit at the end of the day. That means they attack the lowest-hanging fruit. They're looking for the easiest access that gives them the largest return on that criminal investment.

If you just put in the base level of security, you're not that lowest-hanging fruit anymore. That matters because, as a criminal, I'm not going to waste my time trying to hit you when there are much easier targets that are out there.

Editor's Note: This article was originally published in September 2022 and has been updated.
