From Beanie Babies to Breaches: Why Trust Is the Real Attack Surface

One of Brett Johnson’s earliest scams was selling a dyed Beanie Baby on eBay for $1,500.
The elephant was supposed to be royal blue. His version looked like it had mange. But the buyer trusted the platform, trusted the photo, and most of all, trusted the idea of the deal.
That’s the formula for most cybercrime:
- Find someone who wants something.
- Build just enough trust to get them to act emotionally.
- Make it look legitimate.
- Exploit.
A few weeks ago, I sat down with Brett, once dubbed the “Original Internet Godfather” by the U.S. Secret Service and formerly one of America’s most-wanted cybercriminals. How often do you get the chance to have an open conversation with someone who built the infrastructure of modern cybercrime — then helped tear it down?
What struck me most in our conversation was how plainly he explained something we tend to overcomplicate in cybersecurity: trust. Or, more accurately, the way criminals exploit it.
Let’s talk about what trust really means to an attacker and what that means for how we defend against them.

Cybercriminals don’t hack you. They exploit your trust.

“The perception of reality is more important than reality itself.”
That’s Brett’s mantra. And it should scare every security leader reading this.
From his point of view, breaching a system isn’t about technical brilliance. It’s about psychological manipulation. He doesn’t need to know your network inside out or be an infrastructure genius. He just needs to convince your help desk he’s your CFO.
Trust, he told me, is the true attack surface. In a digital world built on convenience and connectivity, that surface is massive.
Today, criminals exploit your trust in devices, in browser tabs, in voices on Zoom calls. Deepfake a CEO and ask payroll to wire money? Easy. Spoof a known phone number with a SOCKS5 proxy? Common. Register a lookalike domain? Child’s play.
The attacker’s mindset is simple: if it looks real, it is real.

Zero Trust is a response to criminal logic

What would have stopped Brett back then? What stops attackers now?
Zero Trust.
“Every new engagement should be from a Zero Trust standpoint,” he told me. “Don’t just assume someone’s who they say they are — verify. Then verify again.”
Think about what that looks like in action:
- Don’t trust a cookie. Inspect the context around it — device, IP, behavior.
- Don’t trust a voice or face on a video call. Validate offline.
- Don’t trust a credential just because it worked yesterday. Challenge it anew.
To attackers, friction is failure. The more layers they hit, the more likely they are to give up and move on.
That’s why Zero Trust works. Not because it’s airtight, but because it makes attacks cost more and succeed less.

Criminals collaborate. So should we.

Another thing that stuck with me: Brett said threat actors are winning because they share better.
“We were more of a society than you are,” he told me, referring to his days running ShadowCrew, an online cybercrime forum.
Criminals trade tips, tools, and tactics. They help each other, mentor, and share failures and successes. Meanwhile, defenders too often stay siloed — by industry, regulation, or fear.
That needs to change. If cybercriminals can treat crime like a community project, then cybersecurity must become a team sport.

Rebuilding trust when deception is the default

Brett ended our conversation with a warning and a challenge.
We’re heading toward a future where we won’t be able to trust anything we see or hear online. There will be more and more real-time deepfakes, AI-generated scams, and impersonations so good you won’t spot the difference.
If perception can be faked, and truth no longer matters, then trust must be rebuilt — not granted. And that means rethinking everything from authentication to awareness.
Zero Trust isn’t just a defensive strategy. It’s a mindset shift for an era where deception is the default.
Let’s shift with it.

Raghu Nandakumara
Head of Industry Solutions