Ex-Hacker Brett Johnson Warns: Deepfakes, Scam Farms and Synthetic IDs Are Fueling an AI-Driven Surge in Cybercrime

Brett Johnson, a reformed identity thief who later advised law enforcement and private companies (including the Secret Service), warns that cybercrime has evolved into an industrial, AI-accelerated business. Having made millions through identity theft and dark-web marketplaces, Johnson says criminals now combine automation, organization and synthetic data to run fraud at scale.

Three rising threats

1. Deepfakes

Deepfake technology can convincingly imitate voices and faces in real time, and criminals are already using it to impersonate trusted colleagues and executives. Johnson warns this short-circuits the usual trust-building process fraudsters rely on: instead of slowly gaining a victim's confidence, attackers can pose as an already trusted person.

"In order for me to defraud you, I have to get you to trust me," Johnson said. "Deepfakes enable criminals to bypass that effort by posing as someone you already trust."

In a high-profile example, a finance clerk approved overseas transfers totaling more than $25 million after participating in a video call populated by deepfaked versions of his coworkers, including the CFO. As AI becomes faster and more precise at replicating speech, faces and messaging tailored to a target, it will be harder to trust anything seen or heard online.

2. Scam farms

Scam farms are organized operations—often housed in buildings with dozens or hundreds of workers—running coordinated fraud campaigns. Some employees are trafficked or coerced; others work shifts under supervisors to run high-volume scams. Common schemes include "pig butchering," long-term romance-style cons that coax victims into investing life savings in fake opportunities.

These operations operate like businesses with management structures and specialization, a degree of organization Johnson says was rare when he was active in the 1990s and early 2000s.

3. Synthetic identity fraud

Synthetic identity fraud combines real and fabricated personal data to create new, non-existent persons. Johnson calls it the world's leading form of identity theft because it is difficult to detect: the identity does not map to a single real individual.

He estimates synthetic fraud represents roughly 80% of new-account fraud, about 20% of credit-card chargebacks, and roughly 5% of outstanding credit-card debt. Once established, a synthetic identity can open accounts, take loans or facilitate money-laundering before institutions detect the scheme.

Why this matters

Automation and easy access to tutorials and tools mean newcomers can quickly become effective fraudsters without deep technical skills. Combined with AI-generated content and well-run scam farms, the result is faster, harder-to-detect crime that targets individuals and institutions alike.

Six practical protections

1. Practice situational awareness online: Assume predators operate on every platform and be skeptical of unsolicited requests.
2. Freeze household credit: Freeze the credit files of everyone in your home — not just yourself — to block new-account fraud immediately.
3. Enable alerts: Turn on notifications for account activity so you’re alerted to suspicious transactions or logins in real time.
4. Use strong, unique passwords: Never reuse passwords; use a password manager to create and store unique credentials.
5. Enable multifactor authentication (MFA): MFA substantially raises the cost and difficulty for attackers, especially when combined with other safeguards.
6. Limit social sharing: Restrict public personal details like birthdays and family names that scammers can use to impersonate or socially engineer you.

Johnson's core message: cybercrime is becoming industrialized and AI-driven, so layered defenses and constant vigilance are essential. Individuals and organizations should assume fraud will grow more sophisticated and prepare accordingly.

Source: Interview with Brett Johnson, as reported by Business Insider.