Hector Monsegur once sat on the FBI’s Most Wanted list.
As "Sabu," the infamous hacker behind LulzSec and a key player in Anonymous, he was a digital outlaw exposing government vulnerabilities. On the other side of the law stood Chris Tarbell, the FBI agent responsible for infiltrating Anonymous and leading the takedown of the notorious Silk Road marketplace.
Now, years later, they sit side by side—not as adversaries, but as allies. Together, they share an unusual friendship and a common goal: strengthening cybersecurity by exposing the dangers that lurk in the shadows of the internet.
At a recent fireside chat at Zero Trust World 2025 in Florida, the two reflected on their pasts, the evolution of hacking, and the ethical lines that have blurred in the age of cryptocurrency and AI.
A former hacker and an FBI agent walk into a conference…
“You arrested him,” the moderator quips, gesturing toward Monsegur. “And yet, here you are—smiling. How does that happen?”
Monsegur grins. “Well, it’s nothing. I still don’t like him,” he jokes. “Nah, for sure, we’re good friends now. But it took time. I mean, at the end of the day, I had to make a choice—spend the rest of my life in prison or actually do something meaningful.”
That choice wasn’t easy. When Tarbell’s team knocked on Monsegur’s door, he was staring down a maximum sentence of 125 years for his cybercrimes. "Chris sat me down and said, ‘Do you really want to spend the rest of your life in a cell because you hacked into a government server?’ And I realized—this isn’t a game anymore.”
Tarbell chimes in, reflecting on how the experience changed him, too. "Hector made me see criminals as humans. Before, I saw crime in black and white. You arrest the bad guy, put them away, and that’s the end of the story. But working with Hector, I realized—people don’t always start off as criminals. Sometimes, they get radicalized into it.”
The unlikely duo now work together to educate businesses, law enforcement, and everyday users about real-world cybersecurity threats. And if there’s one thing they both agree on, it’s this: hacking isn’t what it used to be.
The changing ethics of hacking
“Back in the day, hackers had a code,” Monsegur explains. “We were curious. We wanted to understand how systems worked, where they were vulnerable. But it never would have occurred to us to hack a hospital for ransom.”
Tarbell nods. “Exactly. But now? That line is gone. And you know what changed? Money.”
The introduction of cryptocurrency has completely altered the hacking landscape. In the past, cybercriminals had to be careful—stealing money meant moving it through traditional banking systems, leaving a trail for law enforcement. Now, with crypto, that barrier is gone.
“These ransomware groups are richer than ever,” Tarbell says. “And they’re getting more sophisticated. They can afford to buy zero-day exploits—previously, only nation-states had that kind of power. Now, a well-funded ransomware group can outbid a government agency for an exploit.”
Monsegur adds, “Back in the 2000s, we were trading exploits for free. If I had a remote exploit for a telnet service, I’d swap it for a different exploit with another hacker. Now? These guys are selling them for millions. You can thank crypto for that.”
The financial incentives have also changed the morality of hacking. Where old-school hackers might have had an unwritten rule against targeting hospitals, today’s ransomware groups deliberately go after medical facilities. They know hospitals are more likely to pay up, desperate to restore critical systems.
"There's no ethics anymore," Tarbell laments. "It’s just business."
Accountability and the human factor
But it’s not just elite hackers that companies have to worry about. According to Tarbell, insider threats remain one of the biggest security risks.
“Look, there are people out there selling their own login credentials for $40. And for $80? You can get access to a company’s multi-factor authentication (MFA) credentials.”
Then there are the mistakes—the employees who click on phishing links, download malware, or reuse weak passwords.
“We talk a lot about security culture,” Tarbell says. “But let me ask you something—if James from accounting clicks on a phishing link that costs the company millions… should he lose his job?”
The audience murmurs.
“I mean, where’s the accountability?” Tarbell presses. “Right now, if someone falls for a scam, we send them to a training session. Maybe they take an extra cybersecurity class. But if they’re careless again and again? Shouldn’t there be consequences?”
Monsegur jumps in, “And here’s the thing—attackers know this. They know they just need to find the weakest link inside your company. And if your weakest link is ‘James from accounting’… well, congratulations. You just got hacked.”
The Future: AI, social engineering, and the next big threats
If the last decade has been defined by ransomware, the next one will be shaped by AI-driven cybercrime.
“We’ve already seen AI being used for fraud,” Tarbell warns. “Scammers are using deepfake voices to impersonate family members, tricking people into sending them money. Give it a couple of years, and we’ll see fully AI-generated phishing campaigns—emails, phone calls, even video messages—all tailored to manipulate people into giving up access.”
Monsegur agrees. “Back in the 90s, if I wanted to social-engineer someone, I had to actually talk to them. Now? AI can generate thousands of phishing emails instantly, each one customized to its target. And once we hit autonomous AI cyberattacks—bots that can identify vulnerabilities and exploit them without human input? That’s when things get scary.”
So what can companies do?
Invest in resilience.
According to Monsegur, too many organizations assume breaches won’t happen. “You have to build security with the mindset that an attack will happen. If ransomware locks up your systems tomorrow, what’s your plan? If your CEO’s voice is cloned to authorize a fraudulent transfer, how do you verify it? These aren’t hypothetical scenarios anymore. This is reality.”
The takeaway
The conversation ends on a reflective note.
“I’ve seen what unchecked cybercrime can do,” Monsegur says. “I’ve been part of it. And I’ve seen the consequences.”
Tarbell nods. “And I’ve seen how law enforcement fights back. But let me tell you something—FBI arrests don’t stop cybercrime. The only way to stay ahead of the bad guys is for everyone to take cybersecurity seriously. That means businesses, governments, and individuals.”
As they leave the stage, the message is clear:
The ethics of hacking have changed. The rules of the game have changed. And the stakes? They’ve never been higher.
