Robert Hanssen was the most damaging spy in American history.
A senior FBI agent turned traitor, he sold classified secrets to Russia for more than two decades, compromising US intelligence at the highest levels.
I was the undercover operative assigned to stop him. Working inside FBI headquarters, I became Hanssen's assistant in name, while secretly gathering the evidence that would lead to his arrest.
That operation became the basis of my book Gray Day and the film Breach, in which Ryan Phillippe portrayed me.
Since then, my path has evolved. I transitioned from spy hunter to national security attorney and cybersecurity strategist. But one constant remains: I view the cyber threat landscape through the lens of a spy hunter.
Because the truth is, there are no hackers. There are only spies.
We have mistakenly framed cybercrime as a technical problem. In reality, it is an intelligence problem. Hacking is simply the natural evolution of espionage.
The tactics haven't changed, only the tools. Whether it's a hostile nation-state actor or a cybercriminal syndicate, the method of attack is rooted in deception. The goal is always the same: gain access, gather intelligence and exploit the target.
What separates a cyber spy from a cybercriminal is not technique, but intention. The spy infiltrates quietly, extracts valuable information, and disappears without leaving a trace.
The criminal does the same - until the moment of departure. That's when the damage becomes visible.
Data is encrypted or destroyed, and the victim is hit with a ransom demand. We call it ransomware, but it's just espionage with a smash-and-grab exit.
And all of it - the malware, the stolen credentials, the illicit transactions - flows through the same underground marketplace: the dark web.
Today, the dark web operates like a shadow economy. If it were a country, it would rank as the third-largest economy in the world, behind only the US and China.
Cybercrime now generates over $12trillion annually. That figure is expected to balloon to $20trillion by 2026.
These numbers aren't abstract, they represent real people, businesses, hospitals, governments and families, all suffering real losses.
The dark web is no longer the domain of a few hoodie-clad hackers typing in basements.
It's a sophisticated criminal ecosystem. Malware is bought and sold like software. Stolen data is packaged and priced by the terabyte. Ransomware is offered as a service, complete with customer support.
It's industrialized crime, scaled by artificial intelligence, fueled by human error and enabled by global anonymity.
And if you think you're not a target, think again.
Even with my background in espionage and cybersecurity, I nearly fell victim to a cyberattack a few years ago. It started with what seemed like a legitimate request: an invitation to speak at an international conference at a spectacular venue.
Everything looked real. The conference had a website. The organizer had a professional email signature and speaker's contract. The offer included business-class travel, five-star accommodations, and a generous speaking fee.
But something felt off. I couldn't shake the sense that it was all a little too perfect. My instinct - the same one that once kept me alive during undercover operations - told me to investigate further.
In my case, the organization claimed to be affiliated with a global church network, but the domain name didn't match. A quick check of the contact's credentials turned up nothing verifiable.
And the deeper I dug, the clearer it became: this was a scam. A sophisticated one, designed to trick speakers into sharing personal data and banking information. I used my investigative skills to identify the criminals, reported them to local police and moved on.
But the experience stayed with me. If I almost fell for it, anyone could.
This is the world we live in now. A world where digital trust is a liability. Where cybercriminals don't break into your systems, they walk through the front door because someone accidentally handed them the keys. And often, that 'someone' is you.
We are all on the front lines - every employee, every parent, every student, every business owner. Cybersecurity is no longer just an IT concern, it is personal security, and we can't outsource it anymore.
That's why I wrote Spies, Lies, and Cybercrime, a practical field manual for defeating digital deception. It draws from my experience in the FBI and my years advising individuals and companies.
The book outlines how to think like a spy - understanding the tactics used against you - and act like a spy hunter. We may not be able to eliminate cybercrime, but we can outsmart it.
Here are five key principles I use and teach to stay ahead of the threat.
Kill the password
Passwords are broken. Most people reuse them; many can be cracked in seconds.
Multi-factor Authentication (MFA) adds a second layer - like locking your front door and adding a bolt.
Whether it's a biometric scan, a one-time code or an authentication app, it's your best shot at locking out unauthorized access. Use it everywhere.
Use an app like Duo Mobile (my favorite) or Google or Microsoft Authenticator.
Turn on MFA for your email, bank and all social media.
Ditch text message codes if possible - they're better than nothing, but not ideal.
Develop 'cop instinct'
When I was undercover, I learned to listen to my gut. If something felt off, I paid attention.
In the digital world, this instinct is just as important. Be skeptical of every email, message or text. Inspect addresses, scrutinize links and verify everything before you trust it.
If a message pressures you to act fast, offers something too good to be true, or comes from someone you haven't heard from in a while, pause. Investigate. Cybercrime thrives on urgency and distraction. Slow down and think.
Hover over links before clicking - does the URL look legit?
Call or text someone if an email from them feels off. Don't trust, verify!
Don't download attachments from unknown senders.
Never share personal info unless you're 100 percent sure who you're talking to.
Never scan a QR code unless you are 100 percent certain it's safe.
Beware your lying eyes
We are entering the age of synthetic media. AI can now clone voices, mimic writing styles, and generate hyper-realistic video deepfakes. What you see is not necessarily what's real.
A British man was recently conned out of hundreds of pounds after being bombarded with messages from deepfake celebrity accounts on social media.
Paul Davis, 43, who suffers from depression, said he was 'relentlessly' targeted by AI-generated videos - including ones that appeared to feature Mark Zuckerberg, Elon Musk and Jennifer Aniston.
Tragically, Paul believed the message was real and sent money in the form of non-refundable Apple gift cards.
I have brilliant friends who have tossed out their smartphones altogether and have chosen to write on aged, mechanical typewriters, all to protect their most critical information.
Others have replaced their recorded voicemail messages with the generic robotic message.
By 2026, experts predict that 90 percent of online content will be synthetic. That means almost everything you read or watch could be manipulated.
Therefore always assume deception. Train yourself to question authenticity. Verify through secondary channels.
That urgent phone call from your daughter? Cybercriminals only need a 20-second sample to create an AI-generated cloned voice, so settle on a family code phrase to ensure that the person you are talking to is who you think they are.
That message from your boss asking you to send a wire or pay an invoice? It might be a scammer deceiving you with a deepfake email.
That Zoom invite from a business partner? Criminal gangs have stolen billions from organizations with AI avatar imposters on video conferences.
Compartmentalize your digital life
In espionage, spies don't keep all their secrets in one place - you shouldn't either.
Use different email addresses for different aspects of your life such as personal, financial, work and shopping.
Store passwords in a secure manager like 1Password or Bitwarden, or use Microsoft or Apple Passkeys.
And don't overshare on social media. That includes details like your full birthday, your kids' school names, details about your work or daily routine and your vacation dates (that's an open invite for burglars).
Kim Kardashian said she blamed herself for a terrifying armed robbery in Paris in 2016 that resulted in the loss of $10 million-worth of jewelry, and vowed to stop flaunting her wealth on social media.
The more data you expose, the easier it is for criminals to profile and exploit you.
Keep your digital footprint as minimal and fragmented as possible.
Monitor your exit points
Spies don't just infiltrate, they exfiltrate.
In cybersecurity, the same principle applies - so know what's leaving your system.
Use tools like GlassWire, Bitdefender or Little Snitch (Mac) that alert you to large data transfers or unauthorized access.
Install cybersecurity protection software such as Symantec, Malwarebytes or AVG Internet Security (Mac).
Regularly check app and device permissions. Who has access to your cloud storage? What apps are using your camera, mic or location? Remove anything you don't use or recognize.
And keep your software updated, because outdated programs are full of holes. Don't wait for your data to walk out the door before you realize there was a breach.
The truth is that cybercrime will continue to grow. It will outpace security spending. It will evolve faster than most people can respond. But that doesn't mean we are powerless. We just need to change how we think.
Stop thinking like a victim. Start thinking like a spy, then act like the person hunting them. Because the dark web isn't going anywhere, but neither am I.
Eric O'Neill is a former FBI counterintelligence operative, national security attorney and author of Gray Day and the forthcoming Spies, Lies, and Cybercrime (October 7). He is the founder of The Georgetown Group and speaks internationally on espionage, cybersecurity and how to defeat digital deception. Follow Eric at ericoneill.net/newsletter.
