24 Jun 14

The ‘Fly’ Has Been Swatted


A Ukrainian man who claimed responsibility for organizing a campaign to send heroin to my home last summer has been arrested in Italy on suspicion of trafficking in stolen credit card accounts, among other things, KrebsOnSecurity.com has learned.


Passport photo for Sergei “Fly” Vovnenko. He was arrested in Naples, Italy earlier this month.

Last summer, apropos of nothing, an infamous cybercrook known as “Fly,” “Flycracker” and “Muxacc” began sending me profane and taunting tweets. On top of this, he posted my credit report on his blog and changed his Twitter profile picture to an image of an action figure holding up my severed head.

The only thing I knew about Fly then was that he was the founder and administrator of a closely-guarded Russian-language crime forum called thecc.bz (the “cc” part referring to credit cards). Fly also was a trusted moderator on Mazafaka, one of the most exclusive and venerable Russian carding forums online today.

Shortly after Fly began sending those nasty tweets, I secretly gained access to his forum, where I learned that he had hatched a plot to buy heroin on the Silk Road, have it shipped to my home, and then spoof a call from one of my neighbors to the local police when the drugs arrived (see Mail from the Velvet Cybercrime Underground).

Thankfully, I was able to warn the cops in advance, even track the package along with the rest of the forum members thanks to a USPS tracking link that Fly had posted into a discussion thread on his forum.

Angry that I’d foiled his plan to have me arrested for drug possession, Fly had a local florist send a gaudy floral arrangement in the shape of a giant cross to my home, complete with a menacing message that addressed my wife and was signed, “Velvet Crabs.”


Irina Gumenyuk-Vovnenko lists her hometown as Naples in her Odnoklassniki.ru profile.

After this incident, I became intensely curious about the identity of this Fly individual, so I began looking through databases of hacked carding and cybercrime forums. My first real break came when Russian computer forensics firm Group-IB provided a key piece of the puzzle (they were also quite helpful on the heroin sleuthing). Group-IB found that on the now-defunct vulnes[dot]com, Fly maintained an account under the nickname Flycracker, and signed up with the email address mazafaka@libero.it (.it is the country code for Italy).

According to a trusted source in the security community, that email account was somehow compromised last year. The source said the account was full of emailed reports from a keylogging device that was tied to another email address — 777flyck777@gmail.com (according to Google, mazafaka@libero.it is the recovery email address for 777flyck777@gmail.com).

Those keylog reports contained some valuable information, and indicated that Fly had planted a keylogger on his wife Irina’s computer. On several occasions, those emails show Fly’s wife typed in her Gmail address, which included her real first and last name — Irina Gumenyuk.

Later, Gumenyuk would change the surname on her various social networking profiles online to Vovnenko. She even mentioned her husband by name several times in emails to friends, identifying him as 28-year-old “Sergei Vovnenko”. Payment information contained in those emails — including shipping and other account information — put the happy couple and their young son in Naples, Italy.

Fly replies to my direct messages telling him I know his real name and where he lives.


Last week, Mazafaka forum administrators began removing Fly’s account and postings from the forum. They typically do this when one of their members is suspected of having been arrested by the police, but in this case nobody on Maza seemed to know what had become of Fly. One thing was painfully clear: Fly’s forum — thecc[dot]bz — had been offline for nearly a week, and no one had heard from Fly for just as long.

According to information gathered from Vovnenko’s various social networking profiles, he was born in St. Petersburg, Russia but is a Ukrainian citizen. Neither Sergei nor Irina Vovnenko responded to requests for comment.

A government source confirmed that Vovnenko was arrested earlier this month in Naples after a joint investigation by Italian and U.S. law enforcement agents. Another government source said Vovnenko was arrested while carrying identification documents under an assumed name – Sergei Volneov. He is reportedly being held in an Italian jail waiting to be extradited to the United States, although he may stand trial in Italy first.

Investigators tell KrebsOnSecurity that Vovnenko routinely bought Italian credit card dumps and cashed out the stolen cards through high-end Italian stores, and that he owns a variety of equipment for embossing and printing credit cards.

This case is another reminder that nobody is anonymous, and that operational security is hard to do well consistently. But here’s a pro tip: If you’re a big time cybercrook and you’re planning to keylog your spouse’s computer, it’s probably best to delete the messages once you’ve read them.

Fly identifies himself as “Sergei” in an email about changing the vehicle ID number (VIN) on a 2010 Mercedes Benz E250. He lists a mobile phone number in Italy. Source: Group-IB.


81 comments

  1. This is damn good news, Brian. Well done to the law enforcement agencies involved!

  2. LOL @ “Neither Sergei nor Irina Vovnenko responded to requests for comment”

  3. This article makes me happy! You da man, Brian Krebs!

  4. Excellent news, effort and results from your work Brian!

    Let’s hope we get a good result out of the sentencing and can send him somewhere nice. Rikers comes to mind :)

    Kudos to the Italian authorities as well!

  5. Brian – you are a true cyber super hero!!!

  6. “According to a trusted source in the security community, that email account was somehow compromised last year
    The key to all this was accessing the attacker’s email account.”

    1. What is the legality of using stolen (hacked) credentials to access a private email account? (unauthorized access)

    2. How did this site and others (legally) gain the credentials for the email account, screen shots indicate it was accessed.

    3. The email regarding the Mercedes VINs shows that emails were read without looking for a specific piece of evidence.

    We may all agree with the results but in this case the methods used seem questionable.

    • 1) Brian is not a member or agent of law enforcement. Any action he takes is done as a private citizen. The prosecutor in the jurisdiction can decide to bring a criminal or civil suit. Any aggrieved party is free to bring forward a civil suit that might trigger a criminal investigation.
      2) This site is not obliged to reveal any information about its sources. An argument can be made that the entity that runs “krebsonsecurity.com” is a news outlet and has the same source protection rules applied to it as NYT or The Washington Post. As to the legality of accessing other people’s emails via hacked credentials:
      It appears that the writer and the person whose credentials were used had a relationship that was initiated by a person other than the writer. While there is no express permission from the other party to have their emails read, there is ample evidence to suggest that the nature of their relationship is such that they are allowed to mess with each other’s lives (as shown with showing the writer’s credit report). An argument can be made that it is a classic case of one-upmanship of two people who are ok with messing with one another (RE: “LOL I am going to jail”) He did LOL.
      3) The email regarding the Mercedes VIN issue was not obtained with a warrant for a specific topic. If a warrant was issued then it would still cover because it would read “evidence relating to the identity…” The telephone number (that was singled out in italics in the image caption) is a Personal Identifying Information and would be covered under even the narrowest of warrants for electronic communication logs.

      Disclaimer: I would advise you to obtain competent legal representation before posting to the internet. Everything in this comment could be wrong, misleading and a malicious lie. The information contained in this comment does not represent the author’s opinion.

    • @Eric, too bad your high standards don’t apply to the scum like Vovnenko. I guess you’ll be the only one attending his candle light vigil…

  7. Excellent news! I hope he rots in prison for the rest of his life.

  8. Maybe while they send stuff on internet you can intercept. While they try to swat your home door, you can fix it with local police. But man, you are not the Iron Man, maybe one day they can get it to be someone with a gun ready to shoot your face. You are not afraid of that?

    • Isn’t that the chance every reporter, investigator, prosecutor or anyone else who tries to catch criminals takes in order to make the world a better/safer place for the rest of us?

    • That’s a definite problem, and it does have a chilling effect on a lot of people. People who’ve gone to journalism programs in college would’ve likely heard the name “Veronica Guerin” during their time as a student. And she’s far from the only one; the Committee to Protect Journalists has had a site listing known ones murdered for some time now (http://cpj.org/killed/murdered.php).

      But that said, uncovering such criminal enterprise is precisely one of the reasons reporters do the work they do. If each of them succumbed to threats by criminals, then they’ve not only ceded a victory to them, they’ve also hurt their readership by not informing them of such activities they’ve discovered.

      Yes, it’s dangerous. That’s why criminal enterprise is bad, and should be fought.

  9. Well done, Mr. Brian.

    ” All that is necessary for the triumph of evil is that good men do nothing.”

    As a good man, you have proven Mr. Burke’s point and potentially helped save countless others from the pain and suffering that this evil animal would inflict in the future.

  10. While others already expressed pretty much the same, let me add:
    Brian, you are superb. Not only very competent, but also dedicated, persevering. In addition, you provide for more fascinating reading than the vast majority of what one can find elsewhere.

    Just be careful.

  11. Wow! I am so thankful you & others were able to foil this guy’s plans, & I am grateful you & your family are safe.

  12. While others already expressed pretty much the same, let me add:
    Brian, you are superb. Not only very competent, but also dedicated, persevering. In addition, you provide for more fascinating reading than the vast majority of what one can find elsewhere.

    Just be careful.

    p.s. You must have been under DOS earlier; when I tried to enter this comment your site was not accessible.

  13. Sorry for the duplicate entry – it just showed up for me right after I entered the duplicate.

  14. yes, I am happy too
    Great job Brian and great article as always.
    Ad maiora!

  15. You’re one in a million, Brian! You do unbelievable work! God Bless & protect you & your loved ones!

  16. Glad to read of his arrest.

    Now push to have him extradited to USA, not prosecuted in Italy.

    Justice and prisons in Italy are a farce: he would get a discharge or spend just few weeks in prison.

  17. Wow, this is unbelievable, good work, well done Brian!

  18. Ok Ok I’m the RAT. You got me.

  19. Even better ProTips:
    1. Don’t be a dumbass.
    2. Put all that energy into white-hat hacking. Then when everything is revealed, you get to keep all the money you made legitimately and you don’t have to go to jail.

    • Have you watched the news and seen what’s going on in the Ukraine lately? Not saying that’s why he left, but it’s a good enough reason.

  20. If your business is carding and you’re a Ukrainian, why would you leave the safety of the Ukraine and travel to a country that’s willing to cooperate with the U.S. and is also willing to actually prosecute and jail carders?

    These guys are stupid.

    • Based on my reading of this story, it sounds like he was Ukrainian, but was running his operation out of Italy. This would explain why he inexplicably had .it email accounts. In other words, he was born in the Ukraine, but at one point moved to Italy. I’d be a little askance at calling him a Ukrainian if he had Italian citizenship though.

      More details will surely follow though, as they usually do in criminal cases.

      • It doesn’t really matter. He’s a Ukrainian who left the safe harbor provided by a country that’s willing to accommodate carders.

        • Born in Russia, got a Ukrainian passport and lived in Italy. He is still a citizen of Ukraine but by birth is Russian.

  21. On Sunday the Greece Coast Guard with the U.S. Drug Enforcement Administration seized a 987 Kg shipment of Heroin originating from Afghanistan and shipped through Iran and the Suez Canal. The Taliban this week is attacking police checkpoints in Helmand Province.

  22. Technical expertise earns admiration, and courage earns respect. May we also offer empathy to your family for having gotten a threatening, ominous message?

    As all delight in this adventure’s happy ending, may we further suggest allocating donations to a family evening out – with champagne? Living well is the best revenge.

  23. Congrats to you, I hope he and his kind die painfully in prison.

  24. You’re becoming a bit of a pain for your scriptwriters – how are they supposed to include all of this new stuff in your movie?

    Good news none-the-less, another one off the streets and hopefully a significant deterrent for others as well.

  25. I’m a little surprised that the DEA didn’t confiscate everything you own ‘just to be sure’

  26. Brian, I don’t know how you have the courage to do what you do. But thank goodness you do!

  27. Outstanding work Brian

  28. Good news, yes.

    Hilarious, also yes. A key-logger on his wife’s computer! What a loser.

  29. I wonder if Vovnenko had any sort of contingency plan, a stash of cash for his wife and son in case he was ever arrested. Probably not, he probably assumed he would never be caught. Do you think any computer/communication equipment has been left in their home or has it all been carted away because it’s evidence? If they were here in the U.S., the home would be wiped clean of it.

  30. “muxacc” also stands for “муха цц” in Russian language http://en.wikipedia.org/wiki/Tsetse_fly

  31. If you’re really Fly, and really in control of the email address that you included in your comment, then you know how to reach me. I’ll ignore any emails that come from somewhere else.

  32. Why should I reach you? Got my drop lolz, nice try krabs
