June 24, 2014

A Ukrainian man who claimed responsibility for organizing a campaign to send heroin to my home last summer has been arrested in Italy on suspicion of trafficking in stolen credit card accounts, among other things, KrebsOnSecurity.com has learned.

Passport photo for Sergei “Fly” Vovnenko. He was arrested in Naples, Italy earlier this month.

Last summer, apropos of nothing, an infamous cybercrook known as “Fly,” “Flycracker” and “Muxacc” began sending me profane and taunting tweets. On top of this, he posted my credit report on his blog and changed his Twitter profile picture to an image of an action figure holding up my severed head.

The only thing I knew about Fly then was that he was the founder and administrator of a closely-guarded Russian-language crime forum called thecc.bz (the “cc” part referring to credit cards). Fly also was a trusted moderator on Mazafaka, one of the most exclusive and venerable Russian carding forums online today.

Shortly after Fly began sending those nasty tweets, I secretly gained access to his forum, where I learned that he had hatched a plot to buy heroin on the Silk Road, have it shipped to my home, and then spoof a call from one of my neighbors to the local police when the drugs arrived (see Mail from the Velvet Cybercrime Underground).

Thankfully, I was able to warn the cops in advance, and even to track the package along with the rest of the forum members, thanks to a USPS tracking link that Fly had posted into a discussion thread on his forum.

Angry that I’d foiled his plan to have me arrested for drug possession, Fly had a local florist send a gaudy floral arrangement in the shape of a giant cross to my home, complete with a menacing message that addressed my wife and was signed, “Velvet Crabs.”

Irina Gumenyuk-Vovnenko lists her hometown as Naples in her Odnoklassniki.ru profile.

After this incident, I became intensely curious about the identity of this Fly individual, so I began looking through databases of hacked carding and cybercrime forums. My first real break came when Russian computer forensics firm Group-IB provided a key piece of the puzzle (they were also quite helpful on the heroin sleuthing). Group-IB found that on the now-defunct vulnes[dot]com, Fly maintained an account under the nickname Flycracker, and signed up with the email address mazafaka@libero.it (.it is the country code for Italy).

According to a trusted source in the security community, that email account was somehow compromised last year. The source said the account was full of emailed reports from a keylogging device that was tied to another email address — 777flyck777@gmail.com (according to Google, mazafaka@libero.it is the recovery email address for 777flyck777@gmail.com).

Those keylog reports contained some valuable information, and indicated that Fly had planted a keylogger on his wife Irina’s computer. On several occasions, those emails show Fly’s wife typed in her Gmail address, which included her real first and last name — Irina Gumenyuk.

Later, Gumenyuk would change the surname on her various social networking profiles online to Vovnenko. She even mentioned her husband by name several times in emails to friends, identifying him as 28-year-old “Sergei Vovnenko”. Payment information contained in those emails — including shipping and other account information — put the happy couple and their young son in Naples, Italy.

Fly replies to my direct messages telling him I know his real name and where he lives.

Last week, Mazafaka forum administrators began removing Fly’s account and postings from the forum. They typically do this when one of their members is suspected of having been arrested by the police, but in this case nobody on Maza seemed to know what had become of Fly. One thing was painfully clear: Fly’s forum — thecc[dot]bz — had been offline for nearly a week, and no one had heard from Fly for just as long.

According to information gathered from Vovnenko’s various social networking profiles, he was born in St. Petersburg, Russia but is a Ukrainian citizen. Neither Sergei nor Irina Vovnenko responded to requests for comment.

A government source confirmed that Vovnenko was arrested earlier this month in Naples after a joint investigation by Italian and U.S. law enforcement agents. Another government source said Vovnenko was arrested while carrying identification documents under an assumed name — Sergei Volneov. He is reportedly being held in an Italian jail waiting to be extradited to the United States, although he may stand trial in Italy first.

Investigators tell KrebsOnSecurity that Vovnenko routinely bought Italian credit card dumps and cashed out the stolen cards through high-end Italian stores, and that he owns a variety of equipment for embossing and printing credit cards.

This case is another reminder that nobody is anonymous, and that operational security is hard to do well consistently. But here’s a pro tip: If you’re a big time cybercrook and you’re planning to keylog your spouse’s computer, it’s probably best to delete the messages once you’ve read them.

Fly identifies himself as “Sergei” in an email about changing the vehicle ID number (VIN) on a 2010 Mercedes Benz E250. He lists a mobile phone number in Italy. Source: Group-IB.


81 thoughts on “The ‘Fly’ Has Been Swatted”

  1. MalwareTech

    I guess you could say the fly got….smacked.
    ( •_• )
    ( •_• )>⌐■-■
    (⌐■_■)

    1. Blame the Frame

      Thanks, Malware. Thanks. Try “swatted”.

      YEAAAAAAAAAAAAHH!

  2. Jeff

    If you are a bad guy that has been busted by Brian Krebs. Best not to mess with Krebs like this. Best to move on and go to your next scam.

  3. FraudGuy

    Even though I am 43, I want to be Brian when I grow up. Great read Mr. Krebs.

  4. Edward

    …..and another one bites the dust! Great post Brian.

  5. SeymourB

    I’d say the lesson here is to keep your private and “professional” lives separate. If you’re going to perform the extremely questionable act of installing a keylogger on your significant other’s system, have it report activity to a different email address than your criminal enterprise, er, professional email address.

    Why are thieves always such lazy thinkers? I suppose it’s because they’re thieves…

    1. Chriz

      Absolutely. Makes me laugh when I hear people say: “Ho, this guy would have done amazing things in the legal world. Check out his criminal enterprise!”

      Not so much. It’s quite easy to steal from others. Making money legally is completely another story. And this guy just proved how even stupid people can steal easily from others.

      Good job Brian! You took out the trashes handsomely.

      1. KFritz

        Most of the successful cybercrooks in Russia, Ukraine, and elsewhere don’t do things like shipping smack to BK, conducting high-profile cyber-wars with their compatriots, or (worst of all) preying on fellow Russians and Ukrainians. They’re also careful not to get arrested outside their own countries. This one is a grotesquely incompetent outlier.

    2. Michael Sean

      “Why are thieves always such lazy thinkers?”

      Because they are so much smarter than everybody else. No one will ever catch them.

    3. Jon Marcus

      Because, as Brian says, operational security is hard. You only need to slip up once, over years and years.

  6. TJ

    Brian, with each post, you’re actually writing the screenplay for your own movie — no need for a screenwriter.

  7. Jeffry Martini

    Brian………here is a great synopsis for the screenplay of the projected movie screenplay on you. Your patience in handling this incredible breach of your family’s safety & security is beyond compare. Another badguy bites the dust….”Westerns” are still alive!

  8. Likes2LOL

    The Fly vs. digital flypaper — you can run, but eventually the bits will byte you!

  9. Likes2LOL

    “But here’s a pro tip: If you’re a big time cybercrook and you’re planning to keylog your spouse’s computer, it’s probably best to delete the messages once you’ve read them.”

    Thanks for the tip, Brian, I’ll try to remember that! 😉

  10. Rescator's Selfie

    You are the only thing standing between me and my Toyota Solara!!!

  11. Suanne Meyer

    I can’t wait until the movie comes out! Seriously, Krebs has been in front of every serious cyber security issue in the news, days or weeks ahead of the rest and has been helpful to me in my work in IT Security and Privacy Management.

  12. Big Sally

    Kudos on the tango. They are extremely violent and he looks like he would run.
    Best Regards, Mr. Krebs

  13. Only Truth

    Ukrainians are nation chosen by god!
    How long you are going to oppress them by posts like this one?
    Looks like Brian Krebs is a new Vladimir Putin…

  14. KFritz

    Interesting that he was living in Naples. If the ‘Gomorrah’ knew he was there, they would certainly have ‘wet their beaks,’ with some of his ill-gotten gains. Was he under their protection, or as it were, under their radar?

  15. TheOreganoRouter.onion.it

    Good article, keep doing the research and I will keep reading

  16. JimV

    Brian, if (and when) this part of your sleuthing stories gets wrapped into an epic film, I really hope the financial backers will be able to afford Queen’s “Another One Bites the Dust” for the soundtrack, because it’s so apropos….

    https://www.youtube.com/watch?v=rY0WxgSXdEE

  17. Lisa

    BK, if Marvel needs a new superhero you’re their man 😉

  18. Jasmine G

    I’ve actually considered this scenario before. If someone really wanted to **** with another person’s life in the 21st century, it would be a fairly easy task to accomplish. I’m not so much afraid of Brian’s criminal (he was a dope with a big mouth who couldn’t keep quiet about what he’d done), but I am terrified of the bad guys who are smart enough to keep quiet.

    It would be foolish to assume that all criminals are stupid bumblers with big mouths. Many of them fit perfectly into this category. We should be afraid of the quiet ones, the ones we don’t know anything about.

  19. P K Sengupta

    As always, it is a pleasure to read these articles, where we see a cyber detective at work

  20. redsmurf

    Brian-
    Even though you look like a privileged white-bread type of guy, I grudgingly admit you’re quite competent.

  21. AlphaCentauri

    I’d just like to thank Brian’s wife for not freaking out and cancelling their internet subscription after all this. Dealing with the surprises that arrive at the Krebs household requires a pretty cool head and a good sense of humor.

  22. Tom

    “FraudGuy
    June 24, 2014 at 3:19 pm
    Even though I am 43, I want to be Brian when I grow up. Great read Mr. Krebs.”

    What he said.

    Thanks for the hard work.

  23. Narn

    Opsec is not only seriously screwed in that case, I’d say it’s not actually present.

  24. KinZdaZda

    I’m getting burned out on Ukrainian and Russian cyber criminals. They seem to account for most cyber heists. What’s with the widespread sociopathy there? I assume complicit paid-off banks and police are the key ingredients for such a large sustained community of merciless financial hackers.

    So many people in Russia like Putin, too, because they think he’s “strong” and is making the world respect Russia again, which is sheer pathetic stupidity. The world didn’t respect the USSR. There is no “again” possibility, just a chance for a new original respect, which Russia just trashed like someone with a personality disorder. What would Russia do again with the Ukraine, cause another Chernobyl or harvest of sorrow? Wow, Russians, you can even manage your own mega country that spans 12 time zones, but think the world would respect you if you bully a little piece of the Ukraine? You have plenty to work with already, Idiot.

    Didn’t Stalin rob banks in western Europe before the revolution?

    PS I was in Russia again last fall and my Russian friends there want to leave because the troglodytes have taken over and have mustered enough support to hang on indefinitely. The freaks in government there, with their $25 million USD homes, form a continuum of graft and sociopathy down to little hackers.

    Russian hackers = weak soul-less sociopaths ruled by a pathetic weak-souled sociopath.

  25. Rachael O'Halloran

    Brian, what happened to you is a worriment to anyone who is outspoken when writing on websites (blogs, etc.), especially if using their real name which makes for easier access in being located. I also have been a target and it isn’t a comfortable place to be in not knowing when the next brick will be hurled through a window or a bank account will be compromised. It is downright scary.

    Your sleuthing is an excellent example of the wealth of information that can be collected. Kudos to you for finding and exposing Fly and thwarting off more potential danger to your home and family.

    The stress you and your wife were under for so long takes its toll – knowing that someone like Fly was sending things to your home, conspiring to have you arrested by sending drugs to your home and what constitutes identity theft by opening accounts in your name. A less tenacious person might have buckled under or maybe even asked to go into Witness Protection Program.

    You are the quintessential cyber-detective. Yes, you succeeded in swatting the Fly, but more importantly, you succeeded in protecting you and your family, and that is quite an accomplishment.

    You can expect to hear “well done” repeated over and over and you deserve it.

  26. JC

    Nice take down. The weakest link continues to be human beings. Always.
