October 13, 2015

A Ukrainian hacker who once hatched a plot to have heroin sent to my Virginia home and then alert police when the drugs arrived had his first appearance in a U.S. court today, after being extradited to the United States to face multiple cybercrime charges.

Sergey Vovnenko, a.k.a. “Fly,” “Flycracker” and “MUXACC1” (muxa is transliterated Russian for “муха” which means “fly”), was set to appear in a Newark courtroom today on charges of stealing and selling credit card and banking data, emptying bank accounts, and running a botnet of more than 12,000 hacked computers and servers, among other alleged crimes.

Fly replies to my direct messages telling him I know his real name and where he lives.

I first became acquainted with Fly in 2013, when his Twitter persona (warning: images here may not be safe for work) began sending me taunting tweets laced with epithets and occasional attempts to get me to click dodgy-looking Web links. Fly also took to his Livejournal blog to post copies of my credit report, directions to my home and pictures of my front door.

After consulting with cybercrime researchers at Russian security firm Group-IB, I learned that Fly was the administrator of a closely-guarded but now-defunct cybercrime forum dedicated to financial fraud called thecc[dot]bz (“cc” is a reference to credit cards).

Not long after that, I secretly gained access to his forum. And none too soon: In one lengthy discussion thread on the forum, I found that Fly had solicited donations from fellow fraudsters on the forum to donate Bitcoin currency for a slush fund Fly created for the express purpose of purchasing heroin off of the Silk Road — which was at the time the leading source of illicit drugs on the Dark Web.

Flycracker discussing the purchase of a gram of heroin from Silk Road seller "10toes."

Fly’s plan was simple: Have the drugs delivered to my home in my name, and then spoof a call from one of my neighbors to the local police informing them that I was a druggie, that I had druggie friends coming in and out of my house all day long, and that I was even having drugs delivered to my home.

The forum members took care to find the most reputable sellers of heroin on the Silk Road. After purchasing a gram of the stuff from the Silk Road’s top smack seller — a drug dealer who used the nickname “Maestro” — Fly posted the USPS tracking link for the package into the discussion thread on his forum.

An ad for heroin on the Silk Road.

At that point, I called the local police and had a cop come out to take an official police report. The officer asked me to contact him again if the drugs actually arrived. Three days later, our local Postal Service carrier hand delivered a thin USPS Express Mail envelope that was postmarked from Chicago. Inside was another blank envelope containing a May 2013 copy of Chicago Confidential, a weekly glossy magazine from the Chicago Tribune.

On the back of the magazine, taped to a full-page ad for jewelry from LesterLampert, were a baker’s dozen individually wrapped packets emblazoned with the same black and gold skull motif that was on Maestro’s Silk Road ad. I immediately contacted the police, who came and dutifully retrieved the drugs, which turned out to be almost pure heroin.

12 packets of what appears to be heroin arrived at my home via the Silk Road on July 29, 2013.

I wrote about the experience of foiling Fly’s plan in a story titled Mail From the (Velvet) Cybercrime Underground. This did not sit well with Fly, who was made to look bad in front of his forum members who’d contributed roughly two Bitcoins to the scheme.

Angry that I’d foiled his plan to have me arrested for drug possession, Fly had a local florist send a gaudy floral arrangement in the shape of a giant cross to my home, complete with a menacing message that addressed my wife and was signed, “Velvet Crabs.”

The floral arrangement that Fly had delivered to my home in Virginia.

After this incident, I became intensely curious about the identity of this Fly individual, so I began looking through databases of hacked carding and cybercrime forums. My first real break came when Group-IB provided a key piece of the puzzle: Group-IB researchers found that on the now-defunct vulnes[dot]com, Fly maintained an account under the nickname Flycracker, and signed up with the email address mazafaka@libero.it (.it is the country code for Italy).

According to a trusted source in the security community, that email account was somehow compromised in 2013. The source said the account was full of emailed reports from a keylogging device that was tied to another email address — 777flyck777@gmail.com (according to Google, mazafaka@libero.it is the recovery email address for 777flyck777@gmail.com).

Those keylog reports contained some valuable information, and indicated that Fly had planted a keylogger on his then-fiancee Irina’s computer. On several occasions, those emails show Fly’s wife typed in her Gmail address, which included her real first and last name — Irina Gumenyuk.

Sergey "Fly" Vovnenko, in an undated photo.

Later, Gumenyuk would change the surname on her various social networking profiles online to Vovnenko. She even mentioned her husband by name several times in emails to friends, identifying him as 28-year-old “Sergei Vovnenko”. Payment information contained in those emails — including shipping and other account information — put the happy couple and their young son in Naples, Italy.

This information later was shared with federal authorities in Italy. In June of last year, I received a call from a U.S. law enforcement source who said plainly that “the Fly has been swatted.” Vovnenko had been arrested and was awaiting extradition proceedings that would send him to face charges in the United States.

In July 2014, I received the first of several letters from Vovnenko, who was at the time sitting in Poggioreale Jail, a place of confinement in Naples that Fly described as “the worst prison in Italy.” I didn’t open the letter immediately; I notified my contacts in U.S. federal law enforcement who had an open case on Vovnenko, and they offered to retrieve the letter and test it for any dangerous substances (hey, the previous time he sent me mail it had heroin inside!).

The envelope was clean. It contained only a hand-written letter. The opening paragraph was a friendly greeting written in English; the rest was penned in Ukrainian script. A professional translation of the letter revealed it to be a deeply personal and — I believe — heartfelt apology from Vovnenko for sending the heroin, for posting my credit report, and for otherwise terrorizing my family. I believe he was perhaps 12-stepping it, because he also used the occasion to say that he forgave me for posting his personal information and photo of him in my blog shortly after his arrest in Italy.

In December 2014, I received another missive from Fly, still awaiting extradition in Poggioreale. It was a postcard with a nice picture of Naples on the front, and simple holiday greetings on the back: “Happy New Year! And Merry Christmas!” the message read. “With Best Regrads [sic], From Fly!”

The postcard Vovnenko sent to me from prison in Naples.

Cybercrooks have done some pretty crazy stuff to me in response to my reporting about them. But I don’t normally get this kind of closure. I look forward to meeting with Fly in person one day soon now that he will be just a short train ride away. And he may be here for some time: If convicted on all charges, Fly faces up to 30 years in U.S. federal prison.

Seasons greetings from my pen pal, Flycracker.

The Justice Department’s press release on Vovnenko’s indictment is here (PDF). The actual indictment can be found at this link (PDF).


110 thoughts on “Hacker Who Sent Me Heroin Faces Charges in U.S.”

  1. Scott H

    Awesome story, don’t you just love a happy ending?

    One note: the link for the “Mail From the (Velvet) Cybercrime Underground” appears to be broken.

  2. Coop

    Brian, Great story.. Enjoyed seeing and hearing you speak in Vancouver a few weeks ago. Keep up the great work!!

  3. Tim

    You live a very interesting life, Brian. I’m glad that you and your family continue to stay safe and I (and many others) appreciate all of the reporting that you do.

  4. JCitizen

    Scumbag! Anyone that attacks a journalist is just that! I don’t care if he’s 12 stepping it, or crawling on his knees, he needs to do hard time! In fact anyone that tries to foist off illegal evidence to an innocent party, framing or not, needs to do hard time! X-(

  5. Stu McClure

    Brian, I have been involved with the Internet from its MilNet beginnings. I have been a software security engineer providing penetration testing and security architecture services on contract to large companies and State and Federal Government Agencies for over 30 years. I have been reading your very informative articles for several years now and hope you continue. However, I have never been involved with the criminals you do. Don’t you ever worry about you or your family’s safety? Having asked that question, you do provide a great service and I hope you can pass the torch on when you decide to stop writing or retire.

    1. Scott

      And many people got their start, “hopefully in the right direction” reading your books Stu. Nothing got me more excited about computer security than the Hacking Exposed series.

      Thanks,
      Scott

  6. Lisa Zirkle

    You rock, Brian. Love what you do. So glad Fly got his, but I will keep you and your family in my prayers — for peace of mind at a minimum.

  7. Abdijabar omar

    If they don’t make a movie about you I don’t know how the world will appreciate someone like you. I am halfway done reading their book Spam Nation purchased it on Google play. It’s been such a pleasure to read the book and get updates from your website. Thank you for doing all you do where are you get justice from the rest of them or not just know that there are many people who support you and thank you for everything you do. Please tell your wife we really appreciate her patience, and I love towards you. I wish you and your family all the best.

  8. Keith R

    Touché comrade citizen! Туше товарищ гражданин!

    Too many people with too much time on too many power trips.

  9. -stephen

    It’s nice to know that what goes around, does come around, eventually.

  10. grayslady

    Excellent news, Brian. Of course the little b*st**d is sorry now–since he’s unlikely to see his wife and child again, other than from behind a bulletproof screen. As someone whose account has been hacked twice, I am receiving enormous vicarious pleasure from thinking of at least one piece of scum locked up in prison for the foreseeable future. For all our sakes, I’m grateful that you persevered in your pursuit.

  11. Jolly

    Great story. Stay safe. Need a place to hideout one day, look me up! Plenty of room for the whole family.

    1. Chriz

      Alright! I’m coming then! Oh, that wasn’t intended for me… 😉

  12. C/od

    This (boy) has set himself up to become “fly-food”. Ruskie thug style.
    Good job, watch your 360;

    Best regards to you and yours.

  13. Scotty

    What a clever young man

    Everything from being cocky to not covering his tracks right through to using a clear net email address that was linked to an illegal keylogger.

    When you order drugs whether they are for you or someone else, you’re not supposed to tell anyone!

    Guess this fly is going to be sprayed with a special type of fly spray from some very horny very angry and very queer male prison inmates 🙁

  14. gkmids

    so much good in this article. very much appreciate the 12-step mention!

    brian, please follow up when fly settles into a prison, meeting with him is an important, overlooked step in the evolution of security; something a lot of people don’t get to see in the sec communities is forgiveness, and there’s been enough evidence in the past 20 years that even the most horrible crimes can transform into healing experiences (just search for “man forgives daughter’s killer” or “mother reconciles with son’s murderer” and you’ll see these stories, while counter to the narrative of society, end with more love and security than situations where anger is held tightly by victims and guilt by perps, and internalized hate by all)

    forgiveness and understanding are the only way to hit the core problem of security, which is the psychological development of a computer scientist. outside of social engineering, psychology is rarely considered a white hat or black hat practice, but in our bio/neuro-system’s reality it’s the foundation of all those practices

  15. John 2.0

    Brian, that was a perfect opportunity to sell the heroin for 3 bitcoin.

  16. Anon

    Your boy is an idiot for any number of reasons. Paying $500 a gram for smack tells me he doesn’t know his drugs market any better, than thinking that taking you on is a safe bet.

    1. Jake from Bitcoin

      He bought the heroin back in april 2013, when bitcoin was $80-100.
      They spent about $190 to get a gram.

  17. martijn

    very nice it all worked out for you, ‘for us in the field’ things can get exciting. the personal touch is not funny though. all the best mate,

  18. Darknet

    Minor typo: “warning: images here my not be safe for work”

    Should be: “warning: images here may not be safe for work”

    Very interesting story.

  19. IA Eng

    They think they are invincible, they can stand above all others and never even contemplate that someone will take action against them. It seems like a mindset of ignorance, over zealous “ego-testical” mental state that overrides common sense.

    Sure some cannot be touched due to the political nature of where most of these thugs live, but if they are willing to risk it all no matter where they reside, it’s either an act of ill responsibility or a head slapping duh moment.

    I am glad the “event” had Brian come out on top. I know he does not speak of the emotional rollercoaster he and his family have gone through with just this one crook, and soon to be convict.

    Should you travel to his trial, I suggest keeping your distance, even though he shows some remorse. Many thoughts fly through people’s heads when they have many hours and days to think about what took place to get them where they are soon to be. I had many a days floating around on an ocean and I can relate to a lot of down time. His actions will get him time, and only he knows if he is willing to serve that time without any harsh reactions.

    Remember – once he is out – he will be within close
    proximity to you. Mark the calendar and post a watch.

    Good sleuthing. Someone like you who is willing to take the risk to identify these crooks should be offered a free vacation to a tropical paradise – with no electronic devices – for a week to ten days of down time and worldly enjoyment with the family.

    Well done Brian.

  20. Patrik

    Interesting read!
    And impressive detective work.
    I do feel a bit sorry for Fly though. Out of touch with reality, like many behind computer screens, he obviously had no way of empathizing with any of his victims. Probably some Aspergers in the mix as well.
    A rude awakening for him. Guess he messed with the wrong guy in the end.
    Let’s hope he gets a reasonably balanced sentence so he can start again with a clean slate instead of wasting away his entire life.
    I guess the depersonalisation of cyber crime victims is not entirely unlike the dehumanisation of far-away victims of war.

  21. Colin

    Brian,

    Great investigative/detective work, thank you for the article and I am very glad that for you and your family it has ended and you are ok.

    30 years in federal prison though. He will not see his child grow up, live a lifetime behind bars, for someone with some IT skill even if totally misguided, instead of doing something of value with his life now he will be remanded at significant cost to the tax payer.

    I know that:
    – this is simply the maximum sentence in law for Wire Fraud Conspiracy
    – you are an info sec investigative reporter not a law maker, you have done your job very well and you didn’t deserve any of this
    – I should probably go post on a law site somewhere

    But do you think this is the best possible outcome?

    That guy will regret nothing more in his whole life I expect. Very sad.

  22. Ry

    This is easily my favorite blog. Love the investigative nature.
    Keep the bad guys running!

  23. 30 Years?

    30 years for exposing weaknesses in the credit card system?
    There are murderers and rapists doing less time.

  24. Marco

    He’s being 30 years in prison, lost wife, lost son growth… I wouldn’t believe for a single moment he “forgave” you or anything similar.
    Much more possible he’s just staging it to make a false friendship with you and then make you pay when it’s time.
    He’s probably a complete psychopath, and you can expect this from him.

  25. Lonny Dunn

    Call me sentimental and old fashioned ~ I live by the code of not ratting anyone out, or maybe it’s “vengeance is mine, sayeth the Lord”

    If in your wimpy world you think it makes you a better person for having this idiot loser arrested then that’s fine. That is your right.

    But when you start bragging about it, posting it online about them, you make yourself out to be a sanctimonious self righteous a hole.

    Walking a spiritual life allows us to let things go, Brian. We don’t have to be anyone’s judge or jury, or even dwell on them or let them rent space in our heads, let alone on our websites and blogs! Letting go of outcomes is the biggest part of maturity and personal growth.

    Thinking we can control outcomes is the surest sign that we have more spiritual growth to do.

    1. Carole Cole

      talk about sanctimonious. Because he helped get the guy put away, others won’t be victimized by this guy. Has nothing to do with maturity and personal growth. If you let things go, bad people just keep on doing bad things to good people. Lock them up or even more people will think it’s ok to go online and steal, or deal drugs. The former founder of the Silk Road was also caught and got life in prison for his part. Letting the bad guys go has nothing at all to do with personal growth.

  26. Rebecca

    Karma’s a bitch!! Hope they throw the book at him. And give him a copy of yours as well!!
