13
Oct 15

Hacker Who Sent Me Heroin Faces Charges in U.S.

A Ukrainian hacker who once hatched a plot to have heroin sent to my Virginia home and then alert police when the drugs arrived had his first appearance in a U.S. court today, after being extradited to the United States to face multiple cybercrime charges.

Sergey Vovnenko, a.k.a. “Fly,” “Flycracker” and “MUXACC1” (muxa is transliterated Russian for “муха” which means “fly”), was set to appear in a Newark courtroom today on charges of stealing and selling credit card and banking data, emptying bank accounts, and running a botnet of more than 12,000 hacked computers and servers, among other alleged crimes.

Fly replies to my direct messages telling him I know his real name and where he lives.

I first became acquainted with Fly in 2013, when his Twitter persona (warning: images here may not be safe for work) began sending me taunting tweets laced with epithets and occasional attempts to get me to click dodgy-looking Web links. Fly also took to his Livejournal blog to post copies of my credit report, directions to my home and pictures of my front door.

After consulting with cybercrime researchers at Russian security firm Group-IB, I learned that Fly was the administrator of a closely-guarded but now-defunct cybercrime forum dedicated to financial fraud called thecc[dot]bz (“cc” is a reference to credit cards).

Not long after that, I secretly gained access to his forum. And none too soon: In one lengthy discussion thread, I found that Fly had solicited Bitcoin donations from fellow fraudsters on the forum for a slush fund he created for the express purpose of purchasing heroin off of the Silk Road — which was at the time the leading source of illicit drugs on the Dark Web.

Flycracker discussing the purchase of a gram of heroin from Silk Road seller "10toes."

Fly’s plan was simple: Have the drugs delivered to my home in my name, and then spoof a call from one of my neighbors to the local police informing them that I was a druggie, that I had druggie friends coming in and out of my house all day long, and that I was even having drugs delivered to my home.

The forum members took care to find the most reputable sellers of heroin on the Silk Road. After purchasing a gram of the stuff from the Silk Road’s top smack seller — a drug dealer who used the nickname “Maestro” — Fly posted the USPS tracking link for the package into the discussion thread on his forum.

An ad for heroin on the Silk Road.

At that point, I called the local police and had a cop come out to take an official police report. The officer asked me to contact him again if the drugs actually arrived. Three days later, our local Postal Service carrier hand delivered a thin USPS Express Mail envelope that was postmarked from Chicago. Inside was another blank envelope containing a May 2013 copy of Chicago Confidential, a weekly glossy magazine from the Chicago Tribune.

On the back of the magazine, taped to a full-page ad for jewelry from LesterLampert, were a baker’s dozen individually wrapped packets emblazoned with the same black and gold skull motif that was on Maestro’s Silk Road ad. I immediately contacted the police, who came and dutifully retrieved the drugs, which turned out to be almost pure heroin.

12 packets of what appears to be heroin arrived at my home via the Silk Road on July 29, 2013.

I wrote about the experience of foiling Fly’s plan in a story titled Mail From the (Velvet) Cybercrime Underground. This did not sit well with Fly, who was made to look bad in front of his forum members who’d contributed roughly two Bitcoins to the scheme.

Angry that I’d foiled his plan to have me arrested for drug possession, Fly had a local florist send a gaudy floral arrangement in the shape of a giant cross to my home, complete with a menacing message that addressed my wife and was signed, “Velvet Crabs.”

The floral arrangement that Fly had delivered to my home in Virginia.

After this incident, I became intensely curious about the identity of this Fly individual, so I began looking through databases of hacked carding and cybercrime forums. My first real break came when Group-IB provided a key piece of the puzzle: Group-IB researchers found that on the now-defunct vulnes[dot]com, Fly maintained an account under the nickname Flycracker, and signed up with the email address mazafaka@libero.it (.it is the country code for Italy).

According to a trusted source in the security community, that email account was somehow compromised in 2013. The source said the account was full of emailed reports from a keylogging device that was tied to another email address — 777flyck777@gmail.com (according to Google, mazafaka@libero.it is the recovery email address for 777flyck777@gmail.com).

Those keylog reports contained some valuable information, and indicated that Fly had planted a keylogger on his then-fiancee Irina’s computer. On several occasions, those emails show Fly’s wife typed in her Gmail address, which included her real first and last name — Irina Gumenyuk.

Sergey "Fly" Vovnenko, in an undated photo.

Later, Gumenyuk would change the surname on her various social networking profiles online to Vovnenko. She even mentioned her husband by name several times in emails to friends, identifying him as 28-year-old “Sergei Vovnenko”. Payment information contained in those emails — including shipping and other account information — put the happy couple and their young son in Naples, Italy.

This information later was shared with federal authorities in Italy. In June of last year, I received a call from a U.S. law enforcement source who said plainly that “the Fly has been swatted.” Vovnenko had been arrested and was awaiting extradition proceedings that would send him to face charges in the United States.

In July 2014, I received the first of several letters from Vovnenko, who was at the time sitting in Poggioreale Jail, a place of confinement in Naples that Fly described as “the worst prison in Italy.” I didn’t open the letter immediately; I notified my contacts in U.S. federal law enforcement who had an open case on Vovnenko, and they offered to retrieve the letter and test it for any dangerous substances (hey, the previous time he sent me mail it had heroin inside!).

The envelope was clean. It contained only a hand-written letter. The opening paragraph was a friendly greeting written in English; the rest was penned in Ukrainian script. A professional translation of the letter revealed it to be a deeply personal and — I believe — heartfelt apology from Vovnenko for sending the heroin, for posting my credit report, and for otherwise terrorizing my family. I believe he was perhaps 12-stepping it, because he also used the occasion to say that he forgave me for posting his personal information and photo of him in my blog shortly after his arrest in Italy.

In December 2014, I received another missive from Fly, still awaiting extradition in Poggioreale. It was a postcard with a nice picture of Naples on the front, and simple holiday greetings on the back: “Happy New Year! And Merry Christmas!” the message read. “With Best Regrads [sic], From Fly!”

The postcard Vovnenko sent to me from prison in Naples.

Cybercrooks have done some pretty crazy stuff to me in response to my reporting about them. But I don’t normally get this kind of closure. I look forward to meeting with Fly in person one day soon now that he will be just a short train ride away. And he may be here for some time: If convicted on all charges, Fly faces up to 30 years in U.S. federal prison.

Seasons greetings from my pen pal, Flycracker.

The Justice Department’s press release on Vovnenko’s indictment is here (PDF). The actual indictment can be found at this link (PDF).

110 comments

  1. Great story Brian. Will you be sending Sergei a Christmas card this year? I’ll pitch in some bitcoin.

  2. Would also love to donate some bitcoin for a card. Or maybe we could see if we could get him some company for those lonely holiday nights in lock up.
    Well done piece.

  3. Well done. It’s good to see a good outcome, especially when a group of wannabe online thugs (don’t forget there was a forum of people who contributed to purchase the drugs) get shown that attempting to run someone’s life will have consequences.

  4. Congratulations, Brian. This clown will be a long time out of sight because of your determination and guts. May you continue the good fight, not only helping to bring guys like this down, but educating us as well.

  5. Good story. But something’s missing: Why did the hacker want you to be arrested for drug possession?
    Did he get mad for something you did, did he just hate your blog, or what?

  6. Brian, I am so glad that this individual will be given time to think upon his personal attacks against you, and especially, your family.

    It would be interesting to see an interview with him about this experience from his point of view, if he were willing. It might be educational to hear from the ‘Dark Side’.

  7. Great story and looking forward to your update when you eventually visit with him.

  8. I feel that his remorse and happy new years letters are poor recompense for potentially sending you to prison. Also, if this is what he tried to do to you, think of what he did to hundreds if not thousands of others.

    He can rot in prison for about 15-20 before we can talk forgive and forget.

  9. Brian, you are great!

    (Yes, I know, I and all the others have said it before …).

    Reading your blog is not only educational, but also more interesting than most of what shows up on the web.

  10. I can’t help but wonder if Fly is sending the apology, the Christmas card, 12-stepping it, etc, as a way to look better & sooner for the sake of getting some leniency or quicker parole. In other words, playing the saint.

    I keep seeing “happy ending,” or similar, in comments. It’s not a happy ending for his family. Too bad his wife didn’t have better judgement in picking men with whom to father children.

  11. I would think by now most hackers and people who want to try this stuff would know the local and state authorities probably know Brian and his address fairly well.

    I would also think they’d be a little smarter and just leave him alone since none of these schemes has paid off and has sent several people to jail trying.

  12. I am so happy for you Brian. This whole thing must have been very frightening for you and your family! These are dangerous people and I am so glad that they are now being prosecuted. Please let us know how things go with this. I would love to hear what the government does.

  13. The wheels of justice are slow but it is still very satisfying when they complete a turn.

    Nicely done.

    SiL

  14. Brian’s wife must be the most chilled person in the world. If the same happened to me I feel certain I would have been in more danger from mine than from the internet bad guys.

  15. I think there is an interesting take away here. The people who conduct this type of crime often think of it as justified. After all, Americans are rich aren’t they? How could it hurt them to lose some money? We are poor, if they won’t share, we’ll just take it. We will make them share!

    They think of it as a game. A lucrative game in which they get to win over and over again. Even those of them who may be kind to their friends and even generous with those they love, don’t really see their victims as people. Not being a member of their group makes the rest of us not quite human.

    This type of tribal thinking isn’t as uncommon as you might want to believe. I’ve seen it here in the US over and over during my lifetime. Most people who suffer from it don’t consider themselves evil. They just consider the rest of us their lawful prey.

    We tend to feel otherwise. Thanks for the great work Brian.

  16. MUXACC = “Tsetse fly”

  17. Great story, tnx..
    I’m hoping he and his family can pay for his own incarceration, or, I have an idea, send him back over to do his time at Poggioreale Jail.

  18. Nice job taking away a young child’s father. You must be proud.

    • Ray, that’s BS and you know it.

      Fly himself took the father away from the child by embarking on a life of crime. That was his choice and the results are his responsibility alone.

      If he cared about his kid(s) he would have sought an honest living. Cybercriminals aren’t teetering on the edge of going hungry or homeless. They’re greedy and want to live large, and many of them do until the day when “large” means “big” as in “the Big House” (prison).

      Predators are not an endangered species, and they deserve no sympathy.

      • +1 Roberto

      • It was fly’s ego that did him in. Sucks for his family, but that’s what happens when you let your ego take you off the edge. That, and his ignorance of International extradition law.

  19. (muxa is transliterated Ukrainian for “муха” which means “fly”)

    Fixed that for you

  20. Well done Mr K. People like him don’t show respect so don’t deserve respect. Making a living by preying on the innocent and naïve, deceiving and stealing their possessions and identity takes them down a dark and dangerous lane. Looks like the ‘Fly’ picked on the wrong guy this time, and that guy – a good guy – had just the kind of help he needed to bring him down.

  21. Either the aptly-named Fly guy is starting to get serious remorse, OR he’s a cold sociopath engaged in an attempt at social engineering.

    Given his history, the risk of the latter is high enough that the thing to do is stay the hell away from him.

    Keep it polite but firm in maintaining distance. If he wants to reform his life he can start by being a model prisoner and taking advantage of whatever opportunities exist for rehabilitation. (And he can drop a dime on his former crime buddies.)

    I read your other article about the heroin delivery. Anyone else here ever get in a similar situation DO NOT open the little baggies of drugs, that’s tampering with evidence and exposing yourself to risk if the substance inside is a serious poison or biological agent.

    Anyone who receives a suspicious envelope or package should put it outside the house, in a safe container if it’s small, and immediately call their local emergency number. Don’t even open it. Let the proper authorities deal with it safely.

  22. “Atta Boy”
    Great work, you keep getting em…….

  23. Kreb this is how people change when they take some vacation into Poggioreale Prison.

    Sometimes people forget that in the South of Italy there are powerful organizations such as the Camorra, in the case of Naples, and it is a tough vacation if you are not affiliated with it.

    I suppose this guy was someone important of the NET…things change in real life especially when you are not in a swiss prison.

  24. Simply superb!!

    I hope you can have an interview with him to understand more of him. Also, from your contacts in Law enforcement agency, try to figure out who were his victims in the past. Maybe you can write a nice article about him.

    Great work.

  25. Top story. Respect for Brian since he is able to show some empathy for this guy. I think the crux of the story is how the mazafaka@libero.it was “somehow” compromised. From that point on everything started to unravel for poor Sergey as a badly knit sweater. Is anything known about that? Was the work of law enforcement? A security researcher? A rival hacker? A three letter agency? Even wild speculation on the subject would make another story just as interesting as the one we just read.

  26. Wow, he even looks like a pudgy little scumbag in that picture. Good riddance, I hope he enjoys getting raped in prison.

  27. “Bad men need nothing more to compass their ends than that good men should look on and do nothing” (Mill)

    Thanks for being a good man Brian!

    Great to shake your hand at P.S.R as well

    Cheers.

  28. I am glad things worked out. I also must add, when you play with fire, sometimes you get burnt. Hopefully, the next hacker does not seriously harm you or your family. I would suggest finding something safer to do, for the sake of your family. This is just plain nuts.

    • meme, if we all took safe jobs we’d be overrun by criminals and invaders. The courageous people keep us safe.

  29. Priceless….

  30. Franchesco Luarias

    Krebs didn’t actually do anything, though. It was federal law enforcement. It’s not difficult to register on most illicit darkweb forums.