A Ukrainian hacker who once hatched a plot to have heroin sent to my Virginia home and then alert police when the drugs arrived had his first appearance in a U.S. court today, after being extradited to the United States to face multiple cybercrime charges.
Sergey Vovnenko, a.k.a. “Fly,” “Flycracker” and “MUXACC1” (muxa is transliterated Russian for “муха” which means “fly”), was set to appear in a Newark courtroom today on charges of stealing and selling credit card and banking data, emptying bank accounts, and running a botnet of more than 12,000 hacked computers and servers, among other alleged crimes.
I first became acquainted with Fly in 2013, when his Twitter persona (warning: images here may not be safe for work) began sending me taunting tweets laced with epithets and occasional attempts to get me to click dodgy-looking Web links. Fly also took to his Livejournal blog to post copies of my credit report, directions to my home and pictures of my front door.
After consulting with cybercrime researchers at Russian security firm Group-IB, I learned that Fly was the administrator of a closely-guarded but now-defunct cybercrime forum dedicated to financial fraud called thecc[dot]bz (“cc” is a reference to credit cards).
Not long after that, I secretly gained access to his forum. And none too soon: In one lengthy discussion thread on the forum, I found that Fly had solicited donations from fellow fraudsters on the forum to donate Bitcoin currency for a slush fund Fly created for the express purpose of purchasing heroin off of the Silk Road — which was at the time the leading source of illicit drugs on the Dark Web.
Fly’s plan was simple: Have the drugs delivered to my home in my name, and then spoof a call from one of my neighbors to the local police informing them that I was a druggie, that I had druggie friends coming in and out of my house all day long, and that I was even having drugs delivered to my home.
The forum members took care to find the most reputable sellers of heroin on the Silk Road. After purchasing a gram of the stuff from the Silk Road’s top smack seller — a drug dealer who used the nickname “Maestro” — Fly posted the USPS tracking link for the package into the discussion thread on his forum.
At that point, I called the local police and had a cop come out to take an official police report. The officer asked me to contact him again if the drugs actually arrived. Three days later, our local Postal Service carrier hand delivered a thin USPS Express Mail envelope that was postmarked from Chicago. Inside was another blank envelope containing a May 2013 copy of Chicago Confidential, a weekly glossy magazine from the Chicago Tribune.
On the back of the magazine, taped to a full-page ad for jewelry from LesterLampert, were a baker’s dozen individually wrapped packets emblazoned with the same black and gold skull motif that was on Maestro’s Silk Road ad. I immediately contacted the police, who came and dutifully retrieved the drugs, which turned out to be almost pure heroin.
I wrote about the experience of foiling Fly’s plan in a story titled Mail From the (Velvet) Cybercrime Underground. This did not sit well with Fly, who was made to look bad in front of his forum members who’d contributed roughly two Bitcoins to the scheme.
Angry that I’d foiled his plan to have me arrested for drug possession, Fly had a local florist send a gaudy floral arrangement in the shape of a giant cross to my home, complete with a menacing message that addressed my wife and was signed, “Velvet Crabs.”
After this incident, I became intensely curious about the identity of this Fly individual, so I began looking through databases of hacked carding and cybercrime forums. My first real break came when Group-IB provided a key piece of the puzzle: Group-IB researchers found that on the now-defunct vulnes[dot]com, Fly maintained an account under the nickname Flycracker, and signed up with the email address mazafaka@libero.it(.it is the country code for Italy).
According to a trusted source in the security community, that email account was somehow compromised in 2013. The source said the account was full of emailed reports from a keylogging device that was tied to another email address — 777flyck777@gmail.com (according to Google, mazafaka@libero.it is the recovery email address for 777flyck777@gmail.com).
Those keylog reports contained some valuable information, and indicated that Fly had planted a keylogger on his then-fiancee Irina’s computer. On several occasions, those emails show Fly’s wife typed in her Gmail address, which included her real first and last name — Irina Gumenyuk.
Later, Gumenyuk would change the surname on her various social networking profiles online to Vovnenko. She even mentioned her husband by name several times in emails to friends, identifying him as 28-year-old “Sergei Vovnenko”. Payment information contained in those emails — including shipping and other account information — put the happy couple and their young son in Naples, Italy.
This information later was shared with federal authorities in Italy. In June of last year, I received a call from a U.S. law enforcement source who said plainly that “the Fly has been swatted.” Vovnenko had been arrested and was awaiting extradition proceedings that would send him to face charges in the United States.
In July 2014, I received the first of several letters from Vovnenko, who was at the time sitting in Poggioreale Jail, a place of confinement in Naples that Fly described as “the worst prison in Italy.” I didn’t open the letter immediately; I notified my contacts in U.S. federal law enforcement who had an open case on Vovnenko, and they offered to retrieve the letter and test it for any dangerous substances (hey, the previous time he sent me mail it had heroin inside!).
The envelope was clean. It contained only a hand-written letter. The opening paragraph was a friendly greeting written in English; the rest was penned in Ukrainian script. A professional translation of the letter revealed it to be a deeply personal and — I believe — heartfelt apology from Vovnenko for sending the heroin, for posting my credit report, and for otherwise terrorizing my family. I believe he was perhaps 12-stepping it, because he also used the occasion to say that he forgave me for posting his personal information and photo of him in my blog shortly after his arrest in Italy.
In December 2014, I received another missive from Fly, still awaiting extradition in Poggioreale. It was a postcard with a nice picture of Naples on the front, and simple holiday greetings on the back: “Happy New Year! And Merry Christmas!” the message read. “With Best Regrads [sic], From Fly!”
Cybercrooks have done some pretty crazy stuff to me in response to my reporting about them. But I don’t normally get this kind of closure. I look forward to meeting with Fly in person one day soon now that he will be just a short train ride away. And he may be here for some time: If convicted on all charges, Fly faces up to 30 years in U.S. federal prison.
The Justice Department’s press release on Vovnenko’s indictment is here (PDF). The actual indictment can be found at this link (PDF).
Haha you ruined his life man, he will never forget you now )
I’m pretty sure he ruined it himself when he decided to mail pure heroin.
Or saved it. The guy was deep into a world that doesn’t give due process. Hopefully, he’s contrite and will get much less than 30 and get his life back together.
Oh man. Ha. They sure do love you Brian.
if i were him. and still had influence… id arrange for bad things to happen to you with an unprovable christmas theme. while still sending you christmas cards.
That is an awesome story. You are amazing Brian.
Seriously, Krebs, that guy wants you dead. The happy cards are a distraction.
N.B. I don’t know anything about this matter other than what I read on this page. That… and common sense.
I agree- the kindness is a ploy of deception.
Totally agree with you Dave. Nothing about this feels good or safe. The Feds involvement doesn’t guarantee your safety, nor your family’s. Be proactive.
wow, that’s the level)) 30 years entire life, nice job
The guy threatened to kill his wife, so he told the cops. Seems like a measured proportional response to me.
Whether he “meant it” or not is immaterial– how is Brian supposed to know if the guy is serious or not? He was serious enough to try to entrap with heroin. When it comes to your family’s lives, you play it safe.
Because Fly is from the internetz.
The heroin case would have brought Brian a few hours work and talking to the police if their plan would have worked, nothing else. I think Brain can laugh about it in retrospect and now he knows how thai H is looking 😀
DPR tried to hire a killer two times at the darkweb. Ross had much more money than Fly. He communicated 2/2 times with LE and also sent them money to “do” the job.
While I must admit I find the whole “sending heroin and SWAT teams to Brian” a _little_ bit funny, I really wish they went after someone who actually deserved it instead. Even in my pitch-black-hat malware author days I always respected Krebs; he’s one of the few public faces in the industry who actually has some integrity and basic honesty.
I’m passing along the SANS NewsBites mention of Brian in relation to this story.
“[Editor’s Note (Murray): Don’t mess with Brian Krebs.]”
After reading this story, if I were you I would definitely move to a new location. Best to play it safe. Don’t ever let pride get in the way of your safety.
This is awesome, your so great dude, dumb Russians lulz.
Snitching is bad .
What plugin do you use for lazy loading of images?
Hello Brian,
I want to report https://www.reddit.com/r/FakeID to you.
A community of sellers and buyer of fake identification cards, fake drivers licensees, fake diplomas, fake student cards…
It may look at the first glance ” ah, only some college kids looking to buy few drinks ” , but what about the identity theft going on , those fake ids acquired there to commit fraud ( credit card fraud , bank fraud, tax fraud and so on).
Please take action and close this community.You have the knowledge and resources to do it.
Thank you
Thank you Brian for your courage, curiosity, and determination to pursue this bad hacker. My guess/hope is that news of this hacker’s arrest and trial will deter some others from similar acts.
I am an atheist, but when I hear a story like this, I begin to have doubts. Maybe there is justice in this world after all! Well, Mr. Krebs deserves my praise “to high heaven” for bringing this man to justice.
It doesn’t have much to do with malware or viruses, but I have been leading a discussion with an East European about software/intellectual property piracy. I am dismayed at the attitude that this is not such a bad crime. My friend insists that since he is poor, he is entitled to get his hands on software, e-books and movies any way he can. He has several times offered me these pirated items for free, and laughs at me for refusing them. All my arguments that we are living in the information era and that stealing such information without paying the authors for it impoverishes them and eventually us were all to no avail. I am shocked at how some (usually younger) people sincerely desire a world of anarchy where there is no rule of law. I think they should go to summer camp in Syria ad see how they really like it.
Well, if you ever do go, Shake his hand.
I mean, given all that he did, it WAS kinda stand-up for him to apologize.
There have been situations where criminals used unsuspecting drop sites for drugs leading to no-knock warrants.
https://en.wikipedia.org/wiki/Berwyn_Heights,_Maryland_mayor%27s_residence_drug_raid
You’re lucky you didn’t get shot.
I do feel that this guy deserves some jail time, but 30 years is a bit excessive. Last think you want is his young son blaming you for his dad’s actions and targeting you when he’s older.
I do not believe the 30 years has anything to do with the Heroin stunt.
” was set to appear in a Newark courtroom today on charges of stealing and selling credit card and banking data, emptying bank accounts, and running a botnet of more than 12,000 hacked computers and servers, among other alleged crimes.”
Wow, Brian this stuff reads like a movie script, I darn sure would not put my guards down about this fellow, particularly if he get the 30 year sentence. I would dig a bit more about his associates, since he now hasn’t much to look forward it terms of his life. The is not being nice about sending you those postcards and those apologies are an attempt to soften you and gain your trust, perhaps you could be expected to give him a good reference and ease his punishment impact. I am sure the Feds have done work on him, however, I would not trust anything about this situation.
Agreed.
Perhaps it’s some sort of reverse Stockholm syndrome but I find Fly’s change of heart utterly predictable.
We spent years fighting scammers online. They would put your life in danger and/or try to cause as much harm as possible to anyone trying to expose their criminal enterprise. But as soon as they are apprehended or otherwise foiled, they’d act like we were friends.
It could be grudging respect. It could be submission in the face of perceived temporary adverse circumstances. Whatever the reason, they are still opportunists and criminals. A interesting conversation? Perhaps. Any sort of friendship or trust? Forget it!
dB
There is only one way to make sure you dont have to worry about backlashes: treat the criminals with respect!
But you can never be sure, that one of the kids you helped to get caught, is a crazy nutcase and out of any measurable limits.
Is it worth the risk? I decided its not because my family suffered.
Thank you very much for all you do, Brian.
You are walking point in the never ending
battle to expose and shut down malicious
blackhat forces.
I count 13 packets
“… a baker’s dozen …”
https://en.wikipedia.org/wiki/Dozen#Baker.27s_dozen
Awesome and scary story!
My wife and I would pay to see this movie in the theater but it would have to have a super cast. Reverting!!!
Latin letter “c” sounds like Russian letter “ц”
“MUXACC” translates as “муха це-це” = “tsetse fly”
thecc[dot]bz: “cc” is plausible as reference to credit cards AND/OR site admin “це-це”
I believe he’s actually used MUXACC referring to the two registers used in assembly language MUX and ACC (multiplexer and accumulator).
Nothing bad has ever happened from someone screwing over someone in the drug business, right?
http://lostangelesblog.com/wp-content/uploads/2015/01/scarface.jpg
I sincerely hope if you get a chance to talk to the judge that presides over his hearing, that you ask him to give mercy on him.
It honestly sounds like he was just a young, and immature-for-his-age man caught in a world that no one belongs in.
And it honestly sounds like he really is sorry for it. He had a child. Maybe he was slowly growing up, and I think what he has been through ought to be enough punishment. Maybe.