25
Sep 19

Interview With the Guy Who Tried to Frame Me for Heroin Possession

In April 2013, I received via U.S. mail more than a gram of pure heroin as part of a scheme to get me arrested for drug possession. But the plan failed and the Ukrainian mastermind behind it soon after was imprisoned for unrelated cybercrime offenses. That individual recently gave his first interview since finishing his jail time here in the states, and he’s shared some select (if often abrasive and coarse) details on how he got into cybercrime and why. Below are a few translated excerpts.

When I first encountered now-31-year-old Sergei “Fly,” “Flycracker,” “MUXACC” Vovnenko in 2013, he was the administrator of the fraud forum “thecc[dot]bz,” an exclusive and closely guarded Russian language board dedicated to financial fraud and identity theft.

Many of the heavy-hitters from other fraud forums had a presence on Fly’s forum, and collectively the group financed and ran a soup-to-nuts network for turning hacked credit card data into mounds of cash.

Vovnenko first came onto my radar after his alter ego Fly published a blog entry that led with an image of my bloodied, severed head and included my credit report, copies of identification documents, pictures of our front door, information about family members, and so on. Fly had invited all of his cybercriminal friends to ruin my financial identity and that of my family.

Somewhat curious about what might have precipitated this outburst, I was secretly given access to Fly’s cybercrime forum and learned he’d freshly hatched a plot to have heroin sent to my home. The plan was to have one of his forum lackeys spoof a call from one of my neighbors to the police when the drugs arrived, complaining that drugs were being delivered to our house and being sold out of our home by Yours Truly.

Thankfully, someone on Fly’s forum also posted a link to the tracking number for the drug shipment. Before the smack arrived, I had a police officer come out and take a report. After the heroin showed up, I gave the drugs to the local police and wrote about the experience in Mail From the Velvet Cybercrime Underground.

Angry that I’d foiled the plan to have me arrested for being a smack dealer, Fly or someone on his forum had a local florist send a gaudy floral arrangement in the shape of a giant cross to my home, complete with a menacing message that addressed my wife and was signed, “Velvet Crabs.”

The floral arrangement that Fly or one of his forum lackeys had delivered to my home in Virginia.

Vovnenko was arrested in Italy in the summer of 2014 on identity theft and botnet charges, and spent some 15 months in arguably Italy’s worst prison contesting his extradition to the United States. Those efforts failed, and he soon pleaded guilty to aggravated identity theft and wire fraud, and spent several years bouncing around America’s prison system.

Although Vovnenko sent me a total of three letters from prison in Naples (a hand-written apology letter and two friendly postcards), he never responded to my requests to meet him following his trial and conviction on cybercrime charges in the United States. I suppose that is fair: To my everlasting dismay, I never responded to his Italian dispatches (the first I asked to be professionally analyzed and translated before I would touch it).

Seasons greetings from my pen pal, Flycracker.

After serving his 41 month sentence in the U.S., Vovnenko was deported, although it’s unclear where he currently resides (the interview excerpted here suggests he’s back in Italy, but Fly doesn’t exactly confirm that). 

In an interview published on the Russian-language security blog Krober.biz, Vovnenko said he began stealing early in life, and by 13 was already getting picked up for petty robberies and thefts.

A translated English version of the interview was produced and shared with KrebsOnSecurity by analysts at New York City-based cyber intelligence firm Flashpoint.

Sometime in the mid-aughts, Vovnenko settled with his mother in Naples, Italy, but he had trouble keeping a job for more than a few days. Until a chance encounter led to a front job at a den of thieves.

“When I came to my Mom in Naples, I could not find a permanent job. Having settled down somewhere at a new job, I would either get kicked out or leave in the first two days. I somehow didn’t succeed with employment until I was invited to work in a wine shop in the historical center of Naples, where I kinda had to wipe the dust from the bottles. But in fact, the wine shop turned out to be a real den and a sales outlet of hashish and crack. So my job was to be on the lookout and whenever the cops showed up, take a bag of goods and leave under the guise of a tourist.”

Cocaine and hash were plentiful at his employer’s place of work, and Vovnenko said he availed himself of both abundantly. After he’d saved enough to buy a computer, Fly started teaching himself how to write programs and hack stuff. He quickly became enthralled with the romanticized side of cybercrime — the allure of instant cash — and decided this was his true vocation.

“After watching movies and reading books about hackers, I really wanted to become a sort of virtual bandit who robs banks without leaving home,” Vovnenko recalled. “Once, out of curiosity, I wrote an SMS bomber that used a registration form on a dating site, bypassing the captcha through some kind of rookie mistake in the shitty code. The bomber would launch from the terminal and was written in Perl, and upon completion of its work, it gave out my phone number and email. I shared the bomber somewhere on one of my many awkward sites.”

“And a couple of weeks later they called me. Nah, not the cops, but some guy who comes from Sri Lanka who called himself Enrico. He told me that he used my program and earned a lot of money, and now he wants to share some of it with me and hire me. By a happy coincidence, the guy also lived in Naples.”

“When we met in person, he told me that he used my bomber to fuck with a telephone company called Wind. This telephone company had such a bonus service: for each incoming SMS you received two cents on the balance. Well, of course, this guy bought a bunch of SIM cards and began to bomb them, getting credits and loading them into his paid lines, similar to how phone sex works.”

But his job soon interfered with his drug habit, and he was let go.

“At the meeting, Enrico gave me 2K euros, and this was the first money I’ve earned, as it is fashionable to say these days, on ‘cybercrime’. I left my previous job and began to work closely with Enrico. But always stoned out of my mind, I didn’t do a good job and struggled with drug addiction at that time. I was addicted to cocaine, as a result, I was pulling a lot more money out of Enrico than my work brought him. And he kicked me out.”

After striking out on his own, Vovnenko says he began getting into carding big time, and was introduced to several other big players on the scene. One of those was a cigarette smuggler who used the nickname Ponchik (“Doughnut”).

I wonder if this is the same Ponchik who was arrested in 2013 as being the mastermind behind the Blackhole exploit kit, a crimeware package that fueled an overnight explosion in malware attacks via Web browser vulnerabilities.

In any case, Vovnenko had settled on some schemes that were generating reliably large amounts of cash.

“I’ve never stood still and was not focusing on carding only, with the money I earned, I started buying dumps and testing them at friends’ stores,” Vovnenko said. “Mules, to whom I signed the hotlines, were also signed up for cashing out the loads, giving them a mere 10 percent for their work. Things seemed to be going well.”

FAN MAIL

There is a large chronological gap in Vovnenko’s account of his cybercrime life story from that point on until the time he and his forum friends started sending heroin, large bags of feces and other nasty stuff to our Northern Virginia home in 2013.

Vovnenko claims he never sent anything and that it was all done by members of his forum.

-Tell me about the packages to Krebs.
“That ain’t me. Suitcase filled with sketchy money, dildoes, and a bouquet of coffin wildflowers. They sent all sorts of crazy shit. Forty or so guys would send. When I was already doing time, one of the dudes sent it. By the way, Krebs wanted to see me. But the lawyer suggested this was a bad idea. Maybe he wanted to look into my eyes.”

In one part of the interview, Fly is asked about but only briefly touches on how he was caught. I wanted to add some context here because this part of the story is richly ironic, and perhaps a tad cathartic.

Around the same time Fly was taking bitcoin donations for a fund to purchase heroin on my behalf, he was also engaged to be married to a nice young woman. But Fly apparently did not fully trust his bride-to-be, so he had malware installed on her system that forwarded him copies of all email that she sent and received.

Fly,/Flycracker discussing the purchase of a gram of heroin from Silk Road seller “10toes.”

But Fly would make at least two big operational security mistakes in this spying effort: First, he had his fiancée’s messages forwarded to an email account he’d used for plenty of cybercriminal stuff related to his various “Fly” identities.

Mistake number two was the password for his email account was the same as one of his cybercrime forum admin accounts. And unbeknownst to him at the time, that forum was hacked, with all email addresses and hashed passwords exposed.

Soon enough, investigators were reading Fly’s email, including the messages forwarded from his wife’s account that had details about their upcoming nuptials, such as shipping addresses for their wedding-related items and the full name of Fly’s fiancée. It didn’t take long to zero in on Fly’s location in Naples.

While it may sound unlikely that a guy so immeshed in the cybercrime space could make such rookie security mistakes, I have found that a great many cybercriminals actually have worse operational security than the average Internet user.

I suspect this may be because the nature of their activities requires them to create vast numbers of single- or brief-use accounts, and in general they tend to re-use credentials across multiple sites, or else pick very poor passwords — even for critical resources.

In addition to elaborating on his hacking career, Fly talks a great deal about his time in various prisons (including their culinary habits), and an apparent longing or at least lingering fondness for the whole carding scene in general.

Towards the end, Fly says he’s considering going back to school, and that he may even take up information security as a study. I wish him luck in that whatever that endeavor is as long as he can also avoid stealing from people.

I don’t know what I would have written many years ago to Fly had I not been already so traumatized by receiving postal mail from him. Perhaps it would go something like this:

“Dear Fly: Thank you for your letters. I am very sorry to hear about the delays in your travel plans. I wish you luck in all your endeavors — and I sincerely wish the next hopeful opportunity you alight upon does not turn out to be a pile of shit.”

The entire translated interview is here (PDF). Fair warning: Many readers may find some of the language and topics discussed in the interview disturbing or offensive.

Tags: , , , , ,

48 comments

  1. The Sunshine State

    This one was a real good article !

  2. arguably, the best Krebs piece ever written.

  3. Nothing better than a story with personal touches. Thank goodness, Karma is real. And if he hasn’t grown a conscience by now, I doubt he ever will.

  4. I’ve often wondered what it is like on the dark side, Brian. Thank you for this fascinating yarn

  5. Intriguing, on so many levels. You’ve reported on some scary characters, and I have been concerned at times about the possibility that your safety might be in jeopardy. Excellent article; thank you!

  6. Marcus Aurelius Tarkus

    Wait a minute…isn’t this guy now the president of Ukraine, currently in nefarious cahoots with our president?

  7. The question I have is what kind of mother would leave her child before the age of 13 and go live in Italy? This is probably the reason this piece of human waste turned out the way he did.

    • It is a quite common thing in the Western part of Ukraine, especially at Zakarpattya.
      A lot of females are going to Italy, Spain, France to work as maids or farm workers. And motivation can vary from a better salary to an opportunity to find an old real estate owner to get his/her flat/house/etc.

    • When blaming the mother, don’t forget also to ask where the father was. Which this story at least sheds no light on.

    • A kid born in Ukraine in 1988 will have had a horribly impoverished childhood because of the implosion of the Ukrainian economy after the collapse of the Soviet Union in 1991 – Ukraine’s GDP fell by half in only five years and there was hyperinflation. That’s what he grew up in and if his mother escaped to Italy so too did hundreds of thousands of other Ukrainians desperate to find a better place to live. At least she made arrangements to get him out of Ukraine to join her in Naples. Don’t blame the mother.

  8. Brian, I am so sorry you and your family has gone through such awful retribution from the Dark Side. But I am also extremely grateful for the work you do to keep us informed and safer.

  9. One gram of heroin is a lousy prank. Real pranksters would do a full kilogram.

    Or a box of perfumed glitter, which is arguably worse.

    I still think it’s unfair that he was extradited to the United States. Computer crimes should be tried and punished where they are performed, not where victims reside.

    The US is very unbalanced towards prosecutors and away from defendants, with some of the most draconian sentences in the Western world. US prisons are also shamefully cruel and inadequate for human rights, compared to other modern Western powers.

    Italy has fine laws on the subject, as does the EU. If the US trusts these entities enough to sign extradition treaties, the US should also trust them to root out evil criminals and punish them.

    Fly is scum and deserved jail, but it shouldn’t have included time in the US.

    • “Fly is scum and deserved jail…

      Well at least there is one set of words in your comment with which most of us agree.

    • it’s great that the FLY’s ass was dragged over to the USA so he could be raked over the coals by the USA prosecutors to be tossed into the USA prison system to be turned into Big Bubba’s nightly bitch! brouhahahahaha!!!!

    • “Computer crimes should be tried and punished where they are performed, not where victims reside.”

      This is all well and good when the jurisdiction in which those crimes are committed have a functioning criminal justice system that cares about the victims abroad.

      This theory quickly falls apart when you realize that the vast majority of cybercrime occurs in the places is does specifically *because* those jurisdictions are incredibly weak on criminal justice (and, in far too many cases may actually be supporting the criminal activity at a state level).

      The answer isn’t to leave justice up to places that have little to no interest in actually carrying it out; the answer is to reform our own systems away from purely punitive punishments and closer to rehabilitative sentencing where applicable.

      • That makes much more sense. Russia, Iran, Pakistan etc aren’t going to punish a hacker… they’d give him/her a medal.

    • 4 years for ripping off thousands of people sounds pretty mild IMHO. Prison is prison but there a lot worse places to spend time in prison than the USA, even the Fed.
      And BTW the Ukrainian president is a comedian, kinda like ours.

    • “Computer crimes should be tried and punished where they are performed, not where victims reside.”

      A. When a cyber criminal is physically in State A, using a site hosted on a server physically located in State B, where is the cyber crime performed? Query whether State A, or State B, would have an interest in pursuing a crime committed on a resident of State C.

      B. If “performing” all those heinous acts against Mr Krebs is not a crime in State A, or in State B, because it occurred outside its borders, then your comment suggests it is not pursued as a crime at all.

  10. Personally, what is most disturbing about reading this article are these two realizations:

    First:

    Would we all be blessed with dumb digital attackers? I.E., hackers on forums that were ratting out other hackers? Or, knowledge ahead of time of the plot to be carried out against you and/or your family? Yeah, no problem, surely all of these things will happen for us general public if something like this attack were ever to occur to us.

    Second:

    Of those of us unlucky enough to have had an online attack carried out to the extreme (into the analog world) that Brian did, well, how can I put this as eloquently as possible: none of us, and stop kidding ourselves that we would possess such abilities, would have Brian’s knowledge, skill, experience, and/or connections to deal with something like this.

    What I mean is this: digital threats against myself, personally, are one thing. But threats that analog manifest themselves and appear against my family? Against my children?? All delivered to our home???? And originating, for most of us, from God knows where?????

    I’d be a wreck, plain and simple, 24/7/365.

    The above two realizations should bother us all….a lot. A very, very, VERY lot.

    Those realizations should lead us to where we all can become incessant “advocates” for quicker change in how our current State & Local law enforcement agencies are structured and set up to deal with this sort of online attack-abuse-threat that enters the real world.

    If that “advocating” (mentioned above) means raising my local taxes to accomplish this change in my local area and/or State, then do it.

    This problem of online attacking, harassment, and abuse will never go away by themselves. We’ve got to stop acting like the Internet is some fairyland where things will eventually work out, where it’s just a few bad people saying sticks&stones things.

    Shock newsflash: the Internet has been found to be a reflection of the human animal. A wide-swath of human animals. And we humans have proven time & time again immemorial that it is only the “threat of punishment”, not “altruism” and not “peace and love and MANNERS”, that keeps us all, so-to-speak, in-line.

    Stop hallucinating that the great awakening of the digital world(s) will eventually be different? Stop thinking that what is said there can’t affect us in the analog world.

    Sure, sure………we humans (cough, cough) can rise above and be better. It’s in our nature to be better (just look to the messages left here on Krebs to exemplify how good & wholesome our collective nature is). We are all saints in the eyes of any possible-existing God.

    Come on, Lucy, please hold the darn football one more time so that I (Charlie Brown) can try kick it…..

    • “raising my local taxes to accomplish this change”

      Raising taxes to lower cyber-crime? Come on, be reasonable. What would raising the taxes go to and how would that remotely address cyber-crime? This is the very same argument of raising taxes to lower murders. If bad people have easy access to guns, knives, and other weapons, murders will never go away. If bad people have easy access to the internet, cyber-crime will never go away.

      • Widely missed the point of what I wrote: people need, when digital online harassment-abuse-threats (HTAs) enter the analog world, somewhere to turn for help if it becomes serious (and Brain’s situation qualified as “serious”).

        That ‘somewhere’ needs a modicum of structure and competence. For any endeavor in life, except religion (well, no, it comes there too), neither “structure” nor ‘competence’ come without monetary backing.

        So, yes, even though I am a lifelong Libertarian Conservative, in this case raise my local—key word being LOCAL—taxes to develop the structures, procedures and the trained people needed. The systems. Systems that can help people enduring DTAs that have entered the real, physical world.

        Only as these “LOCAL” systems are built across States can they then begin networking across the USA, and eventually the world. Why? Again, to deal with HTAs that have entered a person’s non-digital life. And please spare us the Orwellian arguments.

        Only then, imho, can we move forward with the overall Nets existing today and especially with the new ones that are yet to built in the future.

        People don’t live & exist in the physical, analog world inside a vacuum. They don’t live there without consequences. Certain actions and behaviors have “consequences”. Hence, the “guns” and “murder rates” comment has no meaning or relevance here.

        The “certain actions & behaviors have consequences” understanding then begs the question: why should it be any different for the online digital worlds? Or when the physical and digital worlds intersect? Possibly especially when they ‘intersect’.

        Answer: they don’t. And never should be construed as such.

        That was the point of what I wrote in my original message But, heck, I guess it is wrong to hold such thoughts as these. As an LC, I’ve been told that all my life.

    • One thing that’s important here – In my opinion, you have nothing to worry about unless you too, kick the hornets nest. Brian researches and tell the tales, provides the identities of these heathens and then they have to scurry out of the limelight. Then they are bashed from the criminal side as well as the law and public side. So yes, it is very easy to social engineer people and find out who they are and where they live.
      But in a simple world, these seemingly nightmarish feats are covert and as long as you do not create a stir in public, they are but a mild hiccup for most.

  11. Among my interests are the crime/thriller novels of authors like James Patterson, David Baldacci, Lee Child, and the likes.

    Those novels are entertaining fiction. Your writings are entertaining reality and often far better than the stuff from fiction writers.

    THANKS for your expertise and for writing about it. You help a lot of us protect ourselves from the scumbags.

    And of course, let’s hope the worst of their personal attacks on you are never to happen again.

  12. This was a great article, Brian! I have to say, I got a kick out of the caption under the mail from Fly: “Seasons greetings from my pen pal, Flycracker.” People that threaten families are less than human and deserve whatever punishment that comes their way.

  13. I don’t understand how you can be so forgiving.
    If someone harassed my family like that, I expect I’d do all I could to ensure they never did so again.
    If you or your family would have been killed in a police raid for the drugs, they only would have laughed, and moved on to the next victim without flinching.

    • Mahhn: I don’t understand how you can be so forgiving.
      I know nothing about Brian or his beliefs; however, God is great, his gifts are many, peace is one of them. This is true whether Brian or you believe it or not.

  14. Brian Fiori (AKA The Dean)

    Great article, as always.

    One question you say, “But his job soon interfered with his drug habit, and he was let go.” Now that had me laughing pretty hard. Any chance you meant “his drug habit interfered with his job”? Funnier the way you wrote it, though. So I’m hoping it is correct as is.

  15. Facebooks own Cryptocurrency Libra started his ICO! (Means you can buy some now) Be fast, there are not many left.
    (Link to ICO –> libraico.live)
    (When its Spam just delete it, dont want to bother anyone its just a tip! Libra could be a big thing!)

  16. Thanx for sharing! Your audience love you, and we do not envy you. But your reporting is for the greater good, so keep finding your way through, if you can!

  17. Can you at least bother to link to the original interview? The PDF does not do that either.

    Here it is:
    https://krober.biz/?p=3200#more-3200

  18. This young fellow failed the simple rule of security by compartmentalization.. Is a password manager that hard to use?

  19. Brian Krebs please make an article about the Doordash data Breach!!

  20. Maya Panich f/k/a Maya Dratva “invited all of her cybercriminal friends to ruin” my financial identity, reputation, and that of my family, after framing me one of her crimes (identity theft, credit fraud) and I discovered it was her. Her mistake: the phone number she used to establish a fake email account (using my name) that she used to commit the crime was her own. The authorities have done nothing and she has since hacked my ISP accounts twice, taking them over after all sorts of other menacing acts. In other words, I can relate to you story! Karma has already won because happy people don’t behave this way.

  21. Excellent work Brian, really enjoyed reading! 15 pages interview transcript is with a read. I felt like reading a book.

    Keep up with the good work!

  22. Great article! I love the “I have found that a great many cyber criminals actually have worse operational security than the average Internet user” part.
    Bulgaria’s tax agency was recently hacked, and personal data of 5 million people got stolen.
    A suspect was arrested. Apparently, he left enough traces to be found. One article claimed investigators were able to track him with a Google search as his machine’s name was the same as his moniker on various forums.

  23. This article never explained the motive. What did you do to anger this criminal so that he went to such trouble?

  24. That was absolutely fantastic .Krebs said sorry.Funny.

  25. This is a fantastic example of why I love this website. Incredibly thorough.

    You are a man with a special set of skills, Brian.