A Ukrainian hacker who once hatched a plot to have heroin sent to my Virginia home and then alert police when the drugs arrived had his first appearance in a U.S. court today, after being extradited to the United States to face multiple cybercrime charges.
Sergey Vovnenko, a.k.a. “Fly,” “Flycracker” and “MUXACC1” (muxa is transliterated Russian for “муха” which means “fly”), was set to appear in a Newark courtroom today on charges of stealing and selling credit card and banking data, emptying bank accounts, and running a botnet of more than 12,000 hacked computers and servers, among other alleged crimes.
Fly replies to my direct messages telling him I know his real name and where he lives.
I first became acquainted with Fly in 2013, when his Twitter persona (warning: images here may not be safe for work) began sending me taunting tweets laced with epithets and occasional attempts to get me to click dodgy-looking Web links. Fly also took to his Livejournal blog to post copies of my credit report, directions to my home and pictures of my front door.
After consulting with cybercrime researchers at Russian security firm Group-IB, I learned that Fly was the administrator of a closely-guarded but now-defunct cybercrime forum dedicated to financial fraud called thecc[dot]bz (“cc” is a reference to credit cards).
Not long after that, I secretly gained access to his forum. And none too soon: In one lengthy discussion thread on the forum, I found that Fly had solicited donations from fellow fraudsters on the forum to donate Bitcoin currency for a slush fund Fly created for the express purpose of purchasing heroin off of the Silk Road — which was at the time the leading source of illicit drugs on the Dark Web.
Flycracker discussing the purchase of a gram of heroin from Silk Road seller “10toes.”
Fly’s plan was simple: Have the drugs delivered to my home in my name, and then spoof a call from one of my neighbors to the local police informing them that I was a druggie, that I had druggie friends coming in and out of my house all day long, and that I was even having drugs delivered to my home.
The forum members took care to find the most reputable sellers of heroin on the Silk Road. After purchasing a gram of the stuff from the Silk Road’s top smack seller — a drug dealer who used the nickname “Maestro” — Fly posted the USPS tracking link for the package into the discussion thread on his forum.
An ad for heroin on the Silk Road.
At that point, I called the local police and had a cop come out to take an official police report. The officer asked me to contact him again if the drugs actually arrived. Three days later, our local Postal Service carrier hand delivered a thin USPS Express Mail envelope that was postmarked from Chicago. Inside was another blank envelope containing a May 2013 copy of Chicago Confidential, a weekly glossy magazine from the Chicago Tribune.
On the back of the magazine, taped to a full-page ad for jewelry from LesterLampert, were a baker’s dozen individually wrapped packets emblazoned with the same black and gold skull motif that was on Maestro’s Silk Road ad. I immediately contacted the police, who came and dutifully retrieved the drugs, which turned out to be almost pure heroin.
12 packets of what appears to be heroin arrived at my home via the Silk Road on July 29, 2013.
I wrote about the experience of foiling Fly’s plan in a story titled Mail From the (Velvet) Cybercrime Underground. This did not sit well with Fly, who was made to look bad in front of his forum members who’d contributed roughly two Bitcoins to the scheme.
Angry that I’d foiled his plan to have me arrested for drug possession, Fly had a local florist send a gaudy floral arrangement in the shape of a giant cross to my home, complete with a menacing message that addressed my wife and was signed, “Velvet Crabs.”
The floral arrangement that Fly had delivered to my home in Virginia.
After this incident, I became intensely curious about the identity of this Fly individual, so I began looking through databases of hacked carding and cybercrime forums. My first real break came when Group-IB provided a key piece of the puzzle: Group-IB researchers found that on the now-defunct vulnes[dot]com, Fly maintained an account under the nickname Flycracker, and signed up with the email address firstname.lastname@example.org (.it is the country code for Italy).
According to a trusted source in the security community, that email account was somehow compromised in 2013. The source said the account was full of emailed reports from a keylogging device that was tied to another email address — email@example.com (according to Google, firstname.lastname@example.org is the recovery email address for email@example.com).
Those keylog reports contained some valuable information, and indicated that Fly had planted a keylogger on his then-fiancee Irina’s computer. On several occasions, those emails show Fly’s wife typed in her Gmail address, which included her real first and last name — Irina Gumenyuk.
Sergey “Fly” Vovnenko, in an undated photo.
Later, Gumenyuk would change the surname on her various social networking profiles online to Vovnenko. She even mentioned her husband by name several times in emails to friends, identifying him as 28-year-old “Sergei Vovnenko”. Payment information contained in those emails — including shipping and other account information — put the happy couple and their young son in Naples, Italy.
This information later was shared with federal authorities in Italy. In June of last year, I received a call from a U.S. law enforcement source who said plainly that “the Fly has been swatted.” Vovnenko had been arrested and was awaiting extradition proceedings that would send him to face charges in the United States.
In July 2014, I received the first of several letters from Vovnenko, who was at the time sitting in Poggioreale Jail, a place of confinement in Naples that Fly described as “the worst prison in Italy.” I didn’t open the letter immediately; I notified my contacts in U.S. federal law enforcement who had an open case on Vovnenko, and they offered to retrieve the letter and test it for any dangerous substances (hey, the previous time he sent me mail it had heroin inside!).
The envelope was clean. It contained only a hand-written letter. The opening paragraph was a friendly greeting written in English; the rest was penned in Ukrainian script. A professional translation of the letter revealed it to be a deeply personal and — I believe — heartfelt apology from Vovnenko for sending the heroin, for posting my credit report, and for otherwise terrorizing my family. I believe he was perhaps 12-stepping it, because he also used the occasion to say that he forgave me for posting his personal information and photo of him in my blog shortly after his arrest in Italy.
In December 2014, I received another missive from Fly, still awaiting extradition in Poggioreale. It was a postcard with a nice picture of Naples on the front, and simple holiday greetings on the back: “Happy New Year! And Merry Christmas!” the message read. “With Best Regrads [sic], From Fly!”
The postcard Vovnenko sent to me from prison in Naples.
Cybercrooks have done some pretty crazy stuff to me in response to my reporting about them. But I don’t normally get this kind of closure. I look forward to meeting with Fly in person one day soon now that he will be just a short train ride away. And he may be here for some time: If convicted on all charges, Fly faces up to 30 years in U.S. federal prison.
Seasons greetings from my pen pal, Flycracker.
The Justice Department’s press release on Vovnenko’s indictment is here (PDF). The actual indictment can be found at this link (PDF).