In what sounds like a story straight out of a novel, security researcher Brian Krebs has reported that the Ukrainian criminal who plotted to frame him on drug charges has been nabbed in Italy. This entire story goes back to when a cybercriminal known by the names Fly, Flycracker and Muxacc started to harass Brian Krebs via Twitter. These threats came in the form of profane and taunting tweets, as well as pictures of action figures holding up his severed head and photos of his credit report.
The man known as Fly was a member of multiple Russian/Ukrainian credit card and crime forums and moderated one of the most well-known credit card fraud forums online. Without Fly’s knowledge, Brian was able to gain access to Fly’s secret credit card forum and discovered a plot in which Fly would purchase heroin on the Silk Road and have it shipped to Brian’s home. Fly would then call the police posing as a concerned neighbor and have Brian arrested on drug charges.
Thankfully, Brian was able to alert the authorities and even track the package as it moved toward his house, since Fly had posted the tracking number on his forums. And of course, once Fly had discovered that his plot had been foiled, he had a local florist send a gaudy cross-shaped floral arrangement to Brian’s house. It included a menacing message that directly addressed his wife, signed “Velvet Crabs.”
But it gets so much better. Brian then decided to look for this Fly guy and, with the help of Russian computer forensics firm Group-IB, was able to find a defunct email address which was connected to another email address called firstname.lastname@example.org, indicating a possible location in Italy. According to a trusted source in the security community, that email had been compromised last year, and that source said the account was full of emailed reports from a keylogger. This keylogger was tied to a different email address, email@example.com, which is tied to the mazafaka email address via recovery settings.
The keylogs themselves had valuable information indicating that the Fly guy had planted a keylogger on his wife Irina’s computer. On many occasions those emails showed Fly’s wife typing in her Gmail address, which included her first and last name, Irina Gumenyuk.
Obviously, with her first and last name they were able to look her up on social media and determine she had changed her name to Vovenko. In fact, she even mentioned her husband by name several times in emails to friends, directly identifying him as Sergei Vovenko. And of course, thanks to payment information contained in those emails, they were able to determine their location as Napoli, Italy. Also, according to social media profiles, Brian was able to gather that Vovenko was born in St. Petersburg, Russia, but is a Ukrainian citizen.
Then, last week, Mazafaka forum admins removed Fly’s account and postings on the forum, which is typically done when a member is suspected of having been arrested.
According to Brian’s sources, Vovenko had been arrested by the Italians under a joint US and Italian operation. He is reportedly being held in an Italian jail waiting to be extradited to the US, although he may have to stand trial in Italy first. This is because he would routinely buy Italian credit card dumps (stolen numbers) and cash out the stolen cards through high-end Italian stores. This was possible because of his variety of equipment for embossing and printing credit cards, which investigators were able to discover.
Moral of the story? Don’t mess with a good security researcher.