A Ukrainian man who tried to frame me for heroin possession has pleaded guilty to multiple cybercrime charges in U.S. federal court, including credit card theft and hacking into more than 13,000 computers.
Sergei “Fly” Vovnenko, in an undated photo. In a letter to this author following his arrest, Vovnenko said he forgave me for “doxing” him — printing his real name and image — on my site.
Sergey Vovnenko, 29, entered a guilty plea in Newark, New Jersey to charges of aggravated identity theft and conspiracy to commit wire fraud. Prosecutors said Vovnenko operated a network of more than 13,000 hacked computers, using them to harvest credit card numbers and other sensitive information.
When I first became acquainted with Vovnenko in 2013, I knew him only by his many hacker names, including “Fly” and “Flycracker,” among others. At the time, Fly was the administrator of the fraud forum “thecc[dot]bz,” an exclusive and closely guarded Russian language board dedicated to financial fraud and identity theft.
After I secretly gained access to his forum, I learned he’d hatched a plot to have heroin sent to my home and to have one of his forum lackeys call the police when the drugs arrived.
I explained this whole ordeal in great detail last fall, when Vovnenko initially was extradited from Italy to face charges here in the United States. In short, the antics didn’t end when I foiled his plot to get me arrested for drug possession, and those antics likely contributed to his arrest and to this guilty plea.
The aggravated ID theft charge to which Vovnenko pleaded guilty carries a mandatory two-year sentence. The other charges he copped to will lengthen his sentence and include fines. His sentencing is currently slated for May 2, 2016. The indictment against Vovnenko is here (PDF). A copy of his plea agreement is at this link (PDF).
Dang! Don’t tee off some maniac that would do you harm. I like your site and the info you share. Don’t want it to disappear.
2 years, I can only hope the rest of the plea deal isn’t to good. Will he be released in this country?
AFTER the restitution of whatever financial gain the court determines he has to give back, there’s a quarter million dollar fine in there.
Reading the documents, I can’t see why he would agree to the plea deal, they look to me like he’s giving up quite a lot for no real assurances on the part of the government. The first count has a maximum of 20 years and the document essentially says, well, we’ll recommend, but the judge can do as he pleases.
Nice to finally get the sob. Do we know how he managed to hack into so many machines?
Well, it generally takes two to tango to take over a machine. Just open an unsolicited email (among other stupid things) and find out.
Glad he got caught but two years is not near enough for ID theft and hacking 13,000 computers. That could be considered just the cost of doing business. I don’t know what the traditional sentence is for the heroin stunt he tried to pull on you but he should at least get the sentence that he was trying to subject you to.
Of course the penalties for heroin possession would be much, much more severe than stealing someone else’s identity and ruining their life! This is the US where any sort of “drug” possession is the ultimate evil and must be eradicated at the most severe cost.
If you think drug penalties are severe here, I suggest you research drug penalties outside the US.
Yeah, maybe start your journey in South East Asia (Indonesia, Singapore, Malaysia, Thailand).
Or maybe just go to Portugal.
People are full of surprises aren’t they.
Something is always better than nothing. I don’t like lazy prosecutors or our lazy legal system. There was no need for a plea agreement that soft. They had a mountain of solid evidence.
IMHO they softened the deal too much. Keep up the awesome work Brian.
The 2 years is just the guaranteed minimum. He still pleaded to the conspiracy charges, and I’m confident that will tack on another 2-3 years.
Here is an actual photo of the Fly.
http://mugshots.com/US-Counties/New-Jersey/Essex-County-NJ/Sergey-Vovnenko.121169838.html
Hi krebs, what happened to the other web security’s links you use to have on the right side of your site?
I used to come here to reader your stuff as wells as go to visit other security sites from here.
I miss them.
Yes Brian, I miss them too.
There’s a blogroll with links if you page down a ways. Is that what you mean?
only 2 years? Soon he will be back then, good luck catching him again next time…
only 2 years?!! He will be back soon, good luck catching him again next time…
That’s only for one count. The other one carries a maximum of 20 years. It also specifies that the max two years charge cannot be concurrent. See the plea agreement Brian linked to for the details.
Any idea what malware he was using to “hack into 13,000 computers”? Assuming bots but curious which versions/families?
Brian,
You are an awesome journalist!
You and your family have persisted through accusations of drug possession, swatting, and heaven knows what else. I very much appreciate your sacrifice as it means shining a bright light on the dark side.
Thank you, Brian!
Troy.
#
He creates his own drama for page views.
Then why are you here?
Troy put it very well! May you and yours be always be kept safe from the evil-doers! Your intelligence and persistence are awesome tools you use for the good of the rest of us.
Hi Brian,
Your experience with this fraudster and the associated plot leaves me with many questions, most of them with uncomfortable answers. So, I’m wondering, and to you extent you are allowed to comment…had you not know in advance of the Heroin plot and I assume you forewarned law enforcement, would it have been likely that you’d have been arrested, jailed, house searched, assumed guilty, etc.? In other words, this story could have played entirely differently had you not infiltrated the fraud forum, etc. Does knowing this make you shy away from further involvement in this area or make you double your effort knowing that the bell cannot be un-rung? (BTW, this story is worth of a novel or feature length movie. Is that in the future?)
Keep tabs on that bastick. He’s a crazy Russian after all.
Ukrainian ≠ Russian
Not if Putin has anything to say about it.
Putin has nothing to with this. Vovnenko is not a Russian last name.
Let us hope the miscreant isn’t placed somewhere “overcrowded” and gets early release.
A thought – KOS could make a presence on the dark web and bring a little light to that realm. Or, would that cut down on too many readers? Or be an even bigger target? YNK!
Jonathan @NC3mobi
Glad this all happened without adverse consequences to you, Brian. You could easily have been less fortunate.
I’ll be interested to know what kind of prison he’s put in. I didn’t see any charges in the indictment about heroin. A drug-dealing charge might have landed him in a maximum security facility. To put him in a Club Fed or equivalent would send the message that the US still thinks ID theft isn’t all that serious.
So they agreement provides for a Sentence Guideline of 22 on one of the charges, and a term of 2 years consecutive incarceration on another count/charge. I suspect a “Sentence Guideline of 22” may not be equatable to 22 years of incarceration, because ‘years’ was always referenced in one of the charges and ‘guideline’ (and NOT years) was always referenced in discussion of the other charge. Is the guideline mentioned a reference on some form or graph which denotes a different number or range of years (minimum/maximum) or does it specifically refer to a year number?
From the plea agreement (pages 9 & 10) :
“…12. In accordance with the above, the parties agree that the total Guidelines offense level applicable to SERGEY VOVNENKO is 22 plus 2 years’ consecutive
imprisonment on Count Three of the Indictment (the “agreed total Guidelines offense level”). …”
As I suspected Guideline Numbers do NOT equal years. Here is the graph that shows the # months suggested for particular points:
https://www.federalcharges.com/wp-content/uploads/sites/7/2013/10/sentencing-guidelines-table1.jpg
Will he have access to computers during his incarceration? He has dangerous skills to trade.
Hi Brian – Do you plan to attend his sentencing?
Que up Queen’s “Another One Bites the Dust”, and crank it up!!!
No one fucks with Krebs home boy! Let’s be real. He shoulda seen that coming. Surprised he didn’t get longer.
It’s a shame the Camorra (Gomorrah) didn’t find out he was plying his trade in Bella Napoli without paying them a cut. That would have made his already interesting life much more interesting.
You got the point 😉 I think his worst vacation has been in Poggioreale prison plus I think this guy had no idea how things workout in Naples…and as he suppose to be some kind of “important” person on the internet, in Naples he was less then nothing.
So Brian, are you still thinking of going to see him for a face-to-face interview? I recall you mentioning this a couple of “Flycracker” posts ago?
yes, absolutely. I figured it would be fruitless as long as he was claiming innocence, but now that he’s pleaded guilty it’s more likely he’d talk I think.
I bet he only has to serve 1 year (a felony class sentence). Many who get 20 year sentences are let loose in 10 years especially if it is a non-violent crime (which this is).
He plead guilty to Federal charges. Parole is no longer offered in Federal convictions. So he will serve 80% of his sentence before he can be considered for early release.
Go get ’em, Brian! Good job, as always!
The punk will just go right back to being a worthless menace to society when he gets out of prison. His mother should have aborted him. Good job Brian you got the last laugh on the fool.
He actually thought his little ploy to frame you for buying drugs would actually work? Hello, plausible deniability? Criminals aren’t so smart, are they?
Brian, two things – please move the comment box to the top of the comments list. secondly, do you plan on attending his sentencing? I’ll join you in May if you like and we can grab a beer and chat security?
Evil confusing his brain
People need to be given a second chance at life
Forgive him Brian
Well, okay then! Have you personally been hacked lately? Has your life been ruined? Have you had to spend hours online trying to unwind the nefarious activities of one of these jerks? Then try and forgive him. He deserves all he gets.
I think Brian ha’s forgiven him already but that guy has to spend lots of jail time, lot and lots of it.
Still got my drop, poor guy pleaded guilty and I am still in Moscow. good luck pals