
Hacker Who Sent Me Heroin Faces Charges in U.S - yitchelle
http://krebsonsecurity.com/2015/10/hacker-who-sent-me-heroin-faces-charges-in-u-s/
======
icehawk219
One thing I'm curious about with stuff like this is how some of the
information gets given to the authorities and how it's allowed to be used in
court. I imagine I can't just walk into my local police station, file a
report, and go "so I have this illegal copy of a database that let me
illegally access someones email account that contained illegally acquired
information ...". Wouldn't that be inadmissible in court even if the police
did accept it and act upon it? And doesn't it expose me to potential legal
problems as well?

~~~
klodolph
This is a common misconception. The fourth amendment only limits the actions
of the state, and case law establishes how evidence is excluded from trials.
So, if I break into my neighbor's house and find child porn on his computer,
that evidence is admissible in court. But if the police break into my
neighbor's house without a warrant and search his computer, it isn't
admissible, because it's a fourth amendment violation. But if they have a
warrant to search the computer, it is admissible. If the judge who issued the
warrant made a mistake and shouldn't have issued the warrant, the evidence is
still admissible. This last situation also surprises people.

~~~
x5n1
Surprising that a judge doesn't make a mistake all the freaking time. The
legal system is a religion, it has little basis in reason.

~~~
tptacek
Think in terms of branches of government. The executive branch investigates
crimes, and the judicial adjudicates them. The exclusionary rule is designed
to punish the executive branch for abusing the Fourth Amendment. But if it's
the judge that's mistaken, it's the judicial, not the executive, at fault, and
the incentive behind the exclusionary principle ceases to exist.

(If it helps: the US's exclusionary rule is significantly stronger and more
consistent than those of European countries, particularly the UK.)

~~~
ta0n0n0
Doesn't the fact that a judge's career depends on promotion by the executive
branch create such an incentive?

~~~
klodolph
It's more complicated than that... in order for the judge to abuse the system
this way, the police would have to be acting in good faith, but still bring a
groundless request to the judge, who would have to figure out that the warrant
was groundless but decide to issue it anyway. That's a pretty unlikely
scenario.

Here's a comic about the 4th amendment:
[http://lawcomic.net/guide/?p=1604](http://lawcomic.net/guide/?p=1604)

------
gtrubetskoy
'(“cc” is a reference to credit cards)' \- CC (and MUXACC1) is not a reference
to credit cards, it's a reference to the Tsetse Fly
[https://en.wikipedia.org/wiki/Tsetse_fly](https://en.wikipedia.org/wiki/Tsetse_fly)
which spreads Sleeping Sickness -
[https://en.wikipedia.org/wiki/African_trypanosomiasis](https://en.wikipedia.org/wiki/African_trypanosomiasis)
\- for whatever reason it's part of the Russian folklore used as a metaphor
for something particularly nasty.

Edit: (thanks rnovak!) apparently "cc" in thecc[dot]bz _is_ credit cards,
though the CC in MUXACC1 is definitely a reference to Tsetse.

~~~
rnovak
Uh, he's referring to thecc[dot]bz which is a carding forum, which literally
refers to credit cards (and is _extremely common_ [1][2]). That excerpt is
also nowhere near the MUXACC1 reference.

[1] [http://www.acronymfinder.com/Credit-
Card-(CC).html](http://www.acronymfinder.com/Credit-Card-\(CC\).html)

[2]
[https://books.google.com/books?id=lGC2AgAAQBAJ&pg=PT48&lpg=P...](https://books.google.com/books?id=lGC2AgAAQBAJ&pg=PT48&lpg=PT48&dq=cc+abbreviation+credit+card&source=bl&ots=P4wmfyHr6o&sig=mIBAEuNy4EoEW0VCdx9RR4fG9vc&hl=en&sa=X&ved=0CEMQ6AEwBjgKahUKEwiD3o_H5cfIAhUW0WMKHaz2ClI#v=onepage&q=cc%20abbreviation%20credit%20card&f=false)

------
mmanfrin

      Payment information contained in those emails — including 
      shipping and other account information — put the happy 
      couple and their young son in Naples, Italy.
    

I am not at all surprised they found him in Naples. That city is a festering
breeding ground for scammers, fraudsters, mafiosi, Camorra, and every kind and
type of unscrupulous person. I have never hated a city I've visited so much as
Naples.

~~~
balls187
Season world traveler, and the only place I have been scammed was Naples. The
waiter pulled the "show you the receipt then take it away."

I think I was out an extra 40 euro before I realized what happened.

Edit to explain the scam:

The waiter brings you the bill, and the price looks "reasonable" at first
(maybe because humans are bad at money estimation). The waiter takes the bill
away before you can inspect each charge and inquire. You pay and leave before
realizing you were overcharged, and only as an afterthought do you realize.

~~~
jstanley
Is the scam that they've added extra charges to the bill, and therefore don't
want to give you time to read it?

------
pavel_lishin
That's the problem when you're being hunted; you can't slip up even once. The
people chasing you can make all the mistakes they want; you have to make zero.

------
imperialdrive
I've had to decide to face down evil before... I went forward and it landed
people in prison. I know I did the 'right' thing, but I didn't sleep well
until moving away and wiping my online identity. I salute your work and wish
you the best.

------
hackuser
This statement has very serious implications:

    
    
        According to a trusted source in the security community, that
        email account was somehow compromised in 2013. The source said
        the account was full of emailed reports from a keylogging
        device ...
    

If I understand "security community" to mean law enforcement or intelligence
agencies, that means they are sharing data from surveillance of private
individuals with journalists.

This suggests that assurances about the security of that data and the
integrity of their processes are not reliable. Who else is given this data?
You may like Krebs and think it's justified, but who decides whose private
data is ok to leak? What about your private data?

~~~
jcrawfordor
I'm not sure that I agree with your policework there. The "security community"
here almost certainly refers to a private security researcher or firm. I can't
see why it would have been a government source.

In general direct information sharing is one of the most important things in
information security, but the government has its hands tied in this area in a
way that private companies do not.

------
steven2012
OP seems a bit naive, but I can't believe it given everything he's written. Of
course the Fly won't send threats over mail, he knows everything he writes is
being watched. I would be worried, however, that he somehow gets word to
someone to exact his revenge, since he really has nothing to lose at this
point.

~~~
Nadya
I agree with you entirely.

Implied death threat (to him) sent to his wife from someone whom he has now
gotten imprisoned who knows where he lives and confirmed it by sending a
card... he seems awfully calm about all this and perhaps half-jokingly states
he'll visit Fly in prison to meet him in person.

I'd be getting placed under a witness protection program (is this even
applicable?) and relocate. Move somewhere that _doesn 't_ have risk of being
burned down if Fly manages to contact anyone.

Anyone deep enough in the criminal scene has connections to people that can
make bad things happen to other people for the right price. This isn't
something I'd be posting about on a blog as if it's some sort of crime
detective story... his life and his wife's life could potentially be in
danger.

~~~
rubbingalcohol
I doubt it, this isn't a drug cartel kingpin or mafia don we're talking about.
He's just a troll.

~~~
Nadya
Even low hanging fruits have connections. I think all the hush-hush on black
markets creates as much danger as it creates safety in making such discussion
taboo. The idea that only kingpins or the mafia have connections to hitmen is
something that exists only in Hollywood media.

I guess thinking about it further, the 'good' news is that if the criminal was
successful at what he did and had a couple grand to hire a hitman - he
wouldn't have needed to crowdfund the heroin. So you're right in that it's
more likely a small time, not-black-market-rich troll rather than someone more
dangerous.

~~~
kbenson
Let's not forget that getting someone in trouble and/or threatening harm/death
are not the same thing as actually causing physical harm, and that is not the
same as actually causing death. Just because someone is part of the underworld
doesn't mean they have no qualms about ordering someone's death, and the only
thing holding them back is the money.

~~~
Nadya
Revenge is one of the most powerful motivators for murder and can turn
otherwise good people into hot-blooded killers [0-5].

Few people would kill indiscriminately, but if you give them a powerful enough
motivation? They'll have no qualms taking a life. This guy has had his life
ruined, I doubt his marriage will survive this, and he'll be spending a good
portion of his life in prison in a foreign country. Furthermore, he gets to be
humiliated not once - not twice - but _thrice_ by Krebs. That's a lot of
motivation to get back at a guy and it would be foolish to not even entertain
the _thought_ that he may seek revenge.

I could link to _hundreds_ if not _thousands_ of stories about revenge
killings. Hell - it's such an old motivator it's featured in many parts of
Greek and Roman mythology.

E:

Ignoring that the reason the Witness Protection Program even exists is to
protect peoples' lives after they ruin a criminal's life.

[0] Possibly NSFW ; no gore but someone dies:
[https://www.youtube.com/watch?v=_PUE8fYxjq8](https://www.youtube.com/watch?v=_PUE8fYxjq8)

[1] [http://www.theguardian.com/uk-news/2015/aug/12/ex-ira-
gunman...](http://www.theguardian.com/uk-news/2015/aug/12/ex-ira-gunman-shot-
dead-in-apparent-revenge-killing)

[2] [http://www.dailymail.co.uk/news/article-3009762/Man-gets-
lif...](http://www.dailymail.co.uk/news/article-3009762/Man-gets-life-without-
parole-revenge-killing-girl-2.html)

[3] [http://www.nydailynews.com/news/crime/texas-dad-accused-
murd...](http://www.nydailynews.com/news/crime/texas-dad-accused-murdering-
drunk-driver-killed-sons-found-not-guilty-article-1.1919158)

[4] [http://www.dailypilot.com/news/tn-dpt-me-0711-van-
sentencing...](http://www.dailypilot.com/news/tn-dpt-me-0711-van-
sentencing-20150710,0,4320715.story)

[5] [http://indianexpress.com/article/india/india-
others/nearly-4...](http://indianexpress.com/article/india/india-
others/nearly-40-yrs-after-murder-revenge-killing-in-up/)

~~~
kbenson
I'm not saying criminals don't kill people. I'm simply making a point about
assuming all criminals are the same. There are plenty of white-collar
criminals that have and will cause the death of innocent people and there are
plenty of violent criminals that won't purposefully cross the line to killing
a person.

If for no other reason, we should be wary about stereotyping criminals because
what is considered criminal is sometimes quite arbitrary and can change quite
fast. How many years ago was it a felony in some states to possess more than
token amounts of marijuana, or to take part in sodomy?

~~~
Nadya
What I think is dangerous is _confirming that he got the Xmas card_. Depending
how that was sent, he has confirmed that he hasn't relocated his home and that
puts him in danger. If Fly wanted revenge, he wouldn't want to hire a hit on
the wrong house, now would he? Confirming his family is still in that house
makes it a target for a hit or arson if Fly seeks revenge.

Even if Fly was not already a criminal - merely a troll - there are now seeds
of revenge planted. He doesn't need to have been a criminal or done any
criminal actions for him to want to seek revenge. People who are seeking
revenge can be dangerous - to deny that is to ignore millenniums of history
proving otherwise. While it has been pointed out this wasn't Krebs first and
likely won't be his last - and that he's likely accustomed to such things. The
danger is still there.

I am not trying to argue "because he is criminal, he will try to kill" I am
saying "because he may seek revenge, he may try to kill". This has nothing to
do with his criminality - and my bringing up his criminal behavior was more
trying to shed light on "anyone can hire a hitman. they just need money and
enough motivation to want someone dead." because it's a commonly held belief
that only the rich and powerful (kingpins, political leaders, etc.) have
connections or can hire hitmen.

The motivation aspect is covered by "revenge" and "need enough money" can be
covered by "criminal activity".

Anyways, I'm done here. I hope he stays safe and I hope his confirming he got
the Xmas card doesn't bring him or his wife/family(?) into harm.

~~~
kbenson
I was responding specifically to:

> I guess thinking about it further, the 'good' news is that if the criminal
> was successful at what he did and had a couple grand to hire a hitman - he
> wouldn't have needed to crowdfund the heroin. So you're right in that it's
> more likely a small time, not-black-market-rich troll rather than someone
> more dangerous.

There's a couple ways to interpret that. One is that he didn't have money
because he crowdsourced his scheme, which I think is fallacious on a few
levels (e.g. maybe he crowdsourced it because it was a community rep thing,
and he wanted to be seen organizing it). The other is that he only sent the
heroin because he didn't have the money to hire the killer _which he would
have if he had the money_ , which is how I read it. Perhaps you meant the
former. but my replies were meant to address the latter. I don't disagree with
any of your replies, but they are non-sequiturs to mine, likely because we are
arguing separate things.

------
tonyarkles
A really interesting thing that isn't mentioned in the article, and I don't
know that I've got all the facts right: is he being extradited to the U.S. for
these crimes, while having never set foot in the country? Does that freak
anyone else out?

------
mring33621
"I say to you againe, doe not call up Any that you can not put downe"

~~~
thaumasiotes
This sounds like advice never to begin farming.

~~~
wglb
As a farm boy who grew up on a wheat farm, at the end of the season after
harvesting the wheat that we had "brought up" in the spring or the previous
winter, we would plow the remainder under, bringing it down again.

~~~
thaumasiotes
There are people who will tell you that agriculture was just a giant mistake
on the part of some enterprising hunter-gatherers, since it locked all of
humanity in to agriculture forever.

------
rufugee
_so I began looking through databases of hacked carding and cybercrime forums_

Where does one acquire these databases? Genuinely curious...

~~~
comrh
Read through Kreb's archive, he has screenshots and more info. If I remember
correctly one was on the clearnet but required some sort of verification
before you got access.

~~~
data_spy
I've been a fan of Krebs for a while. He get's a lot of access and information
from other hackers (that were pissed at another hacker) or security analysts.
Gotta give him props though, he taught himself a lot, including learning
Russian

~~~
comrh
I think one of his best features is his follow through too. Real good
journalistic nose for following a lead.

------
fjordames
Not to simplistically vilify an entire city but Naples is a horrible, horrible
place.

------
pierrec
It's interesting to see the moral ambiguity in this, in the comments and in
the article itself. Perhaps the comment with the rarest insight of empathy is
the one by Matthew B.:

" _The people who conduct this type of crime often think of it as justified.
After all, Americans are rich aren’t they? How could it hurt them to lose some
money? We are poor, if they won’t share, we’ll just take it. We will make them
share!

They think of it as a game. A lucrative game in which they get to win over and
over again. Even those of them who may be kind to their friends and even
generous with those they love, don’t really see their victims as people. Not
being a member of their group makes the rest of us not quite human.

This type of tribal thinking isn’t as uncommon as you might want to believe.
I’ve seen it here in the US over and over during my lifetime. Most people who
suffer from it don’t consider themselves evil. They just consider the rest of
us their lawful prey.

We tend to feel otherwise. Thanks for the great work Brian._"

What I find a bit crass is the sensationalistic complete disclosure of
identity employed - going all the way to the classical mugshot. All of this
will certainly not help for Fly's later reinsertion, say, when he decides to
get a job in IT. And I'm not playing devil's advocate here, it just seems to
me that the author is pushing aside his inner moral voice in order to write a
more viral article. Justice is taking care of prosecuting the criminal, but
let's push him further down if it can attract some pageviews. I suppose I'm
simply being bitter about journalism, though.

~~~
tptacek
You are complaining that Krebs doxxed a credit card scammer who tried to frame
him for dealing heroin?

~~~
pierrec
Framing someone for dealing heroin is criminal and morally terrible. The guy's
certainly paying and going to prison for it, and for his other crimes. This is
justice doing its job.

The question that I'm trying to ask is whether public shaming, especially to
such a large audience, is really a civilized response. The consequences are
also devastating, and reduce the possibilities of getting a second chance at
life, something that I strongly believe in.

~~~
CPLX
> whether public shaming, especially to such a large audience, is really a
> civilized response.

This concept is also often referred to by it's more common name: "journalism"

~~~
neckro23
I've been pondering this distinction lately. We recognize that doxxing, etc.
are Definitely Bad Things but that's exactly what journalists have always
done.

It's a matter of degree and intent, of course, but there's an awfully blurry
line in-between.

~~~
CPLX
The difference between "doxxing" and "journalism" can indeed get blurry every
once and awhile[0], but it's usually not that hard to figure out.

Journalism is newsworthy and has the intention of informing people in the
public interest, doxxing is typically not newsworthy or in the public interest
and has the intention of harassment or intimidation.

[0] [http://nymag.com/thecut/2015/07/gawker-slammed-for-story-
out...](http://nymag.com/thecut/2015/07/gawker-slammed-for-story-outing-conde-
nast-exec.html)

