Adam July 31, 2013 7:27 AM

Of course it could all be an elaborate double bluff. Security researcher warns police that he may be on receiving end of harassment by criminals, starts up lucrative heroin operation, uses aforementioned harassment warning as a get out of jail card when he is caught. Just joking 🙂

Brett July 31, 2013 7:31 AM

Bruce, has anything like this happened to you?

I guess if you are on the right track and have the bad guys looking over their shoulders they might come after you.

H4x July 31, 2013 8:07 AM

Blackhats have done stuff like this to each other for years. When their not breaking into each other’s facebook and changing the status to” I’m going to shoot up my school today” or swatting each other they set each other up with drugs. I recall a guy in Ukraine once using his rivals real life credit card to order illegal porn on obvious federal sting sites too.

The worst was a crew I knew in the 90s that boxed their rivals phone to call in death threats to the whitehouse switchboard and the target was screwed when they raided his place and found the cellhackers bible and other illegal information at the time.

They go after Krebs because he exposes their so called private fraud forums which in turn heats up business with too much attention. Krebs is lucky the excited DEA or state police didn’t arrest him. Would’ve taken a huge amount of lawyer fees they don’t care if somebody is setting you up.

Clive Robinson July 31, 2013 8:36 AM

We have an expression about “There’s no flys on” somebody, usually implying they are smart or street wise.

It seems fairly apt this time to say “There’s no fly on Brian”.

But let’s be honest Brian got lucky, due to the fact he saw the plan because as is the failing with many petty criminals “fly” could not keep his mouth shut and had to boast about what he was planing to do in what was in effect a place that was insecure.

As I’ve noted befor well over 80% of criminals that get investigated by the police (in the UK) do so because the can not stop their “gums from flaping”, which gets overheard by others who then “grass them up” (so definatly “no honour amongst theives”).

Other estimates on “criminal stupidity” indicate that of convicted criminals nearly all are convicted by their own actions in terms of flapping their gums, having direct physical evidence of their crimes in their posetion or leaving known forensic evidence that links back to them (finger prints, hair, blood, cloaths etc) at the crime scene.

Bruce Schneier July 31, 2013 8:40 AM

“Bruce, has anything like this happened to you?”

Nothing even remotely like that has ever happened to me.

Glyndwr Michael July 31, 2013 9:38 AM

“Nothing even remotely like that has ever happened to me.”

Well you’ve probably pissed off the TSA, but the worst they could do is show up in the middle of the night and try to grope you (if they don’t fall asleep on the job first).

McFly July 31, 2013 9:51 AM

So if Krebs now blogs that the results have come back saying it was baking powder, should Fly believe him? Whose legs get broken?

jb July 31, 2013 11:17 AM

What they should have done is combined the attacks: Mail the heroin to an accomplice who would (badly) hide it on Krebs’s property, then call the SWAT team reporting Krebs for dealing drugs.

Nick P July 31, 2013 11:27 AM

A friend and I were watching the excellent documentary Killing Pablo last night. This reminds me of that situations a little in how Krebs puts the pressure on the online crooks to the point that they try to terrorize him with all kinds of crooked tactics. Of course, there’s no similarity between the two cases in the level of risk and violence: Pablo regularly murdered cops/judges, bombed airplanes, etc.

People like Krebs are lucky our current line of criminals are cowards that hide behind monitors and think a “sick” response is SWATing a house. Very lucky.

H4x July 31, 2013 11:30 AM

For a proper setup they should have sent trafficking amounts from netherlands and then tipped off customs. Controlled delivery would happen and if Krebs signed or opened it regardless of him warning the local police they still would’ve arrested him. If you time this for Friday delivery he spends all weekend in jail waiting for a judge, or longer and requires a lot of legal money wrangling for the over excited feds to drop the case.

I hope in the future he doesn’t accept any suspicious packages regardless of warning the police they tend to not know what each hand is doing and by the time they figure out what happened you’ve already done months of time in a pretrial prison. Luckily these Russian jokers don’t know what they are doing.

coke July 31, 2013 11:50 AM

I have a P O Box at a major (at least, in my city) postal facility. They put things that aren’t addressed to me in the box frequently. I have told them, and I see the note, that says, I only want to see mail that is address to me, but it’s like the note isn’t even there. So, if Brian receives something at his residence, I think he could easily prove he didn’t order or accept it. Plus, most of the major shippers simply leave all packages at the door, whether you are there or not. Just because its delivered to you doesn’t mean you have any knowledge of it. Since he alerted the local authorities before the swatting incident, I think he’ll be fine.

h4x July 31, 2013 12:00 PM

Dozens have people have been convicted for trafficking merely by signing for the shipment or opening it. You should read SR forums more often (:

Of course he would be fine….eventually but not after spending time in lockup, a notoriously violent place. Since all drug trafffickers are denied bail he would have to wait to talk to the district attorney who is so backlogged he could sit for months in prison. That’s the point of this scheme they know he won’t be convicted but if they did it correctly he’d be in jail right now. Customs would call state police to raid his house and ask questions later.

tl;dr dont open packages or sign for them if you didn’t order them

NobodySpecial July 31, 2013 12:24 PM

There was a similar case discussed here years ago.
An old couple were being raided by police swat teams almost daily because a bug in the dispatch system put their address in the report if the entered address was incorrect.

In the end the only solution was for police and dispatchers to remember their address and ignore all calls to it. There was a concern about what happened if these people actually needed help – but it would also be a fantastic opportunity for them to become master criminals

Dieter July 31, 2013 12:33 PM

Flyguy in Russia just added trafficking in drugs to his rap sheet should the feds ever get him because he flapped his gums too much. If he has any sense of self preservation he’ll never leave Russia to go on vacation to Turkey/Dubai or another country that looks the other way when extraordinary rendition to the US goes down. US agents will literally kidnap him there and haul him back to DC.

Krebs should be concerned they might one day up the game and start planting “weaponized pornography” which is illegal images used as a weapon. They could come hidden on a USB drive, or phony informants might start passing him it hidden inside harmless looking intel then report him to the state police. They would most definitely target him if he goes overseas too and announces on his blog he’s going to Hong Kong or somewhere for a security conference. Trafficking narcotics there is a death sentence and unlikely the Chinese police would believe any story about being set up by Russian hackers who had it dropped off at his hotel waiting for him. He should travel first, then report about it.

Brian crebsky July 31, 2013 12:49 PM

What the hell . We all know that Brian Crebs use heroin as a recreational drug and to relief the stress . Shame

Daniel July 31, 2013 1:01 PM

@Clive & Nick P.

I disagree. The lesson I draw from Brian’s activities is not that he is “lucky” in some degree or another. The lesson I draw is that human intelligence still matters. Infiltrating networks, building connections, creating a fake personality, i.e. good old fashioned “leg work.” This unnerves the spies and the crooks far more than than something like the FBI’s “stingray” or the NSA’s scoop-it-all-up mentality.

If Brian was lucky it was because he spent years laying the groundwork to be lucky.

Bryan July 31, 2013 1:11 PM

This level of miscreance should not be ignored by the authorities.

What could they do? They can amplify trace DNA inside the envelopes, compare it to DNA databases, and likely find a match or at least a family name of the sender. Also, all U.S. mail is photographed in transit, and in addition to the Chicago origin, they can often tell what post office the mail came from. Correlating these, they can likely find the sender.

There might be more indirect payoff for the Feds… they can turn the sender into a snitch and/or unravel her network of fellow miscreants.

Bata July 31, 2013 2:44 PM

What everybody seems to be missing in this story is that some random criminal has Brian Krebs’ home address. That is a big Operation Security no-no on Krebs’ part. If I were him, I’d really spend some time making it harder for anyone to actually find me. This should serve as a wake-up call. As others have pointed out, next time he might not be this lucky.

Jack July 31, 2013 2:56 PM

Looks like the Russian was telling Brian he was aware he was on the forum and watching him all along.

Brian is too wound up for that sort of business he is involving himself in, that is a magnet for teenage pranksters.

It does appear very clear they were not intending Brian to be arrested for heroin (as the title seemed to imply).

Figureitout July 31, 2013 3:00 PM

What everybody seems to be missing in this story
–Also, why did he just cut open a baggie w/ a white substance he has no clue of? Using a mask and gloves may not prevent spores infecting the entire house.

kingsnake July 31, 2013 4:17 PM

Glyndwr Michael: The TSA would fall asleep after the groping. (And a cigarette …)

Nick P July 31, 2013 4:44 PM

@ Daniel

Did you even read my post? The luck claim referred specifically to the fact that Krebs’ opponents don’t go to great lengths to harm him or his family. This is especially easy when his address is known and habits are predictable. Many people putting pressure on other types of criminal or in other locales have it worse. In my area, quite a few people who caused problems with organized crime have been beat down in their own houses or murdered on the street.

As for his job, I’ve commended Krebs skill in infiltrating, exposing and disrupting online crooks plenty times in the past. On his blog too. He’s a terrific investigator. All of that leads to the risk I referred to. That crooks haven’t done so much is luck. Im also glad these crooks are wimps: means Krebs can keep stomping a mud hole in their operations.

Public Record July 31, 2013 5:00 PM


Not everyone has the option of being anonymous. There are numerous places where your home address is public information if, for example, you register to vote. My home address is published in the voter roles on a website. You can even search by partial names. Crawl the listings and you could have names and addresses for half of the town.

Dieter July 31, 2013 7:00 PM

Speaking of Bruce and the TSA, I’m surprised they haven’t singled him out for harassment and junk grabbing everytime he gets on a plane. Moxie Marlinspike was given the 3rd degree and rubber glove treatment for travelling with textsecure on his phone, and refused to decrypt his texts which really, really angered customs agents. I’m pretty sure he’s on a list now and anytime he travels he enjoys the government jackboot. TSA will probably claim Bruce has explosives in his beard and shave him at the gate.

MikeR August 1, 2013 8:51 AM

I read this post with a growing sense of incredulity … do people really use Bitcoins to buy-and-sell drugs using the Internet?! (As though, like, “no one else in the world but ‘us folks’ knows what’s going on here?)

I felt the same way when I learned that a hacker group named itself “Anonymous.” Sure, the face-mask is a cool-looking trademark, but absolutely nothing about the Internet is, by any stretch of the imagination at all, “Anonymous.”

Nick P August 1, 2013 10:38 AM

@ MikeR

“I felt the same way when I learned that a hacker group named itself “Anonymous.” Sure, the face-mask is a cool-looking trademark, but absolutely nothing about the Internet is, by any stretch of the imagination at all, “Anonymous.””

Sure it is. Authorities still don’t know who most of those people are. And case studies on particular cybercriminals show that the feds had to do a decent amount of highly targeted work to catch even less paranoid types. So, the right tech and OPSEC on the Internet is anonymous enough in practice.

G van Grijnen August 1, 2013 3:02 PM

You don’t have to be a security writer to get this sort of harassment.

You could even be a victim if you don’t write annoying articles, but simply if you are a niece of someone bitterly hated.

This is what happened in the Netherlands.

A 24 year old female student in Amsterdam, named Laury got in trouble after a fake twitter account with her name pasted to it started to insult muslims.

The responses were predictable.

“I will cut your throat, if I find out who you are”.

Three hurrays for the internet.

J August 3, 2013 3:38 PM

What Krebs did was careless and reckless. He has children living in his home? A wife? And he identified two people who helped him by full name in his post. He obviously is more concerned by the thrill of his escapades than the safety of others. Then he accepts the package (perhaps it was dropped without signature), opens it, finds the heroine and then opens the heroin package?!?! Bit of a nitwit, if you ask me. He has bigger problems lying ahead for him, is my guess.

Leave a comment


Allowed HTML <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre> Markdown Extra syntax via

Sidebar photo of Bruce Schneier by Joe MacInnis.