It can be hard to lead a double life, especially when one of those lives involves a criminal enterprise. Whether that's being a digital drug dealer, a hacker-for-hire, or an internet scammer, making sure that your online personality doesn't reveal your real identity can be half the work.
But underneath all of the layers of encryption and technical wizardry, cybercriminals can all too easily forget the most basic point: keeping your personal and professional life entirely separate. If this fundamental rule isn't followed, it doesn't matter how many proxies or saturated connections you're hiding behind, it could get you caught. Ross Ulbricht, the alleged owner of the first Silk Road website, was tracked down, in part, because he used his real name and email address in places. This helped investigators to break through the Dread Pirate Roberts pseudonym.
The idea of separating your identities is called 'compartmentation,' which is, according to security expert 'the grugq,' “the separation of information, including people and activities, into discreet [sic] cells.” In practical terms, this could be using email accounts that have no association with one another for your different identities, or not linking illegal behaviour (say, making a phone call to organise a drug deal) with the place where you sleep (a location where law enforcement are likely to be able to find you).
In order for a double life to be effective, “these cells must have no interaction,” the grugq notes. Lots of different people can benefit from such an approach: undercover police officers hiding their true identity; investigative journalists who don't want to expose a source by keeping all communications with them on a separate email account and device; and of course cyber-criminals, who rely on pseudonymity to operate.
The grugq gives an example of successful compartmentation as that of 'Yardbird,' a child pornography ring leader who escaped capture while another pedophile was arrested after a 15-month undercover operation. In short, one reason he evaded law enforcement was because his group separated the file sharing and communication parts of their operation. “The group […] had an incredibly effective set of security practices,” he wrote on his blog.
A more recent example provides a case study for exactly what cyber-criminals shouldn't do.
A lot of people hate Brian Krebs. Through his computer security blog, he has exposed tactics used by criminal email spammers, credit card copiers, and ATM scammers. Some people hate him so much that they have SWATed him—sending a heavily armed police force to his house in response to a fake distress call—and attempted to screw up his finances by opening tens of thousands of dollars of credit in his name.
Now one of those pranksters has been caught, according to the most recent post on Krebs's blog. Last year, 'Flycracker' (also known as Fly and Muxacc) tried to send a package of heroin to Krebs's house and to time its delivery with a police visit, likely ending in Krebs's arrest.
Krebs reports, however, that Fly was recently arrested in Italy on suspicion of dealing stolen credit card accounts. In his report, he also reveals how he and some of his security colleagues traced back Fly's identity—though it's unclear what role, if any, their work played in the arrest itself.
In an interview with VICE last year, Fly explained his motivation as a counter to Krebs's “popularisation of carding.” By writing about the forum that Fly and his fellow carders use, he said, Krebs was “attracting new people to carding, which we are against. If you look at the states, after his post about [the] drugs [delivery] the number of people who want to register on the forum grew several orders of magnitude.”
When asked if he was confident that he hadn't accidentally exposed his identity, Fly replied, “I have thought about personal safety, but it's not impossible to find me. At least, I'm confident there's not a single picture of me online—not even a hint of my address.”
Fly stated that Ilya Sachkov, founder of global security company Group-IB, had said that “they can catch anyone”—a claim he doubted.
Turns out the company may indeed have had a role in pinning down Fly. In Krebs's write-up of the investigation on his blog, he credits Group-IB with linking the pseudonym Flycracker with an email address: email@example.com, with .it indicating an Italian web service.
Here the trail gets a little hazy. Krebs refers to “a trusted source in the security community”, who claimed that firstname.lastname@example.org was “somehow compromised,” and its inbox was full of messages from another address, email@example.com. 'Mazafaka' is a forum where Fly was an administrator.
It is not clear what exactly “compromised” means in this sense. Regardless, the source got access, and those messages from 777flyck777 contained key-logging reports: the captured text produced by a device or piece of software installed on a computer to record everything that is typed on it.
Those reports included someone logging into Gmail with her real name. That person turned out to be Fly's wife, and Fly had presumably been using a key-logger to spy on her and have the results sent to the Mazafaka email address.
Amongst those reports was also Fly's real name, Sergei Vovnenko, a Russian-born Ukrainian, according to his social media accounts. Other information, such as payment details, linked the couple and their child to Naples, Italy.
Recently, Fly had been quiet on the various forums he frequents, and admins had started to delete his posts and accounts—standard practice if your colleague has disappeared unexpectedly. Turns out he had been arrested in a joint operation by Italian and US law enforcement agencies, according to a government source that spoke to Krebs.
One of Fly's mistakes—perhaps a crucial one—was mixing his personal life (spying on his wife) with his "professional" one (being an administrator on a carding forum). The reason he left a digital trail was that two email accounts, which at first glance could have belonged to completely different people, were linked.
Even if the Mazafaka email address had been broken into by someone, Fly could have avoided the connection to his other account by not forwarding the keylogging reports that linked him to the real world. Or, in other words, if he had deployed strict compartmentation and really separated his two lives.
Fly's slip-up may come back to haunt him, but criminals will continue to make this basic mistake. A word of advice to any would-be carders or hackers out there: keep everything, especially your troubled marriage, away from work.