The people who dislike cybersecurity blogger Brian Krebs aren’t subtle. In early January, Krebs got a bag of poop in the mail. That was better than the time last summer when he received 13 packets of heroin. Both were way, way better than the day last March when a SWAT team descended on his doorstep, lured by a fake report of a hostage situation. “Having multiple automatic weapons pointed at your head is not my idea of a great time,” Krebs deadpans. “The kind of work I do, I paint a big target on my head.”
Krebs’s talent for exposing the weaknesses in online security has earned him respect in the IT business and loathing among cybercriminals. His track record of scoops, including the Dec. 18 revelation that hackers stole tens of millions of customers’ financial data from Target (TGT), has helped him become the rare blogger who supports himself on the strength of his reputation for hard-nosed reporting. (Target didn’t respond to a request for comment.) Krebs often posts step-by-step details—without outing his sources—of how he’s uncovered which hackers breached whose corporate defenses. “That’s something people really want,” says Andy Ellis, chief security officer at Akamai Technologies (AKAM). “Everything he writes is some of our best open-source intelligence.”
Krebs, 41, started covering cybersecurity as a reporter for the Washington Post, where he’d worked his way up from the circulation department after college. In 2005 he launched the Post’s Security Fix blog and began to infiltrate the online forums and chat rooms where criminals often operate. “Some of these communities, you don’t just say, ‘Hey, what’s up, guys?’ ” Krebs says. He learned hacker slang, listened to hundreds of hours of Russian language lessons, and persuaded industry sources to share their tricks.
In 2009, when the Post merged its online and print newsrooms, Krebs lost his job. After the initial shock wore off, he started his own blog, krebsonsecurity.com. “I really wanted to continue doing what I was doing and didn’t see any reason to stop,” he says. He was the first to report on the existence of the Stuxnet virus, broke the news of a hack at Adobe Systems (ADBE), and uncovered how the credit bureau Experian (EXPN:LN) was tricked into selling consumer data to identity thieves. In a statement on Adobe’s website, the company’s chief security officer, Brad Arkin, thanked Krebs for his help.
On a typical day, Krebs runs on his treadmill, downs a smoothie, then by 9 a.m. heads to what he half-jokingly calls his command center, the U-shaped desk that fills most of a guest bedroom. On his desk sits a laptop and four monitors. One streams images from home security cameras, which he upgraded after the SWAT incident. A 12-gauge shotgun, another recent addition, leans in the corner.
“No intelligence agency could get as much as Brian Krebs does,” says Lance James, the head of intelligence at Deloitte. “Everybody wants to share with him.” When two Russian spammers who processed payments for fraudulent online pharmacies hacked each other, each sent the other’s accounting files to Krebs. (He’s turning that story into a book due out later this year from Sourcebooks.) Hackers also plant Krebs’s name in code on their malware. One hosted a malware network at f**kbriankrebs.com.
In mid-December, Krebs started to hear talk of a big data breach. A source at a large bank pointed him to websites selling stolen information from credit cards it had issued, all of which had been recently used at Target. He corroborated the tip and broke news of the attack, then identified a Ukrainian man he’d determined was selling the stolen data. In an online chat that Krebs later posted, the man offered him $10,000 to back off. Krebs declined and ran the story.
Although he misses the perks of tech support, the blogger says he now makes more money than he did at the Post. Security businesses such as Authentify and IBM’s (IBM) Trusteer division advertise on his site, which attracted about 800,000 unique visitors in December. Since he broke the Target story, about 100 readers have donated anywhere from a few dollars to several hundred via PayPal (EBAY) or Bitcoin. Krebs also gives a dozen paid speeches per year and takes the occasional data-mining project, usually for financial companies, though he wouldn’t say for which or how much.
One recent afternoon, Krebs said that even though stories about the National Security Agency have dominated coverage lately, he wants to stay focused on fraud. Midsentence, his computer jingled with an incoming call. “I’ve got to take this,” he said, throwing on a set of headphones. “Oh, that is a higher-end clientele,” he told the caller as he typed. Soon he showed a visiting reporter out, saying he needed to hop on the tip. A few hours later, he broke the news that along with Target, Neiman Marcus had been hacked, too.