Since 2006, Dark Reading has been at the forefront of covering cybersecurity, providing deep insights and analysis beyond the headlines. All those major news events? We were there. Shifts in technology trends? We wrote about them. Enjoy this special anniversary coverage celebrating where we've been and what's next.
How the Story of a USB Penetration Test Went Viral
Two decades ago Dark Reading posted its first blockbuster — a column by a pen tester who sprinkled rigged thumb drives around a credit union parking lot and let curious employees do the rest. This episode looks back at the history-making piece with its author Steve Stasiukonis, Dark Reading senior editor Becky Bracken, and Dark Reading's editor-in-chief Kelly Jackson Higgins.
Dark Reading Editorial Team
May 5, 2026
Dark Reading's Becky Bracken: Hello everyone and welcome back to Dark Reading Confidential. It's a podcast from the editors of Dark Reading, bringing you real world stories straight from the cyber trenches. I'm your host, Becky Bracken. I am joined today by Dark Reading's editor-in-chief, Kelly Jackson Higgins, for a special episode and a look back at a big moment in Dark Reading's 20-year history. Hello, Kelly. Thank you for coming on today.
Dark Reading's Kelly Jackson Higgins: Hi Becky, I'm so excited to be here, thank you.
DR's Becky Bracken: Okay, so we also wanna give a big welcome to a long-time friend of Dark Reading, penetration tester Steve Stasiukonis, who back in 2006 led a blockbuster pen test at a credit union, and the subsequent write-up made quite a splash, yes Kelly?
DR's Kelly Jackson Higgins: My gosh, yes. So literally a few days after we launched on May 1, Tim Wilson, the late Tim Wilson, who was our editor-in-chief ... I need to ask you Steve, how you guys met ... somehow recruited Steve to write a column about his work that he does. We were trying to get more voices of practitioners in the field. Steve's piece, which was called "Social Engineering, the USB Way," went viral.
And back then it was all about Slashdot picking you up, not Reddit, and that's who picked it up. And we watched our traffic, which we would be excited if we got back in those days, like we were brand new. So we were like, if we get a thousand page views today.... And we watched everything just continue to go crazy. And we realized it was Slashdot. And to this day, that piece kind of became an urban legend. People talk about it in passing. And I'm like, hey, that was from the column on our site. So it became sort of a historical marker in the whole social engineering space.
So remind me if that's the case: Tim recruited you, Steve, to write about this. Tell me, how did you guys end up meeting? I was never clear on how the assignment went out.
Steve Stasiukonis: There was a mutual relationship with a gentleman that was at Syracuse University, I think, either communication school or IT school. And he called me up and he was like, listen, he goes, "You got any like cool stuff going on that we could write about?" And I was like, I think so. I got this job where they asked us to break into this credit union. And I said, they want us to use USB drives. And he goes, "Well, that's going to be interesting." So I was like, let me just see how it goes. And then if it works out, you know, I'll throw something together for you. And that's kind of how it happened. And then he hooked me up with Tim (Wilson). That's kind of how things transpired.
DR's Kelly Jackson Higgins: That's right, I forgot about that. So let's go back 20 years ago. So today, people are like, USB sticks, what are you talking about? Tell me about sort of what the landscape there was with people using USB sticks and how this whole pen test engagement with the credit union came about. What were they looking for and what made you take that kind of approach, and what you guys did?
Steve Stasiukonis: Well, they wanted something better than a phish. We were joking about like, you know, back then USB sticks, remember drives like that when they first came out? They were expensive. It was like buying a part for the space shuttle. So they were like, you know, can you guys get some of those? And I was like, as a matter of fact, we got a boatload of them because we get them at trade shows and we, you know, we put them in a drawer, you know, and ultimately we said to the credit union, we can throw an agent on there or a Trojan. And if you're okay with it, we'll figure out a way to salt your parking lot or get them into the building. And they were like, okay. And they were absolutely fine with it because they were curious if people would actually plug them in. And that's how the whole thing started. And really, that's kind of where it began.
DR's Kelly Jackson Higgins: Well, I remember that you had a really high rate of success of people actually like falling for it. Talk a little bit about kind of what you did and then how you could tell that you were getting pickup, like how you were able to sort of remotely see what was happening with the USB sticks that the people were actually taking and putting in their machines.
Steve Stasiukonis: So it was interesting. So we didn't know what to expect. That prior day, my partner (at Secure Network Technologies) at the time, Bob Clary, he passed two years ago, he wrote up an exploit that would go on those things. And then what we did is we actually went to the parking lot of the building prior, the prior day before we were going to put them down. And we started to watch where people would like walk into the back door. We didn't want to get the customers of the institution. That wasn't the intent. Doesn't get us anything anyway. (We watched) where the smokers go, we would look where you know people that work there would walk into. We actually stayed away from the front door. We looked for where the people would park that would work there, and then the next day we got there, like dark early, and we started to salt in the parking lot where these people would park their cars and then where they would walk in. And if they're like, you know, burning a butt in the smokers area, you know we threw some down there and it was like it was amazing because it was common.
You'd see people: we waited across the street, we'd watch them, and they'd see a thumb drive and it was like "jackpot!" They were like, the suspense on, like they'd look at it as they're walking into the building like, I can't wait to plug this thing in. And that's exactly what happened. And they would: they went in the building and I think before they got their coffee, they went to their machine and they plugged them in and they were curious.
And then the success rate, I don't even know Kelly what the number was, but it was stupid crazy, right?
DR's Becky Bracken: I was looking at the old column recently. I believe it was 15 out of 20.
Steve Stasiukonis: Yeah, yeah. I know that some people that picked them up, they ran them twice. So back then it was like you found something that was gold and that's where this accessory came in.
DR's Kelly Jackson Higgins: Ridiculous.
Steve Stasiukonis: But I think it stemmed from good concern because people were like, hey, don't plug those things in if you don't know where they're from. And really, that one test sparked probably, I want to say hundreds, maybe into the thousands of tests since then with thumb drives. It was a lot.
DR's Kelly Jackson Higgins: I can't remember what that test did: Was there a particular lure where they thought there was something on the [USB], or they were just curious? It was an unmarked USB stick, or did they see some sort of a label on it?
Steve Stasiukonis: My partner Bob Clary, he put a bunch of pictures from Italy [on them]. He just got back from a trip. So he threw those all in there, and they were going through and he's by the Leaning Tower of Pisa. He's hanging out in some boat with a guy, gondola, or whatever. And clearly then as they started to move through, they clicked on something they shouldn't have and then it phoned back and he was like, another good one here. So, I mean, it wasn't much of anything. It wasn't anything super intriguing, but perhaps they liked Italy. I don't know what happened, but that's... why the success rate was so high. You'd think they would have talked about it, but they didn't, you know?
DR's Kelly Jackson Higgins: So what did the client think of this? Like what was their game or action plan after they got this data back from you, that some of their employees were willingly sticking these unknown USB sticks into their computers?
Steve Stasiukonis: They knew it was bad. They knew that there was an issue and they said, you know, we perhaps should have a policy in place and we got to train people. Back then, you know, they didn't understand the concern, either. They were like, well, how bad can it be? And it was like, I guess it could be pretty bad if somebody had an intention of actually getting into your network. And then it kind of stemmed from there. So ultimately they were like, well, they were disappointed in their people. And they were disappointed in the fact that things didn't go their way. But I think it created a lot of awareness. That's what came out of it, you know?
DR's Kelly Jackson Higgins: So what is kind of the equivalent to the USB stick today when you go into pen test engagements? Obviously, physical devices are more restricted now in enterprises. What is the next-gen USB stick that you would use in your engagements?
Steve Stasiukonis: It's really a great question and it's really interesting.
So on the social engineering front, now to get a device on the inside, you know, a thumb drive is probably not going to be the way to do it. So a lot of our physical security work that we do to get past the data set, get into the data center, get into the network ... Now we bring a complete field system. We bring a Mac mini. Well, it was a Mac mini and now there's small field NUCs that go out and they got all of our tools on it. They remote back to our team that we have here (company headquarters). But now it's if you can get into the building and plug in ... unless you somehow got stopped, you've got somebody on the inside of your network and we've done it all. I mean, you know, it's not just tailgating and it's not just, you know, trying to, like, get through a door, you know, it's using people. And if you're kind and you're polite and you do something to gain, you know, somebody's trust, they let you in. And we've done hundreds of those and it's really interesting ... a lot of the pen test world and a lot of the guys in this space all want to pick a lock and get through a door. I don't think you need to do that.
You call ahead. You tell them that you're there because you're going to be working on something. You know, HVAC, or we did copy repair guys. I don't know why people hate the copier. For some reason that is the most ... It's like, of all office equipment, everybody hates the printer, the copier, the fax because it doesn't print, collate, whatever reason. You tell them you're there to service it and they let you in. And then we plug our whole field system in and it goes in. Yeah, it's really interesting.
I remember going there [to a client site] one day. I remember we got into the building, we were dumping thumb drives in cubicles. And we were like walking around and we were there to fix a copier. And I worked with Bob at the time and I said, listen, just get in a cubicle, plug in with your machine. I'll dump some thumb drives. And then a guy came over and he's like, hey, that copier hasn't worked properly since we bought it and I want a new one.
So I downloaded the manual and while Bob was working, I actually fixed the copier and I'll never forget. I was like, Bob, we got to get out of here, man. This guy's breathing down my neck. He wants this machine to staple. I don't know if I fixed it. And he goes, well, I'm done. I got DA, Domain Administrator. So we're done with the network, right? And finally, I'm packing my stuff up and we're looking to leave like a phantom. And the guy yells over, "hey, stop!" And I thought, that's the part where we get detained and, you know, I'm in the back of a police car. And he goes, no, he goes, "please," he goes, "I want to say thank you." He says, "we've had guys trying to fix that copier for weeks." And he goes, "I want to say that you've done a great job." And he bought a cake from Panera Bread and he goes, "I'd like you to have this cake as a thank you and I didn't want to be mean to you."
You know, thousands of thumb drives and, like, stuff like that's happened; it's just amazing, you know. Learned a lot about copiers that day; it was good.
DR's Becky Bracken: It's just, you know, what strikes me so much about these stories that you're telling, especially in the, I'm sorry, we have to say it, in today's AI world. All of these things you're talking about are so human. Of course, there's the Office Space (the movie), you know, scene of them beating up on the fax machine. Like, people hating their copiers, that's so human. People being curious about what is on these sticks. I don't know if they thought it would be naked pictures or what. But it's, not, I mean, the technical know-how. Obviously not just anybody can go in and fix the stapler on the copy machine, either, but these are such human quirks and foibles that you're engaging with even before the tech. I wonder if you could say a little bit about that, sort of juxtaposed with where we are today, where an AI agent is just supposed to be able to do everything for us.
Steve Stasiukonis: Well, it's interesting you say that because I think my big scare with AI, and I've seen it right now at work, using people to do this, to social-engineer them, having a good story and, Becky, learning about those individuals or the place you're going to attack or go into.
It was a lot of work. It's open source. And for years, we'd spend two weeks looking at the building and the people and understanding the profile, learning the leadership. So if you see them in a hallway, you can address them, look them in the eye and get that validation. I'll tell you what's frightening. And I've been talking about this and I could write about it. I actually did like four presentations: So we broke into two major organizations, big financial organizations, and we leveraged the intelligence gathering from AI. And what it was was, there's so much intel in the large language models that have been leaked into those things that we used to have to travel to a city across the country, do reconnaissance, watch for people, make notes. Now we just study it using AI and then we interrogate it, do a little jailbreaking, and it gets us the intelligence we need.
And we just broke into a facility and ... I can't tell you who it is, obviously, but but we showed up, we knew that there was a construction project happening in the front of the building. They were putting a segment of fiber in the street. So we got out of the airplane, we had our uniforms on as the utility company, and then we got into the parking lot of the building as the utility company, and then we shut the construction project down. And the guy from the construction project goes, did we hit anything? I said, not yet.
But we learned about that from AI. And then we learned about the building we had to get into from all the stuff that was leaked. So AI gave us a pile of stuff to understand their environment. And then once we were in the parking lot, the security people approached us. They said, what's going on? We said, "We think they're going to hit a power line. We don't want your building to go dark."
And they said, "What do you need?" And I said, "We'd like to use your bathroom." And at that point, now we have access to the building and there's two of us working. So at some point, you know, two guys go in, one guy comes out, one guy stays in, the other guy hangs out. And, you know, at some point we realized that this was all attainable as a result of just the intelligence we gathered from AI. And like I said, it wasn't the company that hired us. It was everybody else around them. The marketing company, the assessor's office, the people that give the permits out, everybody else around them. And we studied it and learned it and then we knew what to do. Then we're on the inside [and] we plug in and hang out. And I think we ordered food from Uber Eats and I think I gave the receptionist a bag of Chick-fil-A. And at that point, she gave me a card access key to go anywhere. You would be amazed at what people will do for Chick-fil-A.
DR's Becky Bracken: I appreciate that. I would do a lot for it too. But again, so human, so great.
Steve Stasiukonis: Yeah ... it's interesting, you know, once again kindness, becoming, you know, friendly and offering a gift like a bag of chicken, I mean, gets you everything you need. So very interesting.
DR's Kelly Jackson Higgins: I know we talked about this years ago, Steve, but I think about it even more so now, physical security and the dangers of your job seemingly even more complicated by heightened physical security in a lot of organizations. How do you sort of ensure that you and your team are secure in these, like physically secure, when you go in, and with the companies? What are some of the precautions that you take?
Steve Stasiukonis: You know, the companies all understand that we're not there to be, you know, this isn't Mission Impossible. I'm not going to put any of my people in harm's way. I'm not there to discredit or hurt anybody at the company side. But the important thing is we learn from it. And that's what I've always done. And a lot of the times I go on the jobs because frankly, I want to make sure that my people are safe as well. But I will tell you, you know, that is probably one of my biggest concerns is safety. Because I don't want somebody going through something, whether it's going to be traumatic for them, you know, whether it's physical or it's mental. I just don't want it to happen. I tell them, "you know what, at the end of the day, when losers draw, we get paid. Just do as much as you can do to show value." And that's kind of what I stress, you know.
DR's Becky Bracken: Well, Steve, what about the person who got shipped in the container? How was their mental health? Tell me more about that, have to know more.
Steve Stasiukonis: That was interesting. Listen, Becky, he signed up for that, okay? So that was the other thing. So there's no complaining there, okay? Not that he signed a waiver, but you know, we said, "Listen, you're pretty much the only guy that could fit in the box."
So we did it. But yeah, that was an interesting job. I mean, that place was like rock-hard security. They had a lot of guards, they had a lot of cameras, you know, but they were getting a lot of content that was coming in from the Middle East as a result of looking for a certain bad guy. And they were concerned that they were listed in a threat from another defense contractor. So they said, we'd like to see if you could validate our security and see if it's any good.
Here's an example, prior to AI: two weeks onsite watching, learning, you know, going to gyms, bars, restaurants, understanding these people. This place was really hard to get into. And what we did is we posed as a very well-known delivery company that's going to get you something there absolutely overnight. And we decked out a truck, we had the uniforms, we had the computer, we had everything. And what we did is we bought a box that they would receive every day from the military. And then I had a company put life support in it. We put magician's locks on the inside, a digital periscope, and then we put a man in there. And then we delivered him as a delivery shipment that came in from the Middle East. And they welcomed us, they put us right in. And then another delivery guy from the same company showed up. And at that point, we thought we were done. I thought at that point, we're all going to go to jail and hang out for a night. But the delivery guy goes, Hey, he goes, "I heard of you guys," and at that point we're moving a guy right into the building and that was kind of how it happened. So I don't think anybody's ever shifted human malware into a building; that's probably a first for Dark Reading, isn't it?
DR's Becky Bracken: But it's an incredible story and an incredible job you have that you've been doing over all these decades.
Steve Stasiukonis: That was a cool job. I mean, there was like multiple plays. I have to say that was probably my "Ocean's Eleven" moment right there without question.
DR's Kelly Jackson Higgins: I'm picturing a robot for your next one, like a robot hacker.
Steve Stasiukonis: A robot would be nice. It's kind of an expensive purchase ... I saw one of those dogs, $11,000, that's a lot of money for a dog. But....
DR's Kelly Jackson Higgins: So Steve, I know you also do other types of engagements. Like you do ransomware incident response too, right? Can you tell us a little about some of the things you're doing there ... the interesting things you come across there?
Steve Stasiukonis: Early on, you know, Kelly, we did it out of necessity. It wasn't like we had a business plan. Bitcoin came about, you know, a customer calls us up, said they're locked up, and they're like, well, I say, "Why are you calling me?" And they were like, because you're a cyber company. When we started ... there wasn't a lot of cyber business out there. It was slim.
So yeah, so we started dabbling our world in IR (incident response) and it was really interesting. One of the benefits that came out of it as we saw things that the threat actors were doing, [so] we became better pen testers because now we're looking like, wow, that's how they did it. We became better at understanding how an adversary works. And I don't think you can learn anything like that from a school or a conference until you actually see how a bad guy does it. And at that point we said, "Let's just keep doing it." It helps us on both fronts. And we've seen a lot of crazy stuff. I've seen a lot of companies get locked up, you know, and we've paid negotiated ransoms. And early on, I remember having to, you know, tell the customer, "We've got to give these guys like 100 G's ($100,000)." And they're like, "Well, I'll go to the bank." And I was like, "It's not going to work that way."
And we drove, Clary and I, we said, "Listen, we're going to have to go down to New York City." There was an exchange down there we found. A hole in the wall. This is how early this is. This is God's honest truth. Clary goes to me, he goes, "Where is this?" I said, "It's kind of in the Bronx, I think." And he goes, "You're going to drive there yourself?" I was like, "yeah." He goes, "They're gonna kill you. Don't do that." By the way, we have $100,000 in cash in the car. We drove down there. And he goes, "Where is it?"
I told him, it's this address and we drive down there and yeah, there's the address, there's the green door, there's yellow police tape on the door. The whole yellow police tape on the door was probably the most concerning part. He goes, "We gotta go in there with this money and get our exchange done." So we went in there, brought our money, young lady sits us down, counts out the cash and then she picks up all the cash and she just walks out to another room. And he goes, "Where'd she go?" And I said, "She's probably down the street with all of our money."
She came back in, she goes, "Yeah, you're done. Check your wallet. You should be good to go."
And I'll never forget driving back home to Syracuse, stopping off at a Burger King on the thruway, and then using their Wi-Fi to pay the threat actor. And that was our first ransom. So yeah, crazy. What's that? Yeah, I'll never forget it. I was like, wow, if this is going to continue to happen, we got to figure out some better way.
DR's Kelly Jackson Higgins: I am really picturing that right now. I am picturing that right now sitting there with your Whopper Jr.
Steve Stasiukonis: But we've done some other things in exchanging cash for crypto. And frankly, I don't think this is the forum to [discuss] it because I don't want to incriminate myself. And I really mean that. Yeah, I mean, it was a real struggle in the beginning. But like I said, it helped us on both fronts. Learned a lot.
DR's Becky Bracken: Steve, this has been such a cool conversation and reminiscing over one of the coolest columns in Dark Reading's history. Now, I just wanted to ask one more question for my own curiosity. I understand you are also a purveyor of cyber-themed hot sauces. Can you tell us a little bit about that?
Steve Stasiukonis: So yeah, listen, not exactly a side hustle, Becky. So we actually, we have to order stickers now for field systems because we send, we bought, I'd say maybe a fleet of 100, I don't know. But these things are floating around the country. And frankly, I had to order these stickers to put on the field systems, and the sticker vendor actually produces a white-labeled hot sauce.
And I was like, you know what we're gonna try to do? Getting a field system back is like trying to give a six-year-old a bath. It's almost impossible. So I was gonna start putting hot sauce in with the field systems as a reminder to send our box back. I don't think it's working. I don't know. We'll find out.
DR's Becky Bracken: I was going to ask, yeah, what's the response been?
Steve Stasiukonis: I've tried everything. I got a kid over here, he's like calling, it's like dialing for dollars every day, asking "Would you give our computer back?" So it's incredibly difficult. Any other pen test company that deals with field systems knows the misery.
DR's Becky Bracken: Thank you again so much for taking the time to be with us today and for being such a big part of Dark Reading's now 20-year history. We appreciate it so much.
Steve Stasiukonis: Anything. Anything for Kelly Jackson Higgins, obviously.
DR's Becky Bracken: Kelly, we'll give you the last word here.
DR's Kelly Jackson Higgins: Gosh, I'm so glad that Tim Wilson met you all those years ago because just the information and insights you brought us over the years were amazing and it was just really fun to watch the evolution of the industry through your eyes also. So thank you so much for joining us today, Steve. It was great to talk to you.
Steve Stasiukonis: Anytime, hopefully in 20 more years, I'll be 80. So probably won't be me talking to you, but I think we got a lot to see what's going to happen with AI hitting the streets here. So it'll be very interesting. So actually, I had a question for you guys with AI coming, what's going to happen to the world of cyber? What's your thoughts?
DR's Kelly Jackson Higgins: Hahaha. You want to take that, Becky? We don't have the answers, do we? We're still questioning that every day.
DR's Becky Bracken: I think there's a lot of good ideas out there. I mean, it's early days. That's kind of the exciting part, right?
Steve Stasiukonis: I don't know, I'm really worried. I mean, the stuff Mythos did and what I've read about and what I've seen it can do, and threat actors are using dark AI. I think there's a lot of work that we're gonna have to do at our end. And I think Dark Reading is gonna have to publish a lot of stuff to keep a lot of people safe. That's what I think.
DR's Becky Bracken: I was going to say the cyber sector has never shied away from reinventing itself when necessary, and Dark Reading will definitely be there every step of the way.
Steve Stasiukonis: Hopefully I'll be around to have another conversation with you guys, alright? Sounds good.
DR's Becky Bracken: All right, well, it's a date. Kelly Jackson Higgins, Steve Stasiukonis, thank you so much. This has been Dark Reading Confidential. It's a podcast from the editors of Dark Reading, bringing you real-world stories straight from the cyber trenches. We will see you next time. Thanks for joining.
About the Author
Dark Reading Editorial Team
The Dark Reading Editorial Team consists of Kelly Jackson Higgins, Fahmida Y Rashid, Tara Seals, Rob Wright, Becky Bracken, Alex Culafi, Arielle Waldman, and Kristina Beek. Among us, we have over 99 years of experience covering cybersecurity. That's pretty striking considering the industry hasn't even been around that long.