The USB Drop That Changed Pen Testing: Steve Stasiukonis's Credit Union Experiment, Revisited

Twenty years ago, a handful of booby-trapped thumb drives in a parking lot became one of the most-cited social-engineering case studies in security history. Here's what actually happened.

ThreatVectr Newsdesk· 3 min read
Close-up overhead view of several plain black USB thumb drives scattered across weathered asphalt in a parking lot, shallow depth of field, natural overcast day
Share

Key points

  • Pen tester Steve Stasiukonis conducted a USB drop attack against an unnamed credit union approximately two decades ago.
  • Stasiukonis seeded rigged thumb drives across the credit union's parking lot, then monitored which employees plugged them in.
  • The engagement produced measurable, documented results that circulated widely across the security community.
  • Dark Reading recently revisited the test in episode 18 of its Dark Reading Confidential podcast.

A parking lot. A handful of thumb drives. A pen tester watching from a distance.

That was the entire apparatus of what became arguably the most-repeated anecdote in social-engineering history. Steve Stasiukonis, a penetration tester, scattered USB drives loaded with tracking payloads across a credit union's parking lot. Curious employees found them. Some plugged them in. The results were not flattering to the institution.

The test required no phishing kit, no zero-day, no elaborate pretext. It exploited something far simpler: the human instinct to pick up something that looks useful and see what's on it.

What does this tell defenders about physical attack surfaces today?

The honest answer is: everything the test revealed still applies.

USB-based attacks have grown more sophisticated since Stasiukonis ran his engagement — O.MG cables, firmware-injecting devices, and HID-spoofing hardware have expanded the threat surface considerably — but the core vulnerability is unchanged. People pick things up. People plug things in. Endpoint controls that block unauthorized removable media remain one of the few technical countermeasures that actually address the problem at its root, and adoption remains inconsistent even inside regulated industries like financial services.

The credit union sector falls under National Credit Union Administration oversight in the United States, with data-security obligations that have tightened substantially since the early 2000s. Whether the specific institution Stasiukonis tested ever filed a breach notification is not part of the public record; the engagement predates most modern notification frameworks.

What entered the public record was the methodology itself. The test circulated through security conference talks and trade coverage, eventually hardening into standard red-team doctrine. Drop attacks now appear explicitly in frameworks like MITRE ATT&CK under initial-access techniques.

For defenders revisiting this history, the checklist is short but non-negotiable: disable AutoRun and AutoPlay at the group-policy level, enforce application allowlisting so unknown executables cannot run from removable media, and include USB-drop scenarios in employee awareness training — not as a gotcha exercise, but as a demonstration of exactly how little friction an attacker needs.

Statistics on USB-drop success rates vary by study, but reported plug-in rates in controlled experiments have ranged from 45 percent to nearly 98 percent depending on context and drive placement. Neither end of that range is acceptable.

© 2026 Threat Vectr