Gibraltar: Thursday, 14 May 2026 – 11:30 CET
In Collaboration with: R3DataRecovery.com
EXCLUSIVE: The Free USB Scam: Twenty Years After “Passwords for Chocolate”, Have We Learned Nothing?
Back in 2004, one of the most talked-about social engineering stories in the UK emerged from London’s Liverpool Street station. In an Infosec Europe survey that became notorious in cybersecurity circles, passers-by were reportedly offered a bar of chocolate in exchange for their work password. An astonishing 71% were said to be willing to hand it over.
More than twenty years on, that story still resonates — not because it was funny, but because it revealed something uncomfortable and enduring about human behaviour. Faced with something small, tempting and seemingly harmless, many people will still make poor security decisions.
And that, it seems, has not changed.
The old story came back into focus during a recent debrief with threat hunter and ethical hacker @Anilluminatus, who described an ongoing investigation into the dark-web sale of wholesale, pre-loaded USB flash drives allegedly designed for physical drop attacks. These are not random devices. They are reportedly sold as ready-made attack kits, complete with payloads, promotional material, deployment statistics and even estimated return on investment.
The bait is simple. Someone finds a shiny new USB flash drive, still in its plastic packaging, looking for all the world like it has just been dropped by accident. The natural impulse is to pick it up and plug it in. Perhaps to identify the owner. Perhaps to inspect its contents. Perhaps simply out of curiosity.
That single moment of curiosity may be all an attacker needs.
According to material described in the investigation, the devices are being sold in batches of 10 at around $60 each. More worryingly, the vendor reportedly claims an “open rate” of 81%. If that figure is accurate, it would exceed the participation rate in the old password-for-chocolate survey — a grimly ironic sign that social engineering may be getting more effective, not less.
A straw poll across professional and personal networks produces a similar concern. Ask people what they would do if they found a sealed USB drive on the ground and many instinctively say they would plug it into a device to see what was on it. Ask the same question about children or teenagers at home and the answer becomes even more unsettling. In an age of hybrid work, shared devices and home-office overlap, that risk no longer sits neatly outside the business perimeter.
This is what makes USB baiting so effective. It does not rely on advanced technical trickery at the point of contact. It relies on trust, curiosity and the mistaken belief that a physical object is less threatening than a suspicious email. For many users, cyber risk still feels digital-only. A flash drive found in a station, car park or office reception does not trigger the same defensive instincts as a phishing link.
For SMEs, that gap can be especially dangerous. Many smaller organisations lack strict device control policies, advanced endpoint protection, or the internal security maturity to spot and contain USB-borne compromise quickly. A single unknown device inserted into a company laptop could be enough to trigger malware execution, credential theft, remote access installation or the early stages of ransomware deployment.
The lesson here is not simply that users need more training. It is that awareness alone is not enough. Attackers understand human behaviour exceptionally well, and they are packaging their tactics accordingly. A sealed flash drive looks safe. A “lost” item feels harmless. A moment of curiosity feels trivial. None of those assumptions hold up under attack.
SMEs should treat unknown USB devices as they would any unsolicited attachment or suspicious link: untrusted by default. Where possible, organisations should block or restrict USB mass storage on managed endpoints by policy rather than by instruction alone, ensure endpoint tools log and alert on removable-media events so that an unsanctioned device is noticed when it is plugged in rather than after the fact, and give staff a simple, memorable rule: if you find a device, do not plug it in; report it.
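As an added example of the kind of removable-media check the paragraph above calls for (this is illustrative code written for this page, not code from the article, the investigation it describes, or any vendor product), the script below parses Linux kernel log lines of the sort `dmesg` or `journalctl -k` emit when a USB device enumerates, and applies two policy checks: a mass-storage device whose idVendor:idProduct pair is not on a company allow-list, and a device that presents both a storage interface and a keyboard interface, which is the shape of a keystroke-injection stick rather than a plain flash drive. The log lines, the allow-list and the vendor/product IDs are all constructed for the example; the article does not describe how the kits it mentions deliver their payloads, so the second check is a general-purpose heuristic, not a claim about those devices.

```python
"""Flag suspicious USB attachments from Linux kernel log lines.

Added example for this page; not the article's own code. Line formats
follow the Linux usb core, usb-storage and hid-generic log messages.
The sample log, the allow-list and all vendor/product IDs are constructed.
"""
import re
from dataclasses import dataclass, field

# Hypothetical allow-list of company-issued drives as "idVendor:idProduct" (hex).
ALLOWED_STORAGE = {"0781:5583"}

# Constructed sample log: a sanctioned drive on port 1-1, an unlisted drive on
# port 1-2 that also registers as a keyboard, and a mouse on port 1-3.
SAMPLE_LOG = """\
[ 1001.100] usb 1-1: new high-speed USB device number 4 using xhci_hcd
[ 1001.200] usb 1-1: New USB device found, idVendor=0781, idProduct=5583, bcdDevice= 1.00
[ 1001.300] usb-storage 1-1:1.0: USB Mass Storage device detected
[ 1050.100] usb 1-2: new high-speed USB device number 5 using xhci_hcd
[ 1050.200] usb 1-2: New USB device found, idVendor=1b1c, idProduct=0c1e, bcdDevice= 2.00
[ 1050.300] usb-storage 1-2:1.0: USB Mass Storage device detected
[ 1050.400] hid-generic 0003:1B1C:0C1E.0002: input,hidraw1: USB HID v1.11 Keyboard [USB Disk] on usb-0000:00:14.0-2/input1
[ 1090.100] usb 1-3: new low-speed USB device number 6 using xhci_hcd
[ 1090.200] usb 1-3: New USB device found, idVendor=046d, idProduct=c077, bcdDevice=72.00
[ 1090.300] hid-generic 0003:046D:C077.0003: input,hidraw2: USB HID v1.11 Mouse [USB Optical Mouse] on usb-0000:00:14.0-3/input0
"""

# "usb <port>: New USB device found, idVendor=xxxx, idProduct=xxxx"
RE_NEW = re.compile(
    r"usb (\S+): New USB device found, idVendor=([0-9a-fA-F]{4}), idProduct=([0-9a-fA-F]{4})")
# "usb-storage <port>:<config>.<interface>: USB Mass Storage device detected"
RE_STORAGE = re.compile(r"usb-storage (\S+?):\d+\.\d+: USB Mass Storage device detected")
# "hid-generic 0003:VVVV:PPPP.NNNN: <names>: USB HID vX.Y <Keyboard|Mouse|Device> [...]"
RE_HID = re.compile(
    r"hid-generic 0003:([0-9A-Fa-f]{4}):([0-9A-Fa-f]{4})\.[0-9A-Fa-f]+: \S+ USB HID v[0-9.]+ (\w+)")


@dataclass
class UsbDevice:
    vid_pid: str                      # lower-case "vvvv:pppp"
    ports: set = field(default_factory=set)
    mass_storage: bool = False
    hid_types: set = field(default_factory=set)   # e.g. {"Keyboard"}


def parse_usb_events(log_text):
    """Group enumeration, storage and HID messages by vendor:product ID.

    Storage lines only carry the port, so ports seen in 'New USB device found'
    lines are mapped back to the ID. Devices sharing an ID are merged, which is
    acceptable for an alerting heuristic.
    """
    devices = {}
    port_to_id = {}
    for line in log_text.splitlines():
        m = RE_NEW.search(line)
        if m:
            port, vid, pid = m.groups()
            key = f"{vid}:{pid}".lower()
            port_to_id[port] = key
            devices.setdefault(key, UsbDevice(key)).ports.add(port)
            continue
        m = RE_STORAGE.search(line)
        if m:
            key = port_to_id.get(m.group(1))
            if key is not None:
                devices[key].mass_storage = True
            continue
        m = RE_HID.search(line)
        if m:
            vid, pid, kind = m.groups()
            key = f"{vid}:{pid}".lower()
            devices.setdefault(key, UsbDevice(key)).hid_types.add(kind)
    return devices


def evaluate(devices, allowed=ALLOWED_STORAGE):
    """Return (vid_pid, reason) findings for devices that violate the policy."""
    findings = []
    for key, dev in sorted(devices.items()):
        if dev.mass_storage and key not in allowed:
            findings.append((key, "mass-storage device not on the allow-list"))
        if dev.mass_storage and "Keyboard" in dev.hid_types:
            findings.append((key, "storage device also registers as a keyboard"))
    return findings


if __name__ == "__main__":
    for vid_pid, reason in evaluate(parse_usb_events(SAMPLE_LOG)):
        print(f"ALERT {vid_pid}: {reason}")
```

On a real endpoint the same functions would be fed `journalctl -k -o cat` output or an udev hook rather than the embedded sample, and the alert would go to whatever the organisation already uses for endpoint events. The allow-list check is what a mass-storage restriction enforces in practice; the keyboard check catches the case a storage-only block misses, because a stick that types commands never needs the storage interface to be mounted.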
The technology has changed since 2004, but the core problem remains remarkably familiar. Back then, it was passwords for chocolate. Today, it may be malware by USB. Either way, the underlying attack strategy is the same: exploit low-friction human decisions for high-value gain.
After twenty years of cybersecurity awareness campaigns, that should give all of us pause.
