Gozi banking malware “IT chief” finally jailed after more than 10 years

Yesterday, we wrote about cybercrime charges that were finally unsealed for a massive cryptocurrency heist that was allegedly conducted over a three-year period starting back in 2011.

Today’s long-term cybercrime justice story concerns the last member of the so-called Gozi Troika, three men who were originally charged in January 2013 for malware-related crimes that apparently kicked off way back in the late 2000s:

Those charges were publicised at that time under a dramatic US Department of Justice (DOJ) headline:

Three Alleged International Cyber Criminals Responsible For Creating And Distributing Virus That Infected Over One Million Computers And Caused Tens Of Millions Of Dollars In Losses Charged In Manhattan Federal Court

The three criminals on the charge sheet (back then, they were only suspects, but all three have subsequently been convicted in court) were:

  • Mihai Ionut Paunescu of Romania, then 28. He ran what are known as “bulletproof hosts” for the enterprise, providing servers for the gang that were supposed to keep ahead of any disruption efforts by law enforcement or mainstream ISPs. So-called bulletproofers shift their services around online to sidestep takedown attempts, blocklisting, and other crime-fighting measures.
  • Deniss Čalovskis of Latvia, then 27. He was the Gozi group’s web expert, coding up bogus HTML content that the malware could inject into legitimate web pages in order to trick victims and steal their account information.
  • Nikita Kuzmin of Russia, then 25. He was effectively the COO, hiring coders to work on the Gozi malware, and running what is now known as a Crimeware-as-a-Service (CaaS) business based around it.

A long and winding road

The arrests and convictions of this trio make a fascinating and twisty tale.

Kuzmin was the first to get busted, back in 2013.

He spent 37 months in custody in the US as his court case progressed, before pleading guilty in 2016, receiving a three-year prison sentence, and paying a “fine” of close to $7,000,000, presumably clawed back from his illegal earnings.

At the time, the DOJ used his case as an explainer for the whole CaaS “franchise model” that cybercriminals started adopting from the late 2000s onwards:

In addition to creating Gozi, Kuzmin developed an innovative means of distributing and profiting from it. Unlike many cybercriminals at the time, who profited from malware solely by using it to steal money, Kuzmin rented out Gozi to other criminals, pioneering the model of cybercriminals as service providers for other criminals. For a fee of $500 a week paid in WebMoney, a digital currency widely used by cybercriminals, Kuzmin rented the Gozi “executable”, the file that could be used to infect victims with Gozi malware, to other criminals.

Kuzmin designed Gozi to work with customized “web injects” created by other criminals that could be used to enable the malware to target information from specific banks; for example, criminals who sought to target customers of particular American banks could purchase web injects that caused the malware to search for and steal information associated with those banks. Once Kuzmin’s customers succeeded in infecting victims’ computers with Gozi, the malware caused victims’ bank account information to be sent to a server that Kuzmin controlled where, as long as the criminals had paid their weekly rental fee, Kuzmin gave them access to it.

Next to face a US court was the “web inject” expert Čalovskis, who was arrested in his native Latvia but successfully resisted extradition for two years, arguing that the maximum sentence he faced in the US, openly listed by the DOJ as a whopping 67 years, was unreasonable by Latvian standards:

But the US and Latvian authorities seem to have reached a middle ground whereby Čalovskis would face a mutually acceptable sentence, supposedly of no more than two years, after which he was sent to face trial:

Čalovskis then pleaded guilty, admitted on the record that “I knew what I was doing was against the law”, and received a 21-month sentence, equivalent to the time he’d already been incarcerated in Latvia and the US.

Unfree at last

The longest holdout from justice was Paunescu, who remained free for eight years until he was picked up in June 2021 at Bogotá International Airport in Colombia:

The Colombians, it seems, then contacted the US diplomatic corps, assuming that the US still considered Paunescu a “person of interest”, and asking whether the US wanted to apply to extradite him from Colombia to stand trial in America.

As you can imagine, the answer from the US was, “Most definitely yes,” and Paunescu ultimately arrived in the US to face the music in July 2022:

Paunescu pleaded guilty in February 2023, and was finally sentenced in a Manhattan federal courtroom yesterday [2023-06-12], well over a decade after his criminal activity and his original indictment:

[Paunescu, also known by the handle] “Virus”, was sentenced to three years in prison today […] for conspiracy to commit computer intrusion in connection with running a “bulletproof hosting” service that enabled cybercriminals to distribute the Gozi Virus, the Zeus Trojan, the SpyEye Trojan, and the BlackEnergy malware, all of which were designed to steal confidential financial information.

Paunescu also enabled other cybercrimes, such as initiating and executing distributed denial of service (DDoS) attacks and transmitting spam.

He’ll be given credit for the 14 months he’s already spent in custody awaiting extradition and trial, so he’s got just under two years still to serve.

He also has to hand over $3,510,000, and pay restitution to the tune of almost $20,000.

It took a long time, but the FBI and the DOJ got all three suspects in the end…


LEARN MORE: BANKING TROJANS AND OTHER MALWARE TYPES


go top