Skip to content
Naked Security Naked Security

Gozi banking Trojan co-author pleads guilty

Latvian Deniss Calovskis may face as little as 2 years in jail for his role in developing the Gozi banking Trojan that infected over a million computers around the world.

A Latvian programmer pleaded guilty on Friday, 4 September 2015, to writing malware that infected more than a million computers around the world, leading to tens of millions of dollars in losses.

Standing before a Manhattan federal court, Deniss Calovskis, 30, admitted conspiring to commit computer intrusion.

His plea marks the beginning of the end of a story that may have started as far back as 2005.

His arrest and prosecution involved the efforts of numerous agencies from around the world, including:

  • The US Federal Bureau of Investigation (FBI).
  • The Latvian State Police.
  • The Romanian Directorate for Combating Organized Crime.
  • The Romanian Directorate for Investigating Organized Crime and Terrorism.

According to an indictment filed in 2013 by the US Department of Justice, Calovskis is one of three men accused of conspiring to “steal personal information that was used to access bank and other accounts online… using malicious computer code, or malware, known as the “Gozi Virus”.

Following the indictment, Calovskis at first avoided extradition to the US due to the Latvian government’s concerns over the length of the sentence he could face if found guilty.

Latvia’s foreign minister noted at the time that a potential 67 years behind bars was “disproportionate” to the crime he had been accused of.

Nevertheless, he remained in a Latvian cell for 10 months after his initial November 2012 arrest, before eventually being extradited in February this year.

The reason why Latvian authorities eventually handed him over appears to surround a plea agreement in which Calovskis agreed not to submit an appeal should he be sentenced to two years or less of imprisonment – a hint as to what may happen on 14 December 2015 at his sentencing hearing.

As for whether he would be given credit for time already served in Latvia, Calovskis’ lawyer, David Bertan, said the question remained an “open” one.

Calovskis, who went by the online handle of “Miami,” admitted being hired to write the Gozi Trojan which hit computers in the US – including 190 machines associated with NASA – as well as the UK, Germany, France, Finland, Italy, Poland and Turkey.

Speaking about the code he developed – which altered the appearance of banks’ websites, thus tricking victims into giving up personal information – Calovskis told the judge:

I knew what I was doing was against the law.

US attorney Preet Bharara said the case was a “wake-up call to banks and consumers” who need to know that the threat of cybercrime is not going away.

In addition to Calovskis, Russian national Nikita Kuzmin and Romanian citizen Mihai Ionut Paunescu also stand accused of being behind the Gozi Trojan.

According to prosecutors, Kuzmin was the mastermind of the operation, having conceived the idea in 2005.

Accused of renting Gozi out to other cyber criminals intent on stealing from banks, he was arrested in 2010. He secretly submitted a guilty plea in May 2011 as part of a deal with federal prosecutors.

Paunescu, who is alleged to have provided the secure hosting facilities required by the operation, was arrested in Romania in 2012. According to a spokesman for Bharara, his extradition remains pending.

Despite the detention of the major players behind the now ageing Gozi, the threat remains.


  • Make sure you have an anti-virus program installed and active, and that you keep it up to date.
  • Apply security patches promptly for your operating system and your applications.
  • Consider using two-factor authentication if your bank supports it.
  • Check your statements regularly. If you notice something strange, contact your bank immediately.
  • Beware of “fraud investigators” who give you a number to call back, or tell you to visit a special website. Independently verify the contact details by looking at your statements, or by searching directly on your bank’s website.
  • Consider bookmarking your bank’s site so you don’t need to type it in every time. That helps avoid typosquatting, where crooks register easily-entered misspellings of a domain name.
  • Never share your PINs with anyone. Keep them secret. Not even the police or the bank should ever request a PIN, so be on guard for anyone claiming to have an official reason for asking.
  • Don’t click on banking-related links in emails. You could end up at a phishing site – a fake login page set up by crooks.
  • Avoid opening unsolicited or unexpected email attachments, as they may be booby-trapped to try to implant malware on your computer.

💡 Learn more: 8 tips for safer online banking ►

💡 Learn more: How phishing works ►

💡 Learn more: Booby-trapped attachments ►

Image of binary Trojan horse courtesy of

1 Comment

Leave a Reply

Your email address will not be published. Required fields are marked *

Subscribe to get the latest updates in your inbox.
Which categories are you interested in?
You’re now subscribed!