
Gozi banking malware “IT chief” finally jailed after more than 10 years

Gozi threesome from way back in the late 2000s and early 2010s now all charged, convicted and sentenced. The DOJ got there in the end...

Yesterday, we wrote about cybercrime charges that were finally unsealed for a massive cryptocurrency heist that was allegedly conducted over a three-year period starting back in 2011.

Today’s long-term cybercrime justice story concerns the last member of the so-called Gozi Troika, three men who were originally charged in January 2013 for malware-related crimes that apparently kicked off way back in the late 2000s:

https://nakedsecurity.sophos.com/2013/01/24/bank-raiding-malware-crimes-three-men-charged-in-new-york/

Those charges were publicised at that time under a dramatic US Department of Justice (DOJ) headline:

Three Alleged International Cyber Criminals Responsible For Creating And Distributing Virus That Infected Over One Million Computers And Caused Tens Of Millions Of Dollars In Losses Charged In Manhattan Federal Court

The three criminals on the charge sheet (back then, they were only suspects, but all three have subsequently been convicted in court) were:

  • Mihai Ionut Paunescu of Romania, then 28. He ran what are known as “bulletproof hosts” for the enterprise, providing servers for the gang that were supposed to keep ahead of any disruption efforts by law enforcement or mainstream ISPs. So-called bulletproofers shift their services around online to sidestep takedown attempts, blocklisting, and other crime-fighting measures.
  • Deniss Čalovskis of Latvia, then 27. He was the Gozi group’s web expert, coding up bogus HTML content that the malware could inject into legitimate web pages in order to trick victims and steal their account information.
  • Nikita Kuzmin of Russia, then 25. He was effectively the COO, hiring coders to work on the Gozi malware, and running what is now known as a Crimeware-as-a-Service (CaaS) business based around it.

A long and winding road

The arrests and convictions of this trio make a fascinating and twisty tale.

Kuzmin was the first to get busted, back in 2013.

He spent 37 months in custody in the US as his court case progressed, before pleading guilty in 2016, receiving a three-year prison sentence, and paying a “fine” of close to $7,000,000, presumably clawed back from his illegal earnings.

At the time, the DOJ used his case as an explainer for the whole CaaS “franchise model” that cybercriminals started adopting from the late 2000s onwards:

In addition to creating Gozi, Kuzmin developed an innovative means of distributing and profiting from it. Unlike many cybercriminals at the time, who profited from malware solely by using it to steal money, Kuzmin rented out Gozi to other criminals, pioneering the model of cybercriminals as service providers for other criminals. For a fee of $500 a week paid in WebMoney, a digital currency widely used by cybercriminals, Kuzmin rented the Gozi “executable”, the file that could be used to infect victims with Gozi malware, to other criminals.

Kuzmin designed Gozi to work with customized “web injects” created by other criminals that could be used to enable the malware to target information from specific banks; for example, criminals who sought to target customers of particular American banks could purchase web injects that caused the malware to search for and steal information associated with those banks. Once Kuzmin’s customers succeeded in infecting victims’ computers with Gozi, the malware caused victims’ bank account information to be sent to a server that Kuzmin controlled where, as long as the criminals had paid their weekly rental fee, Kuzmin gave them access to it.

Next to face a US court was the “web inject” expert Čalovskis, who was arrested in his native Latvia but successfully resisted extradition for two years, arguing that the maximum sentence he faced in the US, openly listed by the DOJ as a whopping 67 years, was unreasonable by Latvian standards:

https://nakedsecurity.sophos.com/2013/08/05/latvia-blocking-extradition-of-gozi-writer-thanks-to-disproportionate-us-sentencing/

But the US and Latvian authorities seem to have reached a middle ground whereby Čalovskis would face a mutually acceptable sentence, supposedly of no more than two years, after which he was sent to face trial:

https://nakedsecurity.sophos.com/2015/09/08/gozi-banking-trojan-co-author-pleads-guilty/

Čalovskis then pleaded guilty, admitted on the record that “I knew what I was doing was against the law”, and received a 21-month sentence, equivalent to the time he’d already been incarcerated in Latvia and the US.

Unfree at last

The longest holdout from justice was Paunescu, who remained free for eight years until he was picked up in June 2021 at Bogotá International Airport in Colombia:

https://nakedsecurity.sophos.com/2021/06/30/colombian-police-arrest-gozi-malware-suspect-after-8-years-at-large/

The Colombians, it seems, then contacted the US diplomatic corps, assuming that the US still considered Paunescu a “person of interest”, and asking whether the US wanted to apply to extradite him from Colombia to stand trial in America.

As you can imagine, the answer from the US was, “Most definitely yes,” and Paunescu ultimately arrived in the US to face the music in July 2022:

https://nakedsecurity.sophos.com/2022/07/20/last-member-of-gozi-malware-troika-arrives-in-us-for-criminal-trial/

Paunescu pleaded guilty in February 2023, and was finally sentenced in a Manhattan federal courtroom yesterday [2023-06-12], well over a decade after his criminal activity and his original indictment:

[Paunescu, also known by the handle] “Virus”, was sentenced to three years in prison today […] for conspiracy to commit computer intrusion in connection with running a “bulletproof hosting” service that enabled cybercriminals to distribute the Gozi Virus, the Zeus Trojan, the SpyEye Trojan, and the BlackEnergy malware, all of which were designed to steal confidential financial information.

Paunescu also enabled other cybercrimes, such as initiating and executing distributed denial of service (DDoS) attacks and transmitting spam.

He’ll be given credit for the 14 months he’s already spent in custody awaiting extradition and trial, so he’s got just under two years still to serve.

He also has to hand over $3,510,000, and pay restitution to the tune of almost $20,000.

It took a long time, but the FBI and the DOJ got all three suspects in the end…


LEARN MORE: BANKING TROJANS AND OTHER MALWARE TYPES

https://nakedsecurity.sophos.com/2019/12/28/7-types-of-virus-a-short-glossary-of-contemporary-cyberbadness/

3 Comments

Well, it’s great that they finally got these people, and put them through the courts and punished them, but the sentences are totally underwhelming! And fining them with money known to have been stolen is ridiculous – that money should have been confiscated and used to pay back the victims. I dare say these criminals are already planning and setting up their next scheme.


Technically, I don’t think they were fines (in the sense that the money you have to pay if you are caught speeding is a fine), which is why I wrote “fine” in quotes… I am not sure what the precise legal word is, but I mean a penalty that’s more like what I think is called a confiscation order in Britain.

In England-and-Wales, which share a common legal system, I think crooks can be given sentences such as “X years in prison and pay back £Y by date Z”, and if the money isn’t forthcoming in time, then N years are added on.

Yes, here it is: https://www.cps.gov.uk/legal-guidance/proceeds-crime

“The court must […] set a default sentence to be served in the event that the defendant does not satisfy the confiscation order within the time allowed for payment. The maximum term that may be set as a default sentence is dependent on the amount ordered to be paid under the confiscation order:
£10,000 or less: 6 months
More than £10,000 but no more than £500,000: 5 years
More than £500,000 but no more than £1 million: 7 years
More than £1 million: 14 years”


Agreed, too many of these scum walk out of jail still wealthy with other people’s money. Maybe another 20 years of jail, or required to live in poverty the rest of their lives. Or other solutions that may sound harsh to people who didn’t lose their life’s savings to these scum.

