Last member of Gozi malware troika arrives in US for criminal trial

As the English translation of the Baroque-era German rendering of the Ancient Greek philosophical saying goes:

Though the mills of God grind slowly, yet they grind exceeding small/Though with patience he stands waiting, with exactness grinds he all.

Today, this saying is usually applied in respect of the judicial process, noting that although justice sometimes doesn’t get done quickly, it may nevertheless get done, and done meticulously, in the end.

That’s certainly the case for a troika of cybercriminals alleged to have been behind the infamous Gozi “banking Trojan” malware, which first appeared in the late 2000s.

The jargon term banking Trojan refers to malicious software that is specifically programmed to recognise, monitor and manipulate your interactions with online banking sites, with the ultimate aim of ripping off your account and stealing your funds.

Typical banking Trojan tricks include: logging your keystrokes to uncover passwords and other secret data as you type it in; scanning local files and databases hunting for private data such as account numbers, account history, passwords and PINs; and manipulating web data right inside your browser to skim off secret information even as you access genuine banking sites.

Way back in 2013, three men from Europe were formally charged with Gozi-related cybercrimes in a US federal court in New York:

• NIKITA KUZMIN, then 25, from Moscow, Russia.
• DENNIS ČALOVSKIS, then 27, from Riga, Latvia.
• MIHAI IONUT PAUNESCU, then 28, from Bucharest, Romania.

The three mouseketeers

Kuzmin, as we explained at the time, was effectively the COO of the group, hiring coders to create malware for the gang, and managing a bunch of cybercrime affiliates to deploy the malware and fleece victims – an operating model known as crimeware-as-a-service that is now used almost universally by ransomware gangs.

Čalovskis was a senior programmer, reponsible for creating the fake web content that could be injected into victims’ browsers as they surfed the internet in order to trick them into revealing secret data to the crimeware gang instead of to their bank or financial insititution.

And Paunescu was, in effect, the CIO; the IT chieftain who operated a series of what are known in the jargon as bulletproof hosts, a slew of servers and other IT infrastructure carefully hidden away from identification and takedown by law enforcement (or, for that matter, by rival cybercrooks).

Čalovskis was soon arrested in Latvia, but wasn’t immediately deported to the US to stand trial because the Latvian authorities agreed with his legal team that he might face 67 years in prison, which it deemed unreasonably severe. (The US routinely lists maximum penalties in its press releases, even though such long sentences are rarely handed out.)

Ultimately, the two countries and the accused seem to have reached an agreement whereby Čalovskis would receive a prison sentence of at most two years, in return for pleading guilty and waiving the right to appeal.

He was sent to the US, locked up while his legal case ground its way through the courts, and ultimately sentenced to “time served” of 21 months and then kicked out of the US.

Time served means that the judge treats the time spent in custody awaiting trial as sufficient punishment for the crime itself, so that the guilty party is essentially deemed to have completed their official imprisonment at the conclusion of the trial.

Kumin, too, ended up convicted-but-immediately-set-free-for-deportation in 2016, after just over three years locked up in the US while on trial.

But Paunsescu, it seems, was spared extradition by a Romanian court, and remained free until late last year, when he travelled to Colombia and was arrested at Bogotá International Airport by the Colombian authorities.

The Colombians, it seems, then contacted the US diplomatic corps, assuming that the US still considered Paunescu a “person of interest”, and asking whether the US wanted to apply to extradite him from Colombia to stand trial in America.

The US, as you can imagine, was indeed interested in doing just that.

Suspect number 3 touches down in the US

Finally, more than nine years after we wrote about that first indictment in New York, Paunescu has reached the US.

As spokesperson Damian Williams explained in the US Department of Justice’s press release about Paunsecu’s inauspicious arrival in America::

Mihai Ionut Paunescu is alleged to have run a “bulletproof hosting” service that enabled cybercriminals throughout the world to spread the Gozi virus and other malware and to commit numerous other cybercrimes. His hosting service was specifically designed to allow cybercriminals to remain hidden and anonymous from law enforcement. Even though he was initially arrested in 2012, Paunescu will finally be held accountable inside a US courtroom. This case demonstrates that we will work with our law enforcement partners here and abroad to pursue cybercriminals who target Americans, no matter how long it takes.

As the DoJ notes, Paunescu’s criminal nickname (the handle he was known by in the cyberunderworld ) was Virus.

As well as disseminating the Gozi malware, the DoJ also alleges that “the Virus” also distributed other data-stealing malware, including the notorious Zeus and SpyEye strains.

Paunescu faces one charge of conspiracy to commit computer intrusion (10 year maximum sentence), one charge of conspiracy to commit bank fraud (to to 30 years); and one charge of conspiracy to commit wire fraud (up to 20 years).

Although his fellow conspirators are already out of US prison, Paunescu’s stay there is only just starting.

---

---