Suspected Gozi malware gang ‘CIO’ extradited to US on fraud, hacking charges

A man suspected of providing the IT infrastructure behind the Gozi banking trojan has been extradited to the US to face a string of computer fraud charges.

Mihai Ionut Paunescu, 37, allegedly known as “Virus,” is a dual Romanian and Latvian national. The Feds claim he’s one of the creators of Gozi, which apparently infected more than one million computers worldwide — at least 40,000 of which were in the US and some belonged to NASA — and caused “tens of millions of dollars in losses” to individuals, businesses, and government agencies.

In addition to compromising US computers, the Windows software nasty is said to have infected PCs in Germany, Great Britain, Poland, France, Finland, Italy, Turkey, and other countries. Once on a system, the code can log the victim’s keypresses and inspect the computer’s HTTPS web traffic to steal login credentials, all seemingly to obtain access to the user’s online bank accounts. Its masters used this information to fleece their victims.

According to court documents [PDF], Paunescu allegedly ran a “bulletproof hosting” service using computers in Romania, America, and other locations to help cybercriminals distribute Gozi and other malware including the Zeus Trojan and SpyEye Trojan. For one thing, Gozi was spotted being spread by booby-trapped webpages that would download and run the trojan’s executable when a mark was lured to the site.

Paunescu’s IT infrastructure was also used to launch distributed denial-of-service (DDoS) attacks and to send email spam campaigns, it is claimed.

These cybercrimes started in 2011, according to prosecutors. Paunescu was arrested in Romania in December 2012 at the behest of Uncle Sam. The following year, he and two other European men, Nikita Kuzmin and Deniss Calovskis, were charged by US prosecutors with creating and distributing malware. Kuzmin and Calovskis were taken to the States, pleaded guilty before a Manhattan judge, and were sentenced to time served.

Paunescu, however, was out on bail in Romania, and remained at large until last year, when he was collared in Colombia. He was extradited this week to the United States, according to prosecutors.

Security firm Sophos described Paunescu as the alleged CIO of the malware gang. According to his indictment he operated so-called bulletproof server hosts: machines supposedly out of reach, or nearly out of reach, of the long arm of the law, which are attractive to miscreants spreading malware and committing other crimes.

Paunescu allegedly rented the networking equipment for his hosting service from legitimate providers. He then rented the infrastructure to criminals, who used the servers to conduct DDoS attacks and deploy banking trojans such as Gozi, it is claimed.

We’re told Paunescu also monitored the IP addresses that he controlled to determine if they appeared on lists of suspicious addresses, and, as needed, relocated his customers’ data and systems to other networks, IP addresses, and countries to avoid being blocked as a result of private security firms or law enforcement scrutiny.

Paunescu, of Bucharest, is charged with one count of conspiracy to commit computer intrusion, which carries a maximum penalty of 10 years in prison; one count of conspiracy to commit bank fraud, which carries a maximum penalty of 30 years; and one count of conspiracy to commit wire fraud, which carries a maximum penalty of 20 years. ®