Colombia police collar suspected Gozi Trojan distributor

The alleged hacker is wanted in the United States.

Law enforcement in Colombia has arrested an alleged cybercriminal who apparently acted as a distributor for the Gozi Trojan. 

As reported by the Associated Press, Mihai Ionut Paunescu, also known as "Virus," was one of three principal suspects held responsible for the spread of the Trojan, which infected over a million PCs between 2007 and 2012.

He was recently arrested at Bogotá El Dorado international airport and faces extradition to the United States on charges of running a bulletproof hosting service. 

Paunescu, a Romanian national, was first arrested in his home country in 2012 but avoided extradition at the time.

Bulletproof hosting is commonly used by cybercriminals as backend infrastructure for distributing spam, malware, and exploit kits, and for storing stolen data. These murky online services are known for turning a blind eye to their customers' activities, ignoring abuse complaints and takedown requests.

Paunescu faces charges of computer intrusion and financial fraud in the US District Court for the Southern District of New York, according to Colombian state officials (translated).

First discovered in 2007, the Gozi banking Trojan was spread through weaponized PDF documents attached to emails. Once the malware was installed, it lurked in the background and harvested online banking credentials and account details, which were sent to the Trojan's command-and-control (C2) server so that operators could log in to victims' accounts and conduct fraudulent transactions.

Threat actors were able to rent the malware and its underlying infrastructure for $500 a week, an early form of today's Malware-as-a-Service (MaaS) criminal setups.

Gozi's source code was leaked in 2010, leading to the creation of variants that remain in active use today.

In 2016, the Russian creator of Gozi, Nikita "76" Kuzmin, was sentenced in US court to 37 months behind bars and was ordered to pay close to $7 million in restitution after pleading guilty to various computer intrusion and fraud charges. 

Another participant in the criminal ring, Latvian Deniss "Miami" Calovskis, was sentenced in the same year. He served 21 months for writing web injects (browser-side code that alters banking pages to capture credentials) and for contributing to Gozi's code.

The FBI estimates that the malware caused victims losses amounting to tens of millions of dollars. NASA was one of the most high-profile victims. 

Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0