Three Charged for Cybervirus That Targeted Bank Accounts

Three men were charged by the U.S. with distributing a virus that infected more than 1 million computers worldwide, allowing thieves to steal data and millions of dollars from online accounts.

Prosecutors in the office of U.S. Attorney Preet Bharara in Manhattan today unsealed accusations that Nikita Kuzmin, 25, Deniss Calovskis, 27, and Mihai Ionut Paunescu, 28, created and used “one of the most financially destructive computer viruses in history.” Named Gozi, it’s a so-called Trojan virus.

“Banking Trojans are to cyber criminals what safe-cracking or acetylene torches are to traditional bank burglars -- but far more effective and less detectable,” George Venizelos, head of the FBI’s New York office, said today in a statement. “The investigation put an end to the Gozi virus.”

The cases are the latest brought by Bharara’s office targeting computer hacking and fraud. Last March he charged members of hacker groups Anonymous and LulzSec with conspiring to attack computers and websites of victims including the U.S. Senate and the governments of Tunisia, Yemen and Algeria.

Guilty Plea

Kuzmin, who was arrested in 2010, pleaded guilty in May 2011 and agreed to cooperate with the government, Bharara said today in a press conference. Bharara said Kuzmin’s cooperation was key to the investigation, which began 2 1/2 years ago and is continuing.

Calovskis, a citizen of Latvia, was arrested there in November, according to the statement. Paunescu, a Romanian known as “Virus,” was arrested in Romania last month. Prosecutors are seeking to have Calovskis and Paunescu extradited to the U.S., Bharara said.

The Gozi virus infected 40,000 computers in the U.S., including more than 160 belonging to the National Aeronautics and Space Administration, prosecutors said. Gozi also infected computers in Germany, the U.K., Poland, France, Finland, Italy and Turkey, according to the U.S.

Skill Sets

“It just demonstrates how sophisticated these rings are getting,” said Marcus Asner, a former chief of the Major Crimes and Computer Hacking-Intellectual Property unit in the Manhattan U.S. Attorney’s Office now with the law firm Arnold & Porter LLP. “This is not just a lone teenager in his basement. These are people with different skill sets who are trading with one another to be able to attack financial institutions.”

Kuzmin began designing Gozi in 2005 to steal bank account information belonging to individuals and businesses and hired a co-conspirator to write the virus’s source code, prosecutors said in a criminal information filed under seal in 2011.

Kuzmin rented the virus to criminals through what he called “76 Service” from 2006 to 2008, the U.S. said. He then sold the source code to co-conspirators in 2009 and 2010, for at least $50,000 a sale, plus a share of the buyers’ illegal profits, prosecutors said. The alleged co-conspirators weren’t named in court filings.

Toxic E-Mail

The virus was sent to computers in spam e-mails with benign-looking pdf files that, if opened, secretly installed the virus. The virus then collected data to determine user names, passwords and other security information, which criminals used to steal from the victims’ online bank accounts, Bharara said.

Paunescu, who was charged with three counts of conspiracy in a sealed indictment this year, operated a so-called bulletproof hosting service using computers in the U.S. and Romania, prosecutors said.

The service provided Internet protocol addresses and servers that allowed computer criminals to evade detection by law enforcement, according to the U.S.

Criminal Connections

Paunescu’s service aided in the distribution of Gozi and other malicious software used to target banks, including the Zeus Trojan and the SpyEye Trojan, according to the indictment. His service also helped criminals send spam e-mails and execute distributed denial of service attacks, according to the indictment.

In May, Paunescu or his co-conspirators obtained the login for an EBay Inc. account from one of the infected NASA computers, according to the indictment.

A 2012 indictment unsealed today charges Calovskis, also known as Miami, with five counts of conspiracy. Prosecutors said he developed “Web injects,” which changed the appearance of banking websites that were viewed on infected computers, making the Gozi virus more dangerous. The Web injects fooled victims into providing personal information that was used by others to steal from bank accounts, prosecutors said.

Seven Charged

In a 2011 case, the U.S. charged one Russian and six Estonians in a computer intrusion scheme that used malicious software to manipulate online advertising, divert users to rogue servers and infect more than 4 million computers. Victims included at least 500,000 U.S. individuals, businesses and government agencies, including NASA, prosecutors said at the time.

The cases are U.S. v. Kuzmin, 11-cr-387; U.S. v. Calovskis, 12-cr-487; and U.S. v. Paunescu, 13-cr-41, U.S. District Court, Southern District of New York (Manhattan).

To contact the reporters on this story: Bob Van Voris in Manhattan at rvanvoris@bloomberg.net; Patricia Hurtado in New York at pathurtado@bloomberg.net.

To contact the editor responsible for this story: Michael Hytha at mhytha@bloomberg.net.

Bloomberg reserves the right to remove comments but is under no obligation to do so, or to explain individual moderation decisions.

Please enable JavaScript to view the comments powered by Disqus.