Colombian authorities on Wednesday said they have arrested a Romanian hacker who is wanted in the U.S. for distributing a virus that infected more than a million computers from 2007 to 2012.
Mihai Ionut Paunescu (aka “Virus”), the individual in question, was detained at the El Dorado airport in Bogotá, the Office of the Attorney General of Colombia said.
Paunescu was previously charged by the U.S. Department of Justice (DoJ) in January 2013 for operating a bulletproof hosting service that “enabled cyber criminals to distribute the Gozi Virus, the Zeus Trojan and other notorious malware, and conduct other sophisticated cyber crimes.” He was arrested in Romania in December 2012 but managed to avoid extradition to the U.S.
“Through this service, Paunescu, like other bulletproof hosts, knowingly provided critical online infrastructure to cyber criminals that allowed them to commit online criminal activity with little fear of detection by law enforcement,” the DoJ said in an unsealed indictment.
Gozi (aka ISFB, Snifula, or Ursnif), a Windows-based banking trojan, has roots going back to 2005, two years before it was first deployed in real-world attacks in 2007. At least 40,000 computers in the U.S., including some belonging to the National Aeronautics and Space Administration (NASA), are said to have been infected with the malware.
Germany, Great Britain, Poland, France, Finland, Italy, and Turkey are the other countries where Gozi infections were reported.
In May 2016, Gozi’s primary developer, a Russian citizen named Nikita Kuzmin, was sentenced to 37 months in prison and fined $7 million over charges of computer intrusion and fraud for causing “tens of millions of dollars in losses” to individuals, businesses, and government entities. The malware was rented out to other criminal operators in exchange for $500 a week.
Separately, Deniss Calovskis, a Latvian national who developed the “web injects” that let Gozi surreptitiously harvest information users entered on banking websites, received a 21-month prison term in January 2016 for his role in the fraud scheme.
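To make the web-inject mechanism mentioned above concrete, here is an added toy model; it is not code from this page, from Gozi, or from any real sample. It parses a config in the `set_url` / `data_before` / `data_inject` / `data_after` / `data_end` layout popularised by Zeus, which many banking trojans adopted; that Gozi's own injects used exactly this syntax is an assumption, as are the bank URL, page markup, field names and config below, all of which are constructed. The last function shows the cheap server-side check a bank can run: a submitted form carrying a field the clean page never offered.

```python
# Toy Zeus-style webinject: parse a config, splice it into a page, detect it.
# Added illustration only; config, URL and markup are constructed, not real.
import re
from dataclasses import dataclass
from fnmatch import fnmatch
from html.parser import HTMLParser

# Constructed sample config (assumed Zeus-style syntax; not from any sample).
SAMPLE_CONFIG = """\
set_url https://online.example-bank.test/login* GP
data_before
<input type="password" name="password"*>
data_end
data_inject
<br>ATM PIN: <input type="text" name="atm_pin">
data_end
data_after
</form>
data_end
"""

# Constructed login page exactly as the (hypothetical) bank serves it.
CLEAN_PAGE = ('<form action="/login" method="post">'
              '<input type="text" name="user">'
              '<input type="password" name="password">'
              '</form>')


@dataclass
class WebInject:
    url_mask: str        # shell-style glob matched against the full URL
    flags: str           # e.g. "GP": act on both GET and POST responses
    before: str = ""     # marker text; injected HTML lands right after it
    inject: str = ""     # HTML spliced into the page the victim sees
    after: str = ""      # marker that must also be present further on


def parse_config(text):
    """Turn the set_url / data_* blocks into WebInject records."""
    injects, current, section = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("set_url "):
            parts = line.split()
            current = WebInject(parts[1], parts[2] if len(parts) > 2 else "")
            injects.append(current)
        elif line in ("data_before", "data_inject", "data_after"):
            section = line[len("data_"):]
        elif line == "data_end":
            section = None
        elif section and current is not None:
            setattr(current, section, getattr(current, section) + raw + "\n")
    for inj in injects:
        inj.before, inj.inject, inj.after = (
            s.strip() for s in (inj.before, inj.inject, inj.after))
    return injects


def _marker_regex(marker):
    """'*' in a data_before/data_after marker is a wildcard; rest is literal."""
    return re.compile(".*?".join(re.escape(p) for p in marker.split("*")), re.S)


def apply_inject(inj, url, html):
    """Return the page as the victim's browser would render it.

    Toy semantics: the injected HTML goes immediately after the before-marker
    and is only spliced in if the after-marker also occurs later on. Exact
    behaviour (e.g. whether text between the markers is kept) varies by
    malware family and is not something this illustration claims for Gozi.
    """
    if not fnmatch(url, inj.url_mask):
        return html
    head = _marker_regex(inj.before).search(html)
    if head is None:
        return html
    if _marker_regex(inj.after).search(html, head.end()) is None:
        return html
    return html[:head.end()] + inj.inject + html[head.end():]


class _InputNames(HTMLParser):
    def __init__(self):
        super().__init__()
        self.names = []

    def handle_starttag(self, tag, attrs):
        if tag == "input":
            self.names.extend(v for k, v in attrs if k == "name")


def input_names(html):
    parser = _InputNames()
    parser.feed(html)
    return parser.names


def unexpected_fields(clean_html, submitted_fields):
    """Fields in a submitted form that the clean page never offered: a cheap
    server-side tell that something rewrote the page inside the browser."""
    return sorted(set(submitted_fields) - set(input_names(clean_html)))


if __name__ == "__main__":
    inj = parse_config(SAMPLE_CONFIG)[0]
    shown = apply_inject(inj, "https://online.example-bank.test/login?r=1", CLEAN_PAGE)
    print(shown)
    print(unexpected_fields(CLEAN_PAGE, input_names(shown)))  # ['atm_pin']
```

Run it and the rendered form gains an "ATM PIN" field sitting right after the password box, which is the whole trick: the TLS session and the URL bar are genuine, only the DOM has been edited. The `unexpected_fields` check is deliberately simple; it catches the extra field only if the victim's browser submits it to the bank, which is why real injects typically also exfiltrate captured data out of band.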
Despite these law enforcement efforts, Gozi continues to evolve: it has morphed from a simple banking trojan into a modular malware delivery platform, and cybersecurity firm Check Point found “modern derivatives” in active use in malicious campaigns as of August 2020.