Romanian national known as ‘virus’ extradited for operating ‘bulletproof hosting’ service that facilitated distribution of destructive malware | USAO-SDNY

Damian Williams, United States Attorney for the Southern District of New York, and Michael J. Driscoll, Deputy Director in Charge of the Federal Bureau of Investigation’s (“FBI”) New York Field Office, today announced that MIHAI IONUT PAUNESCU, alias “Virus”, a Romanian and Latvian national, was extradited from Colombia for allegedly operating a “bulletproof hosting” service that allowed cybercriminals to distribute the Gozi virus, one of the most common and financially destructive computer viruses in history. PAUNESCU also allegedly enabled other cyber crimes, such as the distribution of malware, including the “Zeus Trojan” and the “SpyEye Trojan”, the launching and execution of distributed denial of service (“DDoS”) attacks, and the transmission of spam. PAUNESCU was first arrested in Romania in December 2012 and released on bail, and he was arrested again in Colombia last year at the request of the United States. PAUNESCU was presented yesterday before the American investigating judge Gabriel W. Gorenstein and detained. The case is assigned to U.S. District Judge Lorna G. Schofield.

US Attorney Damian Williams said, “Mihai Ionut Paunescu allegedly ran a ‘bulletproof hosting’ service that allowed cybercriminals around the world to spread the Gozi virus and other malware and commit many other cyber crimes. His hosting service has been specially designed to allow cybercriminals to remain hidden and anonymous from law enforcement agencies. Even though he was originally arrested in 2012, Paunescu will eventually be held accountable in a US courtroom. This case demonstrates that we will work with our law enforcement partners at home and abroad to prosecute cybercriminals who target Americans, no matter how long it takes.”

According to allegations in documents filed in Manhattan federal court[1]:

The Gozi virus is malicious computer code or “malicious software” that steals personal bank account information, including usernames and passwords, from users of affected computers. The Gozi virus has infected more than one million victim computers worldwide, including at least 40,000 computers in the United States, among them computers belonging to the National Aeronautics and Space Administration (“NASA”), as well as computers in Germany, Britain, Poland, France, Finland, Italy, Turkey and elsewhere, and has caused tens of millions of dollars in losses to the individuals, businesses and government entities whose computers were infected. Once installed, the Gozi virus – which was intentionally designed to be undetectable by anti-virus software – collected data from the infected computer to capture personal bank account information, including usernames and passwords. This data was then transmitted to various computer servers controlled by the cyber criminals who used the Gozi virus. These cybercriminals then used the personal bank account information to transfer funds out of the victims’ bank accounts and ultimately into their own personal possession.

“Bulletproof hosting” services have helped cybercriminals spread the Gozi virus without fear of detection by law enforcement. Bulletproof hosts provided cybercriminals using the Gozi virus with the essential online infrastructure they needed, such as Internet Protocol (“IP”) addresses and computer servers, in a way designed to preserve their anonymity.

PAUNESCU operated a “bulletproof hosting” service that helped cybercriminals distribute the Gozi virus and commit other cybercrimes, such as distributing malware, including the “Zeus Trojan” and the “SpyEye Trojan”, launching and executing DDoS attacks, and transmitting spam. PAUNESCU rented servers and IP addresses from legitimate internet service providers, then rented them in turn to cybercriminals; provided servers that cybercriminals used as command and control servers to carry out DDoS attacks; monitored the IP addresses he controlled to determine whether they were on a special list of suspicious or untrusted IP addresses; and moved his customers’ data to different networks and IP addresses, including networks and IP addresses in other countries, to avoid being blocked as a result of checks by private security or law enforcement agencies.

* * *

PAUNESCU, 37, from Bucharest, Romania, is charged with one count of conspiracy to commit computer intrusion, which carries a maximum sentence of 10 years in prison; one count of conspiracy to commit bank fraud, which carries a maximum sentence of 30 years in prison; and one count of conspiracy to commit wire fraud, which carries a maximum sentence of 20 years in prison.

Potential maximum and minimum sentences are prescribed by Congress and are provided here for informational purposes only, as any sentencing of the defendant will be determined by the judge.

Mr. Williams praised the FBI’s investigative work. Mr. Williams also thanked the NASA Inspector General’s Office and the Colombian National Police. In addition, Mr. Williams thanked the Computer Crime and Intellectual Property Section (“CCIPS”) of the Department of Justice for its partnership in this case. The Office of International Affairs of the United States Department of Justice’s Criminal Division and the United States Marshals Service provided significant assistance in securing the extradition of the accused from Colombia.

This case is handled by the Office’s Complex Fraud and Cybercrime Unit. Assistant United States Attorney Sarah Lai is in charge of the prosecution.

The counts in the indictment are charges only and the accused is presumed innocent until proven guilty.


[1] As the introductory sentence indicates, the entire text of the Indictment is allegation only, and each fact described herein is to be treated as an allegation.
