Being an online criminal isn't always easy. For one thing, there's all that tedious administrative overhead of deploying command and control servers, finding proxies to mask them, and shifting IP addresses to stay off of private security blacklists. Today's savvy cyber criminal, therefore, often outsources the work to so-called "bulletproof" hosting operations, which rent servers to criminals and take care of all the dirty details needed to keep them online. That was the approach taken by the Russian creator of malware known as Gozi—malicious password-stealing software which the US government today called "one of the most financially destructive computer viruses in history"—to store his stolen data. But as the malware man found out, bulletproof hosts can be taken down with enough effort. Even when they're based in Romania.

Gozi was coded back in 2005 and deployed in 2007. Back then, it largely targeted Europeans. When installed on a computer, the virus waited until the user visited an online banking site and then grabbed account names and passwords—anything that might be needed for a criminal to transfer money out of the user's account. This information was then sent silently to the Gozi command and control servers, from which it was harvested on a regular basis.

By 2010, the malware innovated in two important ways. First, it had gained the capability to do sophisticated Web injection. When an infected computer was pointed at a banking website, the virus wouldn't simply steal account login information; it could be configured to inject additional data requests right into the bank's webpage. This made it almost impossible to tell the requests were not being made by the bank itself. In this way, the malware could be tweaked to ask for Social Security numbers, driver's license information, a mother's maiden name, PIN codes—anything a client wanted.

The second innovation? Gozi expanded to the US and started targeting specific US banks. The collected information was then sold to other criminals, who quickly transferred money out of the targeted bank accounts. On August 13, 2010, for instance, $8,710 went missing from a Bronx resident's account. The amounts could go much higher; in February 2012, another New York resident lost $200,000. And it got even worse. An FBI investigation, revealed today, found two Gozi-infected computers had led to combined losses of $6 million for their two owners. Total losses appear to have reached "tens of millions" of dollars.

So, starting in 2010, the FBI launched an investigation. It didn't take long to find Gozi's creator, a 25-year-old Moscow resident named Nikita Kuzmin. By November 2010, Kuzmin had been arrested during a trip to the US; by May 2011 he pleaded guilty and agreed to forfeit his Gozi earnings, which might reach up to $50 million. Deniss Čalovskis, the 27-year-old Latvian man who allegedly coded the Web injects and customized them for various banks, was picked up by Latvian police in November 2012.

But it was the bulletproof host behind Gozi who turned out to be the most interesting catch—and who took longest to reel in.



“Answer me, damn it, I'm Virus”

FBI agents collected an incredible trove of data on the Gozi conspirators. According to court documents, this data cache included wiretaps, seized servers, an interview with a Gozi distributor, and even a host of chat logs lifted from a server used by the criminals behind Gozi. Despite all that, in the end what brought down the bulletproof host was as simple as a cell phone number.

With the number in hand, the FBI worked with the Romanian Police Directorate for Combating Organized Crime (DCCO), since the number was based in Bucharest. The DCCO obtained court permission to tap the phone, then agents listened to calls, watched text messages, and intercepted Web addresses and passwords entered on the handset for three months in the spring of 2012. On April 1, 2012, the phone's user sent a text message saying (according to an FBI translation), "Answer me, damn it, I'm Virus." The next day, a male voice called the phone and addressed its user as "Virus." But who was Virus?

Someone who wasn't too careful with his cell phone, for one thing. The phone was registered to a company called "KLM Internet & Gaming SRL," which was itself registered to a Bucharest man named Mihai Ionut Paunescu. The corporate registration was later changed, and investigators weren't positive who was actually using the phone until they listened in on a call in which the phone's user identified himself to the Romanian Commercial Bank as "Mihai Ionut Paunescu" and provided the correct national ID number corresponding to Paunescu. (The caller was seeking information on the proper procedure to withdraw US$20,000.)

Watching the smartphone's Web browsing history confirmed this phone belonged to the bulletproof host authorities sought. Paunescu regularly visited a site called adminpanel.ro. Romanian police watched as Paunescu entered the username and password to the site. Next they obtained court permission to search it. They did the search—and provided the information to the FBI. The site was essentially a set of status tables covering 130 physical computer servers which Paunescu apparently leased from legitimate hosting operations before reselling to less legitimate cyber criminals of all stripes.

Subtlety was not the order of the day here. Adminpanel.ro's data tables contained notes on what each virtual machine on each server was being used for, and these included things (in English) like "spy/malware," "semi-legal non sbl," "facebook spam 0%sbl," "illegal," and "100%SBLmalware." ("SBL" is an apparent reference to the well-known Spamhaus Block List targeting spammers.)

Keeping these 130 servers up and running for his clients apparently netted Paunescu a good deal of money. He kept meticulous records of how much he paid to lease every server and how much he received for leasing it back out. A typical entry shows that he spent "114EU" (euros) on a server that he resold for "330EU"—not a bad markup.

As for "Virus," it turned out that Paunescu used this as his online nickname.

Last month, Romanian police arrested him, bringing the Gozi story to a close.

Wayward youth

The US government revealed the three arrests today. It unsealed indictments against Kuzmin, Čalovskis, and Paunescu which make clear just how young all three men were when the alleged criminal behavior began. Kuzmin got started with Gozi back in 2005, when he was just 18. Čalovskis was allegedly involved since he was 20. Paunescu is only 28 now and has allegedly been in the bulletproof hosting business for years.

Kuzmin pleaded guilty and will be sentenced in the US, where he faces a maximum 95 years in prison. Extradition proceedings are underway for the other two, who could each face a max of 60 years in a US cell.