Romanian Man Gets Three Years in Prison for ‘Bulletproof Hosting’ that Enabled Gozi Virus Distribution

A Romanian man has been sentenced to three years in prison for offering “bulletproof hosting” services that enabled multi-million-dollar cybercrime campaigns.

39-year-old Mihai Ionut Paunescu, also known as “Virus,” a dual Romanian and Latvian national, was extradited last year from Colombia for allegedly running a “bulletproof hosting” service that enabled cyber criminals to distribute malware and commit various other cyber offenses, including Distributed Denial of Service (DDoS) attacks.

The term “bulletproof hosting” describes a technical infrastructure provided by an Internet hosting service that is resilient to complaints of illicit activities, serving anything from online gambling, hate speech, and illegal pornography to command-and-control-servers for cybercrime.

“Paunescu operated a ‘bulletproof hosting’ service that helped cyber criminals to distribute some of the world’s most harmful malware, including the Gozi Virus, the Zeus Trojan, the SpyEye Trojan, and BlackEnergy, as well to as commit other cybercrimes, such as transmitting spam, which is an often used means of distributing malware,” the US Department of Justice (DOJ) said.

Gozi is one of the best-known banking Trojans. Discovered in 2007, it is designed to pilfer sensitive information from target computers, including banking credentials and passwords.

Zeus is similar in that it’s also used to steal banking information, either via man-in-the-browser keystroke logging or form grabbing.

SpyEye also uses keystroke logging and form grabbing to steal user credentials.

BlackEnergy is an HTTP-based toolkit used to generate bots to carry out DDoS attacks.

Paunescu secured servers and IP addresses from legitimate ISPs and then rented those resources to cybercriminals who used them as command-and-control servers to conduct DDoS attacks.

According to the DOJ, Paunescu “monitored the IP addresses that he controlled to determine if they appeared on a special list of suspicious or untrustworthy IP addresses; and relocated his customers’ data to different networks and IP addresses, including networks and IP addresses in other countries, to avoid being blocked as a result of private security or law enforcement scrutiny.”

The prosecution said Paunescu’s “bulletproof hosting” services helped cybercriminals distribute the Gozi Virus with little fear of detection by police.

Gozi is known to have infected more than a million computers worldwide, among them at least 40,000 in the United States, including computers belonging to NASA, as well as computers in Germany, the UK, Poland, France, Finland, Italy, Turkey, and other countries.

Paunescu pled guilty this year to all charges and was sentenced this week in a Manhattan federal court to three years in prison, plus three years under supervision. In addition to his prison sentence, Paunescu was ordered to forfeit $3,510,000 and pay $18,945 in restitution.