The U.S. government charged three men with distributing a virus that infected more than 1 million computers worldwide, allowing thieves to steal data and millions of dollars from online accounts.

Prosecutors in the office of U.S. Attorney Preet Bharara in Manhattan on Wednesday unsealed accusations that Nikita Kuzmin, 25, Deniss Calovskis, 27, and Mihai Ionut Paunescu, 28, created and used “one of the most financially destructive computer viruses in history.” Named Gozi, it’s a so-called Trojan virus.

“Banking Trojans are to cyber criminals what safecracking or acetylene torches are to traditional bank burglars — but far more effective and less detectable,” George Venizelos, head of the FBI’s New York office, said Wednesday. “The investigation put an end to the Gozi virus.”

The cases are the latest brought by Bharara’s office targeting computer hacking and fraud. Last March he charged members of hacker groups Anonymous and LulzSec with conspiring to attack computers and websites of victims including the U.S. Senate and the governments of Tunisia, Yemen and Algeria.

Kuzmin, who was arrested in 2010, pleaded guilty in May 2011 and agreed to cooperate with the government, Bharara said Wednesday. Bharara said Kuzmin’s cooperation was key to the investigation, which began 2½ years ago and is continuing.

Calovskis, a citizen of Latvia, was arrested there in November, according to the statement. Paunescu, a Romanian known as “Virus,” was arrested in Romania last month. Prosecutors are seeking to have Calovskis and Paunescu extradited to the United States, Bharara said.

The Gozi virus infected 40,000 computers in the United States, including more than 160 belonging to NASA, prosecutors said. Gozi also infected computers in Germany, the United Kingdom, Poland, France, Finland, Italy and Turkey, according to U.S. officials.

“It just demonstrates how sophisticated these rings are getting,” said Marcus Asner, a former chief of the Major Crimes and Computer Hacking-Intellectual Property unit in the Manhattan U.S. Attorney’s Office now with the law firm Arnold & Porter. “This is not just a lone teenager in his basement. These are people with different skill sets who are trading with one another to be able to attack financial institutions.”

Kuzmin began designing Gozi in 2005 to steal bank-account information belonging to individuals and businesses and hired a co-conspirator to write the virus’s source code, prosecutors said in a criminal information filed under seal in 2011.

Kuzmin rented the virus to criminals through what he called “76 Service” from 2006 to 2008, the prosecutors said. He then sold the source code to co-conspirators in 2009 and 2010, for at least $50,000 a sale, plus a share of the buyers’ illegal profits, prosecutors said. The alleged co-conspirators weren’t named in court filings.

The virus was sent to computers in spam emails with benign-looking PDF files that, if opened, secretly installed the virus. The virus then collected data to determine user names, passwords and other security information, which criminals used to steal from the victims’ online-bank accounts, Bharara said.

Paunescu, who was charged with three counts of conspiracy in a sealed indictment this year, operated a so-called bulletproof hosting service using computers in the United States and Romania, prosecutors said.

The service provided Internet protocol addresses and servers that allowed computer criminals to evade detection by law enforcement, according to prosecutors.

Paunescu’s service aided in the distribution of Gozi and other malicious software used to target banks, including the Zeus Trojan and the SpyEye Trojan, according to the indictment. His service also helped criminals send spam emails and execute distributed denial-of-service attacks, according to the indictment.

In May, Paunescu or his co-conspirators obtained the login for an eBay account from one of the infected NASA computers, according to the indictment.

A 2012 indictment unsealed Wednesday charges Calovskis, also known as Miami, with five counts of conspiracy. Prosecutors said he developed “Web injects,” which changed the appearance of banking websites that were viewed on infected computers, making the Gozi virus more dangerous. The Web injects fooled victims into providing personal information that was used by others to steal from bank accounts, prosecutors said.

In a 2011 case, the U.S. charged one Russian and six Estonians in a computer-intrusion scheme that used malicious software to manipulate online advertising, divert users to rogue servers and infect more than 4 million computers.

Victims included at least 500,000 U.S. individuals, businesses and government agencies, including NASA, prosecutors said at the time.