Romanian man extradited to US over Gozi virus hacking charges

A man in handcuffs standing in front of computer equipment in a darkened room
(Image credit: Shutterstock)

A dual Romanian and Latvian national has been extradited to the US from Colombia for allegedly running a “bulletproofing hosting” service that enabled cyber criminals to distribute the Gozi virus.

Mihai Ionut Paunescu, 37 years old and also known as Virus, also allegedly enabled other cyber crimes, such as distributing malware like Zeus Trojan and SpyEye Trojan, initiating and executing distributed denial of service (DDoS) attacks, and transmitting spam, said federal attorneys yesterday.

The Gozi virus, first discovered in 2007, is malware that stole personal bank account information, including usernames and passwords, from users of affected computers, according to allegations in documents filed in Manhattan federal court. The virus infected over one million computers worldwide, including around 40,000 in the US, some of which belonged to NASA.

It caused tens of millions of dollars in losses to individuals, businesses, and governments whose computers were infected. Once installed, Gozi would collect data from the infected computer to capture personal bank account information which was then transmitted to various computer servers controlled by criminals who used the virus. They would then use the personal information to transfer funds out of victims’ bank accounts and into their possession.

“Bulletproof hosting” services helped cyber criminals to distribute the Gozi Virus with little fear of detection by law enforcement, said federal attorneys. Bulletproof hosts provided cyber criminals with critical online infrastructure they needed, including IP addresses and computer servers, in a manner designed to enable them to preserve their anonymity.

Paunescu allegedly rented servers and IP addresses from legitimate internet service providers and then rented these to cyber criminals. He also provided servers which were used as command-and-control servers to conduct DDoS attacks and monitored IP addresses he controlled to determine if they appeared on a special list of suspicious or untrustworthy IP addresses. Lastly, Paunescu also relocated his customers’ data to different networks and IP addresses to avoid being blocked as a result of private security or law enforcement scrutiny.

“Mihai Ionut Paunescu is alleged to have run a “bulletproof hosting” service that enabled cyber criminals throughout the world to spread the Gozi virus and other malware and to commit numerous other cybercrimes,” said US attorney Damian Williams. “His hosting service was specifically designed to allow cyber criminals to remain hidden and anonymous from law enforcement. Even though he was initially arrested in 2012, Paunescu will finally be held accountable inside a U.S. courtroom. This case demonstrates that we will work with our law enforcement partners here and abroad to pursue cyber criminals who target Americans, no matter how long it takes.”


An analysis of the European cyber threat landscape

Human risk review 2022


Paunescu was initially arrested in Romania in December 2012 before being released on bail and was then arrested again in Colombia last year at the request of the US government.

He is being charged with one count of conspiracy to commit computer intrusion, which carries a maximum penalty of 10 years in prison, as well as one count of conspiracy to commit bank fraud, which carries a maximum penalty of 30 years in prison. He is also charged with one count of conspiracy to commit wire fraud, which carries a maximum penalty of 20 years in prison.

Zach Marzouk

Zach Marzouk is a former ITPro, CloudPro, and ChannelPro staff writer, covering topics like security, privacy, worker rights, and startups, primarily in the Asia Pacific and the US regions. Zach joined ITPro in 2017 where he was introduced to the world of B2B technology as a junior staff writer, before he returned to Argentina in 2018, working in communications and as a copywriter. In 2021, he made his way back to ITPro as a staff writer during the pandemic, before joining the world of freelance in 2022.