A Romanian national who went by the online name “Virus” has been sentenced to three years in prison by a Manhattan federal court for running a bulletproof hosting service.

Mihai Ionut Paunescu was facilitating the distribution of the Gozi (Ursnif), Zeus, SpyEye, and BlackEnergy malware via his service, which was hosted on computers in Romania, the United States and other locations around the world.

Mihai Ionut Paunescu

The Romanian national was previously held in custody in Colombia and Romania before he was eventually extradited to the U.S., with the police forces of the two countries providing significant assistance to the FBI in unearthing his cybercriminal activities.

The indictment, posted by the Southern District of New York, details the criminal activities Paunescu was charged with, including:

  • Providing cybercriminals with IP addresses and servers in a manner designed to enable them to preserve their anonymity and evade detection by law enforcement
  • Facilitating the distribution of banking trojans, including the Gozi virus, the Zeus trojan, and the SpyEye trojan, amongst others
  • Providing a service which allowed cybercriminals to launch DDoS attacks using the BlackEnergy malware
  • Enabling cybercriminals to send spam emails

What is bulletproof hosting?

Bulletproof hosting is the term given to services provided by individuals and web hosting companies, typically located in countries with lenient or unenforced internet laws, that follow relaxed policies regarding their clients’ illicit content and activities.

These types of services are known to ignore takedown requests from law enforcement and copyright holders.

Operators of bulletproof hosting services use various techniques to prevent their services from being blocked or taken offline by law enforcement.

Such techniques include:

  • Purchasing vast numbers of IP addresses to bounce traffic through, so that no single IP address can be blacklisted to stop the service
  • Providing Command & Control (C2) servers to others to use as proxies, so that their true identities are not leaked
  • Providing access to compromised victim machines to others to use for illegal activities

Global impact

Paunescu’s service, which allowed for the distribution of the Ursnif (Gozi) malware, was the most notable cybercrime activity he was charged with, as the malware infected over a million devices worldwide.

The Ursnif malware started life as a banking trojan, but was later modified into an initial access operation, allowing cybercriminals to gain a foothold in an organisation’s network and use it to further their illegal activities.

It is estimated that Ursnif has caused tens of millions of USD in damages to individuals, businesses, and government entities across the globe, including those in the United States, Germany, the UK, France, Italy, Finland, and Turkey.

Sentencing

In addition to his three-year jail sentence, Paunescu was ordered to forfeit USD 3.5 million and pay restitution of USD 18,945.

After his release from prison, the Romanian will then enter a supervision period of a further three years.