Operator of “Bulletproof Hosting” Service Which Distributed Destructive Malware Sentenced to Three Years in Prison

Published 12 June 2023

A Romanian national who operated a “bulletproof hosting” service was sentenced to three years in prison and ordered to forfeit $3,510,000. The hosting service was used to facilitate the distribution of the Gozi Virus, the Zeus Trojan, the SpyEye Trojan, and the BlackEnergy malware, all of which were designed to steal confidential financial information.

Damian Williams, the United States Attorney for the Southern District of New York, announced that Mihai Ionut Paunescu, aka “Virus,” was sentenced to three years in prison today (Monday, 12 June) in Manhattan federal court for conspiracy to commit computer intrusion in connection with running a “bulletproof hosting” service that enabled cybercriminals to distribute the Gozi Virus, the Zeus Trojan, the SpyEye Trojan, and the BlackEnergy malware, all of which were designed to steal confidential financial information. Paunescu also enabled other cybercrimes, such as initiating and executing distributed denial of service (DDoS) attacks and transmitting spam.

Paunescu previously pled guilty before U.S. Magistrate Judge Valerie Figueredo on February 24, 2023.  He was sentenced today by U.S. District Judge Lorna G. Schofield.

U.S. Attorney Damian Williams said: “Paunescu ran a ‘bulletproof’ hosting service that enabled cyber criminals throughout the world to spread malware that stole confidential financial information, crashed websites, and caused other harm.  By allowing cybercriminals to acquire online infrastructure for their unlawful activity without revealing their true identities, Paunescu’s bulletproof hosting service shielded his criminal customers from both law enforcement and cybersecurity professionals, while enriching himself.  Paunescu now faces prison time and will be required to forfeit his ill-gotten gains.”

In imposing today’s sentence, Judge Schofield said that Paunescu facilitated the distribution of “some of the most serious malware circulating at the time” and “made considerable money from it.”

As alleged in the Complaint, the Indictment, other documents in this case, and statements made in court:

The Gozi Virus is malicious computer code or “malware” that stole personal bank account information, including usernames and passwords, from the users of affected computers.  The Gozi Virus infected over one million victim computers worldwide, among them at least 40,000 computers in the United States, including computers belonging to the National Aeronautics and Space Administration (NASA), as well as computers in Germany, Great Britain, Poland, France, Finland, Italy, Turkey, and elsewhere.  The Gozi Virus caused tens of millions of dollars in losses to the individuals, businesses, and government entities whose computers were infected.  Once installed, the Gozi Virus – which was intentionally designed to be undetectable by anti-virus software – collected data from the infected computer in order to capture personal bank account information, including usernames and passwords.  That data was then transmitted to various computer servers controlled by the cyber criminals who used the Gozi Virus.  These cyber criminals then used the personal bank account information to transfer funds out of the victims’ bank accounts and ultimately into their own personal possession.

Similar to the Gozi Virus, the Zeus Trojan and the SpyEye Trojan were designed to steal confidential financial information from victims’ computers.  BlackEnergy was initially designed to launch World Wide Web-based DDoS attacks and later upgraded to include the ability to steal account access credentials.

“Bulletproof hosting” services helped cyber criminals distribute the Gozi Virus with little fear of detection by law enforcement.  Bulletproof hosts provided cyber criminals using the Gozi Virus with the critical online infrastructure they needed, such as Internet Protocol (IP) addresses and computer servers, in a manner designed to enable them to preserve their anonymity.

Paunescu operated a “bulletproof hosting” service that helped cyber criminals to distribute some of the world’s most harmful malware, including the Gozi Virus, the Zeus Trojan, the SpyEye Trojan, and BlackEnergy, as well as to commit other cybercrimes, such as transmitting spam, which is an often-used means of distributing malware. Paunescu rented servers and IP addresses from legitimate Internet service providers and then, in turn, rented those resources to cybercriminals; provided servers that cyber criminals used as command-and-control servers to conduct DDoS attacks; monitored the IP addresses that he controlled to determine whether they appeared on blocklists of suspicious or untrustworthy IP addresses; and relocated his customers’ data to different networks and IP addresses, including networks and IP addresses in other countries, to avoid being blocked as a result of private security or law enforcement scrutiny.
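The two evasion behaviours described above, watching whether hosting IPs land on reputation blocklists and moving customers to fresh networks and countries when they do, are also the signals a defender can pivot on. The following is an added example, not from the press release or the case documents, showing how to flag hosting IPs that fall in blocklisted ranges and how to detect a domain whose resolution keeps hopping across IP addresses, ASNs and countries. The blocklist ranges, domain names, ASN numbers, passive-DNS records and the "two or more moves" threshold are all constructed for illustration.

```python
"""Flag blocklisted hosting IPs and detect command-and-control domains that rotate across networks.

Added example, not code from the press release or the case. The blocklist,
domains, ASNs and passive-DNS observations below are constructed (RFC 5737
documentation addresses, RFC 2606 .example names, private-use ASNs).
"""
from __future__ import annotations

import ipaddress
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Resolution:
    """One passive-DNS observation of domain -> ip, with hypothetical ASN/country enrichment."""
    ts: int          # observation time, unix seconds
    domain: str
    ip: str
    asn: int
    country: str


# Constructed blocklist of CIDR ranges (stands in for a reputation feed).
BLOCKLIST = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "198.51.100.64/26")]

# Constructed passive-DNS records: "update-check.example" hops between IPs,
# ASNs and countries every hour; "static.example" stays on one address.
RECORDS = [
    Resolution(0,    "update-check.example", "203.0.113.10",  64500, "RO"),
    Resolution(3600, "update-check.example", "198.51.100.70", 64501, "NL"),
    Resolution(7200, "update-check.example", "192.0.2.5",     64502, "US"),
    Resolution(0,    "static.example",       "192.0.2.50",    64502, "US"),
    Resolution(3600, "static.example",       "192.0.2.50",    64502, "US"),
    Resolution(7200, "static.example",       "192.0.2.50",    64502, "US"),
]


def is_blocklisted(ip: str, blocklist=BLOCKLIST) -> bool:
    """True if ip falls inside any blocklisted network."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in blocklist)


def rotation_events(records: list[Resolution]) -> dict[str, list[dict]]:
    """Per domain, every change of resolved IP in time order, noting whether
    the move also crossed an ASN or a country boundary."""
    by_domain: dict[str, list[Resolution]] = defaultdict(list)
    for rec in sorted(records, key=lambda r: (r.domain, r.ts)):
        by_domain[rec.domain].append(rec)
    events: dict[str, list[dict]] = {}
    for domain, recs in by_domain.items():
        moves = []
        for prev, cur in zip(recs, recs[1:]):
            if cur.ip != prev.ip:
                moves.append({
                    "from": prev.ip, "to": cur.ip, "at": cur.ts,
                    "asn_change": prev.asn != cur.asn,
                    "country_change": prev.country != cur.country,
                })
        events[domain] = moves
    return events


def summarize(records: list[Resolution], blocklist=BLOCKLIST) -> dict[str, dict]:
    """Combine the rotation and blocklist signals into a per-domain verdict.
    The 'suspicious' rule (two or more moves, or any blocklisted IP) is a
    hypothetical threshold, not a tuned detection."""
    out = {}
    for domain, moves in rotation_events(records).items():
        ips = {r.ip for r in records if r.domain == domain}
        listed = [ip for ip in ips if is_blocklisted(ip, blocklist)]
        out[domain] = {
            "moves": len(moves),
            "asn_changes": sum(m["asn_change"] for m in moves),
            "country_changes": sum(m["country_change"] for m in moves),
            "blocklisted_ips": len(listed),
            "suspicious": len(moves) >= 2 or bool(listed),
        }
    return out


if __name__ == "__main__":
    for domain, verdict in summarize(RECORDS).items():
        print(domain, verdict)
```

Run stand-alone, the script prints one summary per domain: the rotating domain shows two moves, both crossing ASN and country, with two of its three addresses inside blocklisted ranges, while the static domain has no moves and no listed addresses. In practice the records would come from a passive-DNS source and the blocklist from a reputation feed; the point of correlating the two is that an operator who relocates a customer the moment an IP is listed leaves exactly this trail of short-lived resolutions, which is what the blocklist alone would miss.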

In imposing the sentence, Judge Schofield gave Paunescu credit for the approximately one year and two months that the defendant was held in Romanian and Colombian custody prior to his extradition to the United States.  In addition to his prison sentence, Paunescu, 39, of Bucharest, Romania, was ordered to forfeit $3,510,000 and pay restitution in the amount of $18,945.