Romanian national Mihai Ionut Paunescu, aka “Virus,” was sentenced to three years in prison by a Manhattan federal court for running a bulletproof hosting service and facilitating the distribution of the Gozi (Ursnif), Zeus, SpyEye, and BlackEnergy malware.
Bulletproof hosting services are web hosting companies in countries with lenient or non-enforced internet laws that follow relaxed policies regarding their clients’ illicit content and activities. These types of services are also known to ignore takedown requests from law enforcement and copyright holders.
The Department of Justice says Paunescu’s service facilitated the distribution of several info-stealing and banking malware families, including Gozi (Ursnif), Zeus, SpyEye, and BlackEnergy, and also the launching of DDoS (distributed denial of service) attacks and distribution of spam messages worldwide.
The Romanian was previously held in custody in Colombia and Romania before he was extradited to the U.S., with the police forces of the two countries providing significant assistance to the FBI in unearthing the man’s cybercriminal activities.
“Paunescu ran a ‘bulletproof’ hosting service that enabled cyber criminals throughout the world to spread malware that stole confidential financial information, crashed websites, and caused other harm,” commented U.S. Attorney Damian Williams.
“By allowing cybercriminals to acquire online infrastructure for their unlawful activity without revealing their true identities, Paunescu’s bulletproof hosting service shielded his criminal customers from both law enforcement and cybersecurity professionals while enriching himself. Paunescu now faces prison time and will be required to forfeit his ill-gotten gains.”
Unsealed court documents describe Paunescu’s activities in detail, claiming that he not only provided hosting to cybercriminals but also rented IP addresses for customers from legitimate ISPs, along with C2 infrastructure for botnet operations, proxies to hide malicious traffic, and more.
Additionally, Paunescu reportedly monitored IP address spam lists, and if those under his control were included, he activated bypassing mechanisms to evade blocking.
The indictment shares further information about the defendant’s knowledge regarding the illegal nature of his clients’ operations.
According to the U.S. Department of Justice, Paunescu managed a database that kept track of rented servers, with many using names clearly related to malware.
“At various times from at least in or about May 2012 through in or about November 2012, PAUNESCU maintained a database which described certain servers that he controlled or leased as being used for ‘spyeye 100%SBL,’ ‘zeus 100%SBL,’ ‘100%sbl, phising [sic],’ ‘100%SBL malware,’ and ‘fake av [antivirus] 100%SBL,’” reads the DoJ indictment obtained by BleepingComputer.
The distribution of Ursnif (Gozi) was the most notable cybercrime activity backed by Paunescu’s hosting service, with the malware infecting over a million computers worldwide.
Ursnif started as a banking trojan that later switched to initial access operations, and it is estimated that it has caused tens of millions of USD in damages to individuals, businesses, and government entities in the United States, Germany, the UK, France, Italy, Finland, Turkey, and elsewhere.
The U.S. Department of Justice announcement highlights Ursnif’s impact on the country, mentioning that it infected at least 40,000 systems, including some computers belonging to NASA.
In addition to the three-year prison sentence, Paunescu was ordered to forfeit $3.5 million and pay restitution of $18,945.
After his release from prison, the Romanian will enter a supervision period of another three years.