Gozi Creator Sentenced for Bank Attacks


DOJ Requests Lighter Sentence for 'Substantial Assistance'

Because of his "substantial assistance" to federal prosecutors and law enforcement, the mastermind behind the Gozi banking Trojan will not serve additional prison time, but must pay nearly $7 million for forfeiture and restitution, according to the U.S. Attorney's Office for the Southern District of New York.


On May 2, Nikita Kuzmin was sentenced by a Manhattan federal court only to time served, and ordered to pay $6.9 million, at the request of the Department of Justice, to cover a portion of the funds he stole from consumers, businesses and banks throughout the world.

Kuzmin, who was indicted and arrested in 2010, in May 2011 pleaded guilty to various computer intrusion and fraud charges for the role he played in stealing tens of thousands of bank account details and other information from victims throughout the world between 2007 and 2010.

Cybersecurity attorney Chris Pierson, general counsel and CISO at invoicing and payments provider Viewpost, says lighter sentencing in exchange for cooperation is common in cybercrime cases. In fact, government cooperation has led to lighter sentences in other notable cybercrime and criminal arrests, such as the 2005 takedown of the carding group Shadowcrew and the 2010 sentencing of notorious TJX hacker Albert Gonzalez.

Still, given the severity of global financial losses linked to Gozi, Kuzmin must have provided a great deal of worthwhile information for authorities to recommend his jail time be reduced, he adds.

"Based on the sentence of time served, it is more likely than not that the level of cooperation in this case and other ongoing investigations was instrumental to further arrests, information, or other turned informants," Pierson says.

The DOJ's Request for Leniency

In an April 28 letter to Judge Kimba M. Wood, the DOJ notes that because Kuzmin provided "substantial assistance" in the investigation and prosecution of others, and shared previously unknown details about criminal schemes linked to Gozi and other attacks with which he was involved, he fulfilled the obligations of his "cooperation agreement" and should be credited for time served.

As a result, Kuzmin's jail time was limited to the 37 months he already served.

"Kuzmin admitted that he engaged in uncharged criminal conduct, most of which predated his development of Gozi," the DOJ's letter notes. "The government would not have known about this conduct but for his admissions."

The DOJ also points out: "Kuzmin provided substantial assistance to the government, as set forth in a separate letter, which the government has submitted and respectfully requests to file under seal."

Even though Kuzmin's punishment is light, relative to the damage he caused, and that Gozi continues to cause, his assistance was worth rewarding, says John Buzzard, director of product management for security firm Rippleshot Fraud Analytics. "To me it's bittersweet to reward a criminal for being honest after the fact; but that's sadly the only way to get traction on the cases, especially any criminal case where an expert informant is required," Buzzard says.

Crimeware-as-a-Service Pioneer

One issue that prosecutors note in their sentencing-recommendation letter to Judge Wood is that Kuzmin's creation and distribution of Gozi not only enabled Gozi infections to become widespread, but also made the malware impossible to contain.

"The seriousness of Kuzmin's crime, and the need for general deterrence, are heightened in this case by the difficulty of eradicating Gozi and other types of destructive malware once they are disseminated," the government notes. "Kuzmin's offense is particularly significant for another reason, namely, that in perpetrating this crime, Kuzmin developed the model of cybercrime-as-a-service," which enabled other criminals to use Gozi for a fee.

Kuzmin's so-called 76 Service pioneered the crimeware-as-a-service model (see Crimeware-as-a-Service Threatens Banks).

"Unlike many cybercriminals at the time, who profited from malware solely by using it to steal money, Kuzmin rented out Gozi to other criminals," the U.S. Attorney's Office notes. "For a fee of $500 a week paid in WebMoney, a digital currency widely used by cybercriminals, Kuzmin rented the Gozi 'executable,' the file that could be used to infect victims with Gozi malware, to other criminals. Kuzmin designed Gozi to work with customized 'web injects' created by other criminals that could be used to enable the malware to target information from specific banks."

In the government's letter to Judge Wood, it notes that Kuzmin's innovation - to lease out Gozi - has been copied by other cybercriminals, fueling the spread of Gozi variants such as Vawtrak and other banking malware strains. "In renting the malware to others, Kuzmin made it widely accessible to criminals, in other words, to criminals who do not or need not have sophisticated computer science skills like Kuzmin and his Gozi co-creators," prosecutors state (see How Do We Catch Cybercrime Kingpins?).

At Least $7 Million in Losses

While authorities had been unable to determine the exact amount of money stolen from bank accounts via Gozi, they now say that two small banks in the United States and one in Europe have collectively reported nearly $7 million in Gozi-related losses. Because those three institutions alone account for that figure, global losses due to Gozi are likely to be much higher.

What's more, authorities now say that during their investigation into Gozi, security experts identified a server that contained stolen data, including 10,000 account records belonging to more than 5,200 personal computers. "The records included login information for accounts at over 300 companies, including leading global banks and financial services firms," the U.S. Attorney's Office points out. "In the course of the investigation, Gozi was found to have infected over 1 million computers across the United States, Germany, Great Britain, Poland, France, Finland, Italy, Turkey and other countries. U.S. victims include individuals, companies and others, including the National Aeronautics and Space Administration. Gozi caused at least tens of millions of dollars in losses to victims."