A computer virus that spread to more than a million computers worldwide, including some at Nasa, and produced at least US$50 million (NZ$59 million) in illegal profits or losses to victims should be a "wake-up call" for banks and consumers unaware of the threat posed by internet criminals, a prosecutor has said.
US Attorney Preet Bharara and George Venizelos, head of the New York FBI office, warned of the growing threat to financial and international security as they announced that a 2 ½-year probe had resulted in three arrests, two of them overseas, and the seizure of vast amounts of computer-related evidence that will take months or years to fully analyse.
They said the Gozi virus had infected 40,000 computers in the United States since 2005, including 190 at the National Aeronautics and Space Administration, along with computers in Germany, Great Britain, Poland, France, Finland, Italy, Turkey and elsewhere.
"This case should serve as a wake-up call to banks and consumers alike because cybercrime remains one of the greatest threats we face, and it is not going away anytime soon," Bharara said. "It threatens individuals, businesses and governments alike."
He told a news conference that cybercriminals "believe that their online anonymity and their distance from New York render them safe from prosecution, but nothing could be further from the truth."
Venizelos said law enforcement had seized 51 computer servers in Romania, along with laptops, desktops and external hard drives, accumulating more than 250 terabytes of information.
"That vast pile of data is almost certain to aid criminal investigation at FBI offices around the country as well as law enforcement agencies around the world," he said. "It is more than standard boilerplate to say that this investigation is very much ongoing."
So far, the investigation has produced three arrests, including that of Nikita Kuzmin, a 25-year-old Russian who pleaded guilty to computer intrusion and fraud charges in Manhattan in May 2011, admitting his role in creating the virus. The plea by the Moscow resident was followed by the arrest in November of a co-conspirator in Latvia and another in Romania last month. Extradition proceedings are under way against both on various criminal charges, including conspiracy.
The Nasa breach occurred from December 14, 2007, to August 9, 2012, with the most damage occurring between May and August last year, according to documents filed in US District Court in Manhattan. The infected computers sent data without user authorization, including login credentials for an eBay account and a NASA email account, details of visited websites and the contents of Google chat messages.
Mihai Ionut Paunescu, 28, who was arrested in Romania, set up online infrastructure that allowed others to distribute destructive viruses and malicious software, including ones dubbed Zeus Trojan, SpyEye and BlackEnergy, according to a criminal complaint filed against him. The document said Paunescu, a Romanian national residing in Bucharest, was also known as "Virus".
The Gozi virus was designed in 2005 and distributed beginning in 2007, when it was secretly installed onto each victim's computer in a manner that left it virtually undetectable by antivirus software.
Deniss Calovskis, 27, was arrested in Riga, Latvia, where he is a citizen and resident, on charges including bank fraud conspiracy.
Extradition proceedings had begun to bring them to New York for trial.
Charges against Kuzmin carry a maximum penalty of 95 years in prison while charges against Calovskis carry up to 67 years and charges against Paunescu have a maximum penalty of 60 years.
Authorities say Kuzmin began designing the Gozi virus in 2005 to steal personal bank account information of individuals and businesses in a widespread way. They said he hired a programmer to write the software and began renting it to others for a weekly fee, advertising it on Internet forums devoted to cybercrime and other criminal activities.
Beginning in 2009, Kuzmin offered the code to others for US$50,000 plus a guaranteed share of future profits, court documents said.
Authorities said Calovskis had training and expertise in computer programming when he was hired by a co-conspirator to upgrade the virus with new code that would deceive victims into divulging additional personal information, such as a mother's maiden name.
Federal authorities sought at least US$50 million from Calovskis, an amount they said was obtained through the conspiracy.