Threat Management, Malware

Gozi malware creator cuts deal, gets time served and $7M fine


The man behind the creation of Gozi banking malware was sentenced on May 2 to time served, 37 months, and a $7 million fine for his role in creating and distributing the malicious software that infected more than one million computers inflicting millions of dollars in losses.

Nikita Kuzmin, a Russian citizen, was sentenced by United States District Judge for the Southern District of New York Kimba M. Wood to time served and ordered to pay forfeiture and restitution totaling $6.93 million. Kuzmin pleaded guilty in May 2011 pursuant to a cooperation agreement.

Bharara pointed out to Woods that Kuzmin provided “substantial assistance” to the government, but the details of this are under seal.

Kuzmin's Gozi venture began in 2007, according to a letter from United States Attorney Preet Bharara to Woods, when Gozi popped up on the radar of network security experts. A server was eventually identified to contain data stolen by Gozi to include 10,000 bank account records belonging to 5,200 people along with records and login information for accounts at more than 300 companies worldwide.

However, Kuzmin was not happy just stealing money from the accounts. Bharara wrote that he came up with the new and ingenious idea to rent out the malware to other cybercriminals, helping found the cybercrime as a service crime model. Prosecutors said he charged $500 per week payable in WebMoney, a popular digital currency at the time. Overall, it is estimated 1 million computers were infected.

“Once Kuzmin's customers succeeded in infecting victims' computers with Gozi, the malware caused victim s' bank account information to be sent to a server that Kuzmin controlled where, as long as the criminals had paid their weekly rental fee, Kuzmin gave them access to it,” Bharara wrote.

This was dubbed 76 Service, named after Kuzmin's online identity “76.” The 76 Service was shut down around 2009 because Kuzmin told prosecutors it was starting to attract notice by infosec experts. At this point he began to sell the Gozi source code for $50,000, although he did received a cut of the profits from some of his customers.

Kuzmin estimated selling and renting Gozi netted him about $250,000.

In the course of coming clean concerning Gozi, Kuzmin also admitted to being involved in other cybercrimes, including selling stolen ICQ numbers associated AOL Messenger, making about $20,000. Next he sold database logs containing financial account data, user names and passwords. This enabled him to steal about $50,000 from more than 100 different bank accounts worldwide.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.