Gozi, Part 2: Thief-in-Law

In 2010, Nikita Kuzmin returned to the malware scene with Gozi 2.0, an improved version of the successful banking Trojan. How did Gozi 2.0 fair against Zeus & the new generation of Trojans, and what can we learn from Nikita's story about how one becomes a malicious hacker in the first place?

Hosted By

Ran Levi

Born in Israel in 1975, Ran studied Electrical Engineering at the Technion Institute of Technology, and worked as an electronics engineer and programmer for several High Tech companies in Israel.
In 2007, created the popular Israeli podcast, Making History, with over 12 million downloads as of Oct. 2018.
Author of 3 books (all in Hebrew): Perpetuum Mobile: About the history of Perpetual Motion Machines; The Little University of Science: A book about all of Science (well, the important bits, anyway) in bite-sized chunks; Battle of Minds: About the history of computer malware.

Gozi, Part 2: Thief-in-Law

At an age when most of us were graduating high school, going through our rebellious phases, deciding what we want to do with our futures, Nikita Kuzmin was a prime target of the American and Russian governments, making hundreds of thousands of dollars off the criminal underground. His friends were some of the most respected hackers of their time. He’d built 76Service, the most sophisticated malware business to date, and, now in his 20s, was working on a new 76Service so good that it’d make the first irrelevant.

Gozi 2.0

To fund his second project, he sold the first Gozi trojan’s source code for $50,000 plus a share in future profits, to a fellow HangUp team member well-known to the hacker underground in Russia. His name is NSD, and he will make a comeback later in our story.

Between 2007 and 2010, Nikita worked on modernizing his malware, mostly by contracting hackers-for-hire. Three years on, little meaningful progress had been made. So, just as he did in 2006 for the first Gozi, he recruited some help.

If you visit the Wikipedia page for Deniss Calovskis, you might find it confusing. It claims he is the creator of the Gozi virus, which he is not. But even more confusing are the apparent contradictions in his life. He’s a criminal, and a founder of social nonprofits; a malware author, but also a certified data protection officer. That’s like being a cow and a fry cook. Most hackers look pretty bad in pictures–unkempt hair, a t-shirt, you know. Deniss, on the other hand, always looks like he’s ready to give a TED talk.

So who really is this Deniss Calovskis? Is he a cyber criminal fronting as a tech professional? Or a good guy who fell into a bad situation? Over the following half-decade, many important people would disagree on the answer.

In 2010, though, when he first started working for Nikita Kuzmin, Deniss was a relatively ordinary hacker in his early 20s. Working as a freelance programmer in his hometown of Riga, Latvia, he’d been short on cash ever since his father contracted cancer.

In online forums, he went by the moniker “Miami”. Prematurely balding, skin whiter than Latvian snow, you’d have to say the name didn’t really match the face. But what he lacked in melatonin, he made up for in coding skills.

Calovskis’ job was to modernize Gozi, by upgrading its form-grabbing feature into an HTML web-injecting feature. In the four years since 2006, banking trojans had advanced past Gozi. In addition to simply reading off and extracting data from forms, the best banking trojans could perform man-in-the-middle hacks, actively modifying web sessions on their host computers. You can think of it like this: bank trojans, in the early-to-mid 2000s, were like somebody who peeks over your shoulder while you visit an ATM. By the end of the decade, banking trojans could build their own ATMs. You’d walk up, not realizing anything was wrong, even as you handed criminals your highest-sensitivity information.

That’s what Nikita wanted for his newer, better Gozi. On September 20th of 2010, he sent Deniss his source code as a RAR file. A few weeks later, the upgraded program was ready for action. Gozi version two featured keylogging, screen capturing, it monitored network traffic, grabbed login credentials stored in browsers, and hid itself from plain view by using a rootkit component.

Most importantly, Deniss’ web inject was a success. Whenever an infected computer user visited an online banking site, just as login forms were loading up, the program would insert its own form onto the webpage. These forms would look just about indistinguishable from the bank’s website, except they would ask for even more, and more sensitive, information than you’d otherwise have to enter in order to view your account. So the malware didn’t have to rely on bank forms asking for that information. Like a criminal who builds an exact replica of an ATM, Gozi was well-masked–its victim might not realize that anything was wrong as they gave up their name, birthday, social security number and whatever other data a hacker could have wanted. The only clue that something was wrong, in fact, was all the data these forms asked for. A savvy computer user might ask: why do I need my credit card number, driver’s license, and mother’s maiden name, just to get into my bank account? But most of us are not so cautious, especially when the webpage doesn’t look at all out of the ordinary.

Bullet Proof Hosting

The program was now ready, and it needed a platform. Kuzmin brought on another partner to handle everything server-side, a role once occupied by his former partner Exoric. That new partner was Mihai Ionut Paunescu. Mihai was in his late 20s–tall, darker white complexion, crew-cut black hair, living in Bucharest, Romania with his girlfriend. Online, he was known as “Virus” (a bit on-the-nose, if you ask me).

Unlike Deniss Calovskis, Mihai was not a complicated figure. There’s no questioning what his motives were, or what kind of guy he was. He was a criminal. Though, ironically, his father was a lawyer.

Mihai was good at what he did, but not particularly careful about it. His online footprint could’ve been discovered without much more than a Google search. And he was cocky. In one instance, authorities uncovered a text message exchange between he and a client. The client wasn’t being responsive. “Answer me, damn it, I’m Virus!” he wrote.

Mihai’s trade was bulletproof hosting. Bulletproof hosts provide a platform to the kinds of internet users whose content would otherwise be flagged by reputable internet service providers. They’re cesspools of violent material, illegal pornography, and, especially, malware. Aside from allowing cybercriminals a platform to thrive, bulletproof hosts provide a level of anonymity that protects clients from being traced by law enforcement. Mihai was particularly adept at covering up criminal activity. If an IP address associated with a given client was being flagged or investigated by authorities, he would move the client to a new network, and a new IP address, based in a new country with less-strict cybercrime enforcement.

Like Nikita, Mihai approached cybercrime like a businessman. He purchased his servers from legitimate providers, and usually sold them at a markup of around three times their original cost. He called his service “Powerhouse”, hosting around 130 servers at a time, renting them out for 100, 500, sometimes over 1,000 euros per month. Half of Powerhouse’s renters were websites which hosted malware. Leaked data obtained by Brian Krebs revealed that its biggest client was “TowPow”–a major distributor of spam and fake herbal supplements advertising. Other clients used Powerhouse to launch DDoS attacks, or drop stolen bank and credit card information, obtained with trojans like Zeus and, soon, Gozi.
I chatted with Miahi over Facebook Messenger. For reasons you’ll soon understand, he didn’t want to speak openly about Gozi, but claims he never talked to Nitika or Deniss: they way he seems it, Gozi was just one more customer of his.

A Much Bigger Problem

Hosted by Powerhouse, Gozi and 76Service were re-launched in the Fall of 2010. This second time around, the service didn’t sell quite as well. The price of a typical 76Service subscription was the same: two thousand dollars. But the market was different now. Zeus was now by far the world’s biggest banking trojan. In 2009 alone, Zeus had infected approximately three and a half million machines worldwide, far more than Gozi ever came close to.

Gozi was no longer the hot new item. In one text conversation intercepted by the FBI, Nikita pleaded with a client, quote: “Why do you need Zeus, take my trojan. Mine is much cooler, it doesn’t get burned by proactives and works with win7 and vista.” End quote.

This, however, paled in comparison to a much bigger problem he had. No matter whether Gozi Two was a success or not, Nikita, Deniss and Mihai were screwed from the start.

The FBI–which, if you remember, were tracking Gozi ever since Don Jackson’s investigation in 2006–were already after the mastermind Russian hacker behind their infamous banking trojan. In May 2010 they’d received a legal warrant to tap the boys’ phones, intercept their online communications, and start taking 76Service servers offline.

The main target of their surveillance had no idea it was happening. While selling 76Service, Nikita was talking openly to people online about the kind of stuff that helped his pursuers track him down. He told one person about the make and model of his car, and often publicized updates on where he happened to be at any given time. He gave his bank information to a client for a money transfer, and to another, his email address, which was tied to a social media account where he posted pictures of himself and his friends.

It’s easy to forget, in all the criminal masterminding, that Nikita was only just a 22 year-old at this point. But, reading what he openly shared online, we’re reminded of it. He wrote to one hacker about how hard he worked to get his girlfriend into a Russian magazine equivalent of Playboy. Other times, he reminisced about his plans to travel the world.

On November 19th, 2010, for example, Kuzmin sent an instant message to another hacker. “I think I will go to Thailand and then I will go somewhere else and get lost,” he said. Three days later, he was in Bangkok.

As fate would have it, five days after that, Nikita flew to San Francisco. Bad idea. He was apprehended by U.S. police upon arrival.

76Service was now out of Nikita’s hands, but Gozi remained at large. With protection from Powerhouse, Gozi 2.0 would infect tens of thousands of predominantly American and European computers over the following half-decade. According to Ars Technica, one New York resident lost $200,000 to a Gozi breach in 2012. That’s a lot of money, right? Well, another two victims lost a combined six million dollars to Gozi hackers. These weren’t companies, mind you, these were individual people who were taken for millions of dollars a piece. All because they opened a nondescript PDF attachment in an email, and then visited their bank’s website some time later.

Another notable Gozi victim was NASA. In 2014, a Chinese hacker sold access to NASA’s internal networks through a Gozi-enabled backdoor. The buyer was a branch of the Anonymous movement, whose members used that access to leak large troves of data. The group also claimed to have momentarily taken control of an unmanned, multi-million-dollar drone as it flew over the ocean.

The Fall of 76Service

In May 2011, Kuzmin pleaded guilty to his crimes and began cooperating with authorities. It’s easy to understand why: if subject to the maximum penalty on all crimes he was charged with, Nikita would have faced a total of 95 years in jail. Ultimately, he was sentenced to 37 months, with a fine of 6.9 million dollars in restitution, for all the money he’d stolen.

Meanwhile, as Kuzmin began talking, the FBI built up their thick file on Gozi and its distributors. They tapped online communications and identified servers. Among their data was a phone number with an area code based in Bucharest. In fact, it was registered to a company called “KLM Internet & Gaming SRL”. That company, in turn, was registered under the name “Mihai Ionut Paunescu”.

According to Ars Technica, the FBI handed over the information to Romania’s Directorate for Combating Organized Crime, which in turn received a warrant to tap the number. Over the course of Spring 2012, as Mihai Paunescu went about his daily life, each of his calls, text messages, and all his web activity was being recorded by police. Even his login information to websites was being siphoned off.

Mihai’s entire business rested on his ability to shield others’ criminal activity from the cops. When he himself was on the line, he failed to realize what was happening, and demonstrated uncharacteristic carelessness. He was far less secret in his business than one might expect of someone in his position. Romanian authorities often watched on live as he visited “adminpanel.ro”–the administrator site from which he oversaw the status of his 130 illegal bulletproof servers. What they discovered was outstanding: all of Mihai’s business, all of his notes, were laid out right there in front of them. They were both highly detailed, and surprisingly unconcealed. Each of his servers had a number, an address, a port, a name associated with its renter, the price he bought it at from a legitimate provider and the price he sold it for. He even wrote little notes about what each server was being used for. For example: “spy/malware”, “facebook spam” or, simply, “illegal”.

All that was needed was for Mihai to confirm himself as the proper owner of that phone he was using to access his illegal black market business. One day, he called the Romanian Commercial Bank to ask how he could withdraw 20,000 dollars from his account (not exactly the kind of thing ordinary people like you and I do every day). When asked for his name, he stated it: “Mihai Ionut Paunescu”. When asked for his ID number, it matched the national record. And that was all the authorities needed.

On November 27th, 2012, Mihai was arrested at his home in Bucharest. He says he was not surprised: someone let him know that the police was on to him, and so he was expecting a knock on the door to come at any moment. When I asked him why he didn’t fled Romania if he knew he was about to be arrested, he says he figured that if he stayed in the country he won’t deported to the US to stand trial there.
He was right. He was arrested for 4 months – but not deported. The criminal case against him is still being processed by the Romanian judiciary system, which is why he was reluctant to talk openly about his ties with 76Service. He says he has a family now, and if he could go back in time – ‘I would change a lot of things.’

A Martyr or A Criminal?

Deniss Calovskis was arrested in Latvia that same month. But his case was quite different. As his story became known to the public, he became a kind of martyr figure in his home country.

Latvian courts ruled that Deniss should be extradited to the United States for his crimes. He appealed the decision twice, and lost both times. But he was not immediately sent to the United States. People in high places took issue with his case, believing that the potential punishment was not equal to the crime. Deniss was facing up to 67 years in an American jail cell, all for writing just one component of a malware bought and sold by much more hardened cyber criminals than he.

In a public statement, Latvia’s Foreign Minister compared Deniss to Gary McKinnon, the autistic, script-kiddie hacker from Britain who could’ve been sentenced to life’s prison had he been extradited to the U.S. Deniss, like Gary, had a groundswell of support from local citizens, who hardly viewed him as the evil mastermind he was portrayed to be in American reports. While awaiting his sentencing, for example, he founded several nonprofit organizations meant to help his local community.

On August 6th of 2013, the country’s cabinet ministry voted seven to five in favor of the extradition, with one abstaining vote. The decision was probably agreed upon in light of a plea agreement Deniss signed with U.S. law enforcement, stating that he wouldn’t contend with any prison term amounting to two years or less. He was shipped overseas in February, 2015. In September, 2015, he pleaded guilty in U.S. court to conspiring to commit computer intrusions. He told the jury that he was working as a freelancer at the time he wrote Gozi’s inject feature, and that he did it as a way to raise money while his father was fighting cancer. “I must say, it was the biggest mistake,” he admitted.

In January of the following year, after 11 months in Latvian prison, and 10 in U.S. prison, a New York District Court judge concluded that Deniss had been punished enough, sentencing him to time served. In explaining her reasoning, she cited Deniss’ relatively minor role in the operation, and the relatively little money he earned from it. She told the court that Deniss’, “unusual individual characteristics will not … cause others to follow in his footsteps by my not giving him a longer sentence”.

Project Blitzkrieg

But that’s not where our story ends. The legacy of Gozi reaches far past what happened to Nikita, or his partners. Long after they all exited the picture, Gozi continued to find success in the wild. The code spread around and, like Haxdoor before it, Gozi became less a single trojan than a template for many hackers to make their own Gozi-like trojans.

For example, there was the Russian crime syndicate, under the title of “Project Blitzkrieg.”

On September 24th, 2012, as Nikita Kuzmin sat in American custody, and police forces in Latvia and Romania prepared to arrest Deniss Caloviskis and Mihai Paunescu, two Russians shot a recruitment video.

You’re listening to Oleg Vsevolodovich Tolstykh, otherwise known as “vorVzakone.” He’s standing with a business partner.

Remember when Nikita Kuzmin sold off Gozi’s source code for 50,000 dollars, to fund his second project? A friend–an even more notorious Russian hacker of the time–was his buyer. He went by the name NSD.

In the power vacuum left by the arrests of Nikita and his co-conspirators, Oleg Tolstykh began Project Blitzkrieg. He, NSD and their co-conspirators, the NeverQuest Crew, had their own, advanced version of the second Gozi program, and a new idea for how to monetize it: a “freemium” model.

Say you’re a hacker, and you’d like to join a criminal syndicate. Well, here was your chance. You could apply to join Project Blitzkrieg, simply by demonstrating capability and loyalty in an online interview. From there, you would receive a builder kit, a manual, and training. A 400 dollar “educational” fee could be waived if you possessed your own server, bots and accounts. Once you’ve passed your training, you were a part of the team.

For four years, NeverQuest Crew prepared this scheme. They improved on the Gozi source code, adding a feature that would allow a hacker to access a victim’s bank account, by cloning just about every component of the infected computer’s identification. Then they announced their scheme to the world, writing:

After we have 100 active members of the system, each one will be given a large number of accounts and loads with no upfront payment (i.e. you don’t have to invest money, but rather learn to use the Trojan and wait for large number of accounts from us). The goal – together, en-masse and simultaneously process large amount of the given material before anti-fraud measures are increased.

It’s kind of genius, right? Either that, or stupid. The plot became known to security experts around the world, who could only wait to see what would happen.

It turned out, in the end, that Project Blitzkrieg wasn’t a blitzkrieg so much as a slow drip. NeverQuest used Gozi to hack many individual bank accounts over 2012 and 2013, but none of such a grand scale as was promised. Using Gozi, they cracked 1,600 StubHub accounts, stealing 1.6 million dollars worth of concert tickets with the intent to resell. Seven members of the group–from New York, London, Toronto and Spain–were arrested. No Russian was taken into custody, and by all accounts, both vorVkazone and NSD remain free men to this day.

How Do You Become A Hacker?

Which brings us to a larger point. What connects Nikita Kuzmin, the main character of this story, with Oleg Tolstykh, a successor of his enterprise, is not just the code that they shared. It’s how people like them end up the way they are.

Consider this: why did Oleg feel comfortable showing up on camera, promoting a criminal enterprise? The answer is, actually, right in his name. If you translate “vorVkazone” into English, it means “thief in law.” Thief in law is a Soviet term, referring to a class of criminals that operate outside the purview of the law.

Nikita and Oleg are thieves in law. If Nikita never traveled to California, he’d have remained a free man, and a multi-millionaire, to this day. Russian authorities almost certainly would not have arrested him, just as they hadn’t arrested any Russian members of NeverQuest Crew.

Don Jackson once described Nikita’s, quote, “enthusiasm for the idea that Internet fraud, especially against Western targets, was a legitimate profession with better pay and perks than working for local computer and software retail outlets, university labs, and ISPs.” End quote. The statement seemed ridiculous at the beginning of our Part 1 episode. But Nikita was right all along. Cyber fraud is a legitimate profession, with better pay and perks than ordinary tech jobs, in Russia. In Russia it is no crime to do what either of these men have done.

We opened the first part of this two-part episode with a question: how does somebody end up becoming a hacker? It’s a complex question, without a single answer. One way to become a hacker, for example, is to be like Deniss Calovskis: skilled, but in financial debt–in a situation where carefully considering the consequences of your actions falls short of meeting your immediate needs. Or, you could be like Mihai Paunescu: talented, but completely narcissistic and amoral.

Or you could be a Nikita Kuzmin. He could’ve grown up to be a successful tech entrepreneur, security professional or anything else he set his mind to. But he was born into a particular world, around certain kinds of people and, at a young and impressionable age, turned towards the criminal underground. Why did he do this? For the same reason Oleg and NSD did: because it was the rational choice. Young boys like them stood a better chance of owning Toyotas, nice clothes, and big houses in nice neighborhoods if they used their talents maliciously, against the right targets. The Russian state benefits from nurturing and protecting thieves in law, who cause havoc against their Western adversaries but can’t reasonably be tied to the government.

Gozi is a malicious trojan that caused hundreds of millions of dollars in losses for individuals and businesses across the Western world.

But the story of Gozi is how a generation of cybercriminals was born out of a system that encourages young men to go rogue, and use their promise and talent towards attacking the West.

Most importantly, the lesson of Gozi is that the difference between a talented hacker and a talented cyber security expert might not be as innate as you’d think.