Skip to main content
Press Release

Romanian National Known As “Virus” Extradited For Operating “Bulletproof Hosting” Service That Facilitated The Distribution Of Destructive Malware

For Immediate Release
U.S. Attorney's Office, Southern District of New York

Damian Williams, the United States Attorney for the Southern District of New York, and Michael J. Driscoll, the Assistant Director-in-Charge of the New York Field Office of the Federal Bureau of Investigation (“FBI”), announced today that MIHAI IONUT PAUNESCU, a/k/a “Virus,” a dual Romanian and Latvian national, was extradited from Colombia for allegedly running a “bulletproof hosting” service that enabled cyber criminals to distribute the Gozi Virus, one of the most financially destructive computer viruses in history.  PAUNESCU also allegedly enabled other cybercrimes, such as distributing malware including the “Zeus Trojan” and the “SpyEye Trojan,” initiating and executing distributed denial of service (“DDoS”) attacks, and transmitting spam.  PAUNESCU was initially arrested in Romania in December 2012 and released on bail, and he was arrested again in Colombia last year at the request of the United States.  PAUNESCU was presented yesterday before U.S. Magistrate Judge Gabriel W. Gorenstein and detained.  The case is assigned to U.S. District Judge Lorna G. Schofield.

U.S. Attorney Damian Williams said:  “Mihai Ionut Paunescu is alleged to have run a “bulletproof hosting” service that enabled cyber criminals throughout the world to spread the Gozi Virus and other malware and to commit numerous other cybercrimes.  His hosting service was specifically designed to allow cyber criminals to remain hidden and anonymous from law enforcement.  Even though he was initially arrested in 2012, Paunescu will finally be held accountable inside a U.S. courtroom.  This case demonstrates that we will work with our law enforcement partners here and abroad to pursue cyber criminals who target Americans, no matter how long it takes.”

According to allegations in documents filed in Manhattan federal court[1]:

The Gozi Virus is malicious computer code or “malware” that stole personal bank account information, including usernames and passwords, from the users of affected computers. The Gozi Virus infected over one million victim computers worldwide, among them at least 40,000 computers in the United States, including computers belonging to the National Aeronautics and Space Administration (“NASA”), as well as computers in Germany, Great Britain, Poland, France, Finland, Italy, Turkey and elsewhere, and it caused tens of millions of dollars in losses to the individuals, businesses, and government entities whose computers were infected.  Once installed, the Gozi Virus – which was intentionally designed to be undetectable by anti-virus software – collected data from the infected computer in order to capture personal bank account information, including usernames and passwords.  That data was then transmitted to various computer servers controlled by the cyber criminals who used the Gozi Virus.  These cyber criminals then used the personal bank account information to transfer funds out of the victims’ bank accounts and ultimately into their own personal possession.

“Bulletproof hosting” services helped cyber criminals distribute the Gozi Virus with little fear of detection by law enforcement.  Bulletproof hosts provided cyber criminals using the Gozi Virus with the critical online infrastructure they needed, such as Internet Protocol (“IP”) addresses and computer servers, in a manner designed to enable them to preserve their anonymity.

PAUNESCU operated a “bulletproof hosting” service that helped cyber criminals distribute the Gozi Virus and commit other cybercrimes, such as distributing malware including the “Zeus Trojan” and the “SpyEye Trojan,” initiating and executing DDoS attacks, and transmitting spam.  PAUNESCU rented servers and IP addresses from legitimate Internet service providers and then in turn rented them to cyber criminals; provided servers that cyber criminals used as command-and-control servers to conduct DDoS attacks; monitored the IP addresses that he controlled to determine if they appeared on a special list of suspicious or untrustworthy IP addresses; and relocated his customers’ data to different networks and IP addresses, including networks and IP addresses in other countries, to avoid being blocked as a result of private security or law enforcement scrutiny.

*                *                *

PAUNESCU, 37, of Bucharest, Romania, is charged with one count of conspiracy to commit computer intrusion, which carries a maximum penalty of 10 years in prison; one count of conspiracy to commit bank fraud, which carries a maximum penalty of 30 years in prison; and one count of conspiracy to commit wire fraud, which carries a maximum penalty of 20 years in prison.

The maximum and minimum potential sentences are prescribed by Congress and are provided here for informational purposes only, as any sentencing of the defendant will be determined by the judge.

Mr. Williams praised the investigative work of the FBI.  Mr. Williams also thanked the NASA Office of Inspector General, and the Columbian National Police.  In addition, Mr. Williams thanked the Department of Justice’s Computer Crime and Intellectual Property Section (CCIPS) for its partnership in this matter.  The U.S. Department of Justice’s Office of International Affairs of the Department’s Criminal Division, the Narcotic and Dangerous Drug Section (NDDS) Judicial Attachés in Bogota, Colombia, and the U.S. Marshal Service provided significant assistance in securing the defendant’s extradition from Colombia.

This case is being handled by the Office’s Complex Frauds & Cybercrime Unit.  Assistant United States Attorney Sarah Lai is in charge of the prosecution.

The charges contained in the Indictment are merely accusations and the defendant is presumed innocent unless and until proven guilty.



[1] As the introductory phrase signifies, the entirety of the text of the Indictment constitutes only allegations, and every fact described herein should be treated as an allegation.


Nicholas Biase
(212) 637-2600

Updated July 22, 2022

Press Release Number: 22-228