The self-confessed creator of the infamous Gozi trojan was sentenced to time served and ordered to pay $6.9m in restitution by a New York court on Monday.
Nikita Kuzmin, a 28-year-old Russian citizen, pleaded guilty to computer hacking and fraud charges in May 2011.
He was released after 37 months served on remand, as part of a plea bargaining agreement that involved his co-operation on other (unspecified) investigations.
The Gozi banking trojan first surfaced in 2007 and “infected over one million computers globally and caused tens of millions of dollars in losses” since, according to a US Department of Justice statement that accompanied Kuzmin’s sentencing.
Kuzmin is credited with pioneering the now commonplace tactic of renting out malware and associated infrastructures to other, less technically skilled crooks. This malware-as-a-service offer was marketed through underground cybercrime markets.
Deniss Calovskis, AKA “Miami,” a Latvian national who wrote web injects¹ for the Gozi trojan, was released earlier this year after serving 21 months for his role in the malware-based scam.
Mihai Ionut Paunescu, a Romanian national who is alleged to have operated a “bulletproof hosting” service used to distribute Gozi and other malware, faces US extradition proceedings following his arrest in Romania in November 2012. ®
¹ Web injects allow malware such as Gozi to target information from specific banks, essentially by presenting victims with dialogue boxes on compromised machines that mimic the look and feel of what their real bank serves to clients. Info coaxed out of marks is sent to crooks and gives them the login details and other information needed to loot compromised bank accounts.