The three accused are Nikita Kuzmin (Russian), Deniss Calovskis (Latvian) and Mihai Ionut Paunescu (Romanian). Kuzmin is considered both the ringleader and mastermind behind the Gozi malware. Court papers say that in 2005 he developed the technical specification for a virus to steal personal bank account information. He then subcontracted the coding to “a sophisticated computer programmer to write the virus’s ‘source code.’”
Gozi became one of the earliest and most successful man-in-the-browser trojans, infecting, say the papers, “at a minimum, over 100,000 computers around the world, including at least 25,000 computers in the United States, and has caused, at a minimum, tens of millions of dollars in losses.” Elsewhere, the indictment makes clear that the government will be seeking forfeiture of $50 million in reparations.
Calovskis, aka 'Miami', is accused of providing code tweaks to Gozi to customize the web injects for specific clients. The web injects define how the falsified web page will appear in the user’s browser, allowing the attacker to request specific or additional information, which the malware then sends to the command and control servers.
Those C&C servers may well have been provided by, or at least shielded by, Paunescu’s bullet-proof hosting service.
The whole operation, from conception to fruition, together with the FBI’s investigation, is laid out in the documents published by the Department of Justice. “They make fascinating reading,” comments Paul Ducklin of Sophos, “weaving together the activities of the accused troika into a long-running story that could apply to almost any successful online enterprise – but for the fact that the business described is unashamedly devious and criminal.”