Latvia's Foreign Affairs Minister has expressed unhappiness at US attempts to extradite the alleged co-creator of the Gozi data-stealing Trojan, citing the disproportionate severity of sentence he might receive if found guilty.
In January, the US Department of Justice (DOJ) publically indicted Deniss Calovskis, along with alleged accomplices Mihai Ionut Paunescu and Nikita Kuzmin, for their roles in using Gozi to infect 1 million PC, including 40,000 based in the US, stealing tens of millions of dollars.
Russian national and non-programmer Kuzmin was said to have come up with the idea for the malware while Latvian Calovskis customised it to attack bank websites; Romanian Paunescu was said to have organised the ‘bulletproof’ (i.e criminal) hosting servers.
Now, in a website statement, Latvian Minister of Foreign Affairs Edgars Rinkevics has expressed his unhappiness that Calovskis, arrested in December 2012, could face a 60-year stretch under US laws.
"In my view, such a penalty is disproportionate to the amount, and so far no-one has been able to conclusively dispel my fears that it might be otherwise," he said in a statement translated from Latvian by the BBC.
He also question whether the crimes Calovskis was accused of had actually taken place on US soil and suggested that if found guilty he should be able to serve his sentence in Latvia.
In Internet malware terms, Gozi is ancient history. The three men are said to have started the project in 2005 as part of a pioneering example of banking malware, which these days is a mainstream threat category. Gozi was first spotted by security vendors in late 2006 or early 2007 when its appearance caused some alarm.
Once up and running, the creators are alleged to have leased the software at $50,000 (plus a cut of profits) a time to more experienced Internet criminals who used to for campaigns against specific banks.
The main vector was booby-trapped PDFs and keylogging, exfiltrating the stolen credentials back to servers.
The DOJ position remains that Internet cybercriminals should no longer be able to feel they are beyond the reach of global law.
“Cyber criminals believe that their online anonymity and their distance from New York render them safe from prosecution. Nothing could be further from the truth, as today’s charges demonstrate,” said Southern District of New York attorney, Preet Bharara in last January’s indictment presentation.
As to the severity of US sentencing guidelines, the DOJ would doubtless also argue that in the absence of effective international prosecution of cybercriminals, US law should act as a worldwide deterrent.