One of three men indicted in the US earlier this year in connection with the Gozi banking trojan remains in his native Latvia, after courts there twice blocked US requests for extradition.
The Latvian foreign minister has added his weight to the battle to resist the extradition, arguing that the potential 67 year prison sentence cited in the indictment is “disproportionate” to the crime the man is accused of.
27-year-old Deniss Čalovskis is named in the January 2013 indictment, along with Russian Nikita Kuzmin, already held in the US, and Romanian national Mihai Ionut Paunescu, also currently fighting extradition.
The trio are charged with running a crime syndicate using the Gozi malware in a campaign compared to a “modern-day bank robbery ring”, which may have infected over 1 million PCs worldwide, with as many as 40,000 in the US hit by the malware.
Gozi used HTML injection to doctor banking web pages and harvest login data, which was then used to siphon off funds. The botnet of compromised systems could be hired out and attacks tuned to target specific banks or user groups. Čalovskis is thought to have been the technical expert creating the HTML injection code.
All three men are accused of a range of conspiracy charges in the US, with the potential sentences ranging from 60 years for suspected Romanian hosting organiser Paunescu, through Čalovskis’ 67 years to a massive 95 years for alleged chief arranger Kuzmin, should he be found guilty and receive the maximum sentence for all charges.
These numbers are of course the maximum possible sentences, actual jail terms are extremely unlikely to come anywhere close to these figures. However, the exorbitant numbers have been enough to delay and possibly prevent extradition.
Prison sentences in the US are extremely high, as are all figures connected to the US’ sprawling corrections industry.
Over two million people are behind bars in the USA and close to 3% of the population is either locked up, on parole or on probation. The turnover of the prison system runs into many billions of dollars and the long-standing use of cheap prison labour has added billions to the output of several major US companies.
The sharp increase in prison population over the last 30 years or so has been fed by ever-stricter sentencing, heavily influenced by the “war on drugs” and the “three strikes” rule, to the extent that sentencing structures are now well out of line with the rest of the civilized world.
Cybercrime is a global problem that requires worldwide co-operation and collaboration by diverse justice and law enforcement agencies.
With the bad guys operating in cross-national and even inter-continental teams, coordinated global scoops are needed to round up crooks detected by complex international, inter-agency investigations.
Once the perps are all safely in custody they need to be brought to book under somebody’s jurisdiction. In most cases this involves an extradition process.
As most countries’ extradition rules prevent the deportation of citizens to countries where they might face penalties that local judges would find insane, the US risks upsetting the delicate balance required to ensure these worldwide prosecutions can be effectively completed.
I have no problem with tough sentences for cybercriminals, but they should remain within the bounds of sanity.
Threatening crazily hefty punishments may seem like a way to create a strong deterrent against new starters joining the malware underworld. They will fail to provide that deterrent, though, if they are seen to be no more than empty threats which cannot be enforced.