Security Experts:

Human Rights Court Approves Extradition of Gozi Malware Suspect to U.S.

The European Court of Human Rights (ECHR) ruled on Thursday that a Latvian man suspected of being involved in the creation of the Gozi banking Trojan would not be exposed to a real risk of ill-treatment if he were to be extradited to the United States.

Deniss Calovskis, 29, was charged by a US court in August 2012 for his alleged role in cybercriminal operations that leveraged the "Gozi Virus," which is said to have infected at least 40,000 computers in the United States and cost victims tens of millions in losses and damage. The Latvian national is also suspected of writing computer code for the malware, particularly Web injects.

The United States Department of Justice requested the man's extradition in November 2012, and the next month Latvian authorities arrested him and placed him in pre-extradition detention. Latvia announced its decision to extradite Calovskis in August 2013, but the man filed an appeal with the ECHR, which asked the government to suspend the extradition during the proceedings.

Calovskis, who was released from jail in October 2013, argued that if he were to be extradited to the United States, he would risk being subjected to torture and given a disproportionate prison sentence. The human rights court said the alleged cybercriminal also complained that he was placed in a cage during his court hearing, that he had insufficient time to prepare for his detention hearing, and that he had been unable to receive legal assistance during his arrest.

According to the ECHR, Latvian authorities have violated the suspect's rights in these last three matters, but the court has approved his extradition.

"The Court found that Mr Čalovskis would not be exposed to a real risk of ill-treatment if he were extradited to the United States by virtue of his being indicted of cybercrime-related offences. Neither did that risk emerge from the statements of the United States officials relied upon by the applicant," the court ruled. "The applicant’s argument based on the comparison of penalties under the United States and Latvian law did not suffice to demonstrate that the prison sentence in the United States could be 'grossly disproportionate'."

However, Calovskis can't be extradited to the United States just yet. The court has asked the Latvian government not to extradite the suspect until the judgment is final, or until a further decision is taken on the matter.

Calovskis, who has been charged with five counts of bank fraud conspiracy, access device fraud conspiracy and computer intrusion, faces 67 years in prison if convicted in the United States.


view counter
Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.