A high-level member of the FIN7 organized crime group has been sentenced to 7 years in jail. The U.S. Department of Justice recently announced that Ukrainian national Andrii Kolpakov has been convicted in the Western District of Washington on one count of wire fraud and one count of conspiracy to commit computer hacking related to payment card theft. In addition to the lengthy jail term, Kolpakov was ordered to pay $2.5 million in restitution.
FIN7, also known as the Carbanak Group and Navigator Group, has been active since at least 2015. FIN7 is known for conducting phishing campaigns that distribute malware capable of stealing sensitive information such as debit and credit card data. The group targeted Point-of-Sale (PoS) systems of restaurants, retail outlets, hotels, and casinos. Once deployed, the malware silently exfiltrated bank card data when customers paid their bills. In many cases, it took several months for the malware to be detected, during which time tens of thousands of bank card details were stolen. The group then sold the stolen data to other cybercriminal operations for profit.
“FIN7 carefully crafted email messages that would appear legitimate to a business’s employees and accompanied emails with telephone calls intended to further legitimize the emails,” explained the U.S. Department of Justice. “Once an attached file was opened and activated, FIN7 would use an adapted version of the Carbanak malware, in addition to an arsenal of other tools, to access and steal payment card data for the business’s customers.” In the past year FIN7 has also been conducting data exfiltration and ransomware attacks on selected targets.
Kolpakov was a high-level FIN7 hacker referred to as a penetration tester by the FIN7 gang. Kolpakov was involved with the FIN7 gang from at least April 2016 until his arrest in June 2018. He was responsible for identifying weaknesses in the security defenses of targeted companies and breaching their defenses. Kolpakov also managed a group of lower-level hackers within the FIN7 group.
FIN7 had dozens of members who together stole more than 20 million credit card numbers from more than 6,500 POS terminals at over 3,600 businesses in the United States. The gang attacked companies in all 50 states and the District of Columbia since 2015 and stole more than 1 billion dollars from U.S. companies, as well as conducting attacks in the United Kingdom, France, and Australia.
“[FIN7] engaged in a highly sophisticated malware campaign to attack hundreds of U.S. companies, predominantly in the restaurant, gambling and hospitality industries. FIN7 hacked into thousands of computer systems and stole millions of customer credit and debit card numbers that were then used or sold for profit,” said the Department of Justice. “During the course of the scheme, Kolpakov received compensation for his participation in FIN7, which far exceeded comparable legitimate employment in Ukraine.”
The gang has been actively pursued by law enforcement in the United States, with assistance provided by a number of international agencies. Law enforcement had arrested several suspected members of the FIN7 gang but, despite the arrests, Kolpakov and other gang members continued to operate. Kolpakov was tracked to Spain and, at the request of U.S. law enforcement, was arrested by Spanish law enforcement in June 2018 in Lepe, Spain. Kolpakov was extradited to the United States in June 2019 to face charges related to his pen tester role in the gang and pleaded guilty to the two hacking counts in June 2020.