{
	"id": "2d61b3d5-7cc0-44d4-bfb2-40bb19f6a2ce",
	"created_at": "2026-04-06T00:12:34.263378Z",
	"updated_at": "2026-04-10T13:11:22.324043Z",
	"deleted_at": null,
	"sha1_hash": "5ac6aea44db5752448c4855ad22b47ff7e0d28ce",
	"title": "FIN7 manager sentenced to 7 years for role in global hacking scheme",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 182611,
	"plain_text": "FIN7 manager sentenced to 7 years for role in global hacking\r\nscheme\r\nBy Adam Janofsky\r\nPublished: 2022-12-17 · Archived: 2026-04-05 16:08:04 UTC\r\nA key member of the international cybercrime group FIN7 was sentenced to 84 months in prison and ordered to\r\npay $2.5 million in restitution on Thursday for his role in breaching a wide range of American businesses.\r\nAndrii Kolpakov, a Ukranian national, pleaded guilty in November to conspiracy to commit wire fraud and\r\ncomputer hacking. Kolpakov worked as a manager and recruiter for the gang, hiring and supervising hackers who\r\nstole payment card information from dozens of companies primarily in the restaurant, gaming, and hospitality\r\nindustries, including Chipotle, Chili’s, Arby’s, and Red Robin.\r\nProsecutors said FIN7 attacked hundreds of U.S. businesses to steal tens of millions of payment cards, causing\r\nover $1 billion in damages according to some estimates. The group monetized the stolen information in various\r\nways, including selling large dumps of credit cards on underground marketplaces such as Joker’s Stash.\r\nKolpakov’s offenses carried a penalty of up to 25 years in prison and fines of up to half a million dollars, which\r\nwere waived by the judge.\r\nIn the sentencing hearing held in a Seattle court on Thursday, Kolpakov’s lawyer said that he was not a criminal\r\nmastermind, but a person who was “backed into a corner” after unwittingly joining the group. Kolpakov\r\nmaintained that he did not seek to join FIN7—he applied to a classified advertisement for what he thought was a\r\nlegitimate cybersecurity job at a company called Combi Security. Additionally, Kolpakov made about $75,000 for\r\nhis work—an amount that provided his family security and stability, but a modest sum for a cybercriminal.\r\nKolpakov's lawyer claimed that he was unaware of FIN7's illegal activity, and joined the group after applying for\r\na job at Combi Security, which he believed to be legitimate.\r\nKolpakov spoke during the sentencing hearing, apologizing for his work with the group and asking for forgiveness\r\nfrom his victims, saying that he suffered greatly while in custody during a pandemic in a foreign country.\r\nAccording to prosecutors, FIN7 masqueraded as Combi in order to recruit hackers and give its workers plausible\r\ndeniability that they were involved in a global hacking scheme. They also claimed it would be obvious to a key\r\nhttps://therecord.media/fin7-manager-sentenced-to-7-years-for-role-in-global-hacking-scheme/\r\nPage 1 of 3\n\nemployee like Kolpakov that the organization was engaging in illegal activity.\r\nFrom at least april 2016 to June 2018, prosecutors alleged that Kolpakov served as a “high-level hacker” in the\r\norganization, probing and mapping victims’ networks in search of point-of-sale systems and customer payment\r\ncard data. They specifically tied him to the hack of Jason’s Deli, a restaurant chain with hundreds of locations\r\nacross the U.S. that had millions of customer records breached and sold on the dark web.\r\n“He was elevated to a managerial role in which he also managed and supervised a small team of hackers tasked\r\nwith breaching the security of victims’ computer systems,” prosecutors wrote in a memorandum submitted days\r\nbefore the sentencing. “He was assigned to supervise and train new recruits and appraised his team members of\r\nnew tools and developments in the FIN7’s phishing campaigns and malware arsenal.”\r\nFIN7 typically launched tailored phishing campaigns against employees of target companies, especially targeting\r\ncustomer service representatives and managers. In one email sent to a restaurant manager, a group member\r\ncomplained about food poisoning to pressure the victim into clicking on a malicious attachment. “Yesterday my\r\ncolleagues ate your food. In a few hours we felt discomfort in the stomach… I would like to understand what had\r\nhappened and solve the issue. Enclosed file contains all the necessary information.”\r\nSpanish police arrested Kolpakov in 2018 while he was on vacation in the town of Lepe. He was in possession of\r\nelectronic devices, including a laptop, phone, and storage devices that were used in the scheme, and he was\r\nextradited to the U.S. the following year.\r\nhttps://therecord.media/fin7-manager-sentenced-to-7-years-for-role-in-global-hacking-scheme/\r\nPage 2 of 3\n\nAdam Janofsky\r\nis the founding editor-in-chief of The Record from Recorded Future News. He previously was the cybersecurity\r\nand privacy reporter for Protocol, and prior to that covered cybersecurity, AI, and other emerging technology for\r\nThe Wall Street Journal.\r\nSource: https://therecord.media/fin7-manager-sentenced-to-7-years-for-role-in-global-hacking-scheme/\r\nhttps://therecord.media/fin7-manager-sentenced-to-7-years-for-role-in-global-hacking-scheme/\r\nPage 3 of 3",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://therecord.media/fin7-manager-sentenced-to-7-years-for-role-in-global-hacking-scheme/"
	],
	"report_names": [
		"fin7-manager-sentenced-to-7-years-for-role-in-global-hacking-scheme"
	],
	"threat_actors": [
		{
			"id": "9de1979b-40fc-44dc-855d-193edda4f3b8",
			"created_at": "2025-08-07T02:03:24.92723Z",
			"updated_at": "2026-04-10T02:00:03.755516Z",
			"deleted_at": null,
			"main_name": "GOLD LOCUST",
			"aliases": [
				"Anunak",
				"Carbanak",
				"Carbon Spider ",
				"FIN7 ",
				"Silicon "
			],
			"source_name": "Secureworks:GOLD LOCUST",
			"tools": [
				"Carbanak"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "bb8702c5-52ac-4359-8409-998a7cc3eeaf",
			"created_at": "2023-01-06T13:46:38.405479Z",
			"updated_at": "2026-04-10T02:00:02.961112Z",
			"deleted_at": null,
			"main_name": "FIN7",
			"aliases": [
				"ATK32",
				"G0046",
				"G0008",
				"Sangria Tempest",
				"ELBRUS",
				"GOLD NIAGARA",
				"Coreid",
				"Carbanak",
				"Carbon Spider",
				"JokerStash",
				"CARBON SPIDER"
			],
			"source_name": "MISPGALAXY:FIN7",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "f4f16213-7a22-4527-aecb-b964c64c2c46",
			"created_at": "2024-06-19T02:03:08.090932Z",
			"updated_at": "2026-04-10T02:00:03.6289Z",
			"deleted_at": null,
			"main_name": "GOLD NIAGARA",
			"aliases": [
				"Calcium ",
				"Carbanak",
				"Carbon Spider ",
				"FIN7 ",
				"Navigator ",
				"Sangria Tempest ",
				"TelePort Crew "
			],
			"source_name": "Secureworks:GOLD NIAGARA",
			"tools": [
				"Bateleur",
				"Carbanak",
				"Cobalt Strike",
				"DICELOADER",
				"DRIFTPIN",
				"GGLDR",
				"GRIFFON",
				"JSSLoader",
				"Meterpreter",
				"OFFTRACK",
				"PILLOWMINT",
				"POWERTRASH",
				"SUPERSOFT",
				"TAKEOUT",
				"TinyMet"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "bfded1cf-be73-44f9-a391-0751c9996f9a",
			"created_at": "2022-10-25T15:50:23.337107Z",
			"updated_at": "2026-04-10T02:00:05.252413Z",
			"deleted_at": null,
			"main_name": "FIN7",
			"aliases": [
				"FIN7",
				"GOLD NIAGARA",
				"ITG14",
				"Carbon Spider",
				"ELBRUS",
				"Sangria Tempest"
			],
			"source_name": "MITRE:FIN7",
			"tools": [
				"Mimikatz",
				"AdFind",
				"JSS Loader",
				"HALFBAKED",
				"REvil",
				"PowerSploit",
				"CrackMapExec",
				"Carbanak",
				"Pillowmint",
				"Cobalt Strike",
				"POWERSOURCE",
				"RDFSNIFFER",
				"SQLRat",
				"Lizar",
				"TEXTMATE",
				"BOOSTWRITE"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "d85adfe3-e1c3-40b0-b8bb-d1bacadc4d82",
			"created_at": "2022-10-25T16:07:23.619566Z",
			"updated_at": "2026-04-10T02:00:04.690061Z",
			"deleted_at": null,
			"main_name": "FIN7",
			"aliases": [
				"APT-C-11",
				"ATK 32",
				"G0046",
				"Gold Niagara",
				"GrayAlpha",
				"ITG14",
				"TAG-CR1"
			],
			"source_name": "ETDA:FIN7",
			"tools": [
				"7Logger",
				"Agentemis",
				"Anubis Backdoor",
				"Anunak",
				"Astra",
				"BIOLOAD",
				"BIRDWATCH",
				"Bateleur",
				"Boostwrite",
				"CROWVIEW",
				"Carbanak",
				"Cobalt Strike",
				"CobaltStrike",
				"DICELOADER",
				"DNSMessenger",
				"FOWLGAZE",
				"HALFBAKED",
				"JSSLoader",
				"KillACK",
				"LOADOUT",
				"Lizar",
				"Meterpreter",
				"Mimikatz",
				"NetSupport",
				"NetSupport Manager",
				"NetSupport Manager RAT",
				"NetSupport RAT",
				"NetSupportManager RAT",
				"POWERPLANT",
				"POWERSOURCE",
				"RDFSNIFFER",
				"Ragnar Loader",
				"SQLRAT",
				"Sardonic",
				"Sekur",
				"Sekur RAT",
				"TEXTMATE",
				"Tirion",
				"VB Flash",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434354,
	"ts_updated_at": 1775826682,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/5ac6aea44db5752448c4855ad22b47ff7e0d28ce.pdf",
		"text": "https://archive.orkl.eu/5ac6aea44db5752448c4855ad22b47ff7e0d28ce.txt",
		"img": "https://archive.orkl.eu/5ac6aea44db5752448c4855ad22b47ff7e0d28ce.jpg"
	}
}