{ "id": "50d9d05d-6071-439e-9c9f-455972caf92c", "created_at": "2026-04-06T00:13:12.341941Z", "updated_at": "2026-04-10T03:35:53.108709Z", "deleted_at": null, "sha1_hash": "805a2c0666ee96476ab824c78032d3eca3cf5a89", "title": "Three Carbanak cyber heist gang members arrested", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 354786, "plain_text": "Three Carbanak cyber heist gang members arrested\r\nBy Warwick Ashford\r\nPublished: 2018-08-02 · Archived: 2026-04-05 14:58:30 UTC\r\nThree alleged members of the Carbanak gang believed to be responsible for more\r\nthan 100 cyber heists worldwide have been arrested, US authorities have\r\nannounced\r\nFour months after the arrest of the suspected mastermind of the Carbanak cyber heist gang in Spain, three more\r\n“high-ranking” members have been arrested, according to the US Department of Justice (DoJ).\r\nSince 2013, the cyber crime gang – also known as Fin7 and JokerStash – has attempted to attack banks, e-payment\r\nsystems and financial institutions using pieces of malware they designed, known as Carbanak and Cobalt, and is\r\nlinked to the theft of up to $1bn from financial institutions worldwide.\r\nThe criminal operation has targeted banks in more than 40 countries and has resulted in cumulative losses of more\r\nthan €1bn for the financial industry, according to Europol, with the Cobalt malware enabling criminals to steal up\r\nto €10m per heist.\r\nThe DoJ said the latest arrests involve three Ukrainian citizens linked to the theft of credit and debit card records\r\nfrom restaurants, casinos and other businesses across the US, as well as in the UK, France and Australia, with\r\nlosses totalling tens of millions of dollars.\r\nDmytro Fedorov (44), Fedir Hladyr (33) and Andrii Kolpakov (30) face 26 charges that include wire fraud,\r\ncomputer hacking and identity theft.\r\nHladyr, who was arrested in Germany in January, is in custody in Seattle, while Fedorov is being held in Poland\r\nand Kolpakov is in Spain, both awaiting extradition to the US.\r\nThe group is believed to have hacked into thousands of computer systems and stolen millions of customer credit\r\nand debit card numbers, which the group used or sold for profit through criminal marketplaces on the dark web,\r\nthe DoJ said in a statement.\r\nIn many cases, the gang is believed to have used cleverly crafted emails to trick employees into activating an\r\nadapted version of the Carbanak malware and other tools to access and steal payment card data.\r\nAccording to the DoJ, the group – which is still believed to be active – stole more than 15 million payment card\r\ndetails from more than 6,500 payment check-out points in the US alone.\r\nhttps://www.computerweekly.com/news/252446153/Three-Carbanak-cyber-heist-gang-members-arrested\r\nPage 1 of 4\n\n“Protecting consumers and companies who use the internet to conduct business – both large chains and small\r\n“mom and pop” stores – is a top priority for all of us in the Department of Justice,” said US Attorney Annette\r\nHayes. \r\n“Cyber criminals who believe that they can hide in faraway countries and operate from behind keyboards without\r\ngetting caught are just plain wrong. \r\n“We will continue our long-standing work with partners around the world to ensure cyber criminals are identified\r\nand held to account for the harm that they do – both to our pocketbooks and our ability to rely on the cyber\r\nnetworks we use,” she said.\r\nThe naming of the gang leaders marks a major step towards dismantling this sophisticated criminal enterprise, said\r\nFBI special agent in charge Jay Tabb.\r\n “As the lead federal agency for cyber attack investigations, the FBI will continue to work with its law\r\nenforcement partners worldwide to pursue the members of this devious group, and hold them accountable for\r\nstealing from American businesses and individuals,” he said.\r\nHladyr’s trial is currently scheduled for 22 October. No other trial dates have been set.\r\nRead more on Hackers and cybercrime prevention\r\nDOJ indicts 5 individuals in North Korea IT worker scam\r\nBy: Arielle Waldman\r\nhttps://www.computerweekly.com/news/252446153/Three-Carbanak-cyber-heist-gang-members-arrested\r\nPage 2 of 4\n\nEuropol sting operation smokes multiple botnets\r\nBy: Alex Scroxton\r\nAuthorities Successfully Disrupt LockBit Ransomware Group\r\nhttps://www.computerweekly.com/news/252446153/Three-Carbanak-cyber-heist-gang-members-arrested\r\nPage 3 of 4\n\nBy: Jill Hughes\r\nHHS, FBI Disrupt BreachForums Cybercriminal Marketplace\r\nBy: Jill Hughes\r\nSource: https://www.computerweekly.com/news/252446153/Three-Carbanak-cyber-heist-gang-members-arrested\r\nhttps://www.computerweekly.com/news/252446153/Three-Carbanak-cyber-heist-gang-members-arrested\r\nPage 4 of 4\n\n https://www.computerweekly.com/news/252446153/Three-Carbanak-cyber-heist-gang-members-arrested \nEuropol sting operation smokes multiple botnets \nBy: Alex Scroxton \nAuthorities Successfully Disrupt LockBit Ransomware Group\n Page 3 of 4", "extraction_quality": 1, "language": "EN", "sources": [ "Malpedia", "ETDA", "MISPGALAXY" ], "references": [ "https://www.computerweekly.com/news/252446153/Three-Carbanak-cyber-heist-gang-members-arrested" ], "report_names": [ "Three-Carbanak-cyber-heist-gang-members-arrested" ], "threat_actors": [ { "id": "c9617bb6-45c8-495e-9759-2177e61a8e91", "created_at": "2022-10-25T15:50:23.405039Z", "updated_at": "2026-04-10T02:00:05.387643Z", "deleted_at": null, "main_name": "Carbanak", "aliases": [ "Carbanak", "Anunak" ], "source_name": "MITRE:Carbanak", "tools": [ "Carbanak", "Mimikatz", "PsExec", "netsh" ], "source_id": "MITRE", "reports": null }, { "id": "9de1979b-40fc-44dc-855d-193edda4f3b8", "created_at": "2025-08-07T02:03:24.92723Z", "updated_at": "2026-04-10T02:00:03.755516Z", "deleted_at": null, "main_name": "GOLD LOCUST", "aliases": [ "Anunak", "Carbanak", "Carbon Spider ", "FIN7 ", "Silicon " ], "source_name": "Secureworks:GOLD LOCUST", "tools": [ "Carbanak" ], "source_id": "Secureworks", "reports": null }, { "id": "d90307b6-14a9-4d0b-9156-89e453d6eb13", "created_at": "2022-10-25T16:07:23.773944Z", "updated_at": "2026-04-10T02:00:04.746188Z", "deleted_at": null, "main_name": "Lead", "aliases": [ "Casper", "TG-3279" ], "source_name": "ETDA:Lead", "tools": [ "Agentemis", "BleDoor", "Cobalt Strike", "CobaltStrike", "RbDoor", "RibDoor", "Winnti", "cobeacon" ], "source_id": "ETDA", "reports": null }, { "id": "610a7295-3139-4f34-8cec-b3da40add480", "created_at": "2023-01-06T13:46:38.608142Z", "updated_at": "2026-04-10T02:00:03.03764Z", "deleted_at": null, "main_name": "Cobalt", "aliases": [ "Cobalt Group", "Cobalt Gang", "GOLD KINGSWOOD", "COBALT SPIDER", "G0080", "Mule Libra" ], "source_name": "MISPGALAXY:Cobalt", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "bb8702c5-52ac-4359-8409-998a7cc3eeaf", "created_at": "2023-01-06T13:46:38.405479Z", "updated_at": "2026-04-10T02:00:02.961112Z", "deleted_at": null, "main_name": "FIN7", "aliases": [ "ATK32", "G0046", "G0008", "Sangria Tempest", "ELBRUS", "GOLD NIAGARA", "Coreid", "Carbanak", "Carbon Spider", "JokerStash", "CARBON SPIDER" ], "source_name": "MISPGALAXY:FIN7", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "ed3810b7-141a-4ed0-8a01-6a972b80458d", "created_at": "2022-10-25T16:07:23.443259Z", "updated_at": "2026-04-10T02:00:04.602946Z", "deleted_at": null, "main_name": "Carbanak", "aliases": [ "Anunak", "Carbanak", "Carbon Spider", "ELBRUS", "G0008", "Gold Waterfall", "Sangria Tempest" ], "source_name": "ETDA:Carbanak", "tools": [ "AVE_MARIA", "Agentemis", "AmmyyRAT", "Antak", "Anunak", "Ave Maria", "AveMariaRAT", "BABYMETAL", "BIRDDOG", "Backdoor Batel", "Batel", "Bateleur", "BlackMatter", "Boostwrite", "Cain \u0026 Abel", "Carbanak", "Cl0p", "Cobalt Strike", "CobaltStrike", "DNSMessenger", "DNSRat", "DNSbot", "DRIFTPIN", "DarkSide", "FOXGRABBER", "FlawedAmmyy", "HALFBAKED", "JS Flash", "KLRD", "MBR Eraser", "Mimikatz", "Nadrac", "Odinaff", "POWERPIPE", "POWERSOURCE", "PsExec", "SQLRAT", "Sekur", "Sekur RAT", "SocksBot", "SoftPerfect Network Scanner", "Spy.Agent.ORM", "TEXTMATE", "TeamViewer", "TiniMet", "TinyMet", "Toshliph", "VB Flash", "WARPRISM", "avemaria", "cobeacon" ], "source_id": "ETDA", "reports": null }, { "id": "f4f16213-7a22-4527-aecb-b964c64c2c46", "created_at": "2024-06-19T02:03:08.090932Z", "updated_at": "2026-04-10T02:00:03.6289Z", "deleted_at": null, "main_name": "GOLD NIAGARA", "aliases": [ "Calcium ", "Carbanak", "Carbon Spider ", "FIN7 ", "Navigator ", "Sangria Tempest ", "TelePort Crew " ], "source_name": "Secureworks:GOLD NIAGARA", "tools": [ "Bateleur", "Carbanak", "Cobalt Strike", "DICELOADER", "DRIFTPIN", "GGLDR", "GRIFFON", "JSSLoader", "Meterpreter", "OFFTRACK", "PILLOWMINT", "POWERTRASH", "SUPERSOFT", "TAKEOUT", "TinyMet" ], "source_id": "Secureworks", "reports": null }, { "id": "bfded1cf-be73-44f9-a391-0751c9996f9a", "created_at": "2022-10-25T15:50:23.337107Z", "updated_at": "2026-04-10T02:00:05.252413Z", "deleted_at": null, "main_name": "FIN7", "aliases": [ "FIN7", "GOLD NIAGARA", "ITG14", "Carbon Spider", "ELBRUS", "Sangria Tempest" ], "source_name": "MITRE:FIN7", "tools": [ "Mimikatz", "AdFind", "JSS Loader", "HALFBAKED", "REvil", "PowerSploit", "CrackMapExec", "Carbanak", "Pillowmint", "Cobalt Strike", "POWERSOURCE", "RDFSNIFFER", "SQLRat", "Lizar", "TEXTMATE", "BOOSTWRITE" ], "source_id": "MITRE", "reports": null }, { "id": "d85adfe3-e1c3-40b0-b8bb-d1bacadc4d82", "created_at": "2022-10-25T16:07:23.619566Z", "updated_at": "2026-04-10T02:00:04.690061Z", "deleted_at": null, "main_name": "FIN7", "aliases": [ "APT-C-11", "ATK 32", "G0046", "Gold Niagara", "GrayAlpha", "ITG14", "TAG-CR1" ], "source_name": "ETDA:FIN7", "tools": [ "7Logger", "Agentemis", "Anubis Backdoor", "Anunak", "Astra", "BIOLOAD", "BIRDWATCH", "Bateleur", "Boostwrite", "CROWVIEW", "Carbanak", "Cobalt Strike", "CobaltStrike", "DICELOADER", "DNSMessenger", "FOWLGAZE", "HALFBAKED", "JSSLoader", "KillACK", "LOADOUT", "Lizar", "Meterpreter", "Mimikatz", "NetSupport", "NetSupport Manager", "NetSupport Manager RAT", "NetSupport RAT", "NetSupportManager RAT", "POWERPLANT", "POWERSOURCE", "RDFSNIFFER", "Ragnar Loader", "SQLRAT", "Sardonic", "Sekur", "Sekur RAT", "TEXTMATE", "Tirion", "VB Flash", "cobeacon" ], "source_id": "ETDA", "reports": null } ], "ts_created_at": 1775434392, "ts_updated_at": 1775792153, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/805a2c0666ee96476ab824c78032d3eca3cf5a89.pdf", "text": "https://archive.orkl.eu/805a2c0666ee96476ab824c78032d3eca3cf5a89.txt", "img": "https://archive.orkl.eu/805a2c0666ee96476ab824c78032d3eca3cf5a89.jpg" } }