{
	"id": "7566e950-94ff-41ad-a464-68ffd9fae9a8",
	"created_at": "2026-04-06T00:10:42.335794Z",
	"updated_at": "2026-04-10T13:13:06.886868Z",
	"deleted_at": null,
	"sha1_hash": "9d1319bbb267b90ef2211302d29d4a68b5ec6980",
	"title": "Another Alleged FIN7 Cybercrime Gang Member Arrested",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 201905,
	"plain_text": "Another Alleged FIN7 Cybercrime Gang Member Arrested\r\nBy Ishita Chigilli Palli\r\nArchived: 2026-04-05 18:51:59 UTC\r\nFaces 13 Charges, Including Computer Hacking (Ishita_CP) • May 27, 2020\r\nThe FBI has arrested another alleged member of the FIN7 cybercrime gang, which has been stealing millions of\r\npayment cards and other financial data since at least September 2015, according to federal court documents.\r\nUkrainian national Denys Iarmak was extradited from Thailand and arrested in Seattle on Friday, according to\r\ndocuments unsealed by the U.S. District Court for the Western District of Washington in Seattle. He’s the fourth\r\nalleged member of the group to be arrested and charged in the last two years.\r\nIarmak, who remains in federal custody, has been charged with multiple criminal counts, including wire fraud;\r\nconspiracy to commit computer hacking; conspiracy to commit wire and bank fraud; three counts of aggravated\r\nidentity theft; three counts of accessing a protected computer in furtherance of fraud; three counts of intentional\r\ndamage to a protected computer; and access device fraud and forfeiture allegations, the federal court documents\r\nshow.\r\nFIN7, also known as Carbanak or Navigator, is a financially motivated cybercrime group known to use spear-phishing mails containing malicious Word and Google document attachments that load malware on targeted\r\ndevices to steal payment card information, according to federal prosecutors.\r\nOver the years, authorities allege, FIN7 has targeted restaurant chains, casinos and hospitality businesses,\r\nincluding Chipotle Mexican Grill, Arby's, Chili's, Red Robin Gourmet Burgers, Taco John's, Sonic Drive-in 
and\r\nEmerald Queen Hotel and Casino (see: Credit Card Theft Ringleader Pleads Guilty).\r\nThe group allegedly stole more than 15 million payment card records from over 6,500 point-of-sale terminals\r\nacross more than 3,600 business locations, according to the Justice Department.\r\nIarmak's Role\r\nTo carry out its activities, FIN7 created a front company called Combi Security that purported to be a\r\ncybersecurity pen-testing firm based in Russia and Israel, prosecutors allege in court documents.\r\nThe front company then \"hired\" computer programmers under the pretense of having them work on pen-testing for\r\nclients, prosecutors allege. Iarmak was allegedly one such \"pen-tester\" whose job was breaching the security of\r\nvictims’ networks, according to the indictment.\r\n\"In truth and in fact, the defendant and his FIN7 co-conspirators well knew Combi Security was a front company\r\nused to hire and deploy hackers who were given tasks in furtherance of the FIN7 conspiracy,\" the indictment\r\nstates.\r\nLaw enforcement officials allege that Iarmak sent internal system information stolen from a victim company to\r\nFIN7 manager Fedir Hladyr in a Jabber communication. Numerous other Jabber communications between\r\nIarmak and other FIN7 members discussing phishing emails, malware tools, victim information and other illegal\r\nactivities were also found, according to the indictment.\r\nHladyr, who is also from Ukraine, pleaded guilty to multiple charges in federal court in September 2019 and is\r\nawaiting sentencing, federal prosecutors say.\r\nFIN7's Illegal Activities\r\nThe spear-phishing emails lured victims by faking an interest in their organization or by falsely claiming to be\r\nfrom organizations such as the U.S. Securities and Exchange Commission, according to the indictment. 
While\r\ntargeting one restaurant chain, the hackers inquired about placing a catering order, the details of which they said\r\nwere in a malicious attachment, according to court documents.\r\nThe FIN7 hackers went one step further, calling the victims to convince them to open the attached documents, the\r\nindictment alleges.\r\nOnce a victim's computer was infected, FIN7 allegedly would install additional malware, such as the backdoor\r\nCarbanak, to remotely control the device and then add it to the gang's botnet, according to the court documents.\r\nThe group operated a global network of servers and used Jira project management software to collaborate with\r\nother members of the group and share attack details, the document adds.\r\nOther Arrests\r\nIn 2018, the Justice Department unsealed indictments against three alleged high-level members of the gang:\r\nHladyr, Dmytro Fedorov and Andrii Kolpakov.\r\nFedorov was arrested in Bielsko-Biala, Poland, and Kolpakov was arrested in Lepe, Spain, in 2018. Both were\r\nlater extradited to the U.S. and pleaded not guilty. Their trial began in August 2019 and is set to continue in\r\nOctober 2020.\r\nAccording to an FBI alert, the FIN7 group is still active. 
In March, the bureau warned businesses that FIN7 was\r\nmailing malicious USB storage devices to victims, along with a teddy bear and supposed $50 gift card to Best Buy\r\n(see: FBI: Cybercrime Gang Mailing 'BadUSB' Devices to Targets).\r\nSource: https://www.bankinfosecurity.com/another-alleged-fin7-cybercrime-gang-member-arrested-a-14345",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.bankinfosecurity.com/another-alleged-fin7-cybercrime-gang-member-arrested-a-14345"
	],
	"report_names": [
		"another-alleged-fin7-cybercrime-gang-member-arrested-a-14345"
	],
	"threat_actors": [
		{
			"id": "c9617bb6-45c8-495e-9759-2177e61a8e91",
			"created_at": "2022-10-25T15:50:23.405039Z",
			"updated_at": "2026-04-10T02:00:05.387643Z",
			"deleted_at": null,
			"main_name": "Carbanak",
			"aliases": [
				"Carbanak",
				"Anunak"
			],
			"source_name": "MITRE:Carbanak",
			"tools": [
				"Carbanak",
				"Mimikatz",
				"PsExec",
				"netsh"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "9de1979b-40fc-44dc-855d-193edda4f3b8",
			"created_at": "2025-08-07T02:03:24.92723Z",
			"updated_at": "2026-04-10T02:00:03.755516Z",
			"deleted_at": null,
			"main_name": "GOLD LOCUST",
			"aliases": [
				"Anunak",
				"Carbanak",
				"Carbon Spider ",
				"FIN7 ",
				"Silicon "
			],
			"source_name": "Secureworks:GOLD LOCUST",
			"tools": [
				"Carbanak"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "bb8702c5-52ac-4359-8409-998a7cc3eeaf",
			"created_at": "2023-01-06T13:46:38.405479Z",
			"updated_at": "2026-04-10T02:00:02.961112Z",
			"deleted_at": null,
			"main_name": "FIN7",
			"aliases": [
				"ATK32",
				"G0046",
				"G0008",
				"Sangria Tempest",
				"ELBRUS",
				"GOLD NIAGARA",
				"Coreid",
				"Carbanak",
				"Carbon Spider",
				"JokerStash",
				"CARBON SPIDER"
			],
			"source_name": "MISPGALAXY:FIN7",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "ed3810b7-141a-4ed0-8a01-6a972b80458d",
			"created_at": "2022-10-25T16:07:23.443259Z",
			"updated_at": "2026-04-10T02:00:04.602946Z",
			"deleted_at": null,
			"main_name": "Carbanak",
			"aliases": [
				"Anunak",
				"Carbanak",
				"Carbon Spider",
				"ELBRUS",
				"G0008",
				"Gold Waterfall",
				"Sangria Tempest"
			],
			"source_name": "ETDA:Carbanak",
			"tools": [
				"AVE_MARIA",
				"Agentemis",
				"AmmyyRAT",
				"Antak",
				"Anunak",
				"Ave Maria",
				"AveMariaRAT",
				"BABYMETAL",
				"BIRDDOG",
				"Backdoor Batel",
				"Batel",
				"Bateleur",
				"BlackMatter",
				"Boostwrite",
				"Cain \u0026 Abel",
				"Carbanak",
				"Cl0p",
				"Cobalt Strike",
				"CobaltStrike",
				"DNSMessenger",
				"DNSRat",
				"DNSbot",
				"DRIFTPIN",
				"DarkSide",
				"FOXGRABBER",
				"FlawedAmmyy",
				"HALFBAKED",
				"JS Flash",
				"KLRD",
				"MBR Eraser",
				"Mimikatz",
				"Nadrac",
				"Odinaff",
				"POWERPIPE",
				"POWERSOURCE",
				"PsExec",
				"SQLRAT",
				"Sekur",
				"Sekur RAT",
				"SocksBot",
				"SoftPerfect Network Scanner",
				"Spy.Agent.ORM",
				"TEXTMATE",
				"TeamViewer",
				"TiniMet",
				"TinyMet",
				"Toshliph",
				"VB Flash",
				"WARPRISM",
				"avemaria",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "f4f16213-7a22-4527-aecb-b964c64c2c46",
			"created_at": "2024-06-19T02:03:08.090932Z",
			"updated_at": "2026-04-10T02:00:03.6289Z",
			"deleted_at": null,
			"main_name": "GOLD NIAGARA",
			"aliases": [
				"Calcium ",
				"Carbanak",
				"Carbon Spider ",
				"FIN7 ",
				"Navigator ",
				"Sangria Tempest ",
				"TelePort Crew "
			],
			"source_name": "Secureworks:GOLD NIAGARA",
			"tools": [
				"Bateleur",
				"Carbanak",
				"Cobalt Strike",
				"DICELOADER",
				"DRIFTPIN",
				"GGLDR",
				"GRIFFON",
				"JSSLoader",
				"Meterpreter",
				"OFFTRACK",
				"PILLOWMINT",
				"POWERTRASH",
				"SUPERSOFT",
				"TAKEOUT",
				"TinyMet"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "bfded1cf-be73-44f9-a391-0751c9996f9a",
			"created_at": "2022-10-25T15:50:23.337107Z",
			"updated_at": "2026-04-10T02:00:05.252413Z",
			"deleted_at": null,
			"main_name": "FIN7",
			"aliases": [
				"FIN7",
				"GOLD NIAGARA",
				"ITG14",
				"Carbon Spider",
				"ELBRUS",
				"Sangria Tempest"
			],
			"source_name": "MITRE:FIN7",
			"tools": [
				"Mimikatz",
				"AdFind",
				"JSS Loader",
				"HALFBAKED",
				"REvil",
				"PowerSploit",
				"CrackMapExec",
				"Carbanak",
				"Pillowmint",
				"Cobalt Strike",
				"POWERSOURCE",
				"RDFSNIFFER",
				"SQLRat",
				"Lizar",
				"TEXTMATE",
				"BOOSTWRITE"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "d85adfe3-e1c3-40b0-b8bb-d1bacadc4d82",
			"created_at": "2022-10-25T16:07:23.619566Z",
			"updated_at": "2026-04-10T02:00:04.690061Z",
			"deleted_at": null,
			"main_name": "FIN7",
			"aliases": [
				"APT-C-11",
				"ATK 32",
				"G0046",
				"Gold Niagara",
				"GrayAlpha",
				"ITG14",
				"TAG-CR1"
			],
			"source_name": "ETDA:FIN7",
			"tools": [
				"7Logger",
				"Agentemis",
				"Anubis Backdoor",
				"Anunak",
				"Astra",
				"BIOLOAD",
				"BIRDWATCH",
				"Bateleur",
				"Boostwrite",
				"CROWVIEW",
				"Carbanak",
				"Cobalt Strike",
				"CobaltStrike",
				"DICELOADER",
				"DNSMessenger",
				"FOWLGAZE",
				"HALFBAKED",
				"JSSLoader",
				"KillACK",
				"LOADOUT",
				"Lizar",
				"Meterpreter",
				"Mimikatz",
				"NetSupport",
				"NetSupport Manager",
				"NetSupport Manager RAT",
				"NetSupport RAT",
				"NetSupportManager RAT",
				"POWERPLANT",
				"POWERSOURCE",
				"RDFSNIFFER",
				"Ragnar Loader",
				"SQLRAT",
				"Sardonic",
				"Sekur",
				"Sekur RAT",
				"TEXTMATE",
				"Tirion",
				"VB Flash",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434242,
	"ts_updated_at": 1775826786,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/9d1319bbb267b90ef2211302d29d4a68b5ec6980.pdf",
		"text": "https://archive.orkl.eu/9d1319bbb267b90ef2211302d29d4a68b5ec6980.txt",
		"img": "https://archive.orkl.eu/9d1319bbb267b90ef2211302d29d4a68b5ec6980.jpg"
	}
}