{
	"id": "d83f721b-8400-48d7-a904-24f949ada874",
	"created_at": "2026-04-06T00:12:19.631475Z",
	"updated_at": "2026-04-10T13:12:51.580682Z",
	"deleted_at": null,
	"sha1_hash": "b39c2c22572566062e6ff698103d3d291eb0f1e8",
	"title": "FIN7 sysadmin behind \"billions in damage\" gets 10 years",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 41078,
	"plain_text": "FIN7 sysadmin behind \"billions in damage\" gets 10 years\r\nBy Pieter Arntz\r\nPublished: 2021-04-19 · Archived: 2026-04-05 19:44:10 UTC\r\nIn 2018 three high-ranking members of a sophisticated international cybercrime group operating out of Eastern\r\nEurope were arrested and taken into custody by US authorities. Ukrainian nationals Dmytro Fedorov, Fedir\r\nHladyr, and Andrii Kolpakov, were members of a prolific hacking group widely known as FIN7.\r\nHladyr is the systems administrator for the FIN7 hacking group, and is considered the mastermind behind the\r\nCarbanak campaign, a series of cyberattacks said to stolen as much as $900 million from banks in early part of the\r\nlast decade. Last week Hladyr was sentenced in the Western District of Washington to 10 years in prison for his\r\nhigh-level role in FIN7.\r\nThe Carbanak campaign first made international headlines in 2015 as one of the first malware campaigns that\r\nspecialized in remote ATM robberies. But FIN7 had already been active for a few years at that point and was\r\ninvolved in a lot more banking and financial malware than just the ATM machines manipulation.\r\nThe malware\r\nSince 2013 FIN7 have attempted to attack banks, e-payment systems, and financial institutions using pieces of\r\nmalware they designed, known as Carbanak and Cobalt. Carbanak is considered a further development of the\r\nAnunak malware campaign that targeted financial transfers and ATM networks of financial institutions around the\r\nworld.\r\nThe campaigns all started with spear-phishing targeted at bank employees. When targets executed a malicious\r\nattachment the criminals were able to remotely control the victims’ infected machine. 
With access to a bank’s\r\ninternal network, they were able to work their way internally until they gained control of the servers controlling\r\nATMs.\r\nA very detailed analysis of Anunak by Fox-IT and Group-IB can be found here (pdf).\r\nBy the following year, the same coders had improved the Anunak malware into a more sophisticated version,\r\nknown as Carbanak. From then onwards, FIN7 focused its efforts on developing an even more sophisticated wave\r\nof attacks by using tailor-made malware based on the Cobalt Strike penetration testing software, but Carbanak\r\nremained part of their toolset.\r\nIn the US alone, FIN7 successfully breached the computer networks of companies in 47 states and the District of\r\nColumbia, stealing more than 15 million customer card records from over 6,500 individual point-of-sale terminals\r\nat more than 3,600 separate business locations.\r\nAttribution\r\nhttps://blog.malwarebytes.com/reports/2021/04/fin7-sysadmin-behind-billions-in-damage-gets-10-years/\r\nPage 1 of 3\n\nMany believe that the Carbanak malware was used by at least two separate entities: FIN7 and the Carbanak\r\nGroup. This can be very confusing when trying to establish a timeline, or when trying to solve any “whodunnit”\r\nmysteries. Once malware has been released and has proven to be successful you can count on other criminals\r\ntrying to steal, copy, or rip off the code and techniques. So, if the Carbanak malware was used in a specific attack,\r\nit is not always clear which group was behind that attack, although it is clear that FIN7 was one of its users.\r\nThe arrest\r\nThe leader of the crime gang behind the Carbanak and Cobalt malware attacks was arrested in Alicante, Spain.\r\nThe arrest was announced by Europol on 26 March 2018. 
According to Europol, the activities of the gang were\r\nbelieved to have resulted in losses of over EUR 1 billion for the financial industry.\r\nArresting the leader of that group did not stop the activities of the group though. The FIN7 campaigns appear to\r\nhave continued, with the Hudson’s Bay Company breach using point-of-sale malware in April of 2018 being\r\nattributed to the group.\r\nThe arrest of Hladyr in August of 2018 at the request of the US Department of Justice, along with two other high-ranking members of the group, did not have that effect either. In 2020, cooperation between FIN7 and the Ryuk\r\noperators was suspected when the tools and techniques of FIN7, including the Carbanak Remote Administration\r\nTool (RAT), were used to take over the network of an enterprise.\r\nThe conviction\r\nAfter being extradited to the US in 2019, Hladyr pleaded guilty to one count of conspiracy to commit wire fraud\r\nand one count of conspiracy to commit computer hacking, in his role as the systems administrator of the FIN7\r\ngroup.\r\nAccording to acting US Attorney Tessa M. Gorman of the Western District of Washington:\r\nThis criminal organization had more than 70 people organized into business units and teams. Some\r\nwere hackers, others developed the malware installed on computers, and still others crafted the\r\nmalicious emails that duped victims into infecting their company systems. This defendant worked at the\r\nintersection of all these activities and thus bears heavy responsibility for billions in damage caused to\r\ncompanies and individual consumers.\r\nThe Department of Justice says that Hladyr joined FIN7 via a front company called Combi Security but soon\r\nlearned that it was a fake cybersecurity company with a phony website and no legitimate customers. 
It asserts that\r\nHladyr served as FIN7’s systems administrator and played a central role in aggregating stolen payment card\r\ninformation, supervising FIN7’s hackers, and maintaining the servers used to attack and control victims’\r\ncomputers. Hladyr also controlled the organization’s encrypted channels of communication.\r\nAbout the author\r\nWas a Microsoft MVP in consumer security for 12 years running. Can speak four languages. Smells of rich\r\nmahogany and leather-bound books.\r\nSource: https://blog.malwarebytes.com/reports/2021/04/fin7-sysadmin-behind-billions-in-damage-gets-10-years/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://blog.malwarebytes.com/reports/2021/04/fin7-sysadmin-behind-billions-in-damage-gets-10-years/"
	],
	"report_names": [
		"fin7-sysadmin-behind-billions-in-damage-gets-10-years"
	],
	"threat_actors": [
		{
			"id": "c9617bb6-45c8-495e-9759-2177e61a8e91",
			"created_at": "2022-10-25T15:50:23.405039Z",
			"updated_at": "2026-04-10T02:00:05.387643Z",
			"deleted_at": null,
			"main_name": "Carbanak",
			"aliases": [
				"Carbanak",
				"Anunak"
			],
			"source_name": "MITRE:Carbanak",
			"tools": [
				"Carbanak",
				"Mimikatz",
				"PsExec",
				"netsh"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "9de1979b-40fc-44dc-855d-193edda4f3b8",
			"created_at": "2025-08-07T02:03:24.92723Z",
			"updated_at": "2026-04-10T02:00:03.755516Z",
			"deleted_at": null,
			"main_name": "GOLD LOCUST",
			"aliases": [
				"Anunak",
				"Carbanak",
				"Carbon Spider ",
				"FIN7 ",
				"Silicon "
			],
			"source_name": "Secureworks:GOLD LOCUST",
			"tools": [
				"Carbanak"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "bb8702c5-52ac-4359-8409-998a7cc3eeaf",
			"created_at": "2023-01-06T13:46:38.405479Z",
			"updated_at": "2026-04-10T02:00:02.961112Z",
			"deleted_at": null,
			"main_name": "FIN7",
			"aliases": [
				"ATK32",
				"G0046",
				"G0008",
				"Sangria Tempest",
				"ELBRUS",
				"GOLD NIAGARA",
				"Coreid",
				"Carbanak",
				"Carbon Spider",
				"JokerStash",
				"CARBON SPIDER"
			],
			"source_name": "MISPGALAXY:FIN7",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "ed3810b7-141a-4ed0-8a01-6a972b80458d",
			"created_at": "2022-10-25T16:07:23.443259Z",
			"updated_at": "2026-04-10T02:00:04.602946Z",
			"deleted_at": null,
			"main_name": "Carbanak",
			"aliases": [
				"Anunak",
				"Carbanak",
				"Carbon Spider",
				"ELBRUS",
				"G0008",
				"Gold Waterfall",
				"Sangria Tempest"
			],
			"source_name": "ETDA:Carbanak",
			"tools": [
				"AVE_MARIA",
				"Agentemis",
				"AmmyyRAT",
				"Antak",
				"Anunak",
				"Ave Maria",
				"AveMariaRAT",
				"BABYMETAL",
				"BIRDDOG",
				"Backdoor Batel",
				"Batel",
				"Bateleur",
				"BlackMatter",
				"Boostwrite",
				"Cain \u0026 Abel",
				"Carbanak",
				"Cl0p",
				"Cobalt Strike",
				"CobaltStrike",
				"DNSMessenger",
				"DNSRat",
				"DNSbot",
				"DRIFTPIN",
				"DarkSide",
				"FOXGRABBER",
				"FlawedAmmyy",
				"HALFBAKED",
				"JS Flash",
				"KLRD",
				"MBR Eraser",
				"Mimikatz",
				"Nadrac",
				"Odinaff",
				"POWERPIPE",
				"POWERSOURCE",
				"PsExec",
				"SQLRAT",
				"Sekur",
				"Sekur RAT",
				"SocksBot",
				"SoftPerfect Network Scanner",
				"Spy.Agent.ORM",
				"TEXTMATE",
				"TeamViewer",
				"TiniMet",
				"TinyMet",
				"Toshliph",
				"VB Flash",
				"WARPRISM",
				"avemaria",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "f4f16213-7a22-4527-aecb-b964c64c2c46",
			"created_at": "2024-06-19T02:03:08.090932Z",
			"updated_at": "2026-04-10T02:00:03.6289Z",
			"deleted_at": null,
			"main_name": "GOLD NIAGARA",
			"aliases": [
				"Calcium ",
				"Carbanak",
				"Carbon Spider ",
				"FIN7 ",
				"Navigator ",
				"Sangria Tempest ",
				"TelePort Crew "
			],
			"source_name": "Secureworks:GOLD NIAGARA",
			"tools": [
				"Bateleur",
				"Carbanak",
				"Cobalt Strike",
				"DICELOADER",
				"DRIFTPIN",
				"GGLDR",
				"GRIFFON",
				"JSSLoader",
				"Meterpreter",
				"OFFTRACK",
				"PILLOWMINT",
				"POWERTRASH",
				"SUPERSOFT",
				"TAKEOUT",
				"TinyMet"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "bfded1cf-be73-44f9-a391-0751c9996f9a",
			"created_at": "2022-10-25T15:50:23.337107Z",
			"updated_at": "2026-04-10T02:00:05.252413Z",
			"deleted_at": null,
			"main_name": "FIN7",
			"aliases": [
				"FIN7",
				"GOLD NIAGARA",
				"ITG14",
				"Carbon Spider",
				"ELBRUS",
				"Sangria Tempest"
			],
			"source_name": "MITRE:FIN7",
			"tools": [
				"Mimikatz",
				"AdFind",
				"JSS Loader",
				"HALFBAKED",
				"REvil",
				"PowerSploit",
				"CrackMapExec",
				"Carbanak",
				"Pillowmint",
				"Cobalt Strike",
				"POWERSOURCE",
				"RDFSNIFFER",
				"SQLRat",
				"Lizar",
				"TEXTMATE",
				"BOOSTWRITE"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "d85adfe3-e1c3-40b0-b8bb-d1bacadc4d82",
			"created_at": "2022-10-25T16:07:23.619566Z",
			"updated_at": "2026-04-10T02:00:04.690061Z",
			"deleted_at": null,
			"main_name": "FIN7",
			"aliases": [
				"APT-C-11",
				"ATK 32",
				"G0046",
				"Gold Niagara",
				"GrayAlpha",
				"ITG14",
				"TAG-CR1"
			],
			"source_name": "ETDA:FIN7",
			"tools": [
				"7Logger",
				"Agentemis",
				"Anubis Backdoor",
				"Anunak",
				"Astra",
				"BIOLOAD",
				"BIRDWATCH",
				"Bateleur",
				"Boostwrite",
				"CROWVIEW",
				"Carbanak",
				"Cobalt Strike",
				"CobaltStrike",
				"DICELOADER",
				"DNSMessenger",
				"FOWLGAZE",
				"HALFBAKED",
				"JSSLoader",
				"KillACK",
				"LOADOUT",
				"Lizar",
				"Meterpreter",
				"Mimikatz",
				"NetSupport",
				"NetSupport Manager",
				"NetSupport Manager RAT",
				"NetSupport RAT",
				"NetSupportManager RAT",
				"POWERPLANT",
				"POWERSOURCE",
				"RDFSNIFFER",
				"Ragnar Loader",
				"SQLRAT",
				"Sardonic",
				"Sekur",
				"Sekur RAT",
				"TEXTMATE",
				"Tirion",
				"VB Flash",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434339,
	"ts_updated_at": 1775826771,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/b39c2c22572566062e6ff698103d3d291eb0f1e8.pdf",
		"text": "https://archive.orkl.eu/b39c2c22572566062e6ff698103d3d291eb0f1e8.txt",
		"img": "https://archive.orkl.eu/b39c2c22572566062e6ff698103d3d291eb0f1e8.jpg"
	}
}