{
	"id": "9889e84f-1aea-48a4-8479-6da370ef20c9",
	"created_at": "2026-04-06T00:12:28.827949Z",
	"updated_at": "2026-04-10T03:35:52.877108Z",
	"deleted_at": null,
	"sha1_hash": "d8bf505e803d53fe7d7514c3fd8717ed60ba5259",
	"title": "Three Members of Notorious International Cybercrime Group “Fin7” In Custody for Role in Attacking Over 100 U.S. companies",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 42397,
	"plain_text": "Three Members of Notorious International Cybercrime Group\r\n“Fin7” In Custody for Role in Attacking Over 100 U.S. companies\r\nPublished: 2018-08-01 · Archived: 2026-04-02 11:32:10 UTC\r\nThree high-ranking members of a sophisticated international cybercrime group operating out of Eastern Europe\r\nhave been arrested and are currently in custody facing charges filed in U.S. District Court in Seattle, announced\r\nAssistant Attorney General Brian A. Benczkowski of the Justice Department’s Criminal Division, U.S. Attorney\r\nAnnette L. Hayes for the Western District of Washington and Special Agent in Charge Jay S. Tabb Jr. of the FBI\r\nSeattle Field Office.\r\nAccording to three federal indictments unsealed today, Ukrainian nationals Dmytro Fedorov, 44, Fedir Hladyr, 33,\r\nand Andrii Kolpakov, 30, are members of a prolific hacking group widely known as FIN7 (also referred to as the\r\nCarbanak Group and the Navigator Group, among other names).  Since at least 2015, FIN7 members engaged in a\r\nhighly sophisticated malware campaign targeting more than 100 U.S. companies, predominantly in the restaurant,\r\ngaming, and hospitality industries.  As set forth in indictments, FIN7 hacked into thousands of computer systems\r\nand stole millions of customer credit and debit card numbers, which the group used or sold for profit. \r\nIn the United States alone, FIN7 successfully breached the computer networks of companies in 47 states and the\r\nDistrict of Columbia, stealing more than 15 million customer card records from over 6,500 individual point-of-sale terminals at more than 3,600 separate business locations.  Additional intrusions occurred abroad, including in\r\nthe United Kingdom, Australia, and France.  Companies that have publicly disclosed hacks attributable to FIN7\r\ninclude such familiar chains as Chipotle Mexican Grill, Chili’s, Arby’s, Red Robin and Jason’s Deli.  Additionally\r\nin Western Washington, FIN7 targeted other local businesses. 
\r\n“The three Ukrainian nationals indicted today allegedly were part of a prolific hacking group that targeted\r\nAmerican companies and citizens by stealing valuable consumer data, including personal credit card information,\r\nthat they then sold on the Darknet,” said Assistant Attorney General Benczkowski.  “Because hackers are\r\ncommitted to finding new ways to harm the American public and our economy, the Department of Justice remains\r\nsteadfast in its commitment to working with our law enforcement partners to identify, interdict, and prosecute\r\nthose responsible for these threats.”\r\n“Protecting consumers and companies who use the internet to conduct business – both large chains and small\r\n‘mom and pop’ stores -- is a top priority for all of us in the Department of Justice,” said U.S. Attorney Hayes. \r\n“Cyber criminals who believe that they can hide in faraway countries and operate from behind keyboards without\r\ngetting caught are just plain wrong.  We will continue our longstanding work with partners around the world to\r\nensure cyber criminals are identified and held to account for the harm that they do – both to our pocketbooks and\r\nour ability to rely on the cyber networks we use.”\r\n“The naming of these FIN7 leaders marks a major step towards dismantling this sophisticated criminal\r\nenterprise,” said Special Agent in Charge Tabb.  “As the lead federal agency for cyber-attack investigations, the\r\nFBI will continue to work with its law enforcement partners worldwide to pursue the members of this devious\r\ngroup, and hold them accountable for stealing from American businesses and individuals.”\r\nEach of the three FIN7 conspirators is charged with 26 felony counts alleging conspiracy, wire fraud, computer\r\nhacking, access device fraud, and aggravated identity theft. 
\r\nIn January 2018, at the request of U.S. officials, foreign authorities separately arrested Ukrainian Fedir Hladyr and\r\na second FIN7 member, Dmytro Fedorov.  Hladyr was arrested in Dresden, Germany, and is currently detained in\r\nSeattle pending trial.  Hladyr allegedly served as FIN7’s systems administrator who, among other things,\r\nmaintained servers and communication channels used by the organization and held a managerial role by\r\ndelegating tasks and by providing instruction to other members of the scheme.  Hladyr’s trial is currently\r\nscheduled for Oct. 22.\r\nFedorov, a high-level hacker and manager who allegedly supervised other hackers tasked with breaching the\r\nsecurity of victims’ computer systems, was arrested in Bielsko-Biala, Poland.  Fedorov remains detained in Poland\r\npending his extradition to the United States.\r\nIn late June 2018, foreign authorities arrested a third FIN7 member, Ukrainian Andrii Kolpakov in Lepe, Spain. \r\nKolpakov, also alleged to be a supervisor of a group of hackers, remains detained in Spain pending the United\r\nStates’ request for extradition.\r\nAccording to the indictments, FIN7, through its dozens of members, launched numerous waves of malicious\r\ncyberattacks on numerous businesses operating in the United States and abroad.  FIN7 carefully crafted email\r\nmessages that would appear legitimate to a business’ employee, and accompanied emails with telephone calls\r\nintended to further legitimize the email. Once an attached file was opened and activated, FIN7 would use an\r\nadapted version of the notorious Carbanak malware in addition to an arsenal of other tools to ultimately access\r\nand steal payment card data for the business’ customers. Since 2015, FIN7 sold the data in online underground\r\nmarketplaces. 
(Supplemental document “How FIN7 Attacked and Stole Data” explains the scheme in greater\r\ndetail.)\r\nFIN7 used a front company, Combi Security, purportedly headquartered in Russia and Israel, to provide a guise of\r\nlegitimacy and to recruit hackers to join the criminal enterprise.  Combi Security’s website indicated that it\r\nprovided a number of security services such as penetration testing.  Ironically, the sham company’s website listed\r\nmultiple U.S. victims among its purported clients. \r\nThe charges in the indictments are merely allegations, and the defendants are presumed innocent until proven\r\nguilty beyond a reasonable doubt in a court of law.\r\nThe indictments are the result of an investigation conducted by the Seattle Cyber Task Force of the FBI and the\r\nU.S. Attorney’s Office for the Western District of Washington, with the assistance of the Justice Department’s\r\nComputer Crime and Intellectual Property Section and Office of International Affairs, the National Cyber-Forensics and Training Alliance, numerous computer security firms and financial institutions, FBI offices across\r\nthe nation and globe, as well as numerous international agencies. Arrests overseas were executed in Poland by the\r\n“Shadow Hunters” from CBŚP (Polish Central Bureau of Investigation); in Germany by the LKA Sachsen -\r\nDezernat 33, (German State Criminal Police Office) and the Polizeidirektion Dresden (Dresden Police); and in\r\nSpain by the Grupo de Seguridad Logica within the Unidad de Investigación Technologica of the Cuerpo Nacional de\r\nPolicía (Spanish National Police).\r\nThis case is being prosecuted by Assistant U.S. 
Attorneys Francis Franze-Nakamura and Steven Masada of the\r\nWestern District of Washington with assistance from Trial Attorney Anthony Teelucksingh of the Justice\r\nDepartment’s Computer Crime and Intellectual Property Section.\r\nSource: https://www.justice.gov/opa/pr/three-members-notorious-international-cybercrime-group-fin7-custody-role-attacking-over-100",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://www.justice.gov/opa/pr/three-members-notorious-international-cybercrime-group-fin7-custody-role-attacking-over-100"
	],
	"report_names": [
		"three-members-notorious-international-cybercrime-group-fin7-custody-role-attacking-over-100"
	],
	"threat_actors": [
		{
			"id": "c9617bb6-45c8-495e-9759-2177e61a8e91",
			"created_at": "2022-10-25T15:50:23.405039Z",
			"updated_at": "2026-04-10T02:00:05.387643Z",
			"deleted_at": null,
			"main_name": "Carbanak",
			"aliases": [
				"Carbanak",
				"Anunak"
			],
			"source_name": "MITRE:Carbanak",
			"tools": [
				"Carbanak",
				"Mimikatz",
				"PsExec",
				"netsh"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "9de1979b-40fc-44dc-855d-193edda4f3b8",
			"created_at": "2025-08-07T02:03:24.92723Z",
			"updated_at": "2026-04-10T02:00:03.755516Z",
			"deleted_at": null,
			"main_name": "GOLD LOCUST",
			"aliases": [
				"Anunak",
				"Carbanak",
				"Carbon Spider ",
				"FIN7 ",
				"Silicon "
			],
			"source_name": "Secureworks:GOLD LOCUST",
			"tools": [
				"Carbanak"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "bb8702c5-52ac-4359-8409-998a7cc3eeaf",
			"created_at": "2023-01-06T13:46:38.405479Z",
			"updated_at": "2026-04-10T02:00:02.961112Z",
			"deleted_at": null,
			"main_name": "FIN7",
			"aliases": [
				"ATK32",
				"G0046",
				"G0008",
				"Sangria Tempest",
				"ELBRUS",
				"GOLD NIAGARA",
				"Coreid",
				"Carbanak",
				"Carbon Spider",
				"JokerStash",
				"CARBON SPIDER"
			],
			"source_name": "MISPGALAXY:FIN7",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "ed3810b7-141a-4ed0-8a01-6a972b80458d",
			"created_at": "2022-10-25T16:07:23.443259Z",
			"updated_at": "2026-04-10T02:00:04.602946Z",
			"deleted_at": null,
			"main_name": "Carbanak",
			"aliases": [
				"Anunak",
				"Carbanak",
				"Carbon Spider",
				"ELBRUS",
				"G0008",
				"Gold Waterfall",
				"Sangria Tempest"
			],
			"source_name": "ETDA:Carbanak",
			"tools": [
				"AVE_MARIA",
				"Agentemis",
				"AmmyyRAT",
				"Antak",
				"Anunak",
				"Ave Maria",
				"AveMariaRAT",
				"BABYMETAL",
				"BIRDDOG",
				"Backdoor Batel",
				"Batel",
				"Bateleur",
				"BlackMatter",
				"Boostwrite",
				"Cain \u0026 Abel",
				"Carbanak",
				"Cl0p",
				"Cobalt Strike",
				"CobaltStrike",
				"DNSMessenger",
				"DNSRat",
				"DNSbot",
				"DRIFTPIN",
				"DarkSide",
				"FOXGRABBER",
				"FlawedAmmyy",
				"HALFBAKED",
				"JS Flash",
				"KLRD",
				"MBR Eraser",
				"Mimikatz",
				"Nadrac",
				"Odinaff",
				"POWERPIPE",
				"POWERSOURCE",
				"PsExec",
				"SQLRAT",
				"Sekur",
				"Sekur RAT",
				"SocksBot",
				"SoftPerfect Network Scanner",
				"Spy.Agent.ORM",
				"TEXTMATE",
				"TeamViewer",
				"TiniMet",
				"TinyMet",
				"Toshliph",
				"VB Flash",
				"WARPRISM",
				"avemaria",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "f4f16213-7a22-4527-aecb-b964c64c2c46",
			"created_at": "2024-06-19T02:03:08.090932Z",
			"updated_at": "2026-04-10T02:00:03.6289Z",
			"deleted_at": null,
			"main_name": "GOLD NIAGARA",
			"aliases": [
				"Calcium ",
				"Carbanak",
				"Carbon Spider ",
				"FIN7 ",
				"Navigator ",
				"Sangria Tempest ",
				"TelePort Crew "
			],
			"source_name": "Secureworks:GOLD NIAGARA",
			"tools": [
				"Bateleur",
				"Carbanak",
				"Cobalt Strike",
				"DICELOADER",
				"DRIFTPIN",
				"GGLDR",
				"GRIFFON",
				"JSSLoader",
				"Meterpreter",
				"OFFTRACK",
				"PILLOWMINT",
				"POWERTRASH",
				"SUPERSOFT",
				"TAKEOUT",
				"TinyMet"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "bfded1cf-be73-44f9-a391-0751c9996f9a",
			"created_at": "2022-10-25T15:50:23.337107Z",
			"updated_at": "2026-04-10T02:00:05.252413Z",
			"deleted_at": null,
			"main_name": "FIN7",
			"aliases": [
				"FIN7",
				"GOLD NIAGARA",
				"ITG14",
				"Carbon Spider",
				"ELBRUS",
				"Sangria Tempest"
			],
			"source_name": "MITRE:FIN7",
			"tools": [
				"Mimikatz",
				"AdFind",
				"JSS Loader",
				"HALFBAKED",
				"REvil",
				"PowerSploit",
				"CrackMapExec",
				"Carbanak",
				"Pillowmint",
				"Cobalt Strike",
				"POWERSOURCE",
				"RDFSNIFFER",
				"SQLRat",
				"Lizar",
				"TEXTMATE",
				"BOOSTWRITE"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "d85adfe3-e1c3-40b0-b8bb-d1bacadc4d82",
			"created_at": "2022-10-25T16:07:23.619566Z",
			"updated_at": "2026-04-10T02:00:04.690061Z",
			"deleted_at": null,
			"main_name": "FIN7",
			"aliases": [
				"APT-C-11",
				"ATK 32",
				"G0046",
				"Gold Niagara",
				"GrayAlpha",
				"ITG14",
				"TAG-CR1"
			],
			"source_name": "ETDA:FIN7",
			"tools": [
				"7Logger",
				"Agentemis",
				"Anubis Backdoor",
				"Anunak",
				"Astra",
				"BIOLOAD",
				"BIRDWATCH",
				"Bateleur",
				"Boostwrite",
				"CROWVIEW",
				"Carbanak",
				"Cobalt Strike",
				"CobaltStrike",
				"DICELOADER",
				"DNSMessenger",
				"FOWLGAZE",
				"HALFBAKED",
				"JSSLoader",
				"KillACK",
				"LOADOUT",
				"Lizar",
				"Meterpreter",
				"Mimikatz",
				"NetSupport",
				"NetSupport Manager",
				"NetSupport Manager RAT",
				"NetSupport RAT",
				"NetSupportManager RAT",
				"POWERPLANT",
				"POWERSOURCE",
				"RDFSNIFFER",
				"Ragnar Loader",
				"SQLRAT",
				"Sardonic",
				"Sekur",
				"Sekur RAT",
				"TEXTMATE",
				"Tirion",
				"VB Flash",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434348,
	"ts_updated_at": 1775792152,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/d8bf505e803d53fe7d7514c3fd8717ed60ba5259.pdf",
		"text": "https://archive.orkl.eu/d8bf505e803d53fe7d7514c3fd8717ed60ba5259.txt",
		"img": "https://archive.orkl.eu/d8bf505e803d53fe7d7514c3fd8717ed60ba5259.jpg"
	}
}