FIN7 Pen Tester to Serve Seven Years

A high-level member of the notorious organized cybercrime group FIN7 is to spend the next seven years in an American prison.

Hacker Andrii Kolpakov was an active member of FIN7 from at least April 2016 until his arrest in Lepe, Spain, on June 28, 2018. 

The 33-year-old Ukrainian national, who was referred to within the hacking group as a pen tester, pleaded guilty in June 2020 to one count of conspiracy to commit wire fraud and one count of conspiracy to commit computer hacking.

The dozens of members of FIN7 (also referred to as Carbanak Group and the Navigator Group, among other names) stole more than a billion dollars from hundreds of companies in the United States.  

Since at least 2015, the group used malware to hack into thousands of computer systems and exfiltrate millions of customer credit and debit card numbers. The stolen credentials were then either used by FIN7 or sold on to other cyber-criminals for profit. 

The group successfully breached the computer networks of businesses in all 50 states and the District of Columbia, stealing more than 20 million customer card records from over 6,500 individual point-of-sale terminals at more than 3,600 separate business locations.

Most of the companies targeted by FIN7 in the United States were in the restaurant, gambling and hospitality industries. Among the group's many victims were Chipotle Mexican Grill, Chili’s, Arby’s, Red Robin and Jason’s Deli. 

FIN7 also attacked companies in Australia, France and the United Kingdom. 

Explaining how the group's nefarious scheme operated, the Department of Justice stated: "FIN7 carefully crafted email messages that would appear legitimate to a business’s employees and accompanied emails with telephone calls intended to further legitimize the emails. 

"Once an attached file was opened and activated, FIN7 would use an adapted version of the Carbanak malware, in addition to an arsenal of other tools, to access and steal payment card data for the business’s customers."

Kolpakov was extradited from Spain to the United States on June 1, 2019. On Thursday, he was sentenced to seven years in prison and ordered to pay restitution of $2.5m. 
