Content, Breach

Alleged Fin7 Hackers Arrested for Chipotle, Arby’s and Chili’s Breaches


It’s not everyday that alleged big fish hackers get caught. Score, one -- actually three -- for the U.S. Department of Justice and a slew of collaborators for apprehending a trio of alleged members of an infamous international hacking group called FIN7, said to have breached the networks of at least 100 U.S. companies.

The three Ukranian nationals are reputed big shots in FIN7, according to the Justice Department. FIN7, operating out of Eastern Europe, is accused of cyber attacks against retailers in 47 U.S. states, including high profile businesses such as Chipotle, Arby’s and Chili’s, to steal more than 15 million customer bank card records. The hackers broke into 6,500 individual point of sale terminals at more than 3,600 separate business locations, the agency said. FIN7’s targets were companies in the restaurant, gaming, and hospitality industries.

Additional intrusions reportedly victimized businesses in Australia, France and the U.K. The crooks apparently got inside using phishing emails to employees that ultimately resulted in springing a variant of the Carbanak malware, according to the indictments. In what can only begrudgingly be called a clever ruse, FIN7 used a front company called Combi Security, reportedly operating out of Russia and Israel, not only to appear as a legitimate enterprise but also to serve as a home base to recruit new blood.

“The three Ukrainian nationals indicted today allegedly were part of a prolific hacking group that targeted American companies and citizens by stealing valuable consumer data, including personal credit card information, that they then sold on the Darknet,” Assistant Attorney General Benczkowski said in a statement last week. Unsealed federal indictments named Dmytro Fedorov, Fedir Hladyr and Andrii Kolpakov as conspirators in the scheme.

Each is charged with 26 felony counts alleging conspiracy, wire fraud, computer hacking, access device fraud, and aggravated identity theft. Charges were filed in U.S. District Court in Seattle.

“The naming of these FIN7 leaders marks a major step towards dismantling this sophisticated criminal enterprise,” said Federal Bureau of Investigation (FBI) Special Agent in Charge Jay Tabb. He said the law enforcement agency will continue to chase down other members of the group.

The arrests provide a glimpse into the inner-workings of FIN7 operation. Hladyr, who was arrested in Germany and is in custody in Seattle pending trial on October 22, reportedly served as FIN7’s system administrator. Fedorov, who was arrested in Poland and awaits extradition to the U.S., allegedly oversaw other hackers tasked with executing the hacks. And, Andrii Kolpakov, also said to supervise hackers in the group, has been detained in Spain pending a U.S. request for extradition, the Justice Department said.

The indictments result from a large collaboration of law enforcement, federal agencies and private industry, including the Seattle Cyber Task Force of the FBI and the U.S. Attorney’s Office for the Western District of Washington, the Justice Department’s Computer Crime and Intellectual Property Section and Office of International Affairs, the National Cyber-Forensics and Training Alliance, numerous computer security firms and financial institutions, the FBI and international agencies.

D. Howard Kass

D. Howard Kass is a contributing editor to MSSP Alert. He brings a career in journalism and market research to the role. He has served as CRN News Editor, Dataquest Channel Analyst, and West Coast Senior Contributing Editor at Channelnomics. As the CEO of The Viewpoint Group, he led groundbreaking market research.