High-Ranking FIN7 Gang Member Receives 7-Year Prison TermProsecutors Say Andrii Kolpakov Was a 'Pen Tester' for Payment Card Theft Group
A high-ranking member of the FIN7 payment card theft group has been sentenced to seven years in federal prison, according to the Department of Justice.
See Also: The Business Email Compromise Handbook
Andrii Kolpakov, 33, pleaded guilty to charges of conspiracy to commit wire fraud and conspiracy to commit computer hacking in November 2020 and faced a maximum sentence of 25 years in prison. On Thursday, a federal judge in Washington state sentenced the Ukrainian national to seven years in prison and ordered him to pay restitution of $2.5 million to victims, the Justice Department says.
Kolpakov was arrested in Spain in June 2018 and extradited to the U.S. in June 2019. He has been in U.S. custody since then. He was one of three FIN7 members arrested in Europe in 2018 after the Justice Department unsealed multiple indictments against members of the crime organization (see: Feds Announce Arrests of 3 'FIN7' Cybercrime Gang Members).
The 36 months that Kolpakov already has spent in jail will count toward his prison sentence, according to court documents.
Between April 2016 and June 2018, Kolpakov worked as a "pen tester" for the FIN7 hacking group and also oversaw other members of the gang who worked to find vulnerabilities and security flaws in the networks of the businesses that the group targeted, federal prosecutors say.
"The defendant’s technical acumen allowed him to rise within the enterprise. [Kolpakov] was elevated to a managerial role in which he also managed and supervised a small team of hackers tasked with breaching the security of victims’ computer systems," according to the sentencing memorandum filed by federal prosecutors in the case. "He was assigned to supervise and train new recruits and apprised his team members of new tools and developments in FIN7's phishing campaigns and malware arsenal."
For his work with the FIN7 gang, Kolpakov was paid $75,000, which "far exceeded comparable legitimate employment available in Ukraine," according to court documents. During his time with FIN7, the Justice Department says, the gang's attacks resulted in over $100 million in losses to various financial institutions, merchant processors, insurance companies, retail companies and individual cardholders.
Since at least 2015, FIN7 and its associates caused more than $1 billion worth of damage and losses to organizations and individuals, which includes not only damage to networks from attacks, but tens of millions of stolen credit cards that were eventually sold on underground forums and carding sites, such as the now-defunct Joker's Stash, prosecutors say.
FIN7 sent hundreds of spear-phishing emails that targeted hospitality businesses, casinos and restaurant chains to install malware and then steal credit card data, according to the Justice Department. The attacks mainly targeted point-of-sale devices.
In most cases, the group used malware called Carbanak that acted as a backdoor and allowed the attackers to steal data and record the keystrokes from compromised devices, the court documents show.
Between 2015 and 2018, FIN7 targeted dozens of businesses throughout the U.S., including the restaurant chains Arby's, Chili's, Chipotle Mexican Grill, Jason's Deli, Red Robin Gourmet Burgers, Sonic Drive-In and Taco John's, according to the FBI.
Kolpakov was involved in the theft of millions of records from the Jason's Deli chain, according to court documents.
Through a network of cybercriminals mostly in Eastern Europe, FIN7 created spear-phishing emails designed to resemble legitimate messages, such as catering orders or reservation details. Those emails often contained malicious attachments, which, if opened, infected the company's computers with malware, such as Carbanak, according to security analysts (see: The Art of the Steal: FIN7's Highly Effective Phishing).
Dozens of attackers worked for FIN7 between August 2015 and January 2018, prosecutors say, and the gang operated its own front company called Combi Security to help hide its activities.
Another Guilty Plea
In April, Fedir Hladyr, 35, was sentenced to 10 years in federal prison for his role in the FIN7 gang. He pleaded guilty to federal charges in 2019 (see: Payment Card Theft Ring Tech Leader Gets 10-Year Sentence).
Hladyr, a system administrator and IT manager for the FIN7 group, admitted that he had played a central role in aggregating stolen payment card information, supervising the group's other cybercriminals and attacks and maintaining the global network of servers that the gang used to target and compromise victims. At some points during his time with FIN7, Hladyr also controlled the organization's encrypted communication channels, according to the Justice Department.
Despite the arrests and guilty pleas, however, FIN7 apparently remains active. In January, researchers at Morphisec Labs published details about a malware variant called JSSLoader that the group has used for several years (see: Researchers Disclose Details of FIN7 Hacking Group's Malware).