Accused Ringleader of FIN7 Hacking Group Pleads GuiltyAndrii Kolpakov Faces Up to 25 Years for Wire Fraud and Conspiracy
An accused ringleader of the notorious FIN7 hacking group, which prosecutors say stole 15 million payment cards over several years, has pleaded guilty to federal charges, according to court documents filed in the case this week.
Andrii Kolpakov, who is a Ukrainian national, pleaded guilty to charges of conspiracy to commit wire fraud and conspiracy to commit computer hacking. He faces up to a 25-year federal prison term and a $500,000 fine when he's sentenced, federal prosecutors note.
Kolpakov was considered a high-ranking member of FIN7 from when he started working for the hacking group in 2016 to his arrest by law enforcement in Europe in 2018, prosecutors say.
"Defendant Kolpakov served as a high-level hacker, whom the group referred to as a 'pentester,' and was directly involved in breaching the networks of numerous prominent U.S. businesses," according to the plea agreement. "Defendant Kolpakov also managed other hackers tasked with breaching the security of victims’ computer systems. For instance, on or about January 12, 2017, a FIN7 member introduced himself to a new FIN7 recruit and indicated that Kolpakov would be his supervisor."
During his time with the FIN7 hacking group, federal prosecutors estimate that Kolpakov and others caused about $100 million worth of losses to "financial institutions, merchant processors, insurance companies, retail companies and individual cardholders," according to the plea agreement.
Kolpakov was arrested by Spanish police in June 2018, and he was later extradited to the U.S., where he initially pleaded not guilty, according to documents from the U.S. District Court for the Western District of Washington in Seattle (see: Feds Announce Arrests of 3 'FIN7' Cybercrime Gang Members).
In addition to Kolpakov, police arrested and charged two other FIN7 members, Dmytro Fedorov and Fedir Hladyr, who were also accused of allegedly helping to lead the hacking group. Hladyr pleaded guilty in 2019, and his sentencing is scheduled for Dec. 11 (see: Credit Card Theft Ringleader Pleads Guilty). The case against Dmytro is ongoing, court records show.
At its height, the FIN7 hacking group sent hundreds of spear-phishing emails that targeted hospitality businesses, casinos and restaurant chains to steal credit card data, according to federal prosecutors. The gang allegedly stole at least 15 million payment card records from U.S. businesses, resulting in over $100 million in losses over three years, court records show.
FIN7 targeted dozen of business, including the restaurant chains Arby's, Chili's, Chipotle Mexican Grill, Jason's Deli, Red Robin Gourmet Burgers, Sonic Drive-In and Taco John's, according to the FBI.
Through a network of hackers mostly in Eastern Europe, the gang created spear-phishing emails designed to resemble legitimate messages, such as catering orders or reservation details. Those emails often contained malicious attachments, which, if opened, infected the company's computers, according to security analysts (see: The Art of the Steal: FIN7's Highly Effective Phishing).
Gang members would typically call the targeted company to ensure that someone got the messages and also digitally sign malware to help it evade security tools, prosecutors say.
The initial phishing email and malicious attachments enabled FIN7 to open a backdoor into a victim's network, and hackers could then move laterally through the infrastructure, spread additional malware and locate financial data and other sensitive documents.
The gang also infected point-of-sale machines with malware and would then exfiltrate the data, according to prosecutors.
Once the FIN7 group had the credit or payment card number, the name of the cardholder and the ZIP code, the stolen data was packaged and sold on darknet forums, including Joker Stash, the court records show. At one point, Chipotle reported nearly 4 million payment card records stolen, while Jason's Deli had nearly 2 million records compromised.
Dozens of hackers worked for FIN7 between August 2015 and January 2018, prosecutors say, and the gang operated its own front company called Combi Security to help hide its activities.
When police arrested Kolpakov in 2018, the plea agreement notes, he was carrying a laptop, storage device and mobile phone that contained "multiple thousands of payment card numbers and employee credential information stolen from various U.S. victim companies through the aforementioned hacking activity on behalf of the FIN7 hacking group."