ATM / POS Fraud , Cybercrime , Endpoint Security

Payment Card Theft Ring Tech Leader Gets 10-Year Sentence

Fedir Hladyr of Ukraine Admitted to Working as System Admin for FIN7
Payment Card Theft Ring Tech Leader Gets 10-Year Sentence

A Ukrainian national who admitted to working as a system administrator and IT manager for the notorious FIN7 cybercriminal gang, which has been involved in the theft of millions of payment cards, has been sentenced to 10 years in federal prison, according to the U.S. Justice Department.

See Also: Check Kiting In The Digital Age

Fedir Hladyr, 35, who pleaded guilty in 2019 to federal charges that included conspiracy to commit wire fraud and conspiracy to commit computer hacking, could have faced up to 20 years in federal prison. As part of the plea deal, prosecutors agreed to drop other charges.

In addition to imposing the prison sentence, a federal judge on Friday ordered Hladyr to pay a $2.5 million fine. Hladyr has been in custody since 2018, when he was arrested by police in Dresden, Germany. He'll receive nearly three years of credit toward his 10-year sentence for time served, court documents show.

As a system administrator and IT manager for the FIN7 group, Hladyr admitted that he played a central role in aggregating stolen payment card information, supervising the group's other cybercriminals and attacks and maintaining the global network of servers that the gang used to target and compromise victims. At some points during his time with FIN7, Hladyr also controlled the organization's encrypted communication channels.

Extensive Payment Card Thefts

The government's sentencing memorandum notes that Hladyr was likely responsible for the theft of 5.9 million payment cards and that during his time with FIN7, the gang caused at least $100 million in losses.

Since at least 2015, FIN7 and its associates have caused more than $1 billion worth of damage and losses to organizations and individuals, which includes not only damage to networks from attacks, but tens of millions of stolen credit cards that were eventually sold on underground forums and carding sites, such as the now-defunct Joker's Stash, prosecutors say (see: Darknet Markets Compete to Replace Joker's Stash).

"No hacking group epitomizes the industrialization of cybercrime better than the FIN7 criminal enterprise," the prosecutors note in the sentencing memorandum. "FIN7 has had over 70 members who were organized into discrete departments and teams. One department developed a full suite of malware tools, while another department designed and sent phishing emails. Yet another department consisted of teams of hackers who surveilled and exploited victim companies that inadvertently had activated malware in the phishing emails."

At one point, the FIN7 group sent hundreds of spear-phishing emails that targeted hospitality businesses, casinos and restaurant chains to install malware and then steal credit card data, according to federal prosecutors. The attacks mainly targeted point-of-sale devices.

Between 2015 and 2018, FIN7 targeted dozens of business throughout the U.S., including the restaurant chains Arby's, Chili's, Chipotle Mexican Grill, Jason's Deli, Red Robin Gourmet Burgers, Sonic Drive-In and Taco John's, according to the FBI.

Through a network of cybercriminals mostly in Eastern Europe, FIN7 created spear-phishing emails designed to resemble legitimate messages, such as catering orders or reservation details. Those emails often contained malicious attachments, which, if opened, infected the company's computers, according to security analysts (see: The Art of the Steal: FIN7's Highly Effective Phishing).

"FIN7 successfully breached the computer networks of businesses in all 50 states and the District of Columbia, stealing more than 20 million customer card records from over 6,500 individual point-of-sale terminals at more than 3,600 separate business locations," the Justice Department says.

Hladyr's Role

Hladyr joined FIN7 in August 2015 through Combi Security, a fake cybersecurity company that had a phony website and no legitimate customers, according to prosecutors. He admitted that he quickly realized Combi Security was part of a criminal enterprise, but he decided to stay with the organization and eventually became the system administrator and worked to keep the gang's command-and-control servers operational.

"The defendant was a high-level manager who directed other members of the group and who controlled FIN7's extensive server infrastructure and encrypted channels of communication," the court documents note. "Quite literally, the defendant held the keys to the kingdom."

Prosecutors say FIN7 paid Hladyr $100,000 for his efforts - a large sum for someone living in Ukraine. But the sentencing memo notes that FIN7's higher-ups made much bigger profits from the cybercriminal operation.

"There was a level of leadership above Hladyr who likely received the lion's share of the criminal proceeds," according to the court documents. "In recommending only a 10-year sentence, the United States weighed heavily the fact that the defendant was not a top-level leader in the criminal enterprise and, as a result, did not make millions in profit."

FIN7 Still Active

When Hladyr was arrested in 2018, several other members of the FIN7 gang were arrested as well, and their cases have been making their way through the U.S. court system. In November 2020, Andrii Kolpakov, a Ukrainian national who was suspected of being a ring leader of the gang, pleaded guilty to conspiracy to commit wire fraud and conspiracy to commit computer hacking (see: Accused Ringleader of FIN7 Hacking Group Pleads Guilty).

Despite the arrests, however, FIN7 remains active. In January, researchers at Morphisec Labs published details about a malware variant called JSSLoader that the group has used for several years (see: Researchers Disclose Details of FIN7 Hacking Group's Malware).

About the Author

Scott Ferguson

Scott Ferguson

Former Managing Editor, GovInfoSecurity, ISMG

Ferguson was the managing editor for the media website at Information Security Media Group. Before joining ISMG, he was editor-in-chief at eWEEK and director of audience development for InformationWeek. He's also written and edited for Light Reading, Security Now, Enterprise Cloud News, TU-Automotive, Dice Insights and

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.