A high-level manager and systems administrator associated with the FIN7 threat actor has been sentenced to 10 years in prison, the U.S. Department of Justice announced Friday.
Fedir Hladyr, a 35-year-old Ukrainian national, is said to have played a crucial role in a criminal scheme that compromised tens of millions of debit and credit cards, in addition to aggregating the stolen information, supervising other members of the group, and maintaining the server infrastructure that FIN7 used to attack and control victims’ machines.
The development comes after Hladyr pleaded guilty to conspiracy to commit wire fraud and one count of conspiracy to commit computer hacking in September 2019. He was arrested in Dresden, Germany, in 2018 and extradited to the U.S. city of Seattle. Hladyr has also been ordered to pay $2.5 million in restitution.
“This criminal organization had more than 70 people organized into business units and teams. Some were hackers, others developed the malware installed on computers, and still others crafted the malicious emails that duped victims into infecting their company systems,” said Acting U.S. Attorney Tessa A. Gorman.
“This defendant worked at the intersection of all these activities and thus bears heavy responsibility for billions in damage caused to companies and individual consumers.”
The malware campaign unleashed by FIN7, a group also called Anunak, Carbanak Group, and the Navigator Group, is estimated to have caused overall damage of more than $3 billion to banks, merchants, card companies, and consumers.
The attacks targeted the restaurant, gaming, and hospitality industries with spear-phishing emails containing decoy documents, with the goal of plundering customer payment card data, which has been used or sold for profit in online underground marketplaces since at least 2015.
In the U.S. alone, FIN7 has been responsible for the theft of more than 20 million customer card records from over 6,500 individual point-of-sale terminals at more than 3,600 separate business locations. Besides the U.S., FIN7 attackers left their fingerprints in a string of orchestrated intrusions against retailers in the U.K., Australia, and France. Some of its high-profile victims included Chipotle Mexican Grill, Chili’s, Arby’s, Red Robin, and Jason’s Deli.
At the sentencing hearing, Hladyr said he had “ruined years of my life and put [his] family through great risk and struggle.”