FIN7 Operator Pleads Guilty

A sysadmin behind FIN7 pleaded guilty on Wednesday for leading operations which lead to more than $1 billion in theft from victims around the world. The sysadmin, Fedir Hladyr, was arrested in January 2018 and after more than a year has plead guilty to charges of wire fraud and conspiracy to commit computer hacking. Hladyr plead guilty to just 2 of the 26 charges against him, these will most likely be dropped during sentencing. According to his defense attorney. Hladyr is facing up 25 years in prison. He is the first member of the hacking group to be found guilty of crimes.

Who is FIN7

FIN7, also known as JokerStahs, Carbanak Group or Navigator Group is a billion-dollar hacking group. The group which formed in 2015 is highly professional and organization enterprise which runs itself as a legitimate company. Computer experts are employed from multiple countries, working regular hours with nights and weekends off. Further, it seems like the group has its own research/testing team employed to test methods of evading detection from both authorities and malware scanners.

CTO of Gemini Advisory in the past has stated:

“From what we’ve learned over the years the group is operated as a business entity. They definitely have a mastermind, they have managers, they have money launderers, they have software developers, and they have software testers. And let’s not forget they have the financial means to stay hidden. They make at least $50 million every month. Given that they’ve been in business for many years, they probably have at least a billion dollars on hand.”

According to Hladyr, the group puts up a front by calling itself a penetration testing company, Combi Security and even has a public website.  The website advertises itself as “one of the leading international companies in the field of information security.” They offer and employee people under this name. When Hladyr first began working for the group he thought he was working for Combi Security. However, soon after he found that he was hired by a large cybercriminal network.

Who is a Target?

The group is tied to almost every point of sale (POS)  breach in the U.S hitting the retail, restaurant, and hospitality industries since 2015. They have been behind major attacks against Chipotle Red Robin, Saks Fifth Avenue, Whole Foods, Lord & Taylor and many other businesses.

Attack Vector

Fin7 carries out attacks through phishing emails and social engineering tricks to persuade users into clicking on attachments containing malware. According to prosecutors, an email used by another Fin7 hacker to phish employees was “”. The planted malware is connected to compromised computers connected to command and control (C&C) servers located around the globe. Once malware is downloaded on the computer, FIN7 uses the interconnected network to plant more malware onto the compromised computers. From this point forward, additional surveillance is conducted through lateral movement in the network. The goal during this time is to seek out sensitive financial records and POS systems, which process credit card transactions.

Hladyr’s Role

Prosecutors say he handled high-level systems and provided employees with access to communications and C&C servers. One communications outlet he maintained includes HipChat, a instant messaging software where FIN7 members uploaded malicious software, stolen credit card information, screenshots, etc. Another, software he maintained, Jira, held files and thousands of stolen usernames/passwords. Overall, he aggregated stolen data, provided technical guidance to members, handed out assignments, and supervised teams of attackers.


Contact LIFARS Immediately if Your Organization was Hit with a Data Breach