FIN7 hacking group ‘pen tester’ sentenced to 5 years in prison

Denys Iarmak, a Ukrainian member and a “pen tester for the FIN7 financially-motivated hacking group, was sentenced on Thursday to 5 years in prison for breaching victims’ networks and stealing credit card information for roughly two years, between November 2016 and November 2018.

He has been in custody since his November 2019 arrest in Bangkok, Thailand, and was extradited to the US in May 2020.

Iarmak pleaded guilty to counts of conspiracy to commit wire fraud and to commit computer hacking in November 2021.

Iarmak is the third FIN7 member sentenced in the US after Fedir Hladyr (a high-level manager) received ten years in prison on April 16, 2021, and Andrii Kolpakov (another “pen tester”) got seven years on June 24, 2021, following their 2018 arrest.

According to the indictment, he and his cybercrime conspirators caused more than a billion dollars in losses to Americans after compromising millions of financial accounts and the computer networks of hundreds of businesses across the US.

“Mr. Iarmak was directly involved in designing phishing emails embedded with malware, intruding on victim networks, and extracting data such as payment card information,” said US Attorney Nicholas W. Brown.

“To make matters worse, he continued his work with the FIN7 criminal enterprise even after the arrests and prosecution of co-conspirators.”

Posing as a legitimate business

FIN7 was posing as a legitimate business while recruiting new members, something made obvious by Iarmak using legitimate project management software (such as Atlassian JIRA) to coordinate FIN7’s malicious activity and manage network intrusions.

Using such tools he provided guidance to and tracked FIN7 members’ progress while breaching their targets’ networks, uploading the stolen data to the cybercrime gang’s servers.

“Masquerading as a legitimate business, the hacking group he belonged to recruited other members to assist with their criminal activities,” added FBI Special Agent in Charge Donald M. Voiret.

“Thanks to the hard work of law enforcement, this defendant, who is responsible for an enormous loss amount, will be spending the next few years in prison.”

FIN7 now using teddy bears and malicious USB flash drives

Since first spotted in mid-2015, the FIN7 financially-motivated hacking group has mainly targeted banks and European and US companies’ point-of-sale (PoS) terminals from various industry sectors (predominantly restaurants, gambling, and hospitality) with the multi-functional Carbanak backdoor.

Even though some FIN7 members have been arrested over the years, the cybercrime group is still active and has since moved to use other malware strains and tactics.

In January, the FBI warned US companies for the second time of USB drive-by attacks coordinated by FIN7 targeting the US defense industry with packages containing malicious USB devices that deploy ransomware.

Two years ago, FIN7 operators also impersonated Best Buy while mailing similar packages with malicious flash drives via USPS to hotels, restaurants, and retail businesses. These packages also included teddy bears to trick the targets into lowering their guard.