A Ukrainian national and mid-level supervisor of the hacking group known as FIN7 has been sentenced to seven years in prison for his role as a "pen tester" and for perpetuating a criminal scheme that enabled the gang to compromise millions of customers' debit and credit cards.
Andrii Kolpakov, 33, was arrested in Spain on June 28, 2018, and subsequently extradited to the U.S. the following year on June 1, 2019. In June 2020, Kolpakov pleaded guilty to one count of conspiracy to commit wire fraud and one count of conspiracy to commit computer hacking.
The Western District of Washington also ordered Kolpakov to pay $2.5 million in restitution.
The defendant, who was involved with the group from April 2016 until his arrest, managed other hackers who were tasked with breaching the point-of-sale systems of companies, both in the U.S. and elsewhere, to deploy malware capable of stealing financial information.
FIN7, also called Anunak, Carbanak Group, and the Navigator Group, is said to have engaged in a sophisticated malware campaign since at least 2015, targeting the restaurant, gambling, and hospitality industries in the U.S. to plunder credit and debit card numbers that were then used or sold for profit on underground forums.
According to court documents, FIN7 used a firm called Combi Security as a front to recruit hackers — one of them being Kolpakov — to "provide a veil of legitimacy to the illegal enterprise," while projecting itself as "one of the leading international companies" that offered penetration testing services to customers worldwide.
"FIN7 carefully crafted email messages that would appear legitimate to a business's employees and accompanied emails with telephone calls intended to further legitimize the emails," the Department of Justice (DoJ) said in a release. "Once an attached file was opened and activated, FIN7 would use an adapted version of the Carbanak malware, in addition to an arsenal of other tools, to access and steal payment card data for the business's customers."
The total damages stemming from these intrusions exceeded $1 billion, the DoJ said.
Kolpakov is the second member of the FIN7 group to be sentenced in the U.S. since the start of the year. In April, another Ukrainian national, 35-year-old Fedir Hladyr, was sentenced to 10 years in prison for his role as a high-level manager and systems administrator responsible for maintaining the server infrastructure that FIN7 used to attack and control victims' machines.
This is not the first time FIN7 has disguised itself as a legitimate cybersecurity company to distribute malware.
Last month, researchers from BI.ZONE's cyber threat research team found that the collective distributed a toolkit called Lizar (aka Tirion) as penetration testing software for Windows networks, with the aim of conducting reconnaissance and gaining a foothold inside infected systems. "These groups hire employees who are not even aware that they are working with real malware or that their employer is a real criminal group," the researchers noted.