A Ukrainian member of an international hacking group, FIN7 — also known as Carbanak Group and the Navigator Group — was sentenced to 5 years of prison in Washington state.

According to the Department of Justice (DOJ), the man, Denys Iarmak, 32, served in a role that FIN7 called a “pen tester,” a high-level hacker, and is the third person to be sentenced from the group in the US.

“Iarmak and his conspirators compromised millions of financial accounts, causing over a billion dollars in losses to Americans and costs to America’s economy,” said Assistant Attorney General Kenneth A. Polite, Jr. of the DOJ’s Criminal Division.

Initially arrested in Bangkok, Iarmak unsuccessfully fought his extradition and was finally taken to the US in Feb. 2020.

He assisted the group in breaching computer networks in 50 US and D.C. which resulted in the theft of around 20 million credit card records according to the DOJ. The group would then either use or sell the information on underground sites, which resulted in damages of up to $1 billion for US consumers, around 6,5000 individuals, and businesses, around 3,600 separate US locations.

Businesses in the US that have publicly disclosed being hacked by FIN7 include Chipotle Mexican Grill, Chili’s, Arby’s, Red Robin, and Jason’s Deli.

“He and others in this cybercrime group used hacking techniques to essentially rob thousands of locations of multiple restaurant chains at once, from the comfort and safety of their keyboards in distant countries,” according to Attorney Nicholas W. Brown from the Western District of Washington state.

The group has been operational since around 2015 and primarily targets the hospitality, casino, and restaurant industries. It also operates internationally with reports of hacks in the U.K., Australia, and France.

“Masquerading as a legitimate business, the hacking group he belonged to recruited other members to assist with their criminal activities,” Special Agent in Charge Donald M. Voiret with the FBI’s field office in Seattle said.

For FIN7, Iarmak worked on “designing phishing emails embedded with malware, intruding on victim networks, and extracting data such as payment card information,” even after his co-conspirators were arrested and prosecuted. He worked for the group from 2016 to 2018.

These emails were designed to look legitimate to both attract talent and steal payment information from consumers and businesses.

“Once a file attached to a fraudulent email was opened and activated, FIN7 would use an adapted version of the Carbanak malware, in addition to an arsenal of other tools, to access and steal payment card data for the business’s customers,” a news release on the matter read.

The DOJ also noted that FIN7 also used JIRA, a project management and issue-tracking program which is hosted on “private virtual servers in various countries” and is used by software development teams.

The US Justice Department announced the indictment of four Russian hackers
The US Justice Department announced the indictment of four Russian hackers AFP / Stefani Reynolds
RELATED STORIES