FIN7 hacking gang’s “pen tester” jailed for seven years by US court

The Western District of Washington has sentenced a Ukrainian man to seven years in prison for his role in a hacking gang that are estimated to have caused more than one billion dollars worth of damage.

33-year-old Andrii Kolpakov worked for the FIN7 gang (also sometimes known as Carbanak, Navigator Group, or Anunak) which made its fortune targeting retailers, restaurants, and gambling firms in more than 40 countries around the world, stealing tens of millions of payment card details at thousands of business locations. High profile targets of the FIN7 group included the likes of Lord & Taylor, Chipotle Mexican Grill, and Saks Fifth Avenue.

In a typical attack, boobytrapped emails would be sent to targeted companies posing as legitimate communications through cunning use of social engineering. If the recipient opened the included attachment, their computer would be infected by a version of the Carbanak malware.

In some cases telephone calls from the attackers would accompany the sending of the emails, in an attempt to make the emails appear less suspicious.

Kolpakov’s job within the FIN7 group was to manage and co-ordinate other hackers, tasked with breaking into the computer systems of targeted companies. Internally within the gang, Kolpakov was described as a “pen tester.”

Unusually, FIN7 presented itself as a company called Combi Security, which claimed to offer penetration testing services for businesses. In truth, however, the firm had no legitimate customers.

It remains unclear if all of the hackers employed by FIN7/Combi Security and managed by Kolpakov realised that they were in fact breaking the law.

What is clear, however, is that Kolpakov and other members of the FIN7 gang continued their attacks on US businesses even after they became aware that others in the hacking group had been arrested.

After being apprehended himself by Spanish police in 2018, and eventually extradited to the United States, Kolpakov admitted acted working for FIN7 as both a manager and recruiter, hiring and supervising hackers who breached the defences of corporations and stole data.

Kolpakov has also been ordered by the court to pay restitution in the amount of $2.5 million dollars.

Earlier this year, another member of FIN7 was sentenced to 10 years in jail for his involvement in the cybercrime gang’s activities.