“Pen tester” who helped FIN7 gang cause $1 billion damage, sentenced to five years behind bars


A Ukrainian man has been sentenced to five years in prison by a US court for his involvement in the notorious criminal hacking group, FIN7.

32-year-old Denys Iarmak worked for FIN7 (which is also sometimes known as Carbanak, Navigator Group, or Anunak) between approximately November 2016 and November 2018, according to the US Department of Justice, co-ordinating the gang’s malicious activity as it broke into businesses to access and steal payment card data.

Many of the payment card numbers stolen by the FIN7 group have been offered for sale online through underground criminal marketplaces.

In the United States alone, FIN7 successfully breached the networks of companies in all 50 states and the District of Columbia, stealing over 20 million payment card records from thousands of point-of-sale terminals at over 3,600 separate business locations. Court documents estimate that victims incurred costs of over US $1 billion.

High profile targets of the FIN7 hacking group included the likes of Lord & Taylor, Chipotle Mexican Grill, Chili’s, Arby’s, Red Robin, Jason’s Deli, and Saks Fifth Avenue.

In addition, there were multiple breaches of computer systems abroad, hitting organisations in Australia, France, and the United Kingdom.

In a typical attack, malware-laced emails would be sent to targeted companies posing as legitimate communications through the use of social engineering.

If the recipient opened the included attachment, their computer would be infected by malware.

In some cases telephone calls from the attackers would accompany the sending of the boobytrapped emails, in an attempt to make the emails appear less suspicious.

“Mr. Iarmak was directly involved in designing phishing emails embedded with malware, intruding on victim networks, and extracting data such as payment card information,” said US Attorney Nicholas W. Brown of the Western District of Washington. “To make matters worse, he continued his work with the FIN7 criminal enterprise even after the arrests and prosecution of co-conspirators. He and others in this cybercrime group used hacking techniques to essentially rob thousands of locations of multiple restaurant chains at once, from the comfort and safety of their keyboards in distant countries.”

FIN7 operated a front company called Combi Security, which claimed to offer penetration testing services.

On its website, Combi Security described itself as “one of the leading international companies in the field of information security.”

But in truth Combi Security, which had no legitimate customers, was a means to recruit other hackers into the criminal operation.

Internally within the gang, Iarmak was described as a “pen tester.”

“This cyber-criminal probed and mapped victims’ networks searching for data to exploit,” said Donald M. Voiret of the FBI’s Seattle Field Office. “Masquerading as a legitimate business, the hacking group he belonged to recruited other members to assist with their criminal activities. Thanks to the hard work of law enforcement, this defendant, who is responsible for an enormous loss amount, will be spending the next few years in prison.”

Having initially fought extradition after being arrested in Bangkok, Thailand in November 2019, Iarmak was transferred to US custody in May 2020, and pleaded guilty to one count of conspiracy to commit wire fraud and one count of conspiracy to commit computer hacking in November 2021.

Iarmak joins behind bars his co-conspirators Fedir Hladyr and Andrii Kolpakov, who are serving sentences of 10 and seven years respectively.