FIN7 Sysadmin Gets 10 Years Behind Bars

The systems administrator for a notorious organized cybercrime group has been handed a 10-year jail sentence for his part in financial crimes that cost firms and consumers billions.

Ukrainian national Fedir Hladyr, 35, was manager and sysadmin for FIN7 (aka Carbanak), which is believed to have made a fortune from targeting banks, restaurants, gambling and hospitality firms.

The campaign to which Hladyr has been linked involved the compromise of thousands of computer systems internationally, including in all 50 US states and the District of Columbia.

According to court documents, the gang stole 20 million customer card records from over 6,500 individual point-of-sale (PoS) terminals at more than 3,600 separate business locations, causing billions in damages at firms including Chipotle Mexican Grill, Chili’s, Arby’s, Red Robin, and Jason’s Deli.

Hladyr is said to have originally joined FIN7 via a front cybersecurity company known as Combi Security. Despite realizing early on it was a fake business, he continued to work for the gang, aggregating stolen payment card information, supervising FIN7 hackers, maintaining its command-and-control servers, and managing its encrypted communications.

Operating since at least 2015, the group itself is said to number around 70 individuals, highly organized into separate business units and teams, some developing malware and others engaged in hands-on hacking.

Initial compromise of those thousands of victim systems appears to have been via phishing emails and scam calls.

Hladyr was arrested in the German city of Dresden in 2018 and extradited to the US, where he pleaded guilty in 2019 to one count of conspiracy to commit wire fraud and one count of conspiracy to commit computer hacking.

“The defendant and his conspirators compromised millions of financial accounts and caused over a billion dollars in losses to Americans and costs to the US economy,” said acting assistant attorney general Nicholas McQuaid of the Justice Department’s Criminal Division.

“Protecting businesses — both large and small — online is a top priority for the Department of Justice. The department is committed to working with our international partners to hold such cyber-criminals accountable, no matter where they reside or how anonymous they think they are.”
