A 32-year-old Ukrainian national has been sentenced to five years in prison in the U.S. for his criminal work as a “high-level hacker” in the financially motivated group FIN7.
Denys Iarmak, who worked as a penetration tester for the cartel from November 2016 through November 2018, was arrested in Bangkok, Thailand, in November 2019 and extradited to the U.S. in May 2020.
In November 2021, Iarmak pleaded guilty to one count of conspiracy to commit wire fraud and one count of conspiracy to commit computer hacking.
A number of attacks have been attributed to FIN7 that led to the theft of more than 20 million customer card records from over 6,500 individual point-of-sale terminals at more than 3,600 separate business locations in the U.S., costing the victims $1 billion in losses.
The criminal gang, also known as Carbanak Group and the Navigator Group, has a track record, dating to at least 2015, of hitting the restaurant, gambling, and hospitality industries to siphon customer credit and debit card numbers that were then used or sold for profit.
“Mr. Iarmak was directly involved in designing phishing emails embedded with malware, intruding on victim networks, and extracting data such as payment card information,” said U.S. Attorney Nicholas W. Brown of the Western District of Washington. “To make matters worse, he continued his work with the FIN7 criminal enterprise even after the arrests and prosecution of co-conspirators.”
According to court documents released by the U.S. Justice Department (DoJ), the defendant used Atlassian’s Jira project management and issue-tracking software to coordinate and share details pertaining to different intrusions conducted by the group.
“Under each issue, FIN7 members tracked their progress breaching a victim’s security, uploaded data stolen from the victim, and provided guidance to each other,” the DoJ said.
Iarmak is the third FIN7 member to be sentenced in the U.S., after Fedir Hladyr and Andrii Kolpakov, who were sentenced to prison terms of 10 years and seven years in April and June last year, respectively.
The development comes as threat intelligence and incident response firm Mandiant detailed the evolution of FIN7 into a resilient cyber crime group, linking it to 17 clusters of previously unattributed threat activity spanning several years, while also calling out its upgraded attack toolkit and initial access techniques and its shift to ransomware to monetize its attacks.