Ukrainian FIN7 Hacker Gets 5-Year Sentence in the United States

A 32-year-old Ukrainian national has been sentenced to five years in prison^[1] in the U.S. for the
individual’s criminal work as a “high-level hacker” in the
financially motivated group FIN7.

Denys Iarmak, who worked as a penetration tester for the cartel
from November 2016 through November 2018, had been previously
arrested in Bangkok, Thailand in November 2019, before being
extradited to the U.S. in May 2020.

In November 2021, Iarmak had pleaded guilty to one count of
conspiracy to commit wire fraud and one count of conspiracy to
commit computer hacking.

FIN7 has been attributed to a number of attacks that have led to
the theft of more than 20 million customer card records from over
6,500 individual point-of-sale terminals at more than 3,600
separate business locations in the U.S, costing the victims $1
billion in losses.

The criminal gang, also known as Carbanak Group and the
Navigator Group, has a track record of hitting restaurant,
gambling, and hospitality industries to siphon customer credit and
debit card numbers since at least 2015 that were then used or sold
for profit.

“Mr. Iarmak was directly involved in designing phishing emails
embedded with malware, intruding on victim networks, and extracting
data such as payment card information,” said U.S. Attorney Nicholas
W. Brown of the Western District of Washington. “To make matters
worse, he continued his work with the FIN7 criminal enterprise even
after the arrests and prosecution of co-conspirators.”

According to court documents released by the U.S. Justice
Department (DoJ), the defendant used Atlassian’s Jira project
management and issue-tracking software to coordinate and share
details pertaining to different intrusions conducted by the
group.

“Under each issue, FIN7 members tracked their progress breaching
a victim’s security, uploaded data stolen from the victim, and
provided guidance to each other,” the DoJ said.

Iarmak is the third FIN7 member of the group to be sentenced in
the U.S. after Fedir Hladyr^[2]
and Andrii Kolpakov^[3], both of whom were
awarded a prison term of 10 years and seven years respectively in
April and June last year.

The development comes as threat intelligence and incident
response firm Mandiant detailed^[4]
the evolution of FIN7 into a resilient cyber crime group, linking
it to 17 clusters of previously unattributed threat activity
spanning several years, while also calling out its upgraded attack
toolkit and initial access techniques and its shift to ransomware
to monetize its attacks.