FIN7 hacking group member sentenced to five years behind bars

He worked as a penetration tester for the criminal outfit.
Written by Charlie Osborne, Contributing Writer

A Ukrainian national has been sentenced as a member of the FIN7 hacking group.

On Thursday, the US Department of Justice (DoJ) announced the sentencing of Denys Iarmak to five years in prison for working as a FIN7 penetration tester.

FIN7, also known as Carbanak, is a prolific cybercriminal group that focuses on financial theft. Active since at least 2015, FIN7 has tended to target the retail and banking sector through Business Email Compromise (BEC) scams, attacks against point-of-sale (PoS) systems, and supply chain compromise.

The group is constantly evolving its tactics and improving its toolkit. The malware used by the group includes backdoors, information stealers, Trojans, RDP access modules, and even malicious USB drives that are physically mailed to unsuspecting businesses.

Blueliv researchers say that FIN7 is one of the top threats to today's financial sector. The DoJ estimates that at least $1 billion in damages has been done to US organizations and consumers.

Prosecutors say that Iarmak worked as a pentester for the group. In cybersecurity, pen testers may be tasked with testing software and security, but in this case, the 32-year-old was responsible for managing network intrusions.

Among his tasks was creating intrusion 'projects' in JIRA to track cyberattacks, including the initial access, surveillance progress, and data theft. Group members could comment on each project and offer each other advice. 

"As one example, Iarmak created a JIRA issue, to which he and other members of the cybergroup had access, for a specific victim company, and, on or about March 3, 2017, Iarmak updated that JIRA and uploaded data he had stolen from that company," the DoJ says.

While prosecutors didn't say how much Iarmak earned, they noted his paycheck "far exceeded comparable legitimate employment in Ukraine."

Iarmak was apprehended and arrested in Bangkok, Thailand, in 2019. The hacker fought extradition but was sent to the US in 2020.

He was charged and pleaded guilty to one count of conspiracy to commit wire fraud and one count of conspiracy to commit computer hacking.

The DoJ began arresting FIN7 members in 2018. To date, three have been sentenced in the United States. Iarmak joins Fedir Hladyr, who was sentenced to 10 years behind bars, and Andrii Kolpakov, who will serve a seven-year prison term.

"Iarmak was directly involved in designing phishing emails embedded with malware, intruding on victim networks, and extracting data such as payment card information," commented US Attorney Nicholas Brown of the Western District of Washington. "To make matters worse, he continued his work with the FIN7 criminal enterprise even after the arrests and prosecution of co-conspirators."

See also

Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0

Editorial standards