US law enforcement officials have reported the arrest in Thailand and extradition to the United States of Ukrainian citizen Denis Yarmak, also known by the pseudonym GakTus. According to US authorities, Yarmak was a member of the notorious hacking group FIN7.
As a reminder, the FIN7 group has been active since mid-2015. The group is suspected of attacks on American companies in the retail segment, as well as the restaurant and hotel business. FIN7 also collaborated actively with the Carbanak group for a long time: the attackers exchanged tools and attack methods, which is why many experts put a kind of "equals sign" between the two groups.
FIN7 criminals are primarily interested in financial information, for example, payment card data or credentials that grant access to the computers of finance departments. Having obtained the necessary information, the attackers steal money and transfer it to offshore accounts.
According to the US Department of Justice, since 2015 the group has attacked more than 100 companies and organizations in the United States, breaking into thousands of different systems. In the United States alone, the hackers stole more than 15,000,000 payment card records, compromising more than 6,500 PoS terminals. The data was then resold to third parties on the darknet.
It should not be forgotten that the group also operated in other countries, including the UK, Australia and France, and that large companies such as Chipotle Mexican Grill, Chili's, Arby's, Red Robin and Jason's Deli suffered from FIN7 attacks. According to Kaspersky Lab data from 2015, the group managed to steal about a billion dollars in total.
According to court documents, Denis Yarmak, like other members of the group, revealed his real name in order to get paid for his "work" in FIN7. In chat logs dated 2017, Yarmak hands another FIN7 member user credentials from a compromised company in the USA, as well as internal system information about the victim and a number of documents.
The US authorities obtained a warrant for access to Yarmak's Gmail account, which contained photographs of his Ukrainian passports and other identification documents.
"During the investigation, it was found that one of the group's working methods was to scan their malware with antivirus products that were disconnected from the Internet. This method made it possible to determine whether a malicious program is detected as malicious by an antivirus product, without providing a copy of the malware to antivirus companies," the court document says.
Another court filing, dated May 20, 2020, reports that the authorities are currently seeking to keep sealed information about another person who is also under investigation and with whom Yarmak communicated last year.
It is worth noting that back in 2018, American law enforcement reported the arrest of three members of FIN7 at once, and these people are believed to have been the group's leaders. However, FIN7 did not disappear from the radar after this and did not cease to exist. A year ago, Kaspersky Lab experts discovered several new incidents that FIN7 participants were behind. The researchers wrote that the group's methods had become more sophisticated and suggested that FIN7 may have increased the number of attacking groups operating under its "umbrella brand" and, in all likelihood, continued the practice of recruiting employees under the cover of a seemingly legitimate security vendor.