SEATTLE — Three Ukrainian members of a sophisticated international hacking group that targeted restaurants, casinos and other businesses in 47 U.S. states to steal credit and debit card records have been arrested and face charges in federal court in Seattle, officials said Wednesday.
The hacking group, known as FIN7 or Carbanak, stole about 15 million credit and debit cards records and also targeted establishments in the District of Columbia and around the world, U.S. Attorney Annette Hayes told reporters. Companies that had information stolen included Chipotle, Arby’s, Red Robin and Jason’s Deli.
Losses totalled in the tens of millions of dollars, Hayes said.
“We are under no illusions that we have taken this group down altogether, but we have made a significant impact,” Hayes said.
The operation is one of the largest cybercrime cases the FBI has handled, in terms of losses, number of victims and the size of the criminal organization, said FBI Special Agent Jay Tabb.
Suspects Dmytro Fedorov, Fedir Hladyr and Andrii Kolpakov face 26 felony charges that range from wire fraud, computer hacking and identity theft, according to the indictment.
“The charges are very serious and my client may be facing the decades in jail if convicted,” said Arkady Bukh, a lawyer representing Hladir.
Bukh said the case is complex and that “there is no clear decision at this time whether (we) will go to trial or will consider a plea.”
Officials say Hladyr, who was arrested in Germany in January and is in custody in Seattle, was FIN7’s systems administrator and maintained the group’s servers. His trial is set for October 22.
Fedorov and Kolpakov supervised hackers who breached the computer systems, officials said. Fedorov is being held in Poland and Kolpakov is in Spain awaiting extradition to the U.S.
“Our intention is to bring them back here to Seattle so they can face these charges and we can hold them to account,” Hayes said. “These hackers think they can hide behind keyboards in faraway places and escape the long arm of the United States law.”
The group used sophisticated techniques to worm their way into computer networks, sending carefully crafted emails to employees at the businesses that appeared to be legitimate, Tabb said.
“These emails were sent to people and catering departments at hotels or restaurants and appeared to be harmless,” Tabb said. “They often accompanied the emails with phone calls to employees to get them to open the attachments sent in emails. Of course, if they opened the attachment, that would deploy the malware onto the victim company’s computer systems.”
Fin7 used an adapted version of the notorious Carbanak malware with an arsenal of other tools to steal payment card information from the businesses, Tabb said.
The stolen credit and debit card numbers were often were sold in underground online marketplaces and criminals then made charges on the cards, Tabb said.
Tabb said the investigation is ongoing and that there could be more arrests.
He said the group’s success stealing credit and debit card information in nearly every U.S. state should serve as a warning for people to “take measures to secure finances, including credit monitoring and reporting suspicious activity on payment cards to your bank or credit card provider.”