Three men arrested for stealing over 15 million payment cards

They’re allegedly part of the notorious Carbanak cybercrime group.

US officials announced today that three alleged leaders of the cybercrime group known alternatively as Fin7, Carbanak and the Navigator Group have been arrested in Germany, Poland and Spain and charged with 26 felony counts. The charges include conspiracy, wire fraud, computer hacking, access device fraud and aggravated identity theft. The Department of Justice alleges that Fin7 members have targeted more than 100 US companies, hacked thousands of computer systems and stolen 15 million credit and debit card numbers. The group is said to have breached networks in 47 states and Washington, DC and hacked 6,500 point-of-sale terminals at over 3,600 business locations.

"The three Ukrainian nationals indicted today allegedly were part of a prolific hacking group that targeted American companies and citizens by stealing valuable consumer data, including personal credit card information, that they then sold on the Darknet," Assistant Attorney General Benczkowski said in a statement. "Because hackers are committed to finding new ways to harm the American public and our economy, the Department of Justice remains steadfast in its commitment to working with our law enforcement partners to identify, interdict and prosecute those responsible for these threats."

Fin7 is also believed to have breached systems in the UK, Australia and France. The Department of Justice indictments released today allege that Fin7 is responsible for hacking systems belonging to businesses like Chipotle, Chili's, Arby's, Red Robin and Jason's Deli. The group has also previously been connected to breaches affecting Lord & Taylor, Saks Fifth Avenue and Oracle.

Fedir Hladyr, who allegedly maintained servers and communication channels for Fin7, was arrested in Dresden, Germany in January and is currently awaiting trial in Seattle. Dmytro Fedorov, arrested in Bielsko-Biala, Poland in January, is said to have supervised other hackers in the group. His extradition to the US is pending. The third member, Andrii Kolpakov, was arrested in Lepe, Spain in June and is also alleged to be a supervisor. The US is working on its extradition request for Kolpakov.

Fin7 is said to have used phishing campaigns to gain access to a business' systems, pairing fraudulent emails with phone calls in order to appear legitimate. The group then used a version of the Carbanak malware -- which has also been used to attack banks and gain control over ATMs -- to steal payment card data, which was later sold online.

"Protecting consumers and companies who use the internet to conduct business -- both large chains and small 'mom and pop' stores -- is a top priority for all of us in the Department of Justice," said US Attorney Annette Hayes. "Cyber criminals who believe that they can hide in faraway countries and operate from behind keyboards without getting caught are just plain wrong. We will continue our longstanding work with partners around the world to ensure cyber criminals are identified and held to account for the harm that they do -- both to our pocketbooks and our ability to rely on the cyber networks we use."