The FBI has arrested another alleged member of the FIN7 cybercrime gang, which has been stealing millions of payment cards and other financial data since at least September 2015, according to federal court documents.

Ukrainian national Denys Iarmak was extradited from Thailand and arrested in Seattle on Friday, according to documents unsealed by the U.S. District Court for the Western District of Washington in Seattle. He’s the fourth alleged member of the group to be arrested and charged in the last two years.

Iarmak, who remains in federal custody, has been charged with multiple criminal counts, including wire fraud; conspiracy to commit computer hacking; conspiracy to commit wire and bank fraud; three counts of aggravated identity theft; three counts of accessing a protected computer in furtherance of fraud; three counts of intentional damage to a protected computer; and access device fraud and forfeiture allegations, the federal court documents show.

FIN7, also known as Carbanak or Navigator, is a financially motivated cybercrime group known to use spear-phishing mails containing malicious Word and Google document attachments that load malware on targeted devices to steal payment card information, according to federal prosecutors.

Over the years, authorities allege, FIN7 has targeted restaurant chains, casinos and hospitality businesses, including Chipotle Mexican Grill, Arby’s, Chili’s, Red Robin Gourmet Burgers, Taco John’s, Sonic Drive-in and Emerald Queen Hotel and Casino.

The group allegedly stole more than 15 million payment card records from over 6,500 point-of-sale terminals across more than 3,600 business locations, according to the Justice Department.

Court documents first revealed by Vice’s Motherboard detail a highly organised crew, if one which made some serious (and welcome) operational security errors.

Fin7 used private JIRA servers to raise tickets on specific companies they were targeting. Its members also used a wide range of encrypted messengers run on private servers, including Jabber and the late HipChat. It also used the messenger services Mumble, Telegram, Threema and Viber.

The cyber crime organisation exploited a “wide variety” of digital currencies, including Binance, Electro, and Monero.

The FBI gained significant amounts of intelligence by cooperation with law enforcement in other countries, which allowed them to gain access to both a mobile phone and a laptop while members of the group that they were targeting were on holiday, the court documents reveal.

Fin7 Hackers: WFH Since 2015

“The hacking group does not have a central office or work location”, the court documents note. “Instead [it] uses a distributed work force that relies on a secure, virtual work environment.”

Many of the group’s members provided true names and addresses via encrypted Jabber communications to “certain high-level members of the group” in order to get paid for their work.

Iarmak, meanwhile, used a Gmail account for certain communications that contained emails featuring his passport and other ID documents. This also revealed communications with antivirus companies, that were later forward on to other members of the hacking group.

These revealed that Fin7 would regularly test their malware against offline versions of the AV software to see if it detected it.

Iarmak, who went by the handle GakTus, was extradited from Thailand.

The story was first reported by Motherboard’s Joseph Cox, after a tip-off from George Washington University’s Seamus Hughes.

Iarmark’s Role

To carry out its activities, FIN7 created a front company called Combi Security that purported to be a cybersecurity pen-testing firm based in Russia and Israel, prosecutors allege in court documents.

The front company then “hired” computer programmers under the pretense of having them work on pen-testing for clients, prosectutors allege. Iarmak was allegedly one such “pen-tester” whose job was breaching the security of victims’ networks, according to the indictment.

“In truth and in fact, the defendant and his FIN7 co-conspirators well knew Combi Security was a front company used to hire and deploy hackers who were given tasks in furtherance of the FIN7 conspiracy,” the indictment states.

Law enforcement officials allege that Iarmak sent internal system information stolen from a victim company to FIN7 manager Fedir Hladyr in a Jabber communication. Numerous other Jabber communications between Iarmark and other FIN7 members discussing phishing emails, malware tools, victim information and other illegal activities were also found, according to the indictment.

Hladyr, who is also from Ukraine, pleaded guilty to multiple charges in federal court September 2019 and is awaiting sentencing, federal prosecutors say.

FIN7’s Illegal Activities

The spear-phishing emails lured victims by faking an interest in their organization or by falsely claiming to be from organizations such as the U.S. Securities and Exchange Commission, according to the indictment. While targeting one restaurant chain, the hackers inquired about placing a catering order, the details of which they said were in a malicious attachment, according to court documents.

The FIN7 hackers went one step further, calling the victims to convince them to open the attached documents, the indictment alleges.

Once a victim’s computer was infected, FIN7 allegedly would install additional malware, such as the backdoor Carbanak, to remotely control the device and then add it to the gang’s botnet, according to the court documents. The group operated a global network of servers and used Jira project management software to collaborate with other members of the group and share attack details, the document adds.

Other Arrests

In 2018, the Justice Department unsealed indictments against three alleged high-level members of the gang: Hladyr, Dmytro Fedorov and Andrii Kolpakov.

Fedorov was arrested in Bielsko-Biala, Poland, and Kolpakov was arrested in Lepe, Spain, in 2018. Both were later extradited to the U.S. and pleaded not guilty. Their trial began in August 2019 and is set to continue in October 2020. According to the FBi the Fin7 group has still been active as early as March this year.