Federal authorities have smashed a computer-hacking ring that stole millions of credit card records from restaurants across 47 states for at least three years, the U.S. Attorney General’s office revealed Aug. 1.
The victims included units of Arby’s, Chipotle, Chili’s, Red Robin and Jason’s Deli, along with a number of other credit card-accepting businesses in 47 states, according to the authorities. The criminal operation, known as FIN7 as well as other aliases, used malware to infiltrate 6,500 point-of-sale terminals at 3,600 business locations. About 100 companies were targeted in total, the officials said.
The usual process was to send the businesses a seemingly innocent email, and then to follow it up with phone calls and other emails to convince the recipients of the communications’ legitimacy. All came from a front company called Combi Security. Once any of the emails was opened, a well-known form of malware called Carbanak would be released into the computer system.
That technique netted the gang credit card records for about 15 million U.S. consumers, according to the authorities.
FIN7 operated out of Eastern Europe. Three of its principals—Dmytro Fedorov, 44, Fedir Hladyr, 33, and Andrii Kolpakov, 30—are now in federal custody in Seattle.
Although their arrests started with the apprehension of Hladyr in January and concluded with taking Kolpakov in June, the indictments for the three were not unsealed until Aug. 1.
“Protecting consumers and companies who use the internet to conduct business—both large chains and small mom and pop stores—is a top priority for all of us in the Department of Justice,” U.S. Attorney Annette Hayes said in a statement. “Cybercriminals who believe that they can hide in faraway countries and operate from behind keyboards without getting caught are just plain wrong.”