3 members of global cybercrime group accused of hacking 100 US companies

SEATTLE -- Three members of a sophisticated international cybercrime group are accused of hacking more than 100 American companies.

U.S. attorney Annette L. Hayes announced the arrests and charges during a press conference at the FBI's Seattle Field Office. One man was arrested in Seattle and the other two were taken into custody in Poland and Spain.

Newly unsealed federal indictments revealed three Ukrainian nationals -- Dmytro Fedorov, 44, Fedir Hladyr, 33, and Andrii Kolpakov, 30 -- are members of FIN7, a prolific hacking group.

FIN7 is accused of attacking more than 100 U.S. companies since 2015. The majority of the companies were in the restaurant, gaming and hospitality industries.

The group breached the computer networks of businesses in 47 states and the District of Columbia, according to Hayes. The group allegedly stole more than 15 million customer card records at 3,600 business locations -- including chains such as Chipotle, Chili's, Arby's, Red Robin and Jason's Deli.

Many of the first hacks happened in Western Washington, and the U.S. Attorney's Office says Chipotle, Arby's and Jason's Deli had the most card records stolen.

Nationwide, the losses to businesses totaled in the tens of millions of dollars.

Officials say if you are one of the 15 million customers affected, you should have been contacted by your bank or credit company alerting you of fraudulent or suspicious activity. People affected would have automatically received a new card in the mail.

Western Washington's own Emerald Queen Casino was also targeted but was able to stop the intrusion. No customer data was stolen from EQC.

“Protecting consumers and companies who use the internet to conduct business – both large chains and small ‘mom and pop’ stores -- is a top priority for all of us in the Department of Justice,” Hayes said.  “Cyber criminals who believe that they can hide in faraway countries and operate from behind keyboards without getting caught are just plain wrong.  We will continue our longstanding work with partners around the world to ensure cyber criminals are identified and held to account for the harm that they do – both to our pocketbooks and our ability to rely on the cyber networks we use.”

Each of the FIN7 conspirators is charged with 26 felony counts alleging conspiracy, wire fraud, computer hacking, access device fraud and aggravated identity theft.

“The three Ukrainian nationals indicted today allegedly were part of a prolific hacking group that targeted American companies and citizens by stealing valuable consumer data, including personal credit card information, that they then sold on the Darknet,” Assistant Attorney General Benczkowski said.  “Because hackers are committed to finding new ways to harm the American public and our economy, the Department of Justice remains steadfast in its commitment to working with our law enforcement partners to identify, interdict, and prosecute those responsible for these threats.”

FBI Special Agent Jay Tabb says the case was one of the largest it has handled, in terms of loss, number of victims and the size of the criminal organization.

“The naming of these FIN7 leaders marks a major step towards dismantling this sophisticated criminal enterprise," said Special Agent in Charge Jay S. Tabb Jr., of the FBI's Seattle Field Office.  “As the lead federal agency for cyber-attack investigations, the FBI will continue to work with its law enforcement partners worldwide to pursue the members of this devious group, and hold them accountable for stealing from American businesses and individuals.”

FBI agents at the Seattle branch are being credited for identifying some of the suspects in this case.

Although card records were the primary target, the indictment does point out several times that FIN7 obtained personal information. For example, in 2017 the indictment states that they obtained 1,000 user names and passwords of generic company accounts and employee accounts.

Investigators are still trying to figure out the scope of how much information FIN 7 managed to steal. Everyone is urged to check financial accounts regularly and contact your bank or credit card companies if there are any fraudulent charges.

Credit card companies say customers are not liable for fraudulent charges.