Three Ukrainian men have been arrested on charges they led a hacking group that stole millions of credit card numbers by breaking into the computer systems of major American restaurant and hospitality chains, U.S. officials announced Wednesday.
The hacking group, known as FIN7 or the Carbanak Group, is notorious among cybersecurity experts for a long-running campaign that targeted more than 100 U.S. companies, stealing an estimated 15 million credit card numbers, many of which ended up being sold to other criminals online, authorities said.
The companies allegedly hacked by FIN7 include Chipotle Mexican Grill, Chili’s, Arby’s and Red Robin, officials said.
The hacking group has been active for years. Starting in January, the FBI began quietly arranging arrests when suspects traveled outside their home country.
One of the suspects, Fedir Hladyr, 33, was arrested in Germany early this year and secretly extradited to Seattle, where he is in custody awaiting trial. Another suspect, Dmytro Fedorov, 44, was arrested in Poland and is awaiting extradition. The third, Andrii Kolpakov, 30, was arrested in June in Spain and is awaiting extradition.
They are charged with more than two dozen counts of conspiracy, wire fraud, computer hacking, access device fraud and aggravated identity theft.
“These hackers think they can hide behind keyboards in faraway places and that they can escape the long arm of the United States law,” Seattle U.S. Attorney Annette L. Hayes said. “They cannot do that.”
According to the indictments, FIN7 has dozens of members and used email spear-phishing techniques to secretly implant malware on the computers of unwitting employees of the targeted companies — sometimes placing phone calls to help the emails appear legitimate.
The defendants also allegedly used a front company that purported to provide computer security services as a means of recruiting hackers to join the criminal network, according to the indictments.