Three Ukrainians are facing charges of hacking into more than 100 U.S. companies and stealing millions of records, federal officials said.
Dmytro Fedorov, 44, Fedir Hladyr, 33, and Andrii Kopakov, 30, were members of a “sophisticated international cybercrime group” called “FIN7,” said Department of Justice (DoJ) officials.
“Since at least 2015, FIN7 members engaged in a highly-sophisticated malware campaign targeting more than 100 U.S. companies, predominantly in the restaurant, gaming, and hospitality industries,” DoJ officials said.
“FIN7 hacked into thousands of computer systems and stole millions of customer credit and debit card numbers, which the group used or sold for profit,” it said.
DoJ said members of the group also targeted computer networks in Britain, Australia, and France.
FBI special agent Jay Tabb said at a press conference in Seattle, Washington, where the arrests were announced, the hacking was not state-sponsored.
“No linkage at all to any state-sponsored activity,” Tabb said. “This is just old-fashioned organized crime.”
Fedorov, a “high-level hacker and manager,” ended up arrested in Bielsko-Biala, Poland, in January and is being detained pending extradition to the United States, DoJ officials said.
Hladyr, FIN7’s systems administrator, was arrested in Dresden, Germany, in January, and is being held in Seattle, Washington, pending a trial scheduled to open October 22.
Kolpakov, described as a “supervisor of a group of hackers,” was arrested in Lepe, Spain, in late June and is being detained there pending a U.S. extradition request, the department said.
“Cyber criminals who believe that they can hide in faraway countries and operate from behind keyboards without getting caught are just plain wrong,” said Annette Hayes, US Attorney for the Western District of Washington.
The charges against the three were contained in federal indictments unsealed Wednesday.
They were charged with 26 counts of conspiracy, wire fraud, computer hacking, access device fraud, and aggravated identity theft.
DoJ said FIN7 also known as the “Carbanak Group” and the “Navigator Group,” breached computer networks of companies in 47 U.S. states and Washington DC.