FBI nabs alleged hackers in theft of 15M credit cards from Chipotle, others

The bureau says the three Ukrainian nationals are behind breaches that hit Arby's, Chili's and other restaurants.

Alfred Ng
Alfred Ng Senior Reporter / CNET News
Alfred Ng was a senior reporter for CNET News. He was raised in Brooklyn and previously worked on the New York Daily News's social media and breaking news teams.
3 min read
Man wearing a "security" jacket in front of a Chipotle outlet.

The FIN7 hacking group allegedly stole credit card records from Chipotle.

Saul Loeb/Getty Images

A prolific hacking group behind hundreds of cyberattacks on restaurants just lost its leaders, says the US Justice Department.

On Wednesday, the DOJ said it had arrested three high-ranking members of the international hacking group FIN7. The cybercrime ring was behind attacks on restaurants like Chipotle, Chili's and Arby's, according to indictments unsealed by the department.

The hacking group allegedly stole 15 million credit card records after striking more than 3,600 locations in 47 states. FIN7 hit more than 100 US companies, with a focus on restaurants, hotels and gaming establishments, Western District US attorney Annette Hayes said during a Wednesday press conference. 


A graphic from the Justice Department showing the extent of FIN7's hacking campaign.

Justice Department

The group carried out its attacks through carefully crafted email messages packed with malware designed to infiltrate its victims' networks, prosecutors said. Once the phishing emails tricked someone at a business into opening a file, FIN7's hackers would dig through the networks to search for and steal credit card information, which they'd then sell online.

The emails arrived with a malware-laced word-processing file attached, which pretended to make an order for catering.

The file "appeared to be harmless," said Jay Tabb Jr., an FBI agent involved in the investigation, and the hackers "would often accompany the emails with phone calls in attempts to get [victims] to open the attachment."


One of the many phishing emails used to trick victims into installing malware.

Justice Department

The campaign of attacks is estimated to have cost tens of millions of dollars in damages, Hayes said. FIN7 also carried out attacks against businesses in France, the UK and Australia.

"We are under no illusion that we have taken this group down all together," Hayes said, "but we have made a significant impact."

The three FIN7 members are all Ukrainian nationals and have been charged with 26 felony counts of computer hacking, identity theft and wire fraud. The first arrest occurred in January, when Fedir Hladyr was caught in Germany and extradited to the US. 

Hladyr was allegedly a systems administrator for FIN7 who maintained the cybercrime group's servers and communications. Dymtro Fedorov, also arrested in January, is currently facing extradition in Poland. He's a high-level hacker within FIN7, prosecutors said, and managed other cybercriminals in the organization. 

Andrii Kopakov, also allegedly a FIN7 supervisor, was arrested in June in Spain and is facing extradition.

Watch this: Justice Department indicts 12 Russian cyberspies suspected in DNC hacking

The three alleged hackers used a fake company called Combi Security to recruit members, pretending to be based in Russia and Israel. According to prosecutors, the fake company's website listed many of FIN7's victims as its clients.

The gang had been considered one of the largest cybercrime operations in the last five years.

"For nearly four years, the Fin7 gang has been the major supplier of stolen payment card data to criminals in the dark web," Andrei Barysevich, the director of Advanced Collection at security firm Recorded Future, said in a statement.

Researchers from security firm FireEye also found that FIN7 had targeted members of the US Securities and Exchange Commission in 2017, but Justice Department officials said the group is not backed by any governments.

The cybercrime gang has been around since 2014, and it's continue to grown with its attacks, Kimberly Goody, a manager of financial crime analysis at FireEye, said. 

"Their exceptional social engineering savvy and innovative methods to evade detection played a key role in their rise as a sophisticated organized criminal enterprise," Goody said in a statement.

First published Aug. 1 at 11:11 a.m. PT.
Update at 12:58 p.m. PT: Added remarks from cybersecurity experts.

Security:  Stay up-to-date on the latest in breaches, hacks, fixes and all those cybersecurity issues that keep you up at night.

Blockchain Decoded: CNET looks at the tech powering bitcoin -- and soon, too, a myriad of services that will change your life.