A U.S. federal judge on Friday sentenced Fedir Hladyr to 10 years in prison for his alleged role as an administrator of the multibillion-dollar cybercrime group known as FIN7, which has breached hundreds of U.S. firms.
The 10-year sentence includes three years Hladyr has already spent in detention since his arrest, and $2.5 million in restitution to be distributed to victims.
FIN7 is one of the most formidable cybercriminal groups of the last decade, allegedly siphoning off millions of credit card numbers from restaurant and hospitality chains in 47 U.S. states. And Hladyr, a Ukrainian in his mid-30s, is allegedly a big reason that FIN7 operated like a well-oiled multinational corporation.
Hladyr allegedly controlled an instant messaging service that the crime group used to upload stolen payment card data and screenshots from hacked financial firms. He also allegedly organized FIN7’s work through a project-tracking software that managed thousands of stolen usernames and passwords.
Federal prosecutors argued for a 10-year prison sentence for Hladyr because it would “send a strong message of public deterrence” to persistent cybercriminals. They described him as a “technical guru,” an elite hacker among talented ones, whose skills were integral to making FIN7 a vaunted threat to U.S. businesses.
Hladyr’s prosecution is win for Justice Department officials looking to make a dent in the array of well-funded cybercriminal groups that target U.S. businesses from Eastern Europe. Yet despite his prosecution, and the arrest of other alleged FIN7 members, the group has continued to try to steal from businesses. In early 2020, the group used the U.S. Postal Service to send malware-laced USB sticks to multiple organizations.
Hladyr’s was arrested in Germany in January 2018, and subsequently extradited to the U.S. District Court for the Western District of Washington. He pleaded guilty in September 2019 to wire fraud and conspiracy to commit computer hacking as part of plea deal aimed at getting him a reduced sentence. Hladyr’s lawyer, George Grasso, argued that his client’s three years of incarceration, during which he said Hladyr contracted the coronavirus, was enough of a deterrent. Grasso also said that Hladyr had experienced extensive tragedy in his life, and should be released so he could care for sick family members who needed his support.
While previous estimates from cybersecurity researchers had put FIN7’s theft at $1 billion, U.S. prosecutors said in their sentencing memorandum for Hladyr that a “conservative estimate” of the losses caused by the group is between $3 billion to $5.7 billion.
FIN7 has disguised much of its criminal activity behind a front company dubbed Combi Security. Grasso acknowledged that after Hladyr learned of Combi Security’s criminal activities, his client continued to work for the front company. Grasso said Hladyr felt compelled to do so to provide for his son.
Hladyr told the court he regretted the day he started with Combi Security, and accepted responsibility for his crimes.
“I was so stupid, careless and reckless and for this I sincerely apologize to the court and to the government,” he said before the sentencing.