One of three men who allegedly helped lead the FIN7 hacking group, which the U.S. Department of Justice says is behind the theft of 15 million payment card numbers, is scheduled to be extradited to the U.S., CyberScoop has learned.
Andrii Kolpakov, will plead not guilty when he arrives in court from Spain to face charges in U.S. District Court for the Western District of Washington, according to his attorney, Vadim Glozman, who took over the case in April.
Glozman said the timing of the extradition is unclear, but another source familiar with the matter said it will be “in the coming weeks.”
Spanish police arrested Kolpakov in June 2018 at the behest of U.S. authorities. The Ukrainian national, who was 30 when he was taken into custody, faces 26 criminal counts in the U.S., including aggravated identity theft, intentional damage to a protected computer and wire fraud, according to a U.S. indictment made public in August.
“I’m preparing for him to be extradited at some point soon,” Glozman said. “I’ve been briefly in touch with him and his family … but it’s hard to communicate when he’s in jail in Spain.”
A Department of Justice spokesperson declined to comment, citing the government’s policy of not responding to questions about extradition-related matters until a defendant is in the U.S. The FBI declined to comment.
The FIN7 group is accused of stealing more than 15 million customer card records from companies in 47 states, then reselling data on cybercriminal forums. The financial crime collective allegedly included dozens of members who had responsibilities such as crafting spearphishing emails, phoning potential victims to make the ruse appear legitimate, and hiring penetration testers and developers. The group used a customized version of the Carbanak malware, which can capture screenshots of infected machines, to steal victims’ information, and disguised much of its activity behind a front company called Combi Security.
Victimized organizations typically included restaurants and retail businesses, like Chipotle, Red Robin, Sonic Drive-In, Saks Fifth Avenue, Whole Foods and others.
Kolpakov worked as one of the main directors of the group, according to the indictment.
He posed as a high-level penetration tester and supervised other hackers responsible for breaching the security of victims’ computer systems without the victims’ knowledge or consent, according to the indictment. Upon successfully hacking into an organization, an effort the group described as a “project,” FIN7 members would share stolen information, including internal credentials, in private chats.
The extradition status of the other accused FIN7 members arrested last year, Dmytro Fedorov and Fedir Hladyr, was not immediately clear.
The rest of the group has remained active since those three arrests, according to Kaspersky Labs research published Wednesday. FIN7 has relied on a tailored phishing campaign over the past year that may have infiltrated more than 130 companies, Kaspersky said. Malicious emails included hacking tools known as INCLUDEPICTURE, which posed as a harmless Microsoft Word document, and GRIFFON, a malware implant that gives attackers persistent access to a victim’s machines.
FIN7 also is using another fake pen-testing company that appeared to be “fully owned by the Russian government,” with offices in Moscow and Saint Petersburg, even though the address listed the fake firm as being located in New York City’s Trump Tower.