An accused operator of the FIN7 hacking collective pleaded guilty on Wednesday to charges in connection with working as the administrator of the group that researchers have suggested stole more than $1 billion from victims worldwide.
Fedir Hladyr, 34, appeared in a courtroom in the Western District of Washington to plead guilty to wire fraud and conspiracy to commit computer hacking as part of a deal with prosecutors that will result in a prison sentence of no more than 25 years, according to his defense attorney.
Hladyr was arrested in Dresden, Germany in January 2018 and accused of working as an administrator for the FIN7 group who maintained servers and delegated responsibilities throughout the international hacking crew, among other duties.
He is the first member of the group to be found guilty of hacking-related crimes in U.S. court.
The case marks a significant win for the Department of Justice, which for years has struggled to apprehend, extradite and convict the cybercriminals suspected in attacks against U.S. companies. FIN7 is accused of stealing more than 15 million credit card numbers from victims including Chipotle, Red Robin, Saks Fifth Avenue, Whole Foods and other retailers and restaurants in 47 states. The group, blamed last year for more than $1 billion in losses, remains active, despite Hladyr’s arrest.
“[Hladyr] was facing multiple sentences of life in jail based on the dollar amount and the number of people harmed, which is 90% of the argument,” said defense attorney Arkady Bukh. “At this time, the government gave us a certain level of leniency and will basically limit his legal exposure to 25 years.”
Sentencing is scheduled for Dec. 13.
FIN7 haunted corporate networks for years with a customized iteration of the Carbanak malware, which proved capable of taking screenshots of infected machines to capture victims’ information. The group also disguised much of its criminal activity behind a front company called Combi Security.
Hladyr was a key part of the scheme. Prosecutors said he served as “a high-level systems administrator” for FIN7 who controlled a private HipChat instant messaging chat where various FIN7 members uploaded malicious software code, stolen payment card data and screenshots from breached companies, among other details. Hladyr also maintained and organized FIN7 work through Jira, a project tracking software where the group uploaded files and thousands of stolen usernames and passwords.
Using data from one of Hladyr’s files, prosecutors said, another FIN7 hacker used the email address “firstname.lastname@example.org” to phish employees at victim companies. Upon stealing the data, the hacker would then upload it to a different Jira file, according to Hladyr’s indictment.
Notably, Hladyr pleaded guilty to only two of the 26 charges against him. The counts to be dropped include allegations of aggravated identity theft, access device fraud and intentional damage to a protected computer. Those will be dropped at his sentencing, according to a court filing Wednesday, while Hladyr will be punished for wire fraud and conspiracy to commit computer hacking, a charge his lawyer minimized during a conversation with CyberScoop.
“If you give a cup of tea to a criminal you are guilty of conspiracy because you added to the furtherance of the crime,” Bukh said.
The plea agreement is available in full below.