Threat Actor Profile

FIN7

FIN7, also tracked as Carbon Spider, GOLD NIAGARA, Sangria Tempest , and ITG14, is a financially motivated cybercrime group that has been active since approximately 2015. Originating from Eastern Europe, their operations focus heavily on the theft of payment card data via POS system compromises, ransomware deployment, and extortion tactics. Their evolving techniques and organizational structure set them apart as one of the most sophisticated cybercrime syndicates today.

Threat Actor Profile

FIN7

Fancy Bear TTPs

Aenean interdum tempor lectus, nec rutrum nisl interdum ut. Aliquam mattis felis vulputate dui ultrices, ac finibus ligula interdum. Proin metus enim, sagittis fringilla viverra quis, pulvinar sit amet quam. Donec eget ullamcorper nibh. Praesent a nisl eu nunc interdum efficitur.

Country of Origin

While FIN7's operations are widely linked to individuals in Eastern Europe, particularly Ukraine and Russia, the exact nature of any state sponsorship remains unclear. Unlike state-backed advanced persistent threat (APT) groups, FIN7's activities are financially driven, with no direct evidential ties to government mandates.

Members

Exact membership counts for FIN7 are unknown, though evidence reveals a sophisticated structure mimicking that of legitimate organizations. Members fulfill various roles, such as developers, administrators, and recruiters, with performance-driven incentives. The group has disguised itself through front companies like Combi Security, presented as a legitimate penetration-testing firm, complete with a corporate website listing actual US victim organizations as purported clients, to recruit hackers unwittingly into criminal work. The scale of the group's confirmed activity reflects substantial operational depth: by the time of the 2018 indictments, FIN7 had breached computer networks in 47 U.S. states, stealing more than 15 million customer card records from over 6,500 individual POS terminals at more than 3,600 separate business locations.

Leadership

FIN7's internal leadership structure has been partially exposed through law enforcement actions. In August 2018, the DOJ unsealed three federal indictments against Ukrainian nationals who served in senior roles. Each was charged with 26 felony counts including conspiracy, wire fraud, computer hacking, access device fraud, and aggravated identity theft. Despite these arrests, FIN7 continued operations, demonstrating the group's resilience and depth of membership beyond these individuals.

Tactics

The group's primary goals center on financial gains through payment card theft and ransomware operations. Their targeting strategy often focuses on industries with POS systems or high volumes of credit/debit transactions, such as retail, hospitality, and restaurants.

Techniques

Their techniques include spear-phishing campaigns with tailored social engineering to gain initial access. These emails often disguise themselves as business-related correspondence and are sometimes followed by phone calls to increase credibility. They also employ malvertising campaigns, leveraging fake ads to attract victims, and use malware to infiltrate systems and conduct data exfiltration.

Procedures

FIN7 is known for deploying custom and adapted malware such as Carbanak, NetSupport RAT, POWERTRASH, and DICELOADER. They use these tools to escalate privileges, laterally move across networks, and target point-of-sale systems. Recently, they’ve evolved to conduct ransomware activities, where data theft and ransom demands combine to amplify financial extortion.

Want to shut down threats before they start?

Indicators of Compromise (IOCs)

Organizations should monitor for:

  • Known Fancy Bear malware signatures (e.g., XAgent, ADVSTORESHELL).
  • Suspicious domains mimicking government or defense entities.
  • Zero-day exploits in applications like Microsoft Windows and Adobe Flash.
  • Abnormal network traffic patterns indicating command-and-control communications.

Key Victims

Fancy Bear targets include:

  • Governments (United States, Germany, France, Ukraine, and others).
  • Military Organizations (focus on NATO-aligned entities).
  • Media Outlets and Journalists (especially those covering Kremlin-related topics).
  • Critical Infrastructure (energy, aerospace, and defense).
  • International Sporting Organizations (e.g., WADA).
  • Political Groups (e.g., the Democratic National Committee).

Notable Cyber Attacks

Aenean interdum tempor lectus, nec rutrum nisl interdum ut. Aliquam mattis felis vulputate dui ultrices, ac finibus ligula interdum. Proin metus enim, sagittis fringilla viverra quis, pulvinar sit amet quam. Donec eget ullamcorper nibh. Praesent a nisl eu nunc interdum efficitur.

Notable Cyberattacks

Among their significant cyberattacks, the breaches between 2017 and 2018 targeting major food and retail chains stand out, where extensive POS data was stolen across thousands of locations nationwide. Since approximately 2020, FIN7 has materially evolved its operations toward big game hunting ransomware, shifting from opportunistic card theft to high-value targeted intrusions. The group has been linked to operations involving REvil, DarkSide, BlackMatter, and Cl0p ransomware, as well as operating their own ransomware infrastructure. This shift significantly elevated FIN7's threat profile — combining their proven initial access expertise and Carbanak/DICELOADER tooling with ransomware deployment and double extortion to amplify financial pressure on victims. Organizations beyond traditional retail and hospitality are now in scope, including manufacturing, technology, and financial services.

Glitch effectGlitch effect

How to Defend Against FIN7

1

Implement robust employee training on phishing recognition.

2

Segment networks to isolate critical systems, such as Point-of-Sale (POS) networks.

3

Maintain up-to-date Endpoint Detection and Response (EDR) tools.

4

Regularly patch vulnerabilities in software and systems.

Huntress's Managed Endpoint Detection and Response solutions can detect malware used by FIN7, monitor abnormal network behaviors, and strengthen defenses against phishing and other initial access techniques.


Law Enforcement & Arrests


Law enforcement agencies, including the U.S. Department of Justice (DOJ), have made strides in tackling FIN7. In August 2018, the DOJ unsealed indictments against three senior members: Fedir Hladyr, Dmytro Fedorov, and Andrii Kolpakov — all Ukrainian nationals arrested across Europe (Germany, Poland, and Spain respectively) and extradited to face charges in U.S. federal court in Seattle. Each faced 26 felony counts. Hladyr subsequently pleaded guilty and was sentenced to 10 years in federal prison in 2021. Fedorov and Kolpakov's proceedings continued separately. However, despite these arrests, FIN7 demonstrably continued operations, launching new ransomware campaigns and recruiting replacement members, indicating the group's resilience, depth of membership, and decentralized structure that extends well beyond any arrested individuals.



References

Related Threat Actor Profiles

Notable developments include the U.S. indictment of GRU-affiliated officers in 2018. Despite these measures, Fancy Bear remains operational, emphasizing the challenges of deterring state-sponsored cyber actors.

Detect, Respond, Protect

See how the global Huntress SOC can augment your team
with 24/7 coverage and unmatched human expertise.
Start your free trial today.

Try Huntress for Free