Threat Actor Profile

FIN7

FIN7, also tracked as Carbon Spider, GOLD NIAGARA, Sangria Tempest, and ITG14, is a financially motivated cybercrime group that has been active since approximately 2015. Believed to operate out of Eastern Europe, the group focuses heavily on the theft of payment card data via point-of-sale (POS) system compromises, ransomware deployment, and extortion. Its evolving techniques and organizational structure set it apart as one of the most sophisticated cybercrime syndicates operating today.

Country of Origin

While FIN7's operations are widely linked to individuals in Eastern Europe, particularly Ukraine and Russia, the exact nature of any state sponsorship remains unclear. Unlike state-backed advanced persistent threat (APT) groups, FIN7's activities are financially driven, with no direct evidence tying them to government mandates.

Members

Exact membership counts for FIN7 are unknown, though evidence reveals a sophisticated structure mimicking that of legitimate organizations. Members fulfill various roles, such as developers, administrators, and recruiters, with performance-driven incentives. The group has disguised itself through front companies like Combi Security, presented as a legitimate penetration-testing firm, complete with a corporate website listing actual US victim organizations as purported clients, to recruit hackers unwittingly into criminal work. The scale of the group's confirmed activity reflects substantial operational depth: by the time of the 2018 indictments, FIN7 had breached computer networks in 47 U.S. states, stealing more than 15 million customer card records from over 6,500 individual POS terminals at more than 3,600 separate business locations.

Leadership

FIN7's internal leadership structure has been partially exposed through law enforcement actions. In August 2018, the DOJ unsealed three federal indictments against Ukrainian nationals who served in senior roles. Each was charged with 26 felony counts including conspiracy, wire fraud, computer hacking, access device fraud, and aggravated identity theft. Despite these arrests, FIN7 continued operations, demonstrating the group's resilience and depth of membership beyond these individuals.

FIN7 TTPs

Tactics

The group's primary goals center on financial gains through payment card theft and ransomware operations. Their targeting strategy often focuses on industries with POS systems or high volumes of credit/debit transactions, such as retail, hospitality, and restaurants.

Techniques

Their techniques include spear-phishing campaigns with tailored social engineering to gain initial access. These emails are often disguised as business-related correspondence and are sometimes followed up by phone calls to increase credibility. They also run malvertising campaigns that use fake ads to lure victims, and they use malware to infiltrate systems and exfiltrate data.

Procedures

FIN7 is known for deploying custom and adapted malware such as Carbanak, NetSupport RAT, POWERTRASH, and DICELOADER. They use these tools to escalate privileges, laterally move across networks, and target point-of-sale systems. Recently, they’ve evolved to conduct ransomware activities, where data theft and ransom demands combine to amplify financial extortion.

Indicators of Compromise (IoCs)

FIN7's IoCs include IP addresses linked to its command-and-control servers, email domains used in its phishing campaigns, and signatures of its custom malware such as DICELOADER and Carbanak. Watching for abnormal network traffic and for the forensic behaviors these tools leave on hosts can help detect the group's operations.

Key Victims

FIN7's notable victims include high-profile chains such as Chipotle, Chili’s, Arby’s, Jason’s Deli, and Red Robin. Beyond the restaurant sector, their victims also span the retail and hospitality industries globally, with a strong focus on organizations in the United States.

Notable Cyberattacks

Among their significant cyberattacks, the breaches between 2017 and 2018 targeting major food and retail chains stand out, where extensive POS data was stolen across thousands of locations nationwide. Since approximately 2020, FIN7 has materially evolved its operations toward big game hunting ransomware, shifting from opportunistic card theft to high-value targeted intrusions. The group has been linked to operations involving REvil, DarkSide, BlackMatter, and Cl0p ransomware, as well as operating their own ransomware infrastructure. This shift significantly elevated FIN7's threat profile — combining their proven initial access expertise and Carbanak/DICELOADER tooling with ransomware deployment and double extortion to amplify financial pressure on victims. Organizations beyond traditional retail and hospitality are now in scope, including manufacturing, technology, and financial services.

Law Enforcement & Arrests

Law enforcement agencies, including the U.S. Department of Justice (DOJ), have made strides in tackling FIN7. In August 2018, the DOJ unsealed indictments against three senior members: Fedir Hladyr, Dmytro Fedorov, and Andrii Kolpakov — all Ukrainian nationals arrested across Europe (Germany, Poland, and Spain respectively) and extradited to face charges in U.S. federal court in Seattle. Each faced 26 felony counts. Hladyr subsequently pleaded guilty and was sentenced to 10 years in federal prison in 2021. Fedorov and Kolpakov's proceedings continued separately. However, despite these arrests, FIN7 demonstrably continued operations, launching new ransomware campaigns and recruiting replacement members, indicating the group's resilience, depth of membership, and decentralized structure that extends well beyond any arrested individuals.


How to Defend Against FIN7

1. Implement robust employee training on phishing recognition.

2. Segment networks to isolate critical systems, such as Point-of-Sale (POS) networks.

3. Maintain up-to-date Endpoint Detection and Response (EDR) tools.

4. Regularly patch vulnerabilities in software and systems.

Huntress's Managed Endpoint Detection and Response solutions can detect malware used by FIN7, monitor abnormal network behaviors, and strengthen defenses against phishing and other initial access techniques.
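As an added example (not part of the original profile or any Huntress tooling), the following Python check turns the segmentation and abnormal-traffic points above into detection logic: it flags POS-segment hosts reaching destinations outside an allowlist, and non-management hosts connecting into the POS segment. The subnets, the allowlist, and the flow records are constructed placeholders.

```python
import ipaddress
from typing import Dict, List

# Constructed for this example: the POS segment, the management jump host
# allowed into it, and the only destinations POS hosts should ever reach.
POS_SEGMENT = ipaddress.ip_network("10.50.0.0/24")
MGMT_HOSTS = {ipaddress.ip_address("10.10.1.5")}
ALLOWED_POS_EGRESS = {
    ipaddress.ip_network("203.0.113.0/24"),  # payment processor (TEST-NET-3 placeholder)
    ipaddress.ip_network("10.10.2.0/24"),    # internal patch/update servers
}

def is_allowed_egress(dst) -> bool:
    """True if dst falls inside one of the allowlisted destination ranges."""
    return any(dst in net for net in ALLOWED_POS_EGRESS)

def parse_flow(line: str) -> Dict[str, str]:
    """Parse one space-separated key=value flow record (constructed format)."""
    return dict(field.split("=", 1) for field in line.split())

def check_flow(line: str) -> List[str]:
    """Return alert strings for one flow record; empty list if it looks benign."""
    f = parse_flow(line)
    src, dst = ipaddress.ip_address(f["src"]), ipaddress.ip_address(f["dst"])
    alerts = []
    # POS host talking to something that is neither POS-internal nor allowlisted
    if src in POS_SEGMENT and dst not in POS_SEGMENT and not is_allowed_egress(dst):
        alerts.append(f"POS egress to unexpected destination: {src} -> {dst}:{f['dport']}")
    # Anything entering the POS segment that is not the management jump host
    if dst in POS_SEGMENT and src not in POS_SEGMENT and src not in MGMT_HOSTS:
        alerts.append(f"inbound to POS from non-management host: {src} -> {dst}:{f['dport']}")
    return alerts

def scan(lines: List[str]) -> List[str]:
    """Run check_flow over every record and collect all alerts."""
    return [alert for line in lines for alert in check_flow(line)]

# Constructed sample flows (not real traffic): processor call, patch pull,
# POS host reaching an unknown internet IP, workstation hitting a POS
# terminal over SMB, and the jump host reaching the same terminal over RDP.
SAMPLE_FLOWS = [
    "ts=2024-01-01T12:00:00Z src=10.50.0.21 dst=203.0.113.10 dport=443 proto=tcp",
    "ts=2024-01-01T12:00:05Z src=10.50.0.21 dst=10.10.2.7 dport=8530 proto=tcp",
    "ts=2024-01-01T12:01:10Z src=10.50.0.33 dst=198.51.100.77 dport=443 proto=tcp",
    "ts=2024-01-01T12:02:00Z src=10.20.4.18 dst=10.50.0.33 dport=445 proto=tcp",
    "ts=2024-01-01T12:03:00Z src=10.10.1.5 dst=10.50.0.33 dport=3389 proto=tcp",
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_FLOWS):
        print(alert)
```

Only the third and fourth sample flows should produce alerts; the processor call, patch pull, and jump-host RDP session are within policy.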
