FIN7
Executive Summary
FIN7 (also known as Carbon Spider and frequently referred to in vendor reporting as Carbanak Group) is a financially motivated cybercriminal group that has been active since at least 2013. The group initially focused on stealing payment card data from point-of-sale (POS) systems at restaurant, hospitality, and retail companies in the United States. Public reporting often applies the Carbanak label interchangeably to the malware, the campaigns, and the operators, so the safest framing is that FIN7 is the primary criminal cluster behind much of that activity, not that every “Carbanak” reference is a one-to-one alias for FIN7.
FIN7 is estimated to have stolen over $1 billion and compromised payment card data from over 1,000 restaurants, hotels, and retailers. Multiple members have been arrested and convicted, including three Ukrainian nationals indicted in 2018 and a high-level manager convicted in 2021. Despite law enforcement actions, the group has continued operations and evolved its tactics.
Notable Campaigns
2015-2018 — U.S. Restaurant and Retail POS Targeting
FIN7 compromised over 100 U.S. restaurant chains, hotels, and retailers by deploying POS malware through carefully crafted spearphishing campaigns. The group stole millions of payment card numbers, which were sold on underground markets.
2013-2016 — Carbanak-Linked Banking Operations
FIN7 activity has long overlapped with reporting on the broader Carbanak intrusion set, which targeted financial institutions, ATM infrastructure, and internal banking systems. Because the Carbanak label has been used for malware, campaigns, and operators, the precise boundary varies by source even though FIN7 is consistently central to the tradecraft.
2022-2025 — Ransomware Operations
FIN7 transitioned to ransomware affiliate operations, partnering with REvil, Maze, DarkSide, and BlackBasta. The group created a fake cybersecurity company (“Bastion Secure”) to recruit unwitting penetration testers for pre-ransomware intrusion activities.
Technical Capabilities
FIN7 operates sophisticated spearphishing campaigns using meticulously crafted lure documents tailored to each target’s industry. The group uses VBA macros, COM scriptlets, and, more recently, LNK files and ISO images to bypass email security controls. Custom JavaScript backdoors (GRIFFON, JSSLoader) and PowerShell frameworks (PowerPlant) provide post-exploitation capabilities.
The group’s operational model includes a structured organization with specialized roles: social engineers who craft phishing lures, operators who conduct intrusions, and monetization specialists who process stolen financial data.
Attribution
Three FIN7 members (Dmytro Fedorov, Fedir Hladyr, and Andrii Kolpakov) were charged by the U.S. DOJ in 2018. Hladyr was sentenced to 10 years in prison in 2021, and Kolpakov to seven years. These prosecutions materially strengthen attribution to the criminal organization, but they do not support the stronger claim that FIN7 should be assigned to Russia specifically rather than to a broader Eastern European criminal ecosystem.
MITRE ATT&CK Profile
Initial Access: Spearphishing attachments (T1566.001) with malicious documents, and more recently malicious USB devices sent through the postal service.
Execution: VBA macros (T1059.005), JavaScript (T1059.007), PowerShell (T1059.001) for multi-stage payload delivery.
Persistence: Registry modifications (T1547.001), scheduled tasks (T1053), and backdoor installation.
Impact: POS malware for payment card theft (T1657), ransomware deployment (T1486), and direct financial system manipulation.
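The execution and persistence behaviours described under Technical Capabilities and in the ATT&CK profile above are what a defender would look for in host telemetry. The following is an added detection example written for this profile; it is not code from MITRE, CISA, the DOJ, or any vendor. It maps process-creation events to the technique IDs the profile cites (T1059.005, T1059.007, T1059.001, T1547.001, T1053). The event fields (parent image, image, command line) are an assumption modelled on Sysmon Event ID 1, and the sample events are constructed for illustration rather than captured from an intrusion.

```python
"""
Added example (not from the profile or any vendor): a small host-telemetry
triage pass that maps process-creation events to the execution and
persistence techniques cited in this FIN7 profile.
Event fields are an assumption modelled on Sysmon Event ID 1; the sample
events at the bottom are constructed, not captured from a real incident.
"""
import re
from dataclasses import dataclass

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}
INTERPRETERS = SCRIPT_HOSTS | {"powershell.exe", "pwsh.exe", "cmd.exe"}

# Encoded command or hidden console window: typical of staged delivery
_PS_SUSPICIOUS = re.compile(
    r"(?:^|\s)-(?:e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{16,}"  # base64-encoded command
    r"|(?:^|\s)-w(?:indowstyle)?\s+hidden",                        # hidden console window
    re.IGNORECASE,
)


@dataclass(frozen=True)
class ProcEvent:
    parent: str   # parent process image name (basename, any case)
    image: str    # created process image name (basename, any case)
    cmdline: str  # full command line of the created process


def _rule_office_macro(e):
    # Lure document whose VBA macro launches an interpreter (T1059.005)
    return e.parent in OFFICE_APPS and e.image in INTERPRETERS


def _rule_js_payload(e):
    # Windows Script Host running a .js/.jse file, or a COM scriptlet loaded
    # through regsvr32 with scrobj.dll (T1059.007)
    if e.image in {"wscript.exe", "cscript.exe"}:
        return re.search(r"\.jse?\b", e.cmdline, re.IGNORECASE) is not None
    return e.image == "regsvr32.exe" and "scrobj.dll" in e.cmdline.lower()


def _rule_powershell_stager(e):
    # PowerShell launched with encoded or hidden-window arguments (T1059.001)
    return e.image in {"powershell.exe", "pwsh.exe"} and _PS_SUSPICIOUS.search(e.cmdline) is not None


def _rule_run_key(e):
    # reg.exe writing a value under a Run/RunOnce key (T1547.001)
    return e.image == "reg.exe" and re.search(r"\\currentversion\\run(?:once)?\b", e.cmdline.lower()) is not None


def _rule_scheduled_task(e):
    # schtasks.exe creating a task (T1053)
    return e.image == "schtasks.exe" and "/create" in e.cmdline.lower()


# (technique id from the profile, ATT&CK tactic, description, predicate)
RULES = [
    ("T1059.005", "Execution", "Office application spawned a script interpreter", _rule_office_macro),
    ("T1059.007", "Execution", "JavaScript payload run via WSH or COM scriptlet", _rule_js_payload),
    ("T1059.001", "Execution", "PowerShell with encoded/hidden-window arguments", _rule_powershell_stager),
    ("T1547.001", "Persistence", "Registry Run key written", _rule_run_key),
    ("T1053", "Persistence", "Scheduled task created", _rule_scheduled_task),
]


def normalize(e: ProcEvent) -> ProcEvent:
    # Image names are compared case-insensitively; the command line is kept for reporting
    return ProcEvent(e.parent.lower(), e.image.lower(), e.cmdline)


def triage(events):
    """Return one finding per (event, matched rule) as (technique, description, cmdline)."""
    findings = []
    for raw in events:
        e = normalize(raw)
        for tid, _tactic, desc, pred in RULES:
            if pred(e):
                findings.append((tid, desc, e.cmdline))
    return findings


def techniques_seen(events):
    return {tid for tid, _, _ in triage(events)}


def summarize(events):
    """Group the observed technique IDs by tactic, sorted, for a quick profile match."""
    tactic_of = {tid: tactic for tid, tactic, _, _ in RULES}
    out = {}
    for tid in techniques_seen(events):
        out.setdefault(tactic_of[tid], []).append(tid)
    return {tactic: sorted(ids) for tactic, ids in out.items()}


# Constructed sample telemetry: a macro-launched .js, a PowerShell stage,
# two persistence writes, and one benign browser launch.
SAMPLE_EVENTS = [
    ProcEvent("WINWORD.EXE", "wscript.exe", r'wscript.exe "C:\Users\j.doe\AppData\Local\Temp\invoice_4471.js"'),
    ProcEvent("wscript.exe", "powershell.exe", "powershell.exe -nop -w hidden -enc QQBkAGQAZQBkACAAZQB4AGEAbQBwAGwAZQA="),
    ProcEvent("cmd.exe", "reg.exe", r"reg.exe add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v Updater /t REG_SZ /d C:\Users\Public\upd.js"),
    ProcEvent("cmd.exe", "schtasks.exe", r'schtasks.exe /create /sc minute /mo 30 /tn "Updater" /tr C:\Users\Public\upd.js'),
    ProcEvent("explorer.exe", "chrome.exe", "chrome.exe https://intranet.example/"),
]

if __name__ == "__main__":
    for tid, desc, cmd in triage(SAMPLE_EVENTS):
        print(f"{tid:10} {desc}: {cmd}")
    print(summarize(SAMPLE_EVENTS))
```

Each rule is deliberately narrow and parent-child based, because the profile's own description of the chain (lure document, script host, PowerShell, then a Run key or scheduled task) is what distinguishes it from routine administrative use of the same binaries. A real deployment would correlate the findings by host and time window rather than scoring events in isolation, and would tune the office-parent and interpreter sets to the environment.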
Sources & References
- MITRE ATT&CK: FIN7 — MITRE ATT&CK
- US DOJ: Three FIN7 Members Charged — US Department of Justice, 2018-08-01
- CISA: FIN7 Techniques — CISA, 2020-03-26