Advertisement

FIN7 ‘technical guru’ sentenced to 10 years in prison

Prosecutors described Hladyr as a "technical guru" integral to FIN7's operations.
FIN7 sentencing
The U.S. District Court, Western District of Washington in Seattle is pictured. A judge there sentenced FIN7 suspect Fedir Hladyr to 10 years in prison. (Photo by Jason Redmond / AFP) (Photo by JASON REDMOND/AFP via Getty Images)

A U.S. federal judge on Friday sentenced Fedir Hladyr to 10 years in prison for his alleged role as an administrator of the multibillion-dollar cybercrime group known as FIN7, which has breached hundreds of U.S. firms.

The 10-year sentence includes three years Hladyr has already spent in detention since his arrest, and $2.5 million in restitution to be distributed to victims.

FIN7 is one of the most formidable cybercriminal groups of the last decade, allegedly siphoning off millions of credit card numbers from restaurant and hospitality chains in 47 U.S. states. And Hladyr, a Ukrainian in his mid-30s, is allegedly a big reason that FIN7 operated like a well-oiled multinational corporation.

Hladyr allegedly controlled an instant messaging service that the crime group used to upload stolen payment card data and screenshots from hacked financial firms. He also allegedly organized FIN7’s work through a project-tracking software that managed thousands of stolen usernames and passwords.

Advertisement

Federal prosecutors argued for a 10-year prison sentence for Hladyr because it would “send a strong message of public deterrence” to persistent cybercriminals. They described him as a “technical guru,” an elite hacker among talented ones, whose skills were integral to making FIN7 a vaunted threat to U.S. businesses.

Hladyr’s prosecution is win for Justice Department officials looking to make a dent in the array of well-funded cybercriminal groups that target U.S. businesses from Eastern Europe. Yet despite his prosecution, and the arrest of other alleged FIN7 members, the group has continued to try to steal from businesses. In early 2020, the group used the U.S. Postal Service to send malware-laced USB sticks to multiple organizations.

Hladyr’s was arrested in Germany in January 2018, and subsequently extradited to the U.S. District Court for the Western District of Washington. He pleaded guilty in September 2019 to wire fraud and conspiracy to commit computer hacking as part of plea deal aimed at getting him a reduced sentence. Hladyr’s lawyer, George Grasso, argued that his client’s three years of incarceration, during which he said Hladyr contracted the coronavirus, was enough of a deterrent. Grasso also said that Hladyr had experienced extensive tragedy in his life, and should be released so he could care for sick family members who needed his support.

While previous estimates from cybersecurity researchers had put FIN7’s theft at $1 billion, U.S. prosecutors said in their sentencing memorandum for Hladyr that a “conservative estimate” of the losses caused by the group is between $3 billion to $5.7 billion.

FIN7 has disguised much of its criminal activity behind a front company dubbed Combi Security. Grasso acknowledged that after Hladyr learned of Combi Security’s criminal activities, his client continued to work for the front company. Grasso said Hladyr felt compelled to do so to provide for his son.

Advertisement

Hladyr told the court he regretted the day he started with Combi Security, and accepted responsibility for his crimes.

“I was so stupid, careless and reckless and for this I sincerely apologize to the court and to the government,” he said before the sentencing.

Sean Lyngaas

Written by Sean Lyngaas

Sean Lyngaas is CyberScoop’s Senior Reporter covering the Department of Homeland Security and Congress. He was previously a freelance journalist in West Africa, where he covered everything from a presidential election in Ghana to military mutinies in Ivory Coast for The New York Times. Lyngaas’ reporting also has appeared in The Washington Post, The Economist and the BBC, among other outlets. His investigation of cybersecurity issues in the nuclear sector, backed by a grant from the Pulitzer Center on Crisis Reporting, won plaudits from industrial security experts. He was previously a reporter with Federal Computer Week and, before that, with Smart Grid Today. Sean earned a B.A. in public policy from Duke University and an M.A. in International Relations from The Fletcher School of Law and Diplomacy at Tufts University.

Latest Podcasts