Alleged FIN7 scammer Denys Iarmak is set to plead guilty

Two of his alleged associates were sentenced to 10 and seven years in prison in separate cases.

An alleged member of the FIN7 hacking group is set to plead guilty, admitting to a role in a criminal organization that used front companies and an array of fraud techniques to steal more than $1 billion from victims worldwide, CyberScoop has learned.

Attorneys for Denys Iarmak, a Ukrainian national, have notified a federal court in Washington state that Iarmak intends to change his plea after he declared himself not guilty at a May 2020 arraignment hearing. While one defense counselor said Iarmak could change his mind before his next hearing, scheduled for Nov. 22, attorneys have agreed in principle to a plea deal with the U.S. Department of Justice.

“That’s what’s most likely,” said defense attorney Michael Craig Nance, who is representing Iarmak as a local attorney on behalf of the defense team in the Western District of Washington. “It’s not final until a person stands in court and says they’re guilty.”

A representative from the law firm Sharova, which is handling the Iarmak case, did not answer specific questions about the matter.


“However, we can say that Denys Iarmak is entitled to the presumption of innocence and the full protection of rights afforded any individual who is criminally prosecuted in the United States,” the firm said in a statement. “Our paramount goal has always been to secure the best possible outcome for him whatever he and our firm together determine that to be.”

Iarmak was initially charged with a range of criminal counts, including intentional damage to a protected computer, aggravated identity theft and wire fraud. It remains unclear which charges he intends to plead guilty to.

FIN7 is a notorious hacking group best known for masquerading as a technology company in order to recruit talent and cloak its malicious activity. U.S. prosecutors have alleged that by fabricating a firm called Combi Security, FIN7 targeted restaurant chains including Chipotle, Red Robin, Taco John and the department store Saks Fifth Avenue, among others. In some cases, attackers posed as U.S. Securities and Exchange Commission officials and angry restaurant customers to dupe victims into opening email messages, infecting their computers with malicious software.

Iarmak, who went by the online alias GakTus, appeared to work as a penetration tester, a role in which he was tasked with probing victims’ digital defenses and infiltrating their systems. Upon finding vulnerabilities, Iarmak would provide that information to a FIN7 administrator, who instructed other members of the hacking group on how to exploit the weakness, according to a 2019 indictment.

The group would then gather usernames, passwords and payment card information to sell on illicit forums, such as the Joker’s Stash, the charges allege.


Two of Iarmak’s alleged associates, Andrii Kolpakov and Fedir Hladyr, were sentenced this year to seven and 10 years in prison, respectively. Kolpakov was convicted of supervising a small team of hackers who were responsible for monetizing illicit access, while Hladyr functioned as a kind of technical guru, controlling an instant messaging service that members used to communicate in real time.

The FIN7 group has reportedly remained active in the months since, using the name Bastion Secure to hire technical specialists who carried out attacks on the group’s behalf, The Wall Street Journal reported.

Update, Nov. 18: This story was amended after publication to include a statement from the law firm Sharova. 

Written by Jeff Stone

Jeff Stone is the editor-in-chief of CyberScoop, with a special interest in cybercrime, disinformation and the U.S. justice system. He previously worked as an editor at the Wall Street Journal, and covered technology policy for sites including the Christian Science Monitor and the International Business Times.
