A U.S. court on Thursday sentenced Andrii Kolpakov, a Ukrainian national, to seven years in prison for his role in the FIN7 gang.
Kolpakov, 33, functioned as a supervisor for a small team of hackers who between 2016 and 2018 breached victims including Chipotle, Red Robin, Arby’s and other U.S. corporations. Victims experienced “enormous” losses, according to the Justice Department, that by some estimates have exceeded $1 billion.
Kolpakov pleaded guilty in November 2020 and faced up to 25 years behind bars. Spanish police arrested him in 2018, ultimately extraditing him to the U.S.
“During the course of the scheme, [Kolpakov] received compensation for his participation in FIN7, which far exceeds comparable legitimate employment in Ukraine,” the plea deal noted. “For the purposes of this plea agreement, the parties agree that — during [Kolpakov’s] participation in the malware scheme — FIN7 illegal activity resulted in over $100 million in losses to financial institutions, merchant processors, insurance companies, retail companies and individual cardholders.”
FIN7 presented itself as a legitimate security vendor that specialized in penetration testing, a way of using offensive measures to improve firms’ digital defenses. In fact, the roughly 70 people involved with the collective worked as hackers, though it remains unclear if all of those involved in fact realized they were breaking U.S. law.
Recent court filings in the Kolpakov case help illustrate why the group was so successful. Members duped restaurant workers into downloading malicious email attachments by claiming to be sick customers threatening to sue, and infiltrated public companies by posing as U.S. government officials.
Kolpakov also was ordered to pay $2.5 million in restitution to FIN7 victims.
Another FIN7 member, Fedir Hladyr, who worked as a kind of technical guru for the hacking team, was sentenced in April to ten years in prison.