Denys Iarmak, a high-level member of the criminal hacking group FIN7, was sentenced to five years in prison today by a U.S. judge.
Iarmak initially declared himself not guilty in May 2020 but changed his plea in November, CyberScoop first reported.
Iarmak, a Ukrainian national, was involved with the Russia-linked hacking group between November 2016 and November 2018. Iarmak, who worked as a penetration tester, was involved with designing phishing emails embedded with malware as well as coordinating the group’s network intrusions, helping members track their progress.
“There is some irony, that the nation you were plundering is now leading an international effort to protect your country, your people, your family,” Chief U.S. District Judge Ricardo S. Martinez said at the sentencing in a Seattle federal courtroom.
Iarmak originally faced a possible life sentence, but the court agreed to reduce his sentence to just five years, charging him with only two of the 27 counts he was originally indicted on.
“…Upon evaluating the presentation of our firm’s arguments that Mr. Iarmak deserved credit for the time he spent in a Thailand prison, for the fact that he contracted Covid-19 while being held by the Bureau of Prisons, and because of the suffering his family has endured without him in war-ravaged Ukraine, the Court agreed to disregard the US Attorney recommendation,” Iarmak’s lawyer Yelena Sharova wrote to CyberScoop in an email.
Since 2015, FIN7 successfully breached the computer networks of U.S. businesses, stealing more than 20 million customer card numbers. Court documents estimate victim losses to be over $1 billion. Many of the credit card numbers ended up for sale on the dark web.
Iarmak is the third member of the FIN7 group to be sentenced. FIN7 members Fedir Hladyr and Andrii Kolpakov were sentenced to 10 and seven years in prison, respectively.
U.S. prosecutors accused Iarmak and two associates in 2018 of operating Combi Security, a company that posed as a penetration testing firm but actually hacked point-of-sale terminals and breached major American restaurant and retail chains including Chipotle and Saks Fifth Avenue. One campaign by the group included having attackers pose as U.S. Securities and Exchange Commission officials and angry restaurant customers to dupe victims into opening email messages, infecting their computers with malicious software.
The FIN7 group has reportedly continued its activity using the name Bastion Secure to hire technical specialists to carry out attacks on the group’s behalf, The Wall Street Journal reported. Since the arrests of the three leaders, FIN7 has started to pivot from breaking into payment systems to ransomware extortion, researchers have observed over the past year.