Feds Arrest Member of Fin7, Group Tied to a Billion Dollars Worth of Hacks

Victims of the group included Chipotle, Whole Foods, and Trump Hotels.
Hacked servers
Image: Cathryn Virginia

Authorities recently arrested an alleged member of the prolific hacking group known as Fin7, whose victims include Chipotle and other fast food restaurants, casinos, and credit unions, according to newly unsealed court records.

The news signals a notch against one of the world's most sophisticated and successful financially motivated hacking crews. Fin7 pulled in an estimated billion dollars of illicit revenue, and even created fake penetration testing companies to give their operations an air of legitimacy.


Authorities arrested Ukranian national Denys Iarmak, who allegedly broke into victims' systems without their knowledge, according to court records unsealed last week. Iarmark also went by the handle GakTus, and was extradited from Thailand, the records add. Seamus Hughes, deputy director of the program on extremism at George Washington University, discovered and shared the court docket with Motherboard.

Fin7 typically sent phishing emails to targets, tricking them to install malware which then granted the group access to a victim's systems. Credit card information that Fin7 stole eventually ended up for sale on cybercriminal marketplaces such as Joker's Stash, the court documents add. The group has also targeted Whole Foods, Trump Hotels, Arby's, and Jason's Deli.

Do you know anything else about Fin7? We'd love to hear from you. You can contact Joseph Cox securely on Signal on +44 20 8133 5190, Wickr on josephcox, OTR chat on, or email

The organization is highly professionalized, with its own administrators to handle IT infrastructure for making their attacks more efficient, using Hipchat to interview potential recruits, and other software such as JIRA to track and flag issues to one another.

"Like other members of the group, IARMAK provided his true name in order to receive payment for his work in furtherance of the group," the complaint against Iarmak reads. In chat logs dating from 2017 Iarmak provided another member of Fin7 with user credentials for a compromised U.S. business as well as internal system information from a target, the document adds. Authorities obtained a search warrant for Iamark's Gmail account, which contained photos of his Ukranian passports and other identification documents, the complaint reads.


Iarmak also used this email account to communicate with a cybersecurity company about activating an anti-virus product, the document adds.

"Through this investigation, authorities have determined that one of the techniques used by the group is to check their various malware against AV products disconnected from [sic] Internet. This technique allows the group to determine whether the malware is being detected by the AV product as malicious without providing a copy of the malware to the AV companies," it reads.

"The hacking group remains incredibly active."

Some of the complaint is redacted. Another government court document filed on May 20 reads, "Among other things, the parties seek to redact information about an individual whom is under investigation and with whom Defendant Iarmak has communicated in the past year."

In August 2018, the U.S. Justice Department announced the arrests of three Ukranian nationals for their roles in the Fin7 group. Last year one of those, Fedir Hladyr, pleaded guilty to charges related to their role as an IT administrator for Fin7.

"The hacking group remains incredibly active," FBI Special Agent Briana L. Neumiller wrote in the redacted version of Iarmak's November 2019 complaint.

Subscribe to our cybersecurity podcast, CYBER.