Fin7 sysadmin pleads guilty to running IT for billion-dollar crime syndicate
A Fin7 sysadmin has pled guilty, making him the first higher-up in the group to be found guilty of hacking in a US court.
The long back story begins like this: Once upon a time, there was a cybercrime wolf syndicate who pulled on the sheepskin of a penetration testing company, calling itself Combi Security and offering absolutely zero services or protection… but lots of penetration.
The Feds arrested three high-ranking members of Fin7 in August 2018. All were Ukrainian nationals. And on Wednesday, one of those three, Fedir Oleksiyovich Hladyr, pled guilty to being the sysadmin who ran the group's IT operations.
Each of those three had been charged with 26 felony counts alleging conspiracy, wire fraud, computer hacking, access device fraud, and aggravated identity theft. But in the plea agreement filed in the US District Court for the Western District of Washington in Seattle on Wednesday, prosecutors dropped it down to just two charges: conspiracy to commit wire fraud, and conspiracy to commit computer hacking. Altogether, Hladyr is looking at a prison sentence of no more than 25 years, plus fines of up to half a million dollars.
This makes Hladyr the first member of Fin7 to be found guilty of hacking-related crimes in a US court.
Same old admin duties, but for crooks
Fin7 employs dozens of computer experts in multiple countries, as the plea agreement describes. And in August 2015, it hired Hladyr to be a systems administrator.
He thought he was hired by a legitimate computer security outfit called Combi Security: one that supposedly provided pen-testing services to a variety of companies around the world. On its public website, Combi presented itself as “one of the leading international companies in the field of information security.”
Nothing could have been further from the truth. Hladyr soon figured out that he'd been hired by a cybercriminal network that carried out attacks primarily through phishing and social engineering, using booby-trapped emails to encourage victims to open malware sent as attachments.
Fin7 uses these breached computers to move laterally through networks, locating sensitive financial information such as payment card data that it can steal and sell. The syndicate also seeks out point-of-sale (POS) systems, through which it can remotely upload malware onto POS terminals used to process payment card transactions at thousands of retail and commercial locations across the US.
No, Combi wasn't legit. It was a front company for Fin7, an organization trying to, and succeeding at, breaching the network security of victim companies.
How do you know when a pen-testing company isn't really a pen-testing company? As the plea agreement outlines, at no time did Hladyr come across…
- Contracts for Combi to perform pen-testing for clients.
- Reports or recommendations from Combi to its purported clients explaining what vulnerabilities had been discovered in their network security and how they might be fixed.
- Any measures taken to safeguard “clients” from misuse of confidential information taken from their networks, such as network credentials, network maps, and sensitive business information.
Hladyr rose through the ranks quickly, taking on ever more responsibility. He became responsible for aggregating stolen payment card information, providing technical guidance to Fin7 members, issuing assignments to Fin7 hackers, and supervising teams of hackers. He'd also routinely relay orders from the head honchos to the group's underlings.