May 27, 2020, updated 28 May 2020 8:05am

JIRA Tickets, Jabber Servers and… Gmail Accounts? FBI Papers Reveal Cyber Criminals’ IT Infrastructure

Unsealed court documents reveal a highly organised, work-from-home crew

By CBR Staff Writer

The FBI has arrested a hacker at the heart of one of the world’s most prolific hacking crews, Fin7, newly unsealed court documents show.

Ukrainian national Denys Iarmak, 31, whose resume included stints as a systems administrator, helped steal data including millions of credit card details from casinos, credit unions and Trump Hotels.

Fin7 has been active since at least September 2015 and typically made its initial intrusion via personalised phishing attacks.

The FBI said: “Based on initial estimates, this hacking scheme has stolen tens of millions of payment card numbers and has caused over $100 million in losses to US financial institutions and companies.”


Court documents first revealed by Vice’s Motherboard detail a highly organised crew, albeit one that made some serious (and, for investigators, welcome) operational security errors.

Fin7 used private JIRA servers to raise tickets on specific companies they were targeting. Its members also used a wide range of encrypted messengers run on private servers, including Jabber and the late HipChat. It also used the messenger services Mumble, Telegram, Threema and Viber.

The cyber crime organisation used a “wide variety” of digital currencies and services, including Binance, Electro, EXMO.com and Monero.


The court documents reveal that the FBI gained significant intelligence through cooperation with law enforcement in other countries, which allowed it to access both a mobile phone and a laptop belonging to members of the group while they were on holiday.

Fin7 Hackers: WFH Since 2015

“The hacking group does not have a central office or work location”, the court documents note. “Instead [it] uses a distributed work force that relies on a secure, virtual work environment.”

Many of the group’s members provided true names and addresses via encrypted Jabber communications to “certain high-level members of the group” in order to get paid for their work.

Iarmak, meanwhile, used a Gmail account for certain communications; it contained emails featuring his passport and other ID documents. The account also revealed communications with antivirus companies that were later forwarded on to other members of the hacking group.

These showed that Fin7 would regularly test its malware against offline copies of the AV software to check whether it was detected.

Iarmak, who went by the handle GakTus, was extradited from Thailand.

The story was first reported by Motherboard’s Joseph Cox, after a tip-off from George Washington University’s Seamus Hughes.
