Three members of one of the world’s largest cybercrime organizations that stole over a billion euros from banks across the world over the last five years have been indicted and charged with 26 felony counts, the Justice Department announced on Wednesday.
The three suspects are believed to be members of the organized Russian cybercrime group known as FIN7, the hacking group behind the Carbanak and Cobalt malware, and were arrested in Europe last year between January and June.
The suspects—Dmytro Fedorov, 44, Fedir Hladyr, 33, and Andrii Kolpakov, 30—are all from Ukraine and are accused of targeting 120 companies based in the United States, as well as U.S. individuals.
The victims include Chipotle Mexican Grill, Jason’s Deli, Red Robin Gourmet Burgers, Sonic Drive-in, Taco John’s, Chili’s, Arby’s, and Emerald Queen Hotel and Casino in Washington state.
According to the press release published by the DoJ, the suspects stole more than 15 million credit cards from over 6,500 individual point-of-sale terminals at 3,600 business locations in 47 states using malware they sent via phishing emails.
Each of the three suspects has been charged with 26 felony counts of conspiracy, wire fraud, computer hacking, access device fraud and aggravated identity theft, the DoJ said.
Hladyr was detained in Dresden, Germany; Fedorov in Poland; and Kolpakov in Spain. While Hladyr has been transferred to Seattle, where he’s awaiting trial, Fedorov and Kolpakov are not in the United States yet, as the US government is attempting to extradite them.
Hladyr has not pleaded guilty and has denied any wrongdoing, according to his attorney, Arkady Bukh.
First uncovered by Russian cybersecurity firm Kaspersky Lab in 2014, FIN7 started its activities almost five years ago by launching a series of malware attacks using Anunak and Carbanak to compromise banks and ATM networks worldwide, from which they swiped millions of credit card details from US-based retailers.
According to the European authorities, the criminal group later developed a sophisticated heist-ready banking trojan called Cobalt, based on the Cobalt Strike penetration testing software, which was in use until 2016.
To compromise bank networks, FIN7 sent malicious spear-phishing emails to hundreds of employees at different banks. If opened, the emails infected computers with Carbanak malware, allowing the attackers to transfer money from the banks to fake accounts or ATMs monitored by them.
In early 2017, FIN7 was also found abusing various Google services to issue command and control (C&C) communications in order to monitor and control the machines of its victims.
Though the charges in the indictments are merely allegations, all three suspects could face decades in prison if convicted.