19 April 2021

Member of FIN7 cybercrime group sentenced to 10 years in prison



A Ukrainian national was sentenced to 10 years in prison for his work with a cybercriminal group known as FIN7, a threat actor responsible for malware attacks against hundreds of U.S. companies, mainly in the restaurant, gambling, and hospitality industries. The group stole millions of customers’ banking information and then sold some for profit.

According to court documents, Fedir Hladyr, 35, served as a manager and systems administrator for FIN7. He was arrested in Dresden, Germany, in 2018, and that same year was extradited to the USA. In September 2019, he pleaded guilty to one count of conspiracy to commit wire fraud and one count of conspiracy to commit computer hacking.

“Hladyr originally joined FIN7 via a front company called Combi Security – a fake cyber security company that had a phony website and no legitimate customers. Hladyr admitted in his plea agreement that he soon realized that, rather than a legitimate company, Combi was part of a criminal enterprise. Hladyr served as FIN7’s systems administrator who, among other things, played a central role in aggregating stolen payment card information, supervising FIN7’s hackers, and maintaining the elaborate network of servers that FIN7 used to attack and control victims’ computers. Hladyr also controlled the organization’s encrypted channels of communication,” the US Department of Justice said in a press release.

FIN7 attacks involved carefully crafted email messages that would appear legitimate to a business's employees, accompanied by telephone calls intended to further legitimize the emails. Once the victim opened a file attached to a malicious message, an adapted version of the Carbanak malware would be downloaded onto the computer. The group used various tools to access and steal payment card data, some of which they would later sell on dark web markets.

“In the United States alone, FIN7 successfully breached the computer networks of businesses in all 50 states and the District of Columbia, stealing more than 20 million customer card records from over 6,500 individual point-of-sale terminals at more than 3,600 separate business locations,” the DoJ wrote. The group also targeted companies in other countries, namely in the United Kingdom, Australia, and France.

Hladyr told the court he regretted working for Combi Security, and accepted responsibility for his crimes.
