The US authorities have charged four Vietnamese nationals for their involvement in a series of computer intrusions that collectively caused over $71 million in losses to US companies. The accused, Ta Van Tai, aka “Quynh Hoa” and “Bich Thuy,” Nguyen Viet Quoc, aka “Tien Nguyen” Nguyen Trang Xuyen, and Nguyen Van Truong, aka “Chung Nguyen,” were identified as members of the sophisticated international cybercrime group known as “FIN9.”

From at least May 2018 through October 2021, the defendants allegedly hacked into the computer networks of several companies across the United States, stealing or attempting to steal non-public information, employee benefits, and funds, officials said.

The FIN9 members used phishing campaigns and supply chain attacks to gain unauthorized access to their victims’ computer networks. Once inside the networks, the cybercriminals exfiltrated or attempted to exfiltrate sensitive information, including employee benefits and funds. In one instance, the criminals redirected digital employee benefits, such as gift cards, to accounts they controlled and stole gift card information stored on the victims' networks.

In addition to employee benefits, the defendants also stole personally identifiable information (PII) and credit card information belonging to employees and customers of their target companies. To conceal their identities, they allegedly used this stolen information to register accounts on cryptocurrency exchanges and server hosting companies under false names. Tai, Xuyen, and Truong sold the stolen gift cards to third parties via an account registered under a fake name on a peer-to-peer cryptocurrency marketplace.

The charges against Tai, Quoc, Xuyen, and Truong include one count of conspiracy to commit fraud, extortion, and related activity in connection with computers; one count of conspiracy to commit wire fraud; and two counts of intentional damage to a protected computer.

If convicted, the accused face up to five years in prison for the conspiracy to commit fraud, up to 20 years for wire fraud, and up to 10 years for each count of intentional damage to a protected computer. Additionally, Tai, Xuyen, and Truong face one count of conspiracy to commit money laundering, which carries a maximum penalty of 20 years in prison.

Tai and Quoc are also charged with one count of aggravated identity theft, which has a mandatory consecutive term of two years in prison, and one count of conspiracy to commit identity fraud, which carries a maximum penalty of 15 years in prison.