FIN7 (also tracked as Carbon Spider, Sangria Tempest [Microsoft], ELBRUS, Savage Ladybug, ITG14 [IBM X-Force], and MITRE ATT&CK G0046) is one of the longest-running publicly-tracked organized cyber-criminal clusters in the public record, active since at least 2013 with twelve-plus years of sustained operations despite substantial law-enforcement pressure. The cluster operates predominantly from Russian-speaking jurisdictions including Ukraine, Russia, and adjacent post-Soviet states. Crucially, and distinguishing the cluster's analytical profile from state-aligned clusters covered elsewhere in this corpus, FIN7 is a financially-motivated organized cyber-criminal cluster, not a state-aligned cluster.
Operations are profit-driven rather than intelligence-collection-driven. The cluster has the strongest formal-attribution profile of any publicly-tracked organized cyber-criminal cluster. US DOJ Western District of Washington unsealed August 2018 indictments charging three Ukrainian nationals (Dmytro Fedorov, Fedir Hladyr, and Andrii Kolpakov) with FIN7 membership and prosecuting them for conspiracy to commit computer fraud, wire fraud, and aggravated identity theft.
The indictments documented FIN7 responsibility for compromising more than one hundred US companies, stealing more than fifteen million payment card records, and causing financial losses exceeding one billion US dollars. Fedir Hladyr was sentenced to ten years in US federal prison in April 2021. The DOJ prosecutions established FIN7 as a formally-attributed organized cyber-criminal cluster, one of the relatively few cyber-criminal clusters to have received sustained formal US criminal-prosecution attribution at the individual-operator level.
The cluster's most distinctive organizational signature is its operation of front companies to recruit technical personnel via standard recruitment channels. "Combi Security" (operated approximately 2015-2018) represented itself publicly as a legitimate cybersecurity consulting firm with offices and corporate infrastructure, hired technical personnel via job listings on Russian-speaking job boards, provided training and salary, and assigned "engagements" that were actually FIN7 criminal operations against real victims. Multiple Combi Security recruits were subsequently identified via DOJ investigation as having been unwitting participants in criminal operations. "Bastion Secure" (surfaced 2021) represented a successor front company continuing the pattern despite the earlier exposure. The recruit-via-front-company tradecraft represents an unusual organizational sophistication exceeding the operational discipline of most publicly-tracked cyber-criminal clusters.
Operationally the cluster has demonstrated organizational sophistication including HR-style operator recruitment, internal training programs, project-management workflows for operations, and corporate-style hierarchical management, a level exceptional among publicly-tracked cyber-criminal clusters and approaching the organizational sophistication of state-aligned clusters. The cluster's signature initial-access tradecraft is spear-phishing with weaponized Office documents and weaponized .lnk shortcuts targeting customer-service, accounting, or business-operations personnel at target organizations. The lure-and-delivery tradecraft has evolved across multiple years but remains the dominant initial-access vector.
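Because the weaponized .lnk lure is FIN7's dominant initial-access vector, a defender's first triage question for a suspicious shortcut is simply "what does it actually launch?". The following is an added example, not code from the original profile or from any vendor report: a minimal parser for the Shell Link binary format (MS-SHLLINK) that walks the header, skips the optional LinkTargetIDList and LinkInfo structures, extracts the StringData fields, and flags shortcuts whose target is a script host or LOLBin, whose window is hidden, or whose icon is borrowed from a different program. The `build_lnk` helper and the two sample blobs are constructed here so the example runs offline; the script-host list and the 200-character argument threshold are assumptions to tune against your own environment.

```python
import re
import struct

# Fixed header values from MS-SHLLINK.
LNK_HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
# LinkFlags bits, in the order the optional structures appear in the file.
HAS_ID_LIST, HAS_LINK_INFO, HAS_NAME, HAS_REL_PATH, HAS_WORK_DIR, HAS_ARGS, HAS_ICON, IS_UNICODE = (
    1 << i for i in range(8))
STRING_FIELDS = [(HAS_NAME, "name"), (HAS_REL_PATH, "relative_path"), (HAS_WORK_DIR, "working_dir"),
                 (HAS_ARGS, "arguments"), (HAS_ICON, "icon_location")]
SW_SHOWMINNOACTIVE = 7  # ShowCommand value that starts the target minimised (window stays hidden)

# Script hosts and LOLBins a document-looking shortcut has no business launching (assumed list).
SCRIPT_HOST_RE = re.compile(r"\b(wscript|cscript|mshta|powershell|pwsh|cmd|rundll32|regsvr32)(\.exe)?\b")


def parse_lnk(data: bytes) -> dict:
    """Validate the header, skip LinkTargetIDList/LinkInfo, and return the StringData fields."""
    if (len(data) < LNK_HEADER_SIZE or struct.unpack_from("<I", data, 0)[0] != LNK_HEADER_SIZE
            or data[4:20] != LNK_CLSID):
        raise ValueError("not a Shell Link (.lnk) file")
    flags = struct.unpack_from("<I", data, 20)[0]
    show_command = struct.unpack_from("<I", data, 60)[0]
    pos = LNK_HEADER_SIZE
    if flags & HAS_ID_LIST:                      # IDListSize (2 bytes) + item IDs incl. terminal ID
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:                    # LinkInfoSize (4 bytes) counts itself
        pos += struct.unpack_from("<I", data, pos)[0]
    info = {"show_command": show_command}
    for bit, key in STRING_FIELDS:               # each: CountCharacters (2 bytes) + chars, no terminator
        if not flags & bit:
            info[key] = None
            continue
        count = struct.unpack_from("<H", data, pos)[0]
        pos += 2
        if flags & IS_UNICODE:
            info[key] = data[pos:pos + 2 * count].decode("utf-16-le")
            pos += 2 * count
        else:
            info[key] = data[pos:pos + count].decode("cp1252", errors="replace")
            pos += count
    return info


def triage_lnk(data: bytes) -> dict:
    """Return the effective target plus the reasons, if any, the shortcut looks like a lure."""
    info = parse_lnk(data)
    target = " ".join(s for s in (info["relative_path"], info["arguments"]) if s)
    reasons = []
    m = SCRIPT_HOST_RE.search(target.lower())
    if m:
        reasons.append(f"launches script host or LOLBin: {m.group(1)}")
    if info["arguments"] and len(info["arguments"]) > 200:
        reasons.append("unusually long argument string")
    if info["show_command"] == SW_SHOWMINNOACTIVE:
        reasons.append("window hidden via SW_SHOWMINNOACTIVE")
    if m and info["icon_location"] and not SCRIPT_HOST_RE.search(info["icon_location"].lower()):
        reasons.append("icon borrowed from a program other than the one launched")
    return {"target": target, "reasons": reasons, "suspicious": bool(reasons)}


def build_lnk(relative_path, arguments="", working_dir=".", icon=None, show_command=1) -> bytes:
    """Build a minimal .lnk blob. Constructed sample data for this example, not a real lure."""
    flags = HAS_ID_LIST | HAS_REL_PATH | HAS_WORK_DIR | HAS_ARGS | IS_UNICODE | (HAS_ICON if icon else 0)
    header = (struct.pack("<I", LNK_HEADER_SIZE) + LNK_CLSID + struct.pack("<II", flags, 0)
              + b"\0" * 24                                   # three FILETIMEs left zero
              + struct.pack("<IIIHHII", 0, 0, show_command, 0, 0, 0, 0))
    body = struct.pack("<H", 2) + b"\0\0"                    # empty LinkTargetIDList (terminal ID only)
    for s in [relative_path, working_dir, arguments] + ([icon] if icon else []):
        body += struct.pack("<H", len(s)) + s.encode("utf-16-le")
    return header + body


# Constructed samples: a shortcut dressed up as a document that really starts a script host,
# and an ordinary application shortcut.
LURE_SAMPLE = build_lnk(r"..\..\..\Windows\System32\wscript.exe", "invoice.js",
                        icon=r"%SystemRoot%\System32\imageres.dll", show_command=SW_SHOWMINNOACTIVE)
BENIGN_SAMPLE = build_lnk(r"..\Program Files\Notepad++\notepad++.exe", "")

if __name__ == "__main__":
    for label, blob in (("lure", LURE_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(label, triage_lnk(blob))
```

The parser deliberately stops after StringData: the ExtraData blocks that follow (tracker, environment-variable, console blocks) are worth reading in a full triage tool, but the target path, arguments, ShowCommand and icon are enough to separate a lure from a normal application shortcut in most mail-gateway or sandbox pipelines.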
A comparatively unusual modern tradecraft signature is the BadUSB hardware-implant tradecraft documented in FBI alerts (notably the January 2022 FBI flash alert) and Trustwave SpiderLabs analysis: FIN7 mailed physical BadUSB hardware implant devices (Teensy- and Arduino-based devices masquerading as legitimate Best Buy gift cards, Amazon gift cards, or COVID-19 safety packages) to targeted business addresses. When plugged into a victim Windows host, the BadUSB device executes pre-programmed keystroke injection to deploy implants. The hardware-implant tradecraft is comparatively unusual among publicly-tracked cyber-criminal clusters and represents operational investment in physical-attack tradecraft.
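A BadUSB keystroke injector has to present itself to Windows as a keyboard, so the host-side telemetry that catches it is the device-installation audit trail rather than anything file-based. The following is an added example, not code from the original profile or from the FBI or Trustwave reporting: a triage routine over Security event 6416 ("A new external device was recognized by the system") records that alerts on keyboard-class devices from a watch-list of microcontroller vendors, on keyboards from vendors outside a per-environment allow list, and on a second keyboard appearing on a host that already has one. The event records are constructed and simplified to the fields the logic needs; the watch-list vendor IDs (PJRC/Teensy and Arduino) and the allow list are assumptions to replace with your own inventory.

```python
import re
from collections import defaultdict

# Setup class GUID Windows assigns to keyboards; a HID keystroke injector registers under it.
KEYBOARD_CLASS_GUID = "{4d36e96b-e325-11ce-bfc1-08002be10318}"
# USB vendor IDs of hobbyist microcontroller boards commonly reflashed as keystroke injectors.
# Assumed watch-list for this example; extend it from your own telemetry.
WATCHLIST_VIDS = {"16c0": "PJRC (Teensy)", "2341": "Arduino"}
# Constructed allow-list of keyboard vendors expected in this environment.
ALLOWED_VIDS = {"046d": "Logitech", "045e": "Microsoft"}

VID_PID_RE = re.compile(r"VID_([0-9A-F]{4})&PID_([0-9A-F]{4})", re.IGNORECASE)

# Constructed, simplified Security 6416 records (real events carry more fields, e.g. ClassName,
# CompatibleIds and LocationInformation). Host names and serials are made up for this example.
SAMPLE_EVENTS = [
    {"host": "WS-ACCT-07", "event_id": 6416, "class_id": "{4D36E96B-E325-11CE-BFC1-08002BE10318}",
     "device_id": r"USB\VID_046D&PID_C31C\6&1A2B3C4D&0&2", "description": "HID Keyboard Device"},
    {"host": "WS-ACCT-07", "event_id": 6416, "class_id": "{4D36E96B-E325-11CE-BFC1-08002BE10318}",
     "device_id": r"USB\VID_16C0&PID_0482\7&2B3C4D5E&0&1", "description": "HID Keyboard Device"},
    {"host": "WS-ACCT-07", "event_id": 6416, "class_id": "{4D36E967-E325-11CE-BFC1-08002BE10318}",
     "device_id": r"USB\VID_0781&PID_5583\4C530001", "description": "USB Mass Storage Device"},
    {"host": "WS-CS-12", "event_id": 6416, "class_id": "{4D36E96B-E325-11CE-BFC1-08002BE10318}",
     "device_id": r"USB\VID_1A2C&PID_0B21\5&3C4D5E6F&0&3", "description": "USB Keyboard"},
    {"host": "WS-CS-12", "event_id": 4624, "class_id": "", "device_id": "", "description": "logon"},
]


def triage_device_events(events):
    """Alert on keyboard-class installs from untrusted vendors. Keeps a per-host keyboard count
    so an extra keyboard on a one-keyboard workstation is called out in the reason."""
    alerts = []
    keyboards_seen = defaultdict(int)
    for e in events:
        if e.get("event_id") != 6416 or e.get("class_id", "").lower() != KEYBOARD_CLASS_GUID:
            continue                                   # only keyboard-class device installs
        m = VID_PID_RE.search(e.get("device_id", ""))
        vid = m.group(1).lower() if m else None
        pid = m.group(2).lower() if m else None
        keyboards_seen[e["host"]] += 1
        if vid in WATCHLIST_VIDS:
            severity = "high"
            reason = f"keyboard-class device from {WATCHLIST_VIDS[vid]} (VID {vid})"
        elif vid not in ALLOWED_VIDS:
            severity = "medium"
            reason = f"keyboard from unapproved vendor (VID {vid})"
        else:
            continue                                   # approved vendor, nothing to raise
        if keyboards_seen[e["host"]] > 1:
            reason += f"; additional keyboard (#{keyboards_seen[e['host']]}) installed on this host"
        alerts.append({"host": e["host"], "vid": vid, "pid": pid, "severity": severity,
                       "reason": reason, "description": e.get("description", "")})
    return alerts


if __name__ == "__main__":
    for alert in triage_device_events(SAMPLE_EVENTS):
        print(alert["severity"].upper(), alert["host"], alert["reason"])
```

Event 6416 is only written when the "Audit PnP Activity" subcategory is enabled, so the detection depends on that audit policy being turned on and forwarded. As a preventive control the same vendor allow list maps naturally onto the Device Installation Restrictions group policy, which blocks installation of device classes and hardware IDs not explicitly approved; the detection above then serves as the check that the policy is actually in force on endpoints that receive mail and parcels, such as the customer-service and accounting workstations the profile names as targets.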
The toolkit centers on Carbanak (the broader-ecosystem signature backdoor; Carbanak presence alone is insufficient for FIN7 attribution given shared Carbanak-ecosystem use), BirdWatch, Griffon (JavaScript implant), BabyMetal, PowerPlant (PowerShell-based implant with continued evolution across 2018-2024), PowerShow, DNSMessenger, BoostWrite, RDFSniffer, Termite, custom POS-targeting memory-scraping malware, Cobalt Strike Beacon for hands-on-keyboard operations, JsSLoader, and various commodity tools (Mimikatz, PsExec, etc.). A major operational pivot occurred during 2020-2024: FIN7 transitioned from POS-data-theft as primary mission to ransomware deployment via affiliate relationships with major ransomware-as-a-service operators. Documented affiliations include Maze ransomware (2020), REvil / Sodinokibi (2020-2021), DarkSide (briefly, 2020-2021), BlackCat / ALPHV (2021-2024), and Black Basta (2022-2024).
The ransomware pivot aligned with broader cyber-criminal-ecosystem shifts during the 2020-2024 period as payment-card-data-protection controls (EMV chip migration, tokenization, end-to-end-encryption) reduced the commercial value of stolen track data while ransomware monetization delivered substantially higher per-victim revenue. A handful of operational notes: First, the relationship between FIN7 and the broader Carbanak ecosystem has been analytically open. Some vendor reporting treats FIN7 and Carbanak as overlapping or sister clusters within the broader Eastern European organized cyber-criminal ecosystem responsible for sustained operations against banks, payment-card processors, and ATM infrastructure since approximately 2013.
Modern vendor consensus treats FIN7 as a distinct cluster identity within the broader Carbanak ecosystem with personnel-overlap and tooling-overlap rather than identical operational identity. Second, the cluster's continued operations through 2024-2025 despite substantial DOJ prosecutions illustrate (consistent with the Star Blizzard, Sandworm, Pioneer Kitten, Cadet Blizzard, NICKEL / Ke3chang patterns in this corpus) that formal prosecution does not necessarily produce operational pauses: although the FIN7 case represents one of the strongest law-enforcement-pressure profiles among publicly-tracked clusters, its operations have continued. Third, FIN7's analytical profile differs from state-aligned clusters in this corpus in several ways: motivation (financial vs intelligence), targeting selection (broad commercial-victim pool vs specific strategic-target selection), monetization (ransomware/extortion/payment-card vs intelligence-collection), operational tempo (high-volume continuous operations vs tasking-driven event-anchored operations), and operational personnel structure (corporate-style hierarchical management via front companies vs state-employed operators).
These differences should inform analytical framing. Fourth, the cluster represents one of the most operationally sustained financially-motivated clusters in the public record and a foundational reference for understanding modern organized cyber-criminal operations. The Combi Security / Bastion Secure front-company tradecraft pattern, the BadUSB hardware-implant tradecraft, and the POS-to-ransomware operational pivot collectively represent significant data points for cyber-criminal-cluster analytical frameworks.