Three Ukranian nationals have been arrested in connection with a lengthy hacking campaign that targeted more than 100 American businesses, including the theft of credit card information from Chili’s, Arby’s, and Chipotle. According to the indictment, the group stole more than 15 million credit card records from more than 6,500 point-of-sale terminals over the course of the campaign.
Known to security researchers as the Carbanak group, the group used social engineering and phishing attacks to infiltrate businesses and steal financial data. The initial infection typically came from malware included as an email attachment, sometimes presented as a lost hotel reservation or an SEC complaint.
In one incident, the group masqueraded as the FDA’s Center for Food Safety and Applied Nutrition, informing the business of a food poisoning incident. (Chipotle has struggled with food safety issues, although it’s unclear if they were the target of the spoofed FDA email.) “You can find attached the list of inspections and checks scheduled to take place at your restaurant,” the email read. In fact, the attachment contained malware.
The indictments unsealed today name Dmytro Fedorov, Fedir Hladyr, and Andrii Kolpakov as conspiring to commit the attacks, charging each man with 26 counts of conspiracy, wire fraud, computer hacking, access device fraud, and aggravated identity theft. According to the indictment, the men constructed a sham security company as a front for the hacking campaign, pretending to offer penetration testing services to corporate customers. The arrests were made in Germany, Poland, and Spain in cooperation with local authorities, and two of the three suspects are still awaiting extradition.
It’s not the first arrest made in connection with the Carbanak hacking campaign. In March, the Spanish National Police announced they had apprehended the mastermind of the Carbanak group, describing him as a Ukrainian national called “Denis K.” One of today’s suspects, Andrii Kolpakov, was also arrested in Spain, although the arrest took place months after the Denis K. announcement.