Four FIN9 hackers indicted for cyberattacks causing $71M in losses

Four Vietnamese nationals linked to the international cybercrime group FIN9 have been indicted for their involvement in a series of computer intrusions that caused over $71 million in losses to companies in the U.S.

The defendants, identified as Ta Van Tai, Nguyen Viet Quoc, Nguyen Trang Xuyen, and Nguyen Van Truong, carried out their cybercrimes from May 2018 until October 2021, stealing both data and funds directly from U.S. organizations.

"The FIN9 defendants were prolific international hackers who, for years, allegedly used phishing campaigns, supply chain attacks and other hacking methods to steal millions from their victims," states U.S. Attorney Philip R. Sellinger.

"They did all of this while hiding behind keyboards, VPNs, and fake identities, and even then, the Department of Justice found them."

FIN9's modus operandi

The group allegedly used fraudulent emails or electronic communications to trick individuals into revealing personal information such as login credentials, passwords, and credit card information.

Targeted phishing attacks were directed at specific individuals within organizations, often appearing as trusted contacts to gain unauthorized access to the victim's computer network.

The DOJ says FIN9 targeted the computer networks of third-party vendors that provided services or software critical to their victims' operations.

By compromising these vendors, a process known as a 'supply chain attack,' they gained indirect access to the downstream networks.

In other cases, they allegedly used malware and scripts to exploit known vulnerabilities in the victim's network, facilitating unauthorized access and data exfiltration.

Once FIN9 established access to a target network, they stole confidential data, including financial information, account credentials, employee benefits, gift cards, and credit card information.

This data was then monetized through various channels, with FIN9 selling the stolen data via P2P networks and social media platforms in exchange for Bitcoin and other crypto.

In some cases, FIN9 used the stolen personally identifiable information (PII) to create fraudulent online accounts and conceal their illegal activities behind assumed identities.

The indictment, dated January 11, 2024, possibly indicating the approximate time of the arrests, presents specific incidents from May 2019.

One highlighted case is when FIN9 accessed the Employee Recognition and Rewards Benefits System of a company in the U.S., issuing approximately 7,617 gift cards worth about $1 million to email accounts under their control.

This attack impacted multiple retail merchants, including a big video game and electronics retailer.

Breaching gift card issuers and generating a large number of cards matches that of Storm-0539, a distinct threat group that first started operating in 2021, with its activities culminating in recent months.

Faced charges

The four defendants face severe penalties if convicted on all counts, with potential cumulative sentences spanning several decades in prison.

The six charges listed in the indictment, but which do not apply to all defendants, are:

• Conspiracy to commit fraud and related activity in connection with computers – Up to 5 years in prison
• Conspiracy to commit wire fraud – Up to 20 years in prison
• Computer fraud and abuse – Up to 10 years in prison per count
• Aggravated identity theft – Mandatory term of 2 years in prison
• Conspiracy to commit fraud in connection with identification documents – Up to 15 years in prison
• Conspiracy to commit money laundering – Up to 20 years in prison

Ta Van Tai is charged with all the above, Nguyen Viet Quoc is excluded from the money laundering charge, and the other two are exempt from identity theft charges, too.

Additionally, the defendants are subject to forfeiture of any property obtained directly or indirectly from their illegal activities, with the provision to confiscate equally valued assets if the property has been transferred or is beyond the court's jurisdiction.