Cybercrime high Eastern Europe (Russia/Ukraine)

FIN7

Russian-speaking cybercrime group (Carbanak-linked) · Financial — fraud, ransomware, data theft

Reports 1

Active Since 2013

Last Reported 8 May 2026

Sectors Targeted finance

Tactics, Techniques & Procedures (TTPs)

Spear-phishing with lure documents (malicious Office macros, LNK files)
Custom loader malware (Carbanak, BIRDWATCH, PowerPlant)
Supply chain and software impersonation
POS and payment card data theft
REvil and Darkside ransomware affiliate activity
Legitimate pen-test tool abuse (Cobalt Strike)

Known Targets

Financial services and bankingRetail and hospitality (POS systems)Healthcare organisationsTechnology companiesUS and European enterprises

Analyst Notes

One of the most prolific financially-motivated threat actors. Estimated to have stolen over $1 billion from financial institutions. Has evolved from pure card fraud to ransomware deployment.

Also Known As

Carbon SpiderSangria TempestELBRUS

Intelligence Reports

Briefing finance

FIN7 Pivots to Financial Services with New Phishing Infrastructure and Loader Malware

The FIN7 group has refreshed its phishing infrastructure and is deploying a new loader variant against mid-tier UK and European financial institutions. Targets include wealth managers, brokers, and payment processors.

8 May 2026 · 3 min read