Four alleged members of the FIN9 cybercrime gang have been charged in relation to a series of hacks that caused over US $71 million of losses for companies across the United States.
The defendants, all Vietnamese nationals, are accused of launching a series of sophisticated phishing and supply-chain attacks to gain unauthorised access to company networks, in order to steal sensitive information.
As the US Department of Justice describes, Ta Van Tai, aka “Quynh Hoa,” aka “Bich Thuy;” Nguyen Viet Quoc, aka “Tien Nguyen;” Nguyen Trang Xuyen; and Nguyen Van Truong, aka “Chung Nguyen,” are alleged to have hacked businesses to steal non-public information, employee benefits, and funds from at least May 2018 through October 2021.
According to court documents, the indicted individuals accessed employee benefit rewards programs maintained by businesses and re-directed gift cards to accounts under their own control.
The FIN9 group is also accused of stealing gift card information stored on the computer networks of hacked companies, and of concealing their true identities by using stolen information to register accounts at cryptocurrency exchanges and web server hosting firms.
“The FIN9 defendants were prolific international hackers who, for years, allegedly used phishing campaigns, supply chain attacks and other hacking methods to steal millions from their victims,” said US Attorney Philip R. Sellinger. “They did all of this while hiding behind keyboards, VPNs, and fake identities, and even then, the Department of Justice found them. My office remains committed to its pursuit of justice for victims, and cybercriminals everywhere should take notice.”
Tai, Xuyen, and Truong are said to have sold stolen gift cards on a peer-to-peer cryptocurrency marketplace in an attempt to conceal the origin of the stolen money.
All four defendants face charges of conspiracy to commit fraud, extortion, wire fraud, and intentional damage to a protected computer, and could face up to five years in prison for fraud and extortion, up to 20 years for wire fraud, and up to 10 years for each count of computer damage.
Tai, Xuyen, and Truong also face money laundering charges with a maximum 20-year sentence. Tai and Quoc are additionally charged with aggravated identity theft and conspiracy to commit identity fraud, carrying a mandatory two-year sentence and up to 15 years respectively.
The focus on gift cards by the alleged hackers draws comparison with another cybercriminal gang, Storm-0539 (also known as Atlas Lion), which has been very active recently. Last month, the FBI issued a warning to US retailers about how the Storm-0539 cybercrime group was targeting company employees via phishing attacks in an attempt to access systems that could generate fraudulent gift cards.