FIN7 / Carbanak: Threat Actor Profile
FIN7 is one of the most adaptable career cybercrime organizations on record — from point-of-sale card theft and the €1B Carbanak bank heists to modern ransomware enablement. A full threat-actor profile.
Reviewed & fact-checked against primary sources by the TI News Feed Editorial Team.
FIN7 is one of the most adaptable career cybercrime organizations ever tracked. It began with point-of-sale intrusions and payment-card monetization, overlapped with the Carbanak/Cobalt bank-heist ecosystem, ran a fake front company to recruit talent, and later shifted toward ransomware and broader intrusion services.
FIN7: at a glance
- Aliases: GOLD NIAGARA, ITG14, Carbon Spider, Sangria Tempest; overlaps with Carbanak and Cobalt Group
- Country / affiliation: Russian-speaking / Eastern European cybercrime nexus
- Assessed status (as of July 2026): Active / evolved
- Primary objectives: Financial theft, payment-card fraud, access resale, and ransomware-enabled monetization
- Financial gain / damage: ~$1.1B equivalent, inferred from Europol's €1B Carbanak/Cobalt estimate, plus millions of stolen payment cards and large downstream U.S. fraud losses
- Type: Financially motivated cybercrime syndicate
Who is FIN7?
Europol and Kaspersky tied the Carbanak/Cobalt campaign to around €1 billion in bank theft; separately, U.S. cases describe FIN7 stealing millions of cards from thousands of U.S. business locations. The group remains active in evolved forms in 2026.
Aliases and attribution
Public reporting treats Carbanak, Cobalt Group, and FIN7 as overlapping clusters in the same Russian-speaking threat actor nexus — a textbook case of messy cyber attribution. Vendors label it GOLD NIAGARA (Secureworks), Carbon Spider (CrowdStrike), and Sangria Tempest (Microsoft). The FBI detailed how FIN7 attacked U.S. companies, and Europol arrested an alleged Carbanak mastermind in 2018.
Financial impact and damage
Europol's €1 billion (~$1.1B) estimate covers the Carbanak/Cobalt bank-theft campaign that manipulated ATMs and payment systems across 100+ financial institutions. Separate U.S. indictments describe theft of more than 15 million payment-card records from thousands of business locations, producing large downstream fraud losses. FIN7's shift into ransomware enablement extends its financial footprint further.
FIN7 timeline
- 2013: Carbanak bank intrusions begin
- 2015: Kaspersky details the $1B bank-theft campaign
- 2018: Europol arrests alleged Carbanak mastermind; DOJ exposes FIN7 and its Combi Security front
- 2020: MITRE notes a shift toward ransomware
- 2026: Group remains active in evolved forms
Notable attacks and campaigns
FIN7 ran a sham penetration-testing company, "Combi Security," to recruit operators who often did not realize they were part of a criminal enterprise. Its Carbanak backdoor drained banks by observing internal operations and then manipulating transfers and ATMs. In recent years FIN7 has provided intrusion and initial-access brokerage services that feed ransomware affiliates.
Tactics, techniques, and procedures (TTPs)
The techniques below are compact, high-confidence mappings to the MITRE ATT&CK framework, drawn from the group's MITRE ATT&CK profile and corroborating government and vendor reporting. The live ATT&CK matrix remains the authoritative reference for full coverage.
- T1566 — Phishing: FIN7 indictments describe spearphishing against restaurant, gaming, and hospitality targets. Tighten mail security, detonate attachments, and detect account takeover.
- T1078 — Valid Accounts: Carbanak-style operations abuse legitimate credentials after foothold and banking observation. Alert on atypical admin logins, impossible travel, and privilege changes in finance systems.
- T1005 / T1041 — Collection and Exfiltration: U.S. cases describe theft of millions of payment cards and proprietary data. Segment POS networks, monitor card-track access, and inspect outbound archives from retail segments.
Detection and defense against FIN7
FIN7 excels at blending into legitimate business processes, so defense emphasizes identity and payment-system integrity:
- Harden email security with attachment detonation and account-takeover detection.
- Segment point-of-sale and payment networks; monitor card-track data access.
- Vet contractor and 'security testing' identities carefully and control remote onboarding access.
- Alert on atypical admin logins, impossible travel, and privilege changes in financial systems.
- Inspect outbound archives from retail and finance segments for exfiltration.
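The identity-focused detections listed above and in the T1078 mapping (impossible travel, atypical privilege changes in finance systems) can be prototyped over authentication telemetry. The following is an added example, not code from the original page or from any vendor; the hostnames, account names, speed threshold and log events are all constructed for illustration.

```python
"""Impossible-travel and finance privilege-change alerts over constructed auth events."""
from datetime import datetime, timezone
from math import asin, cos, radians, sin, sqrt

MAX_KMH = 900.0  # assumed ceiling: faster than an airliner is physically implausible
FINANCE_HOSTS = {"swift-gw-01", "treasury-db"}  # assumed finance-system hostnames
APPROVED_ADMINS = {"svc_iam_change"}  # assumed accounts allowed to change privileges

# Constructed sample events, not real telemetry: (utc timestamp, user, action, host, lat, lon)
EVENTS = [
    ("2026-03-01T08:00:00Z", "alice", "login", "vpn-1", 52.52, 13.40),   # Berlin
    ("2026-03-01T08:40:00Z", "alice", "login", "vpn-1", 40.71, -74.01),  # New York, 40 min later
    ("2026-03-01T09:00:00Z", "bob", "login", "vpn-1", 48.85, 2.35),      # Paris
    ("2026-03-01T14:00:00Z", "bob", "login", "vpn-1", 51.50, -0.12),     # London, 5 h later
    ("2026-03-01T09:05:00Z", "alice", "privilege_change", "treasury-db", 40.71, -74.01),
    ("2026-03-01T10:00:00Z", "svc_iam_change", "privilege_change", "swift-gw-01", 48.85, 2.35),
]


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two WGS84 points."""
    p1, p2 = radians(lat1), radians(lat2)
    a = sin((p2 - p1) / 2) ** 2 + cos(p1) * cos(p2) * sin(radians(lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def parse_ts(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def detect(events):
    """Return alert strings; events are processed in timestamp order."""
    alerts, last_login = [], {}
    for ts, user, action, host, lat, lon in sorted(events, key=lambda e: e[0]):
        t = parse_ts(ts)
        if action == "login":
            if user in last_login:
                prev_t, plat, plon = last_login[user]
                hours = max((t - prev_t).total_seconds() / 3600, 1 / 60)  # 1-minute floor
                km = haversine_km(plat, plon, lat, lon)
                if km / hours > MAX_KMH:
                    alerts.append(f"impossible_travel user={user} km={km:.0f} hours={hours:.2f}")
            last_login[user] = (t, lat, lon)
        elif action == "privilege_change" and host in FINANCE_HOSTS and user not in APPROVED_ADMINS:
            alerts.append(f"unapproved_privilege_change user={user} host={host}")
    return alerts


if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(alert)
```

In production the thresholds and allowlists would come from the identity provider and a change-management source rather than constants; the Paris-to-London login five hours later stays silent while the Berlin-to-New York hop in 40 minutes fires.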
The bottom line
FIN7 shows how a criminal enterprise can operate like a business — evolving from card theft to billion-dollar bank heists to ransomware enablement without ever going away.
Frequently asked questions
What is FIN7?
FIN7 is a Russian-speaking financially motivated cybercrime group active since around 2013, tied to the Carbanak and Cobalt bank-heist campaigns, large-scale payment-card theft, and, more recently, ransomware enablement.
How much has FIN7 / Carbanak stolen?
Europol estimated the Carbanak/Cobalt campaign at around €1 billion (~$1.1B). Separate U.S. cases describe theft of millions of payment-card records and significant downstream fraud.
What was Combi Security?
Combi Security was a fake penetration-testing company FIN7 created to recruit operators, many of whom did not realize they were participating in a criminal operation.
Is FIN7 still active?
Yes. FIN7 remains active in evolved forms, having shifted toward ransomware and intrusion-as-a-service, and is tracked under names like Sangria Tempest and Carbon Spider.