Son of a Breach: The Most Notorious Criminal Enterprise on the Dark Web

Son of a Breach: The Most Notorious Criminal Enterprise on the Dark Web article image.

Omni Hotels & Resorts, Jason's Deli, Chipotle, Saks Fifth Avenue, and Lord & Taylor all have something unfortunate in common: They've all been victimized by a highly organized and professional data-hacking organization known as Fin7.

"Fin7 is a large and extremely well-organized group of developers of malware used in numerous cyber attacks against retailers as well as financial institutions," says Steven J.J. Weisman, a data security expert who teaches about white-collar crime at Bentley University in Waltham, MA.

Waltham says the group is widely known to use spear phishing emails containing malware and point of sale malware installations to crack into a company's data network, and make off with valuable customer data. "This model continues to plague businesses and governments around the world."

Not Shy About the Spotlight

Fin7 is responsible for some of the most highly-publicized cyber attacks in the past few years, according to multiple reports. The rouge group even operates its own website on the dark web—Joker's Stash—where they sell the credit cards, Social Security numbers and other stolen data from their cyber attacks.

Major news sites such as NBC News and The Wall Street Journal tie Joker's Stash to the Saks breach and others.

The Saks Fifth Avenue data breach, which resulted in the heist of five million customer credit card and debit card account numbers, immediately resulted in the organization's sale of 125,000 user accounts on the dark web, only days after the breach was revealed. The name the hackers used to hawk their stolen cyber-accounts would've made Tony Soprano proud: BIGBADABOOM-2.

Joker's Stash uses a business model similar to that of legitimate websites in that it provides customer service, discounts to repeat and large customers and even a return policy.

"They are incredibly organized with malware developers constantly improving their products, and are adept at money laundering," Weisman says. "They are incredibly profitable with estimates of at least $50 million dollars of illegal sales occurring each month. They will perform one of their numerous hacks and then sell the stolen credit cards and other data on their own website."

Dmitry Chorine, cofounder of Gemini Advisory, a threat intelligence company, estimates the group has around $1 billion stashed away after multiple years of stealing corporate data, and selling that data on the black market or dark web.

"They're connected to almost every major point of sale breach," he says. "From what we've learned over the years the group is operated as a business entity. They definitely have a mastermind, they have managers, they have money launderers, they have software developers, and they have software testers. And let's not forget they have the financial means to stay hidden."

It's highly unlikely we'll ever know for sure how much Fin7 has made in ill-begotten gains over the years. What is clear is that these hackers know what they're doing, and global law enforcement authorities are struggling to bring the group to justice. Data security specialists agree with the notion that Fin7 is hard to pin down—but there are clues to their identity.

"They are likely a large group of loosely-associated but well-organized people, likely based in Russia or of a Russian-speaking context," says Michela Menting, research director at ABI Research, who says the group, or some version of it, has been around for quite some time, and is notorious in the cybercriminal space.

"They are capable, if not highly advanced, and are persistent," Menting notes. "They function much like any normal business entity; as such, likely have had some turnover, and some spin-offs. This makes it more difficult to pin down exact members."

Target-wise, Fin7 is known for favoring the low-hanging fruit, she adds. "Security awareness and risk management is certainly better today than it was a decade ago. That said, there are more than enough shoddy security implementations that Fin7 doesn't have to use highly sophisticated or complex attacks to obtain access to sensitive/confidential data."

Getting Away With It

How can Fin7 seemingly get away scot free from raiding the data accounts of some of the biggest business brands in the world?

"Organized web mobs function worldwide in numerous jurisdictions and make it difficult for governments to indict them," says Robert Siciliano, a data security expert at "It's likely there are 20-to-100-plus participants in the scheme."

While there are international laws and mandates regarding cybercrime, including the Council of Europe Convention on Cybercrime and law enforcement cooperation like Interpol and Europol, too many countries simply refuse to cooperate on cyber-crime cases, Russia and China most notably.

"Furthermore, they and other countries in Latin America, Asia-Pacific and Africa, may lack extradition treaties with European and North American countries," Menting says. "Often cybercriminals will sit in these ‘haven' countries and attack businesses and people in other countries where they know they won't be extradited to."

Additionally, there are many tools that can be used to steer cybercriminals into the shadows, like virtual private networks and encryption, so it is not a simple matter to track them down, he adds.

Still, "no one is immune" to the long arm of international law, Siciliano says. "Busting these groups takes a significant coordinated effort among governments. It's really just a matter of time until they fall."

Take Aggressive Steps Against Data Hackers

In the meantime, what can companies do to keep data hacking groups like Fin7 at bay?

For starters, expect data breach attempts to occur and be ready to deal with them. Then, over the long-term, make data security a top business priority.

"Data piracy is an inevitability, and companies must be more proactive in safeguarding their customers' personal and financial information," says Jonas Sickler, marketing director at "Companies that don't prioritize data security run the risk of immense financial expenses related to fines, lawsuits, and loss of business through eroded customer trust."

Consumers can take steps to protect their identity as well and be prepared by knowing what to do if they're part of a breach and how to minimize the long-term impact of a data breach.

"The ‘it won't happen to us' mentality is what emboldens hackers to continue making money through data theft," says Sickler. "It's not much different than criminals stealing money from unlocked cars. If everyone does a better job of locking their doors, the rate of theft will significantly decline."

The purpose of this question submission tool is to provide general education on credit reporting. The Ask Experian team cannot respond to each question individually. However, if your question is of interest to a wide audience of consumers, the Experian team may include it in a future post and may also share responses in its social media outreach. If you have a question, others likely have the same question, too. By sharing your questions and our answers, we can help others as well.

Personal credit report disputes cannot be submitted through Ask Experian. To dispute information in your personal credit report, simply follow the instructions provided with it. Your personal credit report includes appropriate contact information including a website address, toll-free telephone number and mailing address.

To submit a dispute online visit Experian's Dispute Center. If you have a current copy of your personal credit report, simply enter the report number where indicated, and follow the instructions provided. If you do not have a current personal report, Experian will provide a free copy when you submit the information requested. Additionally, you may obtain a free copy of your report once a week through April 2022 at AnnualCreditReport.