Four alleged members of the FIN9 cybercrime group have been indicted for their role in a series of hacks that caused more than $71 million in damages to businesses across the United States.
The defendants, all of Vietnamese nationality, are accused of conducting a series of sophisticated phishing and supply chain attacks to gain unauthorized access to corporate networks with the intent of stealing confidential information.
According to the U.S. Department of Justice, Ta Van Tai (aka “Quynh Hoa” and “Bich Thuy”), Nguyen Viet Quoc (aka “Tien Nguyen”), Nguyen Trang Xuyen and Nguyen Van Truong (aka “Chung Nguyen”) are suspected of hacking into companies to steal nonpublic information, employee benefits and funds between at least May 2018 and October 2021.
According to court documents, the individuals charged accessed employee benefit rewards programs administered by the companies and transferred gift cards to accounts under their control.
The FIN9 group is also accused of stealing gift card information stored on the computer networks of the hacked companies and using the stolen information to register accounts at cryptocurrency exchanges and web server hosting companies to conceal their true identity.
“The FIN9 defendants are an internationally active group of hackers who allegedly used phishing attacks, supply chain attacks, and other hacking techniques over a period of years to steal millions of dollars from their victims,” said U.S. Attorney Philip R. Selinger. “They did all this while hiding behind keyboards, VPNs, and fake identities, yet the Department of Justice found them nonetheless. My office is committed to pursuing justice for victims, and cybercriminals around the world should take notice.”
To conceal the source of the stolen money, Thay, Suen and Truong allegedly sold the stolen gift cards on peer-to-peer cryptocurrency marketplaces.
All four defendants are charged with conspiracy to commit fraud, extortion, wire fraud and intentional damage to a protected computer, and could face up to five years in prison for the fraud and extortion charges, up to 20 years for wire fraud and up to 10 years for each computer damage charge.
Additionally, Thay, Suen and Truong are charged with money laundering, which carries a maximum sentence of 20 years in prison. Thay and Quok are additionally charged with aggravated identity theft and conspiracy to commit identity fraud, which carry a maximum sentence of two years and 15 years in prison, respectively.
The suspected hackers’ focus on gift cards draws comparisons with another cybercrime group that has been very active recently, Storm-0539 (aka Atlas Lion). Last month, the FBI warned US retailers that the Storm-0539 cybercrime group was targeting company employees with phishing attacks in an attempt to gain access to systems that could create fraudulent gift cards.
