How the FIN7 Cybercrime Gang Operates

The Grugq has written an excellent essay on how the Russian cybercriminal gang FIN7 operates. An excerpt:

The secret of FIN7’s success is their operational art of cyber crime. They managed their resources and operations effectively, allowing them to successfully attack and exploit hundreds of victim organizations. FIN7 was not the most elite hacker group, but they developed a number of fascinating innovations. Looking at the process triangle (people, process, technology), their technology wasn’t sophisticated, but their people management and business processes were.

Their business… is crime! And every business needs business goals, so I wrote a mock FIN7 mission statement:

Our mission is to proactively leverage existing long-term, high-impact growth strategies so that we may deliver the kind of results on the bottom line that our investors expect and deserve.

How does FIN7 actualize this vision? This is CrimeOps:

  • Repeatable business process
  • CrimeBosses manage workers, projects, data and money.
  • CrimeBosses don’t manage technical innovation. They use incremental improvement to TTP to remain effective, but no more
  • Frontline workers don’t need to innovate (because the process is repeatable)

Posted on September 16, 2020 at 6:00 AM • 9 Comments


Clive Robinson September 16, 2020 8:47 AM

@ All,

As the Grugq notes,

Crime pays when you move up the value chain into project management!

But it’s not just “project management” but management in general.

From back in the 1980’s when cracking first started to move from “ego food” to “crime” few at the sharp end had even the slightest idea on how to monetize their activities.

A decade or so later academic researchers talking about bot nets did not appear to realise that the operators were not effectively monetizing. When I pointed this out on a well known security blog[1], it got a grumpy response.

But realistically even as little as a decade ago cyber monetization was still really not very good at all. More money was being taken in the US on credit card fraud of the traditional style.

My viewpoint has been for several decades and still is that cyber criminals are really quite bad at monetization, though they are slowly getting better.

One of the reasons I have advised for many years and still do advise tech people to study Business Management is that not only does it help you “speak business to the man that cuts your cheques” it also broadens your outlook and thus your perspectives.

If you think about it what works for you in the commercial world will also work for you in the criminal world, they are at the end of the day little different.

So yes whichever colour hat you choose to wear a good knowledge of business is very much going to improve your bottom line.

[1] It was not this blog but another one I mention from time to time. As for the academic concerned, I think from his later progress he took the idea on board.

mark September 16, 2020 11:28 AM

Why does this sound like the Scummy Mortgage Co I worked for in Austin, back in the late 80’s?

But… moving up makes you more money? Bruce, are you trying to suggest that it’s not just… but an MLM?

jcb September 16, 2020 3:35 PM

FIN7 was not the most elite hacker group

Probably not. Most criminals are not that “elite” at anything. A true business philosophy of excellence does not generally inure to crime.

Frontline workers don’t need to innovate (because the process is repeatable)

That really is how any business needs to run! If you’re going to step back and look at the process, try to make it more efficient, then by definition you are no longer on the front line of production, with the tight schedules and hard deadlines that require idiot-proof reliability under pressure. There’s management of course, but research is a different department with its own front line. As available workers become more EDUCATED, and learn to automate their production, more of them naturally shift over in the research direction.

The problem with corporate “research” is that management as such all too often has dreams of monetizing business innovations far beyond the improvement of their own business process, with the Luddite chains of intellectual property, patent protection rackets, the WIPO copyright enforcement cártel, and vague or inconsistent trademark claims.

Erdem Memisyazici September 16, 2020 8:30 PM

I suppose you know you wrote a decent software package when even crooks use it to stay organized. Good job JIRA Team XD

Marti September 17, 2020 3:03 AM

They use incremental improvement to TTP to remain effective

So what is TTP? Trusted third party? Text transfer protocol? Thrombotic thrombocytopenic purpura?

1&1~=Umm September 17, 2020 3:32 AM


“So what is TTP?”

It is explained in the Grugq article that the quote is taken from. It is a fairly quick read.

c1ue September 17, 2020 11:18 AM

I wrote a number of articles on LinkedIn talking about DoIT – “denial of IT” as a new and growing cyber crime methodology. DDoS was an early DoIT; ransomware is the latest.
And one of the things I noted is that the cyber criminals clearly had no idea just how much value they were impeding, as evidenced by picayune ransoms, but that this situation would change.
Today, we regularly hear of double digit million ransoms.
Hopefully we won’t get to the next phase: cyber feudalism – which I also wrote about.
The reason there is royalty in Europe was because the feudal lords needed some system to protect against other feudal lords. Any such regulatory system needs hierarchy, and hierarchy over time has to ascend to a single point.
The OG gangsters, the feudal lords, forcing peasants to cough up in return for protection became governments.

1&1~=Umm September 18, 2020 3:59 AM


“The reason there is royalty in Europe was because the feudal lords needed some system to protect against other feudal lords.”

Your reasoning lacks depth of historical knowledge.

Royalty is just one of many names for the transfer of power by heredity, and is seen not just in humans but animal troops. As such it is just a factor in mating privileges.

We have very good reason to believe such heredity privilege occurs in by far the greater number of social groupings as evidenced in pre-human tribes and may well have started in areas we now call Africa or Asia. It’s also seen in other fauna such as most mammals, birds and fish.

As for the need for it, well it’s down to “response times in herds”. In herds it is usually the best tactic when attacked to behave not as a group of individuals with different thoughts but as though a very much larger single minded organism. For this to work effectively you need a single mind in charge, behaviour relay minds and subservient minds that follow either the single or relay minds actions.

So your wish of,

“Hopefully we won’t get to the next phase: cyber feudalism”

Is most likely not going to happen as ‘cyber-space’ becomes just another arena for social groupings. Likewise what we now call ‘out of space’.

Because as far as we can tell feudalism is not a higher level function of primates it’s a fundamental part of DNA based life forms and all flora and fauna practice some version of it as part of evolution.

It’s one of the reasons people occasionally ask,

‘Is intelligence anti Darwinian’

Because as intelligent beings we can see from the past the harm that occurs in a more general way due to mating privilege and can thus project it into the future. So can attempt to control the basic individual evolutionary drivers for societal benefit.
