Threat Intelligence Tarot
cups · 3
Criminal (financially motivated, suspected Western)
G0085 · ★★★★★
risk 4/5
✦ The Insider ✦
FIN4
Pharmaceutical companies · Investment banks · Healthcare firms · SEC-regulated companies
Active since ~2013 · Insider information for securities trading, M&A intelligence, Market manipulation
The Insider does not want your credit card numbers. It wants to know if the drug trial succeeded before the press release. It targets board members, executives, and their advisors - reading emails that will move markets before markets know they should move. It trades on what it steals.
Tactics & Techniques
RCN · RDV · INI · EXC · PRS · PRV · EVA · CRD · DSC · LAT · COL · C2 · EXF · IMP
Notable Operations
- Targeting of 100+ pharmaceutical and healthcare companies for M&A intelligence
- Targeted board of directors and executive email accounts specifically
- Clinical trial result data theft before public announcement
- SEC charges against alleged operators (2015)
Defenses
- Board and C-suite account hardening with hardware MFA (NIST SP 800-63B)
- Email DLP monitoring for sensitive M&A and clinical data (NIST CSF: PR.DS)
- Anomaly detection on executive email access patterns (NIST CSF: DE.AE)
- Insider trading risk program including cyber breach monitoring (SEC guidance)
Reversed: Their Weakness
FIN4's narrow focus on insider trading intelligence made it highly identifiable - when patterns of M&A-related email compromise correlated with unusual options activity, the SEC and security researchers triangulated the connection, leading to the first major attribution of a financially motivated cyber espionage group.
Data sourced from MITRE ATT&CK. For educational purposes.