Threat Intelligence Tarot
pentacles · 6
Criminal (Eastern European, suspected)
G0037 · ★★★★★
risk 4/5
✦ The Dark Counter ✦
FIN6
ITG08 · Skeleton Spider
Retail point-of-sale · Hospitality · E-commerce · 20M+ payment cards stolen
Active since ~2015 · Payment card data theft, POS system compromise, Retail financial fraud
The Dark Counter sits inside retail POS systems and counts cards - millions of them, stripped from checkout terminals across American retail. It sold them in batches, then pivoted to ransomware when the market for card data saturated. It adapts. The business model evolves. The victims stay the same.
Tactics & Techniques
RCN · RDV · INI · EXC · PRS · PRV · EVA · CRD · DSC · LAT · COL · C2 · EXF · IMP
Notable Operations
- 20M+ payment cards stolen from US retailers
- Metasploit-based attacks on retail POS environments
- Partnership with TrickBot and LockerGoga for ransomware pivot
- Large-scale card data sold on dark web marketplaces
Defenses
- EMV chip-and-PIN implementation for all POS terminals (PCI DSS)
- Point-to-point encryption on all payment data transmission (PCI DSS Requirement 4)
- POS network segmentation from corporate IT (PCI DSS Requirement 1)
- Dark web monitoring for compromised card data indicators (NIST CSF: ID.RA)
Reversed: Their Weakness
FIN6's shift from card theft to ransomware reflected market dynamics: as payment networks improved fraud detection and card data prices fell, the ransomware business model offered better returns. Defenders who tracked the evolution had advance warning to shift defensive priorities.
Data sourced from MITRE ATT&CK. For educational purposes.