Virtual Event: Threat Detection and Incident Response Summit - Watch Sessions
Connect with us

Hi, what are you looking for?



“FIN10” Cybercrime Group Extorts Canadian Firms

A profit-driven cybercrime group tracked as FIN10 has been running an extortion operation mainly targeting organizations in North America, security firm FireEye reported on Friday.

A profit-driven cybercrime group tracked as FIN10 has been running an extortion operation mainly targeting organizations in North America, security firm FireEye reported on Friday.

A majority of the FIN10 attacks observed by FireEye have been aimed at mining companies and casinos in Canada. The hackers breached the targeted organization’s systems, obtained valuable data, and threatened to make it public unless a ransom was paid. Victims that refused to pay up had their data published online and their systems disrupted.

FIN10 has been around since as early as 2013 and its activities have continued through at least 2016. The first phase of its attacks has, at least in some cases, involved spear-phishing emails carrying links to servers controlled by the cybercrooks. The phishing emails were apparently crafted using data obtained from LinkedIn and other sources.

The early stage tools used by the attackers included software such as Meterpreter, the Splinter remote access trojan (RAT), and PowerShell-based utilities, including ones written by the hackers themselves.

The attackers then used compromised credentials, the Windows RDP service and tools such as Splinter RAT, PowerShell Empire and Meterpreter to maintain persistence and move laterally within the victim’s network. Their goal was to steal corporate business data, including correspondence and customer PII, which they could use to extort the victim.

Organizations that refused to pay had their data leaked and their systems and networks were often disrupted via batch scripts designed to delete critical files.

Victims were asked to pay between 100 and 500 bitcoins, which are worth hundreds of thousands of dollars. FireEye told SecurityWeek that some of the victims gave in to the extortion demands.

Advertisement. Scroll to continue reading.

FIN10 has carried out its attacks claiming to represent various hacker groups, particularly hacktivists. In one operation they claimed to be a Russian group called “Angels_Of_Truth” and told their victim that the attack was carried out in response to Canada’s economic sanctions on Russia. Researchers determined, however, that the posts in Russian were likely written using online translation tools and not by a native speaker. reported in June 2015 that a group calling itself “Angels_Of_Truth,” claiming to be from Russia, breached the systems of Canada-based intermediate gold producer Detour Gold Corporation. At the time, the hackers leaked personal information of employees and customers, salary information, confidential deals, donation records, medical records, legal documents, invoices, performance reviews and other data.

In other attacks, the hackers claimed to represent “Tesla Team,” a Serbian hacktivist group. In one operation, the group introduced itself as Tesla Team, but later changed its name to “Anonymous Threat Agent.”

In order to increase their chances of making the victim pay the ransom, FIN10 sent emails to staff and board members of the targeted organization. The group also informed the media about its breaches, either to put pressure on the victim or to maximize the exposure of those who refused to pay, FireEye said.

Researchers believe that FIN10’s focus on North America could suggest the attacker’s familiarity with this region.

“The relative degree of operational success enjoyed by FIN10 makes it highly probable the group will continue to conduct similar extortion-based campaigns at least in the near term. Notably, we already have some evidence to suggest FIN10 has targeted additional victims beyond currently confirmed targets,” FireEye said in its report. “Furthermore, while FIN10 is predominantly financially motivated, as evidenced by its preferred monetization technique (i.e., extortion), it is plausible the group is also motivated, at least in part, by ego.”

Related: FIN7 Hackers Change Phishing Techniques

Related: Cybercriminals Target Employees Involved in SEC Filings

Related: “FIN6” Cybergang Steals Millions of Cards From PoS Systems

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


Luxury retailer Neiman Marcus Group informed some customers last week that their online accounts had been breached by hackers.


As it evolves, web3 will contain and increase all the security issues of web2 – and perhaps add a few more.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...


Satellite TV giant Dish Network confirmed that a recent outage was the result of a cyberattack and admitted that data was stolen.


Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.

Artificial Intelligence

The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.

Artificial Intelligence

The degree of danger that may be introduced when adversaries start to use AI as an effective weapon of attack rather than a tool...