FIN10: The North American Extortionist Cybercrime Group
- Suspected Origin
- Unknown
- Motivation
- Financial Gain, Extortion, Ego
- Aliases
- None documented
- Target Sectors
- Mining, Casinos
- Associated Malware
- Meterpreter, SplinterRAT, PowerShell Empire, KOMPROGO
Overview
FIN10 (MITRE ATT&CK ID: G0051) is a financially motivated cybercrime group that operated with considerable success between at least 2013 and 2016. This group primarily focused its attacks on organizations in North America, with a notable concentration on Canadian targets within the mining and casino industries. Their core modus operandi involved breaching corporate networks, exfiltrating sensitive business data, and then leveraging this stolen information for extortion. If their ransom demands were not met, FIN10 was known to publicly leak the data and, in some cases, actively disrupt or destroy the victim’s systems.
While primarily driven by financial gain through cyber extortion, security researchers have also posited that an element of ego might motivate FIN10, given their highly disruptive actions and propensity to taunt victims. The group was adept at using false flags to obscure their true identity, frequently claiming affiliations with hacktivist groups like “Angels_Of_Truth” (purportedly Russian) or “Tesla Team” (purportedly Serbian), which they later sometimes rebranded as “Anonymous Threat Agent”. However, analysis of their communications revealed that posts in Russian were likely generated using online translation tools, indicating a lack of native Russian speakers within the group. Despite their attempts at misdirection, FIN10’s consistent targeting of North American entities suggests a familiarity with the region.
Tactics & Techniques
FIN10’s operational methodology relied heavily on common, publicly available tools and techniques, demonstrating a pragmatic approach to achieve their objectives without developing custom malware.
Initial access was frequently achieved through spear-phishing campaigns. These emails were often meticulously crafted, utilizing data gathered from professional networking sites like LinkedIn to enhance their legitimacy and increase the likelihood of victim interaction. The phishing emails typically contained links directing victims to servers controlled by FIN10.
Once an initial foothold was established, FIN10 focused on persistence and lateral movement within the victim’s network. They leveraged compromised credentials, sometimes exploiting VPNs protected only by single-factor authentication, to gain remote access. The group extensively used the Windows Remote Desktop Protocol (RDP) for lateral movement to other systems. For persistence, they employed frameworks like PowerShell Empire, utilizing its Registry option to add ‘Run’ keys and its Scheduled Task option, including S4U tasks. Meterpreter stagers and SplinterRAT instances were also deployed to maintain access.
In terms of discovery, FIN10 utilized tools like Meterpreter to enumerate users on remote systems, mapping out the network environment and identifying potential targets for further exploitation. Their objective during this phase was to steal valuable corporate business data, including sensitive correspondence and personally identifiable information (PII).
For exfiltration, data was typically copied and staged using standard file transfer tools, then uploaded to public-facing websites such as Pastebin and JustPaste.it, or file-sharing services like Dropbox. This public exposure served as proof of their breach during extortion negotiations.
The ultimate impact delivered by FIN10 was multifaceted. They initiated extortion demands, typically ranging from 100 to 500 Bitcoins, which translated to hundreds of thousands of dollars. To pressure victims into paying, FIN10 would send emails to staff and board members and even contact media outlets to publicize the breach. If the extortion demands were not met, the group would follow through on their threats, publicly releasing the stolen data and, in several documented cases, employing destructive batch scripts to delete critical operating system files, rendering Windows systems inoperable and causing significant disruption to the victim’s operations.
Notable Campaigns
FIN10’s activity was concentrated between 2013 and 2016, primarily targeting Canadian organizations. While specific campaign names beyond vendor tracking are not widely published, a notable incident involved an attack on the Canada-based intermediate gold producer Detour Gold Corporation in 2015. In this campaign, FIN10, operating under the “Angels_Of_Truth” persona, claimed the attack was a response to Canada’s economic sanctions on Russia, a narrative later dismissed due to evidence of machine translation in their communications. Following this breach, the group leaked a wide array of sensitive information, including employee and customer personal data, salary details, confidential business deals, donation records, medical files, and legal documents. This incident highlighted FIN10’s willingness to inflict severe reputational and operational damage on victims who refused to pay their ransom demands.
Associated Malware & Tools
FIN10 stands out for its reliance on readily available and legitimate tools, rather than developing sophisticated custom malware. This approach likely aided in their operational stealth and made attribution more challenging for defenders at the time. Key tools and frameworks observed in their operations include:
- Meterpreter: A Metasploit payload used for remote access, execution, and system enumeration.
- SplinterRAT: A Remote Access Trojan deployed for initial foothold and persistence.
- PowerShell: Heavily utilized for execution of commands, custom utilities, and loading Meterpreter stagers into memory.
- PowerShell Empire: A post-exploitation framework used for establishing persistence through Registry Run keys and Scheduled Tasks.
- Batch Scripts: Employed for destructive actions, specifically deleting critical system files to disrupt victim operations if extortion demands were not met.
- KOMPROGO: Mentioned as an associated tool.
Their use of these legitimate administrative and penetration testing tools meant that their activities could often blend in with normal network traffic, posing a challenge for traditional security defenses.
Current Status
Based on available public reporting, FIN10 appears to have been dormant since at least 2016. While the MITRE ATT&CK page for G0051 was last modified in November 2024, its description continues to state that the group targeted organizations “since at least 2013 through 2016”. Similarly, other threat intelligence resources consistently reflect this timeframe, with no new campaigns or significant activity attributed to FIN10 being publicly reported in recent years. It is plausible that the group either ceased operations, disbanded, or has evolved and rebranded under a different designation, making continued tracking under the “FIN10” moniker no longer applicable. However, without further evidence, the group is considered dormant.
Related content
Worried this actor targets your sector?
Let's map your exposure before they find it themselves.
Book an advisory call