WASHINGTON — Federal prosecutors revealed Wednesday that three men are now in custody, charged in a massive hacking operation that targeted businesses in 47 states and stole the credit and debit card numbers of more than 15 million people.
Annette Hayes, the U.S. attorney in Seattle, said the three were part of a group that called itself FIN7 and used computer malware to steal customer card numbers from the point-of-sale terminals at more than 3,600 business locations. "The total loss so far is in the tens of millions of dollars."
Outlets of more than 100 U.S. companies were hit in all but three states — Alaska, Hawaii, and South Dakota. The hackers sent e-mail messages claiming to request information about catering. Targeted employees were urged to open an attachment, which launched the malicious computer code into the company's systems.
Some victim companies have previously acknowledged that they were attacked, including Chipotle Mexican Grill, Chili's, Arby's, and Red Robin restaurants. The hackers also targeted casinos and hotels, the FBI said.
The FBI's special agent-in-charge in Seattle, Jay Tabb, said many of the stolen customer card numbers later turned up for sale on the dark web, and some were used to make unauthorized charges.
Hayes said the three hackers are from Ukraine. One, Fedir Hladyr, was arrested by authorities in Germany at the request of the U.S. and sent to Seattle for trial. His arrest was kept secret until the other two were detained overseas — Dmytro Fedorov in Poland and Andrii Koplakov in Spain. The Justice Department is seeking their extradition to face the charges in the U.S.
The FBI said the group used a front company, Combi Security, which claimed to have headquarters in Russia and Israel, to give it the appearance of legitimacy.
But Tabb said there is no information linking the hackers to a state sponsor. "This is good, old-fashioned organized crime."
Computer security firm FireEye said it has been monitoring the FIN7 group since 2015, noting that the hackers showed unusual skill at encouraging target companies to open e-mails that would launch their attacks. "At individual stores, managers were contacted about lost items or sent a 'receipt' claiming overcharging," the company said Wednesday.
FireEye called the three Ukrainians "members of one of the most prolific financial threat groups of this decade."