The Fin7 hacking group has leeched, by at least one estimate, well over a billion dollars from companies around the world. In the United States alone, Fin7 has stolen more than 15 million credit card numbers from over 3,600 business locations. On Wednesday, the Justice Department revealed that it had arrested three alleged members of the group—and even more important, detailed how it operates.

The indictments allege that three Ukrainian nationals—Dmytro Fedorov, Fedir Hladyr, and Andrii Kolpakov—are members of Fin7, contributing to the group’s years-long reign as one of the most sophisticated, and aggressive, financially motivated hacking organizations in the world. Each has been charged with 26 felony counts, ranging from conspiracy to wire fraud to computer hacking to identity theft.

The three men allegedly had high-profile roles in Fin7: Hladyr as its systems administrator, and Fedorov and Kolpakov as supervisors to groups of hackers. And although Fin7 has continued to operate since they entered custody—Hladyr and Fedorov in January, and Kolpakov in June—the arrests do mark law enforcement’s first win against the shadowy cybercrime empire.

“This investigation continues. We are under no illusion that we have taken this group down altogether. But we have made a significant impact,” said US attorney Annette Hayes at a press conference announcing the indictments. “These hackers think they can hide behind keyboards in faraway places, and that they can escape the long arm of United States law. I’m here to tell you, and I think this announcement makes clear, that they cannot do that.”

The DoJ's announcement, along with a new report by security firm FireEye, also gives unprecedented insight into how, and at what level, Fin7 operates. “They’ve brought a lot of techniques that we usually see associated with a state-sponsored attacker into the financial attacker realm,” says Barry Vengerik, a threat analyst at FireEye and coauthor of the Fin7 report. “They’re applying a level of sophistication that we’re not used to really seeing from financially motivated actors.”

Phish Fry

On or around March 27 of last year, an employee at a Red Robin Gourmet Burgers and Brews received an email from ray.donovan84@yahoo.com. The note complained about a recent experience; it urged the recipient to open the attachment for further details. They did. Within days, Fin7 had mapped Red Robin’s internal network. Within a week, it had obtained a username and password for the restaurant’s point-of-sale software management tool. And inside of two weeks, a Fin7 member allegedly uploaded a file containing hundreds of usernames and passwords for 798 Red Robin locations, along with “network information, telephone communications, and locations of alarm panels within restaurants,” according to the DoJ.


The Fin7 indictment alleges nine other incidents in addition to Red Robin, and each follows roughly the same playbook. It starts with an email. It looks innocuous enough: a reservation inquiry sent to a hotel, say, or a catering company receiving an order. It doesn’t necessarily even have an attachment. Just another client or customer reaching out with a question or concern.

Then, either in that first outreach or after a few emails back and forth, comes the request: Please see the attached Word doc or rich text file, it has all the pertinent information. And if you don’t open it—or maybe before you even receive it—someone gives you a phone call, as well, reminding you to.

“When targeting a hotel chain or restaurant chain, a conspirator would make a follow-up call falsely claiming that the details of a reservation request, catering order, or customer complaint could be found in the file attached to the previously delivered email,” the indictment says.

FireEye mentions one restaurant target who received a “list of inspections and checks scheduled to take place,” on convincing FDA letterhead. An email to a hotel victim might claim to contain a picture of a bag someone left behind in a room. The approaches varied. And while “don’t open attachments from strangers” is the first rule of not getting phished, Fin7 targeted organizations that need to do just that in the regular course of business.