A Ukrainian man was sentenced to seven years in prison Thursday for his role in a hacking group that prosecutors said is responsible for stealing millions of U.S. credit and debit card numbers.

Andrii Kolpakov, 33, whom the hacking group FIN7 referred to as "pen tester," was ordered in the Western District of Washington to pay $2.5 million in restitution, according to the Department of Justice. Kolpakov was arrested in Spain in June 2018 and extradited to the United States in June 2019.

He pleaded guilty in June 2020 to one count of conspiracy to commit wire fraud and one count of conspiracy to commit computer hacking.

Kolpakov was involved in the group from at least April 2016 until his arrest, prosecutors said. Through a series of sophisticated malware campaigns, FIN7 attacked hundreds of U.S. companies.

"FIN7 carefully crafted email messages that would appear legitimate to a business’s employees and accompanied emails with telephone calls intended to further legitimize the emails," the statement said. "Once an attached file was opened and activated, FIN7 would use an adapted version of the Carbanak malware, in addition to an arsenal of other tools, to access and steal payment card data for the business’s customers. Since 2015, many of the stolen payment card numbers have been offered for sale through online underground marketplaces."

In the United States, FIN7 infiltrated businesses in all 50 states and Washington, D.C., stealing more than 20 million customer card records and causing an estimated $1 billion or more in costs for its victims, prosecutors said.

Businesses that have publicly disclosed hacks attributed to the group include restaurant chains such as Chipotle Mexican Grill, Chili’s, Arby’s, Red Robin, and Jason’s Deli.

Another Ukrainian national, Fedir Hladyr, 35, was sentenced to 10 years in prison for his role in the group in April.

