FIN Threat Group
What is FIN Threat Group?
A Mandiant-style designation for a financially motivated threat group whose intrusions target payment systems, retailers, hospitality, and financial institutions.
Mandiant (now Google Threat Intelligence) uses the FIN prefix for tracked threat clusters whose primary motive is financial profit, in contrast to APT for espionage actors. Well-known examples include FIN6 (point-of-sale card data, later involved in ransomware deployment), FIN7 (long-running carding and BEC operation, public indictments in 2018, evolved into Carbanak/Carbon Spider), FIN8 (POS targeting hospitality and retail, later Ragnar Locker affiliate), FIN11 (Cl0p ransomware leak-site operator, MOVEit campaign) and FIN12 (top-tier ransomware deployer). FIN clusters are differentiated by tooling, kill-chain artefacts, lure themes, infrastructure, and crypto-cash-out patterns. Some FIN groups later overlap with state interests; analysts maintain naming until graduation criteria are met.
● Examples
- 01: FIN7 members were arrested and indicted by the US Department of Justice in 2018 for tens of millions of dollars in card fraud.
- 02: The 2023 Cl0p MOVEit Transfer mass-extortion campaign, which affected hundreds of victims, was attributed to FIN11.
● Frequently asked questions
What is FIN Threat Group?
A Mandiant-style designation for a financially motivated threat group whose intrusions target payment systems, retailers, hospitality, and financial institutions. It belongs to the Defense & Operations category of cybersecurity.
What does FIN Threat Group mean?
A Mandiant-style designation for a financially motivated threat group whose intrusions target payment systems, retailers, hospitality, and financial institutions.
How does FIN Threat Group work?
Mandiant (now Google Threat Intelligence) uses the FIN prefix for tracked threat clusters whose primary motive is financial profit, in contrast to APT for espionage actors. Well-known examples include FIN6 (point-of-sale card data, later involved in ransomware deployment), FIN7 (long-running carding and BEC operation, public indictments in 2018, evolved into Carbanak/Carbon Spider), FIN8 (POS targeting hospitality and retail, later Ragnar Locker affiliate), FIN11 (Cl0p ransomware leak-site operator, MOVEit campaign) and FIN12 (top-tier ransomware deployer). FIN clusters are differentiated by tooling, kill-chain artefacts, lure themes, infrastructure, and crypto-cash-out patterns. Some FIN groups later overlap with state interests; analysts maintain naming until graduation criteria are met.
How do you defend against FIN Threat Group?
Defences for FIN Threat Group typically combine technical controls and operational practices, as detailed in the full definition above.
What are other names for FIN Threat Group?
Common alternative names include: FIN cluster, Financially motivated FIN group.
● Related terms
- defense-ops № 057: APT Group
A named, tracked threat actor (usually state-sponsored) that conducts targeted, long-term, well-resourced intrusion campaigns against specific organisations or sectors.
- defense-ops № 1191: UNC Cluster (Uncategorized)
A Mandiant tracking label for a set of related intrusions whose actor, motivation, or sponsor has not yet been confirmed enough to graduate to APT or FIN.
- defense-ops № 901: Ransomware Gang
A financially motivated cybercriminal group that develops, operates, or distributes ransomware to extort organisations through file encryption and data leak threats.
- defense-ops № 1145: Threat Actor
An individual or group that intentionally causes or attempts to cause harm to information systems, organisations, or people through cyber operations.
- defense-ops № 1148: Threat Intelligence
Evidence-based knowledge about threats and threat actors — including indicators, TTPs and context — used to guide security decisions and detection.
- defense-ops № 1131: Tactics, Techniques and Procedures (TTPs)
A layered description of how a threat actor operates: tactics (the why), techniques (the how), and procedures (the specific implementation).