Request a Demo Contact Us


The FIN5 is a threat group that targets point-of-sale data to get payment card information.

The FIN5 is a threat group that targets point-of-sale data to get payment card information. The FIN5 group, populated by what is believed to be Russian-speaking threat actors, has made a lucrative living in the restaurant, hospitality, and gaming industries. Cybersecurity researchers believe that FIN5 has been active since approximately 2008.

In the case of one major casino, the data associated with 150,000+ credit cards were breached by FIN5. The FIN5 group navigated through the organization’s networks to penetrate the payment systems and exfiltrate sensitive credit card data. In context, it has been said that this casino did not have firewalls isolating their payment systems or basic logging in place. Further, the F6 threat group appears to have enabled access to the casino databases for over one year without being identified. In context, most of the casinos targeted by FIN5 are in the United States and Europe.

Security researchers further noted that FIN5 developed its malicious software tools, utilized stolen credentials, and seemed to have compromised the active directory on multiple occasions. Particularly concerning is that in most cases, FIN5 started the initial compromise using authorized credentials, but the source of how they acquired these credentials is not known or understood.

One of FIN5’s preferred tools is a backdoor called Tornhull, which is used in conjunction with VPN Flipside. FIN5 also uses a brute force scanning tool called GET2 Penetrator that finds credentials and login information. FIN5 is also known for using RawPOS malware in conjunction with its attack procedures and using it to infect servers. RawPOS is very powerful and comes with several valuable components. RawPOS allowed FIN5 to attack payment systems by scraping the memory of PoS searching for credit card data. RawPOS malware is a memory scraper repeatedly found within the hospitality industry since 2008. RawPOS targets the memory locations where payment information may be temporarily stored.


Want to learn more? Check out our FREE Bugcrowd University to sharpen your hacking skills.

Organizations the world over need your help! Join our researcher community to connect with hundreds of organization programs focused on finding their security vulnerabilities. Our vast directory includes programs for all skill levels across many industries and from around the world.

Get started with Bugcrowd

Hackers aren’t waiting, so why should you? See how Bugcrowd can quickly improve your security posture.