APT Intelligence Directory
Institute for Critical Infrastructure Cybersecurity

FIN8

Medium Confidence | Medium Threat

Alias: Syssphinx

FIN8 is a financially motivated threat actor that has been active since at least 2016, targeting retail, hospitality, and entertainment organizations primarily in North America. The group specializes in deploying point-of-sale malware to steal payment card data. FIN8 is known for its use of the BADHATCH and SARDONIC backdoors, as well as for its careful operational security and ability to maintain long-term access to victim networks. The group periodically resurfaces with updated tools after periods of apparent inactivity.

Origin: Unknown
Sponsor: Cybercriminal (No State Sponsor)
Active: 2016 - Present
Victims: 100+ organizations
Advanced
Active
Financial Gain
Risk Assessment

Composite Risk Score: 63 (Medium Risk)
ARCS Compliance: 68
Escalation Risk: 65
Grievance Index: 55
Infrastructure Impact: 62
History & Evolution

Targeting

Target Sectors

Retail, Hospitality, Entertainment, Insurance

Target Regions

United States, Canada
Attribution & Affiliations

Attributed to a cybercriminal group with no state sponsor; origin unknown. Attribution confidence: Medium.

Intelligence Assessment

Threat Level: Medium
Targeting: Moderately
Adaptability: Moderately
Persistence: Medium
Op Tempo: Continuous
Status: Active

Future Outlook

FIN8 is expected to continue operations targeting the retail sector.

Timeline of Key Events

2016 (Major): First observed activity of FIN8

2024 (Moderate): Continued active operations