They would steal card data and sell it in a black-market carding forum. They also did a side business in the theft and sale of proprietary or non-public information, but that was just gravy: their main course was always selling cards in the criminal-to-criminal market. They targeted more than a hundred companies in the US alone, most of them in the gaming, restaurant, and hospitality sectors. Some of the better-known companies they hacked included Red Robin, Chipotle, and Arby's.
The three men arrested, Dmytro Fedorov, Fedir Hladyr and Andrii Kopakov, are all Ukrainian nationals. They're now in US Federal custody and awaiting trial on twenty-six felony counts of conspiracy, wire fraud, computer hacking, access device fraud and aggravated identity theft. Fedorov is awaiting extradition in Poland and Kopakov is doing the same in a Spanish holding cell. Hladyr, picked up by police in Dresden, Germany, is already in Seattle.
Carbanak was a big operation, thought to have stolen more than $1 billion from businesses worldwide. One hopes these arrests will cripple the gang, but criminal organizations have come back from seeming death before.
Social engineering, in this case phishing with follow-up phone calls and even workplace surveillance, is effective, which is why criminals and nation-states will continue to try it. Every organization should consider some realistic, interactive training to help raise its employees' awareness of what's at stake, and how they can prevent potentially catastrophic loss. In the meantime, bravo FBI.
The FBI has the story, complete with a useful infographic explaining how the Fin7 scammers worked, from phishing to carding: https://www.fbi.gov/contact-us/field-offices/seattle/news/stories/how-cyber-crime-group-fin7-attacked-and-stole-data-from-hundreds-of-us-companies