What would POS terminal cybercriminals do if they didn?t know you were watching? Imagine you could understand and see a clear connection between a payment terminal compromise, credit card numbers getting stolen from those terminals, and ultimately their sale on the underground. Attribution of attackers is often difficult, especially when dealing with point of sale terminal breeches. Trying to establish tools, tactics and procedures in order to better understand the adversary also takes time, effort, and dedicated resources. Using a combination of physical and virtual honeypots, we tracked POS attackers from the initial infection all the way to the sale of fake credit cards on underground forums. In this new research, we cover the malware, TTP's, and attack chain behind several POS actors against our honeypots. Finally, learn about a tool we created and used that aided in the analysis of attacks, file drops, and communications? FileGrabber ? that we are going to release at the end the talk.