According to security company Kaspersky Lab, the gang, dubbed Carbanak, takes the approach of stealing directly from banks, rather than posing as customers to withdraw money from companies’ or individuals’ accounts. It said the gang included cyber criminals from Europe, including Russia and Ukraine, as well as China.

Carbanak used emails to trick pre-selected employees into opening malicious software files, a common technique known as spear phishing. They were then able to get into the internal network and track down administrators computers for video surveillance.

This way, the criminals learned how the bank clerks worked and could mimic their activity when transferring the money.

In some cases, Carbanak inflated account balances before pocketing the extra funds through a fraudulent transaction. Because the legitimate funds were still there, the account holder would not suspect a problem.

Kaspersky said Carbanak also remotely seized control of ATMs and ordered them to dispense cash at a predetermined time, when a gang member would be waiting to collect the money.