Few owners of hijacked machines know they have been compromised
Spanish police have revealed that they have arrested three men responsible for one of the world's biggest networks of virus-infected computers.
All are Spanish citizens with no criminal records and limited hacking skills.
It is estimated that the so-called Mariposa botnet was made up of nearly 13 million computers in 190 countries.
It included PCs inside more than half of Fortune 1000 companies and more than 40 major banks, investigators said.
The criminals have so far only been identified by their internet names, netkairo, aged 31, johnyloleante, aged 30 and ostiator, 25.
Other arrests may follow, the investigators believe.
The first member of the gang was arrested in early February, when he inadvertently logged into the network without disguising the address of his computer.
His computer linked investigators to two more suspects who were arrested later in the month.
The botnet was being monitored and was rendered inactive in December, following a major investigation conducted by the FBI, the Spanish Guardia Civil and security experts around the world.
The network of computers was designed to steal sensitive information, including usernames, passwords, banking credentials and credit card data, from social media sites and other online e-mail services.
One of the arrested men had 800,000 pieces of personal data on his machine.
Some very high profile businesses were targeted.
"It would be easier for me to provide a list of the Fortune 1000 companies that weren't compromised," said Christopher Davis, chief executive of security firm Defence Intelligence, one of the firms that was invited to join the Mariposa Working Group, which was set up to deal with the botnet in May 2009.
Panda Security was also in the group.
Senior research advisor Pedro Bustamante said the criminals behind the botnet did not have "advanced hacking skills".
"This is very alarming because it proves how sophisticated and effective malware distribution software has become, empowering relatively unskilled cyber criminals to inflict major damage and financial loss," he said.
The gang made money by renting out parts of the botnet to other cyber-criminals as well as selling stolen credentials and using banking and credit card information to make transactions via so-called money mules.
Working with law enforcement agencies is not without its risks for security firms.
After the botnet was closed down, Defence Intelligence was hit by a Distributed Denial of Service (DDoS) attack as an apparent act of retaliation.
A DDoS attack occurs when a website is bombarded by requests for pages, often by a botnet, effectively taking it offline.
The attack was powerful enough to knock customers of an unnamed ISP offline for several hours.
The firm remains determined to pursue such cases.
"We will continue to fight the threat of botnets and the criminals behind them. We'll start by dismantling their infrastructure and won't stop until they're standing in front of a judge," said Mr Davis.