A recent series of thefts indicates that cybercriminals are using increasingly sophisticated techniques to ransack bank accounts.
The criminals' internet domain was shut down when Finjan researchers alerted police after they found evidence of illegal money transfers on a Ukraine-based server.
Logs on the server showed the cybercriminals had stolen €300,000 from German bank accounts in 22 days. At this rate, cybercriminals could steal €5m in a year.
The cybercriminals used the LuckySploit toolkit to exploit vulnerabilities in the browsers of victims through both fake and compromised legitimate websites.
The URLZone bank Trojan toolkit was used to control the money transfers from the victims' bank accounts via "money mule" laundering accounts to the cybercriminals.
The Trojans used in the attacks were designed to steal bank login details, steal money without raising alarms and then cover their tracks.
"This is the first time we have seen attackers use Trojans that contain logic to decide how much money to steal," said Yuval Ben-Itzhak, chief technology officer at Finjan.
The researchers uncovered code in the malware that adjusts the amount of money transferred to a money mule account based on the current balance.
"The code ensures that the amounts stolen fall below the thresholds of anti-fraud systems used by banks," said Ben-Itzhak.
Cybercriminals are likely to increase their use of such techniques for bank fraud, which is a very big problem, he said.
"The scale of losses due to internet banking fraud is largely hidden because there is no law that requires disclosure by banks that prefer not to talk about it," he said.
The Trojans also make sure that targeted bank accounts are not left with a zero or negative balance to avoid triggering alerts on anti-fraud systems, he said.
Researchers even found code in the Trojans used to specify to which money mule accounts the money should be sent.
The Trojans use money mule accounts only a limited number of times to avoid detection by anti-fraud systems.
"Another first is that the Trojans are able to deliver fake bank web pages to users that hide the thefts by displaying unaltered balances," said Ben-Itzhak.
By the time victims discover their accounts have been raided, the funds have been safely sent to the cybercriminals through their money mule network, he said.
The cybercriminals behind the attacks were getting the money using a well-developed network of mules who thought they were working for a legitimate company.
According to Ben-Itzhak, most mules allow their bank accounts to receive funds from the Trojans and forward the money without realising they are helping criminals.
Anyone receiving job offers should check if the company exists before accepting by conducting a few simple online searches to see if the company is real, he said.
"If the employer asks you to use your bank account or to open a new one, drop the offer and move forward," said Ben-Itzhak.