Hackers in the US have cracked card PIN codes used in cash machines.
Citibank-branded machines in 7-Eleven convenience stores across the country were targeted in the biggest remote PIN code theft scam seen in the US.
Between last autumn and this spring, at least $2m (£1m) was stolen from customer accounts using copied cards and the stolen PINs.
The fraud came to light after the alleged hackers were charged in a New York court. They are Yuriy Rakushchynets, Ivan Biltse and Angelina Kitaeva.
They have been charged with conspiracy and fraud, although the actual hacking is believed to have been completed by another party remotely.
The ring-leader is said to be Rakushchynets, a 32-year-old Ukrainian.
When his Brooklyn home was raided, investigators found $800,000 (£400,000) cash stuffed in rubbish bags.
It is not known how many Citibank and other banking customers were affected by the scam.
There are nearly 5,700 Citibank-branded cash machines inside 7-Eleven stores, but different firms maintain and operate the remote servers dealing with transactions.
It is not clear which server was compromised in the hacking operation.
Read more about PINs:
Read more on IT risk management
The gang responsible for record identity thefts may also have been responsible for hacking an outsourced Citibank ATM network.