Facebook and cybersecurity investigators used clues discovered on a Koobface command-and-control server to identify the suspected cybercriminals and track them to St Petersburg in Russia.
The Koobface worm, which was typically disguised as a Flash update, was used to give the cybercriminals behind it control of hundreds of thousands of hijacked computers.
The investigators estimate that the Koobface gang was making around $2m a year from its botnet made up of as many as 800,000 hijacked computers.
The investigation is detailed in a report by independent researcher Jan Dromer and Dirk Kollberg of security firm Sophos that was published on the firm’s Naked Security blog.
Graham Cluley, a senior technology consultant at Sophos, told the BBC he believed they had identified the right people: "We're pretty confident. I mean obviously we have to assume these people are innocent until proven guilty."
Facebook said it has known the identities of the gang members for some time, but decided to name them publicly because of frustration over the lack of action by law enforcement authorities, according to The Telegraph.
Research into the suspects was mainly conducted from early October 2009 until February 2010 and has since been made available to various international law enforcement agencies, Sophos said.