Three Ukrainian citizens suspected of being part of a “prolific hacking group” have been arrested, the US Department of Justice has announced.
The three men are accused of using malware to attack more than 120 US companies, including the restaurant chains Chipotle and Arby’s.
Firms in the UK, France and Australia were also said to have been targeted.
Its activities had been widely tracked in the cyber-security press. In some cases it was suspected of being a Russia-based operation.
It said the information was then sold via the “dark net” – a part of the internet that is not indexed by regular search engines such as Google.
The resulting losses are believed to have run into the tens of millions of dollars.
The group is understood to still be active.
Each of the three accused faces allegations of conspiracy, wire fraud, computer hacking, access device fraud, and aggravated identity theft.
However, only one of the men is currently in US custody.
Fedir Hladyr is being held in Seattle pending trial after being handed over by the German authorities, who arrested the 33-year-old in January.
Dmytro Fedorov was arrested the same month in Poland. The Spanish authorities are holding the third suspect, Andrii Kopakov. The US is seeking to have both extradited.
It is not known whether the men deny the crimes they are accused of.
“The naming of these Fin7 leaders marks a major step towards dismantling this sophisticated criminal enterprise,” said the FBI agent in charge, Jay Tabb.
“The FBI will continue to work with its law enforcement partners worldwide to pursue the members of this devious group, and hold them accountable for stealing from American businesses and individuals.”
One cyber-security expert said that tackling such crimes required good international collaboration.
“The criminal organisation, to which the individuals arrested are alleged to belong, is one of the larger groups, which likely is the reason for it attracting sufficient attention from law-enforcement,” commented Dr Steven Murdoch from University College London.
“The clever techniques it used to infiltrate companies demonstrates that it is impossible to guarantee that systems processing card numbers will be protected from all attacks.
“For this reason, payment systems are gradually being changed to reduce the value of card numbers to criminals, such as by creating card numbers which can only be used once, or confirming transactions by sending a text message to the customer.”