Russian malware writers have scored at least US$25.7 million (£17.8 million, A$33.6 million) in raids against banks in their home country, intelligence firm Group IB says.
The "Buhtrap" group has since 2014 used simple but coordinated attacks to target Russian banks directly and with devastating effectiveness.
It is the first to use a worm to infect vast swathes of banking infrastructure which makes the attacks noisy but hard to completely disinfect.
Clean up operations trigger widespread shutdowns impacting service availability for customers.
The Buhtrap group gains access to banks' networks through phishing emails aimed at staff, and through the use of off-the-shelf exploit kits.
Group IB researchers write in a report published last week that direct successful malware attacks against banks are no longer rare.
"In many respects, this group’s activity has led to the current situation where attacks against Russian banks causing direct losses in the hundreds of millions of rubles are no longer taken as something unusual," the researchers say.
"The fundamental element of Buhtrap’s success is a general lack of awareness concerning targeted attacks against the financial sector.
"[Also there] is the over-reliance on traditional security measures, such as licensed and updating antivirus, operating systems, firewall [and] data leak prevention systems which are mistakenly expected to stop criminals at the initial stages of attacks."
The researchers say in the report [PDF] the criminals stole the US$25.7m between August and February in 13 attacks against Russian banks.
Attackers are also fleecing financial institutions in the Ukraine, however.
The largest since robbery yielded US$8.8 million (£6.1 million, A$11.5 million) while the smallest scored the crew US$376,485 (£260,212, A$492,2300).
The firm says each victim bank could have prevented the attacks if they were more security savvy, adding that one single attack would outweigh the cost of proper defences by a factor of 28.
Buhtrap initially compromised users by distributing legitimate software modified to compromise machines.
More details of the group and its indicators of compromise are available in the 27-page report. ®