The European Union Agency for Law Enforcement Cooperation (Europol) on Monday said it has arrested the suspected leader of a cyber gang reportedly responsible for the Carbanak and Cobalt malware attacks.

The suspect was picked up in Alicante, Spain, following a joint investigation that involved the Spanish National Police and several other law enforcement agencies including the FBI as well as Romanian, Taiwanese and Belarussian authorities.

Europol said the group has been operating since late 2013 when it launched the Anunak malware campaign that targeted ATMs and financial transfers. The team reportedly built on its success a year later with a more sophisticated version called Carbanak that remained in use until 2016 before graduating to an even more mature variant that was based on the Cobalt Strike penetration testing software.

According to Europol, the group hit banks across more than 40 countries, resulting in cumulative losses of more than 1 billion euros. With the Cobalt malware, Europol said the group was stealing up to 10 million euro per heist.

Cash was extracted using one of three systems. With ATMs, the group would reportedly schedule machines to dispense cash at pre-determined times and have associates waiting nearby to grab it. In other instances, the group would modify databases to artificially inflate account balances and when using e-payment networks, the team would simply transfer money to their account or foreign bank accounts.

The stolen cash in some instances was laundered using cryptocurrencies, Europol said, which was then used to buy goods like luxury homes and vehicles.