Europol, the European Union Agency for Law Enforcement Cooperation, said on Monday it has apprehended the cybercriminal purportedly behind Carbanak, a strain of ransomware that earned a gang of hackers roughly $1.2 billion over the last five years.

Authorities didn’t name the suspect but said he was recently arrested in Alicante, Spain, a move that bookends a lengthy investigation carried out by the Spanish National Police, Europol, the FBI, and authorities in four other nations: Romania, Moldova, Belarus, and Taiwan.

For years the malware was focused on financial services, like banks and e-payment systems.

In 2015 researchers with Kaspersky Lab said the group behind the malware, dubbed the Carbanak gang in some circles, was responsible for stealing $2.5M to $10M per bank and that as many as 100 financial institutions in 30 countries were hit.

Europol more or less backed up those figures on Monday, saying the group carried out over 100 hacks across 40 countries. Each attack net the group an average of €10 million ($12.4 million) per heist.

The group is believed to be behind the several iterations of the malware, including Anunak, Carbanak, and Cobalt.

Criminals cashed out either by gathering money dispensed by ATMs, which were instructed to spit out bills at certain times, via an electronic payment network used to ferry money between the gang and criminal accounts, or by editing account information via databases and allowing money mules, individuals recruited by criminals to transfer money illegally, to collect funds.

It wasn’t until the last few years that attackers behind the malware shifted their strategy and began targeting hospital call centers, restaurants, and retail markets, infecting point of sale systems, enterprise networks, servers, and client workstations.

The gang began leveraging legitimate Google services to spread rigged RTF documents near the end of 2016. One campaign carried out by the group targeted a restaurant chain with over 1,500 locations and a luxury hotel chain with 100 locations.

As with previous takedowns coordinated by Europol, collaboration was key.

The agency's European Cybercrime Centre (EC3) worked alongside the Joint Cybercrime Action Taskforce, the European Banking Federation, individuals banks, and private security companies to carry out the operation.

“This global operation is a significant success for international police cooperation against a top level cybercriminal organization. The arrest of the key figure in this crime group illustrates that cybercriminals can no longer hide behind perceived international anonymity. This is another example where the close cooperation between law enforcement agencies on a worldwide scale and trusted private sector partners is having a major impact on top level cybercriminality." Steven Wilson, EC3's head said Monday.

The Cyber Police of Ukraine also said on Monday that it had apprehended a member of the Cobalt hacking group. While the translated press release didn't name the suspect it said he, a 30-year-old resident of Kiev, was involved in the "development of viruses, cyberespionage and sales of personal data from citizens around from around the world."

"The hacker also sold a variety of malicious software, and his viruses were used to remotely access victims' computers and further control of them," the agency said.