A gang of unknown thieves has stolen nearly $10 million using micro charges made to more than a million credit and debit cards in an elaborate multiyear scam, according to a lawsuit filed by the Federal Trade Commission in March.

The fraudulent charges went unnoticed by the majority of card owners because they were made in small amounts – ranging from 20 cents to $10 – that bypassed fraud detection algorithms, and because the scammers typically made only one fraudulent charge per card.

The sophisticated scam, which was first reported by IDG News Service, began in 2006 and was stifled only recently after the FTC succeeded to shut down merchant accounts the scammers were using and halt the activities of at least 14 money mules who were laundering illegal proceeds for the gang.

According to court documents filed (.pdf) in the U.S. District Court for the Northern District of Illinois, the scammers – identified only as "John Does" in the complaint – recruited money mules through a spam campaign that sought to hire a U.S.-based financial manager for an international financial services company.

Mules who responded to the ad and were chosen for the task opened multiple bank accounts and about 100 limited liability companies for the scammers, which were then used to make the fraudulent charges and launder money to bank accounts in Cyprus and several Eastern European countries, including Estonia and Lithuania.

Front companies set up by the mules included Albion Group, API Trade, ARA Auto Parts Trading, Data Services, New York Enterprizes, and SMI Imports, among others.

The scammers then purchased domain names and set up phone numbers and virtual office addresses for the front companies through services such as Regus. They used this information – along with federal tax ID numbers stolen from legitimate companies with similar names – to apply for more than 100 merchant accounts with credit card processors, such as First Data.

According to IDG,

They used another legitimate virtual business service – United World Telecom's CallMe800 – to have phone calls forwarded overseas. To further make it seem as though their companies were legitimate, the scammers would set up fake retail Web sites. And when credit card processors asked them to provide information about company executives, they handed over legitimate names and social security numbers, stolen from ID theft victims. When they had to log into payment processor Web sites, they would do this from IP addresses that were located near their virtual offices, again evading payment processor fraud detection services.

Once approved by the card processors, the front companies were able to charge consumer credit and debit cards. Money charged to the cards was directed into the bank accounts set up by the money mules, who then transferred it to accounts overseas.

The charges showed up on consumer credit and debit card statements with a merchant name and toll-free phone number. But consumers who called the numbers to question the charges generally encountered an automated voicemail recording saying the number had been disconnected or instructing them to leave a detailed message. The calls, of course, were never returned.

More than 1.35 million cards were used to make fraudulent charges, according to IDG, but 90 percent of the charges went uncontested by consumers.

The FTC has been unable to identify the scammers so far, though finding the money mules was much easier. One of the mules, James P. Smith of Brownwood, Texas, wrote the judge in the case that he worked for a scammer named "Alex Moore" for four years, never realizing that he was involved in anything illegal.