The UK National Crime Agency (NCA) has arrested fourteen individuals suspected of laundering more than £11 million stolen through the use of malware.

The money was stolen after the victims were infected with Dridex and Dyre malware, which collected their bank details and allowed the criminals to access their bank accounts.

The money in those accounts would be dispersed in smaller amounts to other bank accounts in the UK and in Eastern Europe.

The thirteen men and a woman were arrested last Wednesday, in London, Daventry and West Bromwich. Some of them are foreign nationals.

“[They] are suspected to have laundered the criminal profits through hundreds of accounts at various UK banks, using false identity documents and ‘money mules’ recruited and controlled by the crime group,” the NCA noted.

During the arrests, the officers seized cash, electronic devices (that will be subjected to forensic analysis), and multiple false identity documents.

“The malware utilised in this case hits small and medium sized businesses particularly hard,” said Mike Hulett, Head of Operations at the NCA’s National Cyber Crime Unit.

“Those responsible for writing, developing and deploying malware code also rely heavily on other organised criminals like money launderers, and their fraudulent proceeds can then be used to fund other criminality.”

UK law enforcement was aided by Moldovan and Romanian authorities in this investigation, as well as the banking industry.

UK and US law enforcement agencies substantially disrupted the Dridex botnet in October 2015, after the arrest of Andrei Ghincu, a Moldovan administrator of the botnet.

A month later, Russian authorities arrested the gang behing the Dyre banking malware.

The disruption of the Dridex botnet was only temporary, as the botnet is segregated into a number of subnets, each likely operated by a different team of attackers.

Those that were not arrested continued pumping out malicious spam, and begun delivering ransomware. In May, the subnet delivering the Locky malware was compromised, and the malicious payload was swapped with an innocuous, dummy file.