Cyber criminals in Russia targeted domestic bank customers with malware designed to infect Android devices, and were planning to expand the attack to European leaders before being arrested, Reuters reported.

The attack on Russian banking customers netted the hackers just short of $1 million—about $892,000 in total. It is believed the group responsible for the attack had obtained a more powerful piece of malware that it was using to target clients of banks in France and other western countries.

Read: North Korean Hackers Accused Of Sony Pictures Attack Linked To $81M Bangladesh Bank Heist

The hacking group—which was known as Cron, named after the malware they used—carried out the attack by creating fake mobile banking applications that looked and behaved like the bank’s real app. The fake apps containing the malware would appear in searches for the genuine apps and users would be tricked into downloading the phony version.

The malware was also inserted into fake versions of apps for popular ecommerce and pornography services.

Customers of state-run banks Sberbank were the primary targets of the attack, but the hackers were also able to steal money from accounts at Alfa Bank and online payments company Qiwi by exploiting a flaw in the company’s text message transfer service.

Once a user’s device was infected, the group was able to send an SMS message from those devices to the banks. Those messages would request the bank transfer money from the compromised user’s account into an account belonging to the hacking collective.

Because of limitations on the text-based transfers, the hackers had to move the money in small increments—$120 at a time. They created a network of bank accounts, about 6,000 in total, to which they would send the stolen funds.

Read: Hackers Pull Off Largest Bank Heist Ever, Steal $1B From 100 Banks In 30 Nations: Report

The attack was able to bypass two-factor authentication features that would require a user to enter a secondary code—often sent via text message—to confirm their identity. The malware would intercept the authentication code sent by the bank and prevent the victim from receiving a message notifying them of the transaction.

The group began targeting European banks as well, including large French firms Credit Agricole, BNP Paribas and Societe General. No funds were stolen from customers of the French financial institutions.

A total of 16 people have been arrested thus far in relation to the case, including a 30-year old man who is believed to be the leader of the group of 20 members operating across six different regions of Russia. The hackers operated for nearly a year before their arrest.

Four people arrested in relation to the case remain in detention while the rest are under house arrest, according to the Russian Interior Ministry. Computers, bank cards and SIM cards registered under fake names have been collected during police raids related to the hack.