The Cyber Police of Ukraine has arrested three individuals on suspicion of hijacking more than 100 million emails and Instagram accounts from users across the world.

The suspects, aged between 20 and 40, are said to be part of an organized criminal group living in different parts of the country. If convicted, they face up to 15 years in prison.

The accounts, authorities said, were taken over by carrying out brute-force attacks, which employ trial-and-error methods to guess login credentials. The group operated under the direction of a leader, who distributed the hacking tasks to other members.

The cybercrime group subsequently monetized their ill-gotten credentials by putting them up for sale on dark web forums.

Other threat actors who purchased the information used the compromised accounts to conduct a variety of fraudulent schemes, including those in which scammers reach out to the victim’s friends to urgently transfer money to their bank account.

“You can protect your account from this method of hacking by setting up two-factor authentication and using strong passwords,” the agency said.

As part of the operation, officials conducted seven searches in Kyiv, Odesa, Vinnytsia, Ivano-Frankivsk, Donetsk, and Kirovohrad, confiscating 70 computers, 14 phones, bank cards, and cash worth more than $3,000.

The development comes as a U.S. national pleaded guilty to breaching over a dozen entities in the U.S., including a medical clinic in Griffin, and exfiltrating the personal information of more than 132,000 individuals. He is scheduled for sentencing on June 18, 2024.

Robert Purbeck (aka Lifelock or Studmaster) “aggravated his crimes by weaponizing sensitive data in an egregious attempt to extort his victims,” U.S. Attorney Ryan K. Buchanan said.

According to the U.S. Department of Justice (DoJ), Purbeck, who pleaded guilty to federal charges of computer fraud and abuse, purchased access to the clinic’s computer server from the darknet in 2017, leveraging it to siphon medical records and other documents that contained data pertaining to over 43,000 individuals, such as names, addresses, birthdates, and social security numbers.

The defendant also acquired credentials from an underground marketplace that granted unauthorized access to a server used by the police department of the City of Newnan in Georgia. He then plundered records consisting of police reports and documents that had information belonging to no less than 14,000 people.

As part of the plea agreement, Purbeck agreed to pay more than $1 million in restitution to the impacted 19 victims. He was indicted by a federal jury in March 2021.