Three alleged members of a prolific Nigerian cybercrime ring have been arrested in Lagos, part of a larger group that’s distributed malware, phishing campaigns and business email compromise scams affecting some 500,000 companies around the world.

The hackers, identified only as OC, 32, IO, 34, and OI, 35 and linked to a gang dubbed TMT, were brought in after an investigation by Singapore-based cybersecurity firm Group-IB, Interpol and the Nigerian police.

The suspects are alleged to have used phishing links and mass emailing campaigns under the guise of purchasing orders, product inquiries and even Covid-19 aid, infecting organizations and siphoning funds from businesses and individuals.

Group-IB said in a statement that the group is suspected of compromising  government and private sector companies in more than 150 countries since 2017, including the U.S., Japan and the U.K..

Group-IB has been tracking the group since 2019 and is still investigating how the hackers monetized the data, though it’s common among criminals to sell such data in underground markets, the cybersecurity firm said.

The  security firm discovered that the group is divided into subgroups and says that a number of individuals who are members of the ring remain at large.

“The analysis of their operations revealed that the gang focuses on mass email phishing campaigns distributing popular malware strains under the guise of purchasing orders, product inquiries, and even COVID-19 aid impersonating legitimate companies,” Group-IB said.

Phishing emails were sent using Gammadyne Mailer and Turbo-Mailer, while MailChimp was employed to track whether recipients did open a message. Compromised email accounts were also used to send phishing messages.