The security firm Group-IB said the victims had been relieved of the equivalent of between US$1500 and US$8000 daily and the funds had been converted into cryptocurrencies for laundering.
The group tricked Russian bank customers into downloading malicious mobile apps, with one called "banks at your fingertips" claiming to be an aggregator of all the country's leading banking systems.
It promised users "one-click" access to all bank cards to view balances, transfer money from card to card and pay for online purchases. The app, first seen in 2016, was distributed through spam.
After this, the money from the victim's account would be transferred out in small amounts, like US$200 to US$500, to accounts that had been set up for this precise purpose. SMS confirmation codes were intercepted from the victim's phone and any SMS confirmations of transactions were blocked.
One member of the group, an unemployed Russian man, who had previous convictions for arms trafficking, was identified and SIM cards and fraudulent bank cards were found in his possession.
Group-IB said the investigation was continuing.