On Tuesday, the U.S. Department of Justice said that it was seeking the extradition of a Moldovan named Andrey Ghinkul, who was arrested in Cyprus in August and is allegedly part of the heist. Criminals in Eastern Europe created the malware, which is also known as Bugot, to collect online banking information, according to the Guardian. The theft has affected American bank accounts as well.

“The indictment alleges that Ghinkul and his co-conspirators used the malware to steal banking credentials and then, using the stolen credentials, to initiate fraudulent electronic funds transfers of millions of dollars from the victims’ bank accounts into the accounts of money mules, who further transferred the stolen funds to other members of the conspiracy,” according to a release from the Justice Department. “Specifically, according to the indictment, on Dec. 16, 2011, Ghinkul and others allegedly attempted to cause the electronic transfer of $999,000 from the Sharon, Pennsylvania, City School District’s account at First National Bank to an account in Kiev, Ukraine, using account information obtained through a phishing email.” The Department of Justice also alleges that Ghinkul attempted to transfer money from Penneco Oil to Eastern European bank accounts.