MADRID — Europol, the European police agency, said Wednesday that it had dismantled one of the most efficient cybercrime organizations to date, led by Russians who had managed to extort millions of euros from online users across more than 30 countries — mostly European — by persuading them to pay spurious police fines for abusive use of the Internet. The Russian head of the crime network was arrested in Dubai, United Arab Emirates, in December. This month, the Spanish police arrested 10 other people — six Russians, two Ukrainians and two Georgians — along the Costa del Sol, a popular vacation destination in southern Spain, where the criminals are believed to have had their main base of operations.
The search continues, however, for other possible cells operated by the criminal network outside of Europe, investigators said.
The criminal threat, essentially a form of online extortion called ransomware, relied on malware that authorities believe was developed by the Russian-led gang. It locked a user’s computer, and send a message in the form of a fake police warning, demanding 100 euros ($134) to unlock it.
“This is the first major success of its kind against a very new phenomenon that we have only identified in the last two years,” Rob Wainwright, the director of Europol, said at a news conference at the Interior Ministry in Madrid. “This is a mass marketing scam to distribute this thousands of times and rely on the fact that even if only 2 percent fall victim to the scam, it is still a very good pickup rate.”
Mr. Wainwright estimated that 3 percent of those victimized had paid the fake fines. Europol did not give an overall estimate of how much money the criminals might have gained, but in Spain alone they are believed to have collected more than 1 million euros ($1.3 million), said Francisco Martínez, Spain’s secretary of state for security.
Computer security experts in the United States recently estimated that computer criminals make more than $5 million a year on ransomware, though many say that is too conservative.
Investigators suggested on Wednesday that the software used by the criminals could also be aimed at online users who were actually likely to have made unlawful use of the Internet, by picking up key words linked to illegal activities like child pornography or illicit file swapping. That would make the threat of a fine for abusive use of the Web more believable for the user.
Mr. Wainwright emphasized the complexity of the software, with as many as 48 mutations of the virus detected.
“It used the idiom and logo of each specific police service,” he said. “Even Europol and my own name have been used to defraud citizens.”
In most cases of ransomware, victims do not regain access to their computer unless they hire a technician to remove the virus manually. In Spain, after thousands of complaints, the Interior Ministry set up a Web site to help users uninstall the virus. The Web site received about 750,000 visits last year.
The Spanish police received 1,200 official complaints about the virus since it was first detected in Spain in May 2011.
“What is clear is that the organization had a very well-structured and complex infrastructure developed from Russia,” said José Rodríguez, a chief inspector in Spain who handled the investigation.
But he said that it also allowed them to “keep track of victims in Spain, Europe, the U.S. and elsewhere” from their base in southern Spain. “These people could have operated from anywhere but somehow found it more convenient to do so from Spain,” Mr. Rodríguez said.
The Spanish police said six of the 10 people arrested this month had already been detained, charged with money laundering, fraud and involvement in a criminal organization. The four others remain under investigation. Europol offered no details on the Russian who was suspected of leading of the gang who was arrested in December.
The Spanish police also seized several computers and more than 200 credit cards. They said the suspects also had 26,000 euros ($35,000) in cash, which they were planning to transfer to Russia on the day of their arrest.
Europol and other police agencies are still trying to determine just how much money the criminals gained and what it was used for. The gang laundered the money in Spain and elsewhere and sent it to Russia via electronic payments.
Europol started its investigation in December 2011 from its operational center in The Hague, after six countries reported more than 20,000 victims of the virus. While the virus generally came with a police warning, the gang is believed to have used different versions to deceive more users, including one fraudulent message that was designed to look as if it had been sent by the Spanish association that defends artists’ copyrights.