Previously undetected MoneyTaker gang is likely to strike again.

A previously undetected hacker group has netted around $10 million in heists on at least 20 companies, in some cases by targeting the transfer networks banks use to transfer money, a Moscow-based security firm said Monday.

Members of the MoneyTaker group, named after a piece of custom malware it uses, started its heist spree no later than May 2016. That’s when it penetrated an unnamed US bank, according to researchers with Group-IB in a report titled MoneyTaker: 1.5 Years of Silent Operations. The hackers then used their unauthorized access to control a workstation the bank used to connect to the First Data STAR Network, which more than 5,000 banks use to transact payments involving debit cards.

MoneyTaker members also targeted an interbank network known as AWS CBR which interfaces with Russia’s central bank. The hackers also stole internal documents related to the SWIFT banking system, although there’s no evidence they have successfully carried out attacks over it.

Last year, online criminals used stolen SWIFT account credentials to steal $81 million from a bank in Bangladesh. Group-IB said the amount of information MoneyTaker has amassed on the Star, SWIFT, and AWS CBR networks raised the possibility the group may be planning more heists that target the interbank payment systems.

“A number of incidents with copied documents that describe how to make transfers through SWIFT are being investigated by Group-IB,” company officials said in a statement. “Their contents and geography indicate that banks in Latin America may be targeted next by MoneyTaker.”

Over the past 18 months, Group-IB has uncovered evidence that MoneyTaker has successfully breached 18 banks or credit unions, two financial services businesses, and one law firm. Two of the targets were located in Russia, one target was in the UK, and the rest were in the US. The average amount stolen in each hack was $500,000.

The hackers use malware that’s stored almost entirely in computer memory, a feature that makes them extremely hard to detect by antivirus defenses. The in-memory malware also makes it hard for targets to know they were hacked since all traces are destroyed as soon as a computer is rebooted. Group-IB said a programming error that allowed some of the code to remain ultimately blew MoneyTaker’s carefully constructed cover. The group’s attacks also rely on the Metasploit framework to work. After gaining initial access to a targeted network, the attackers perform reconnaissance to gain domain administrator privileges and eventually consolidate control over the network. They also encrypt communications using certificates that have names such as Bank of America, Federal Reserve Bank, Microsoft, and Yahoo.