Hundreds of thousands of accounts have been compromised, as a Trojan started running around loose thanks to an online crime group, a report by RSA FraudAction Research revealed on Friday. RSA has been tracking the Trojan for the past three years, in which time 500,000 credit cards, debit cards, and online bank accounts have been compromised or stolen login credentials, but other information such as email, FTP accounts data was also compromised.

The report describes the Trojan as “one of the most pervasive and advanced pieces of crimeware ever created by fraudsters.” In the past, a Russian online gang with ties to the Russian Business Network (RBN) was believed to have been behind the Trojan, however now, the ties with RBN seems to have been changed or removed.

The major advantage of the Trojan, and disadvantage for the ones trying to stop it, is that it is untraceable, which has clearly helped the online criminal organization to keep the “business” alive for the past three years.

“Almost three years is a very, very long time for just one online gang to maintain the lifecycle and operations in order to effectively utilize just one Trojan,” the report writes.

Furthermore, it is not only its longevity that worries analysts, but also its upward trend that has been manifesting in the last months. As it appears, just like other Trojans, this one also injects web pages or information fields into the victim’s internet browser, making them look legit, and prompting them for personal information, which some people actually give, although they have been warned not to by their bank.

The victims targeted are from all over the world, and not at all surprisingly, except Russia. The findings prompted RSA FraudAction Research Lab to disseminate the information among law enforcement agencies and the affected financial institutions, hoping the Trojan will be stopped at some point.