Kaspersky said in a report released on Monday that losses of $300 million had been confirmed, but forecast that up to $100 billion could have been taken.
"These attacks constitute a new level of sophistication in the techniques used against financial establishments," Kapersky Lab expert Sergey Lozhkin, who has worked with Interpol and Europol on an investigation into the crime, said in a television interview.
He said the identity of the hacker was not yet known but, according to the report, evidence pointed to a cybercriminal gang with members from Russia, Ukraine and China.
The report said the gang, referred to by the name of the hacking software it uses - Carbanak - came to the attention of authorities after an A.T.M. in the Ukrainian capital of Kiev started dispensing cash at random times of day in 2013, even though no customer had touched the machine.
Cameras showed that the piles of money which came out were taken by whoever was walking by at the moment.
Kaspersky was called in to investigate the incidents.
Perpetrators used a variety of means to get money out of the computer systems of banks in more than 30 countries around the world, he said.
One method used fake emails from genuine financial institutions, including the Central Bank, using Microsoft Word attachments.
“If a bank employee who received the email had old software, then the system’s vulnerability allowed the malware to infect the computer,” Lozhkin said.
After that, a number of sophisticated means would let the hackers first learn how a particular employee was working with the bank’s internal programs.
The malware would move from one computer to another and eventually gain full access to the bank’s entire system.
- 'Weaponized' files
In some cases it was then able to transfer money from the banks' accounts to those of gang members, or even able to tell cash machines to dispense cash at a pre-determined time of day.
Kaspersky said each bank robbery took between two and four months on average, with up to $10 million being stolen each time.
According to the report, spear-phishing emails were used containing attachments with "weaponized" Microsoft Word 97 – 2003 and Control Panel Applet files.
The malicious files exploit Microsoft Office and Microsoft Word to execute the Carbanak hacking software.
Sergey Golovanov, Principal Security Researcher at Kaspersky Lab’s Global Research and Analysis Team, said: "These bank heists were surprising because it made no difference to the criminals what software the banks were using.
"So, even if its software is unique, a bank cannot get complacent."
"The attackers didn’t even need to hack into the banks’ services: once they got into the network, they learned how to hide their malicious plot behind legitimate actions. It was a very slick and professional cyber-robbery," he said.
- Stolen money
When the time came to cash in on their activities, the criminals used online banking or international e-payment systems to transfer money from the banks’ accounts to their own.
In the latter case, the stolen money was deposited with banks in China or the United States.
Experts do not rule out the possibility that banks in other countries were used as receivers.
Cybercriminals penetrated right into the very heart of the accounting systems in other cases, inflating account balances before pocketing the extra funds via fraudulent transactions.
For example: if an account had $1,000 in it, the criminals would change its value so it appeared to have $10,000 and then transferred $9,000 to themselves.
The account holder would not suspect a problem as the original $1,000 was still there.
The cyber thieves also seized control of banks’ ATMs and ordered them to dispense cash at a pre-determined time.
When the payment was due, one of the gang’s henchmen would be waiting beside the machine to collect the "voluntary" payment.
While the majority of about 100 robbed banks were in Russia, financial institutions were also targeted in Japan, Europe and the U.S.
Turkish banks have so far not been indicated to have been targets, but that is not certain.
Banks that have been hit try to keep knowledge of the attacks from becoming public, as it hurts their reputation.
Sanjay Virmani, director of Interpol Digital Crime Center, said in the report: "These attacks again underline the fact that criminals will exploit any vulnerability in any system.
"It also highlights the fact that no sector can consider itself immune to attack and must constantly address their security procedures."