The three suspects allegedly hijacked more than 100,000 computers worldwide and connected those in a botnet.
The three individuals, whose names were not disclosed, allegedly commandeered the computers using malicious code known as a Trojan horse, Dutch prosecutors said in a statement Friday. The investigation is ongoing and more arrests are expected, prosecutors said.
The main suspect is a 19-year-old male; the other two suspects are 22 and 27. Police confiscated computers, documents, cash and a sports car in searches of the suspects' residences. Investigators also took control of a bank account, prosecutors said.
The Trojan horse, called W32.Toxbot, was first spotted early this year. It was surreptitiously installed on computers and let the attackers remotely control infected systems and steal confidential information by logging keyboard entries, prosecutors said.
Antivirus software does detect the Trojan, but the suspects, in a race with the antivirus software makers, kept tweaking their malicious code to hide it, prosecutors said.
Investigators accuse the suspects of hacking into computers, destroying computer networks and installing adware and spyware. The suspects are also thought to have sold their services to others, writing viruses that were designed to steal login data for online banking, prosecutors said.
The investigation also suggests that the suspects hacked into accounts at payment service PayPal and online auction giant eBay.
Furthermore, the suspects allegedly used their network of hijacked computers, known as a botnet, in an extortion scheme against an unidentified U.S. business. The "bot herders," as insiders call them, are thought to have threatened to bring down the company's Web site by launching a denial-of-service attack, prosecutors said.
"With 100,000 infected computers, the now dismantled botnet is one of the largest ever seen," Dutch prosecutors said in their statement. The network of hijacked, or zombie, PCs, consisted of home PCs worldwide, they said.
Botnets are considered one of the most serious security threats on the Internet. These botnets are typically rented out to relay spam and launch phishing scams, which attempt to steal sensitive personal data for fraud. Botnets have also been used in blackmail schemes against targeted online businesses.
While a significant botnet was taken down, the arrests won't make a dent in the overall online criminal activity, said Craig Schmugar, a virus research manager at McAfee. "There are other bot commanders who will take the place of the ones arrested. These attackers have been pulled out of the mix, but their absence won't be missed," he said.