Hackers looted $10 million from an ATM network, affecting financial institutions throughout the United States and overseas.

The MoneyTaker group, named after malware used in the crime spree, started siphoning accounts no later than May 2016. After penetrating one U.S. bank, they raided at least 20 other companies—including one law firm.

So it’s not just about looking over your shoulder when you use an ATM; better check out who is handling your money.

ATM Network

A Moscow-based security firm discovered the previously unknown hackers. According to reports, they are “likely to strike again.”

“A number of incidents with copied documents that describe how to make transfers through SWIFT are being investigated by Group-IB,” the company said. “Their contents and geography indicate that banks in Latin America may be targeted next by MoneyTaker.”

Last year, cybercriminals acquired stolen SWIFT credentials and nearly got away with $1 billion from a bank in Bangladesh. Police told Reuters that the bank lacked firewalls and used a $10 second-hand network.

In the Group-IB report, the security firm identifies techniques the hackers used to enter the ATM network. It also offers an analysis of the cybercriminal infrastructure and indicators of compromise to any network.

In-Memory Malware

Ars Technica said the hackers used malware that is stored in computer memory, “a feature that makes them extremely hard to detect by antivirus defenses.”

“The in-memory malware also makes it hard for targets to know they were hacked since all traces are destroyed as soon as a computer is rebooted,” the ezine said.