The criminal gang behind the CryptoWall extortion malware has recently raked in a haul of Bitcoins worth hundreds of thousands of dollars from its unknown victims, security firm PhishMe has revealed.

The true scale of the gang’s campaign will probably run to millions in ransoms, but the firm gained an eye-opening insight into its success after taking a look at just two of the Bitoin wallets traced to the attacks.

The first used by ‘Leo1’ contained 710 Bitcoins worth around $710,000 (£420,000 as of 19 July),  while another traced to a phishing campaign detected by one of its customers had within it 38 Bitcoins, or $22,000 worth of takings.

CryptoWall was now attacking victims using phishing emails embedded with shortened Google URLs,  PhishMe said.

“Through the power of user reporting, we received the report, discovered the malicious nature of the shortened URL, and reported the issue to Google, all within a span of 30 minutes. Google reacted quickly and took the link down shortly after our report,” wrote PhishMe’s researchers in a blog describing the attack.

The short URL had been clicked on 281 times which meant that all of these people would have downloaded a malicious zip file containing a new variant of CryptoWall.  After running this through VirusTotal, as of last week, only a small minority of antivirus products could detect the new variant, PhishMe said.

CryptoWall’s victims are not only SMEs and home users; two weeks ago US brokerage Benjamin F. Edwards & Co admitted that suffered a potential data breach in May after an employee’s PC was infected by the malware.

In June a New Hampshire police department said it had no plans to pay the Bitcoin ransom after a CryptoWall infection briefly caused chaos inside its network.