FBI closes in on zombie PC gang

[Image caption: It is an unusual move for police to take over criminal machines]

US crime-fighters are closing in on a gang behind a huge botnet after taking control of the criminals' servers.

It is the first time FBI investigators have used such a method.

The US Justice Department had to seek court permission from a judge to carry out the sting.

It enabled the authorities to issue their own commands, effectively ordering the malware to shut down. It also logged the IP addresses of compromised machines.

It means the authorities will be able to notify ISPs about which machines have been infected, and ISPs in turn can let victims know that their machines have been taken over.
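The notification step described above boils down to turning a sinkhole's connection log into a per-ISP list of infected addresses. The following is an added example, not code from the article or from any law-enforcement tool: it assumes a sinkhole server that writes one line per bot check-in in the form `<timestamp> <source IP> <botnet tag>`, and it uses a constructed prefix-to-ISP table (the `PREFIX_TO_ISP` dict and the `ExampleNet-*` names are placeholders) where a real deployment would query an ASN or WHOIS abuse-contact database. The log lines and addresses are constructed from RFC 5737 documentation ranges.

```python
"""Aggregate sinkhole check-in logs into per-ISP victim notification lists.

Added example (not from the article). Assumes a sinkhole that logs
"<ISO timestamp> <src_ip> <botnet_tag>" per inbound connection and a
constructed prefix table in place of a real IP-to-ASN lookup.
"""
import ipaddress
from collections import defaultdict
from datetime import datetime

# Constructed sample sinkhole log (documentation addresses only).
SINKHOLE_LOG = """\
2011-04-13T10:00:01Z 192.0.2.17 coreflood
2011-04-13T10:00:05Z 192.0.2.17 coreflood
2011-04-13T10:01:12Z 198.51.100.8 coreflood
2011-04-13T10:02:44Z 203.0.113.77 coreflood
2011-04-13T10:03:00Z 10.0.0.5 coreflood
2011-04-13T10:03:10Z not-an-ip coreflood
2011-04-13T10:04:30Z 198.51.100.9 coreflood
"""

# Constructed prefix table (assumption): a real system would resolve each
# prefix to the ISP/ASN abuse contact that owns it.
PREFIX_TO_ISP = {
    ipaddress.ip_network("192.0.2.0/24"): "ExampleNet-A",
    ipaddress.ip_network("198.51.100.0/24"): "ExampleNet-B",
    ipaddress.ip_network("203.0.113.0/24"): "ExampleNet-C",
}

# Sources that cannot belong to an ISP customer: RFC 1918 space and loopback.
# Such entries usually come from the sinkhole operator's own test traffic.
# (Explicit list rather than ip.is_private, because the documentation
# ranges used as stand-ins above would otherwise be filtered out too.)
UNATTRIBUTABLE = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")
]


def parse_line(line):
    """Return (timestamp, ip, tag), or None for malformed/unattributable lines."""
    parts = line.split()
    if len(parts) != 3:
        return None
    ts_raw, ip_raw, tag = parts
    try:
        ts = datetime.strptime(ts_raw, "%Y-%m-%dT%H:%M:%SZ")
        ip = ipaddress.ip_address(ip_raw)
    except ValueError:
        return None
    if any(ip in net for net in UNATTRIBUTABLE):
        return None
    return ts, ip, tag


def lookup_isp(ip):
    """Map an address to its ISP via the constructed prefix table."""
    for net, isp in PREFIX_TO_ISP.items():
        if ip in net:
            return isp
    return "UNKNOWN"


def build_notifications(log_text):
    """Return {isp: {ip_str: (first_seen, last_seen, check_ins)}}.

    One entry per victim IP, so an ISP is told about each host once even
    if the bot checked in many times.
    """
    per_ip = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ts, ip, _tag = rec
        first, last, hits = per_ip.get(ip, (ts, ts, 0))
        per_ip[ip] = (min(first, ts), max(last, ts), hits + 1)
    report = defaultdict(dict)
    for ip, stats in per_ip.items():
        report[lookup_isp(ip)][str(ip)] = stats
    return dict(report)


if __name__ == "__main__":
    for isp, victims in sorted(build_notifications(SINKHOLE_LOG).items()):
        print(f"{isp}: {len(victims)} infected host(s)")
        for ip, (first, last, hits) in sorted(victims.items()):
            print(f"  {ip} first={first:%H:%M:%S} last={last:%H:%M:%S} check-ins={hits}")
```

Deduplicating per address before grouping matters in practice: a bot that polls the sinkhole every few seconds should not produce thousands of notices for one customer, and first/last-seen timestamps let the ISP tell a still-infected host from one that was cleaned up. Dynamic addressing means the IP alone only identifies a subscriber at a given time, which is why the timestamps, not just the address, need to reach the ISP.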

A similar approach was used last year by Dutch police as part of their shutdown of the Bredolab botnet.

At the time, privacy experts questioned the legality of such a move.

Millions recruited

A botnet is a network of infected computers, also known as zombie PCs.

Coreflood, the malware program prompting the FBI investigation, has been around for at least a decade and can record keystrokes, allowing criminals to take over unsuspecting computers and steal passwords, banking and credit card information.

It is believed to have recruited around 2.3 million machines and raked in millions for those behind it.

Officials have not said where the attacks came from, although it appears consistent with cybercrime activity in Eastern Europe.

Investigators seized five of the botnet's servers that were controlling hundreds of thousands of infected machines.

They also seized 29 domain names used by the botnet.

"As a result the zombie machines in the Coreflood network are being re-routed to communicate with the server controlled by law enforcement agencies," explained Noa Bar Yosef, a senior strategist at security firm Imperva.

"The 'good' server can then issue commands to stop the malware execution on the compromised machines."
