Suspects linked to the Clop ransomware gang have been detained in Ukraine after a joint operation by law enforcement agencies in Ukraine, South Korea and the United States.

Ukrainian police detained six people after searches in the capital Kyiv and nearby regions. While it’s unclear whether the defendants are affiliates or core developers of the ransomware operation, they are accused of running a “double extortion” scheme, in which victims who refuse to pay the ransom are threatened with the leak of data stolen from their networks prior to their files being encrypted.

The police also seized equipment from the alleged Clop ransomware gang, said to be behind total financial damages of about $500 million. Law enforcement has managed to shut down the infrastructure from which the virus spreads and block channels for legalizing criminally acquired cryptocurrency.

Clop is also linked to the ransomware attack and data breach at Accellion, in which hackers exploited flaws in the IT provider’s FTA software to steal data from dozens of its customers. Victims of this breach include Singaporean telecom Singtel, law firm Jones Day, grocery store chain Kroger and cybersecurity firm Qualys.

The dark web portal that Clop uses to share stolen data is still up and running, although it hasn’t been updated for several weeks. But law enforcement typically replaces a target’s website with its own logo in the event of a successful takedown, which suggests that members of the gang could still be active.

News of the arrests comes as international law enforcement turns up the heat on ransomware gangs. It follows the raid on DarkSide, the group that played a major role in the Colonial Pipeline attack.