An Albanian hacker accused of being involved in a $14m cyber attack pleaded guilty to bank fraud in a New York hearing on Friday.
Qendrim Dobruna, 27, stole card data from a US payment service working with American Red Cross, using the information to withdraw money from cash points worldwide.
US attorney Loretta Lynch said: "The defendant and his associates hacked into the global financial system and helped themselves to funds using prepaid debit cards meant for the needy and vulnerable."
More than 15,000 cash point transactions took place in around 18 states, with the attack taking place over two days in February 2011, according to Information Week.
The attack pattern was named an "unlimited operation" by prosecutors in similar cases, due to the potential for limitless withdrawal from debit accounts affected.
Dobruna, who went by the aliases "cl0sEd" and "cL0z", was arrested in Stuttgart, Germany in March 2012 before being extradited to the US.
Secret service special agent in charge Robert Sica said: "The Secret Service worked closely with the Department of Justice and Interpol to share information and resources that ultimately brought Qendrim Dobruna to justice.
"This case demonstrates there is no such thing as anonymity for those engaging in data theft and fraudulent schemes."