The attacks use a combination of phishing, malicious links and modified Trojans, according to Uri Rivner, senior researcher at RSA, the security division of EMC.
The gang impersonated employees responsible for buying and selling carbon emission permits, he told RSA Conference 2011 in San Francisco.
They gathered intelligence about the carbon registries in 25 nations and then used the information to craft targeted e-mails containing links to documents infected with the Nimkey banking Trojan.
The criminals used the Trojan to steal account credentials, which were then used to carry out transactions and divert the proceeds into accounts controlled by accomplices.
Using this technique, the gang stole $31m (£19.1m) from a Romanian cement company and $25.6m from the Czech Republic registry.
The European Commission shut down all the registries in mid-January and although some have been allowed to reopen, most remain closed.
This story was first published by Computer Weekly