The FBI has arrested 13 people on charges that they participated in a gang that stole more than $1 million via cash-advance kiosks at 11 casinos and resorts, according to an article in InformationWeek.

The related indictment, unsealed Friday, says the gang “stole the money by exploiting a gap—which required multiple withdrawals all within 60 seconds—in Citibank’s electronic transaction security protocols.” The gang primarily targeted casinos and resorts in Las Vegas and Southern California, the article says.

According to court documents, accused ringleader Ara Keshishyan, 29, recruited other member of the gang to open multiple Citibank checking accounts, which were filled with seed money. “When inside the casino, the conspirators, including Keshishyan, used cash advance kiosks at casinos in California and Nevada to withdraw – all within 60 seconds – several times the amount of money deposited into the accounts, by exploiting the Citibank security gap they discovered.”

The gang also reportedly kept each individual withdrawal below $10,000, which is at the threshold at which casinos must report the transaction to federal authorities.

According to InformationWeek, these attacks are notable for highlighting how motivated attackers might benefit from even the tiniest information security misstep. The loophole exploited by attackers has reportedly now been fixed.