Over 20 suspected hackers were arrested by U.S. law enforcement Tuesday after a massive sting operation by the FBI uncovering online financial fraud using stolen credit card and bank information. The sting spanned four continents.

FBI agents posed as hackers on various forums on the Internet observing the other hackers. During this two year investigation, the FBI uncovered how hackers exchanged different ways to breach date security and how they created fake credit cards for purchases on the internet and in person.

According to U.S. authorities, the FBI was able to prevent “$205 million in possible losses on over 411,000 compromised consumer credit and debit cards.” During the investigation, FBI contacted people and companies attacked by the hackers and helped them fix the security reaches and showed them how to protect themselves from future attacks.

The FBI’s sting focused on a forum they created called “Carder Profit.” The forum served as an online market for hackers to exchange stolen account numbers.

The ages of the men arrested range from 18 to 25. Some of the men have been charged with a “conspiracy to commit wire fraud charges and access device fraud charges.” If convicted of the crimes, they could face up to 40 years or more in prison. Of the 24 people arrested, eleven people were United States; thirteen others were arrested in countries from Britain to Japan.

Mir Islam, an 18 year-old New York resident and also known as “JoshTheGod” online, has been charged with “trafficking in 50,000 stolen credit card numbers.” According to the story on Yahoo.com, authorities have said Islam has “admitted to helping emerging hacker outfit UgNazi, which said it had launched a cyber attack against the microblogging platform Twitter last week.”

Also on Tuesday, a complaint was filed against filed a complaint Wyndham Worldwide Corp and three of its subsidiaries by the U.S. Federal Trade Commission. In the complaint, the FTC alleges that the hotel company failed to secure their customers personal information which resulted in the “theft of hundreds of thousands of consumers payment card numbers, which were sent to an Internet address registered in Russia and $10.6 million in fraudulent charges.”