A key break in the case came from a compromised computer server in the United Kingdom that FBI agents at first believed served as a communications hub for the hackers. British police secretly copied the contents of the server.
On the server, FBI agents found a password-protected site visitcoastweekend.com that included a detailed ledger of hundreds of financial transactions with dates, company names and amounts, court papers say. Among them was the Pennsylvania plastics company and an entry noting a $198,000 wire transfer stolen Oct. 20, 2011. Ultimately, agents found that every transaction matched bank fraud reports.
A confidential informant tipped the FBI off to the syndicate administrator's email address, court papers say. From the emails, obtained through a search warrant served on a U.S. online provider, FBI agents linked the address to Bogachev and the server logs that hosted the website where agents found the ledger.
"We had to backtrack the computer traffic from server to server, from country to country," says FBI Special Agent Tim Gallagher, special agent in charge of the cyber crime division at the Washington Field Office, which led the investigation into CryptoLocker. "As we unwound this case, we needed and enlisted the help of numerous foreign countries."
Gallagher said Russian authorities are cooperating on the case.
Once the FBI understood the network's structure, the cyber squad devised a massive technical plan to take it down. Analysis of the network found that the hackers needed just 24 hours to completely update their system and respond to private industry attempts to block them, court papers say.
In addition to severing the network's communication channels with the infected computers, the FBI also needed to dismantle a computer algorithm that generated more than 1,000 complicated web domain names every week. The network used the names, usually complicated, nonsensical combinations of letters ending in .com, .net or .biz, to create the check-in website for the infected computers to deliver their stolen credentials.
Private security researchers reverse engineered the algorithm so the FBI could accurately predict which names would be generated each week.
As part of the takedown, the FBI seized the domain names, so that when the infected computers began their weekly check-in, they were routed instead to a safe FBI-controlled computer.
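As an added illustration that is not from the article and is not the real GameOver Zeus algorithm: a constructed toy generator keyed to the ISO week stands in for the reverse-engineered one, and is used the way the article describes, to precompute a week's check-in names ahead of time and route matching queries from a constructed DNS log to a sinkhole instead of the criminals' server.

```python
import hashlib
from datetime import date

TLDS = (".com", ".net", ".biz")  # the endings the article describes

def week_seed(day):
    # Constructed assumption: the toy algorithm re-keys once per ISO week.
    if isinstance(day, str):
        day = date.fromisoformat(day)
    year, week, _ = day.isocalendar()
    return f"{year}-W{week:02d}"

def toy_dga(day, count=1000):
    """Constructed stand-in for a reverse-engineered generator (NOT the real
    GameOver Zeus DGA): a deterministic function of the week that yields
    `count` nonsensical letter-only labels under .com/.net/.biz."""
    seed = week_seed(day)
    domains = []
    for i in range(count):
        digest = hashlib.sha256(f"{seed}:{i}".encode()).hexdigest()
        label = "".join(chr(ord("a") + int(digest[j:j + 2], 16) % 26)
                        for j in range(0, 28, 2))
        domains.append(label + TLDS[i % len(TLDS)])
    return domains

def build_sinkhole_table(day, count=1000):
    """Precompute the week's expected check-in names so they can be seized
    or answered by a sinkhole before the bots ask for them."""
    return frozenset(toy_dga(day, count))

def classify_queries(log_lines, table):
    """For each 'time client qname' line, send the query to the sinkhole if
    the name is in this week's predicted set, otherwise allow it."""
    results = []
    for line in log_lines:
        _, client, name = line.split()
        action = "sinkhole" if name.lower().rstrip(".") in table else "allow"
        results.append((client, name, action))
    return results

def demo(day="2014-05-30"):  # arbitrary example date, not taken from the case
    table = build_sinkhole_table(day)
    predicted = toy_dga(day, 2)
    log = [  # constructed DNS query log: a bot check-in, a benign lookup,
             # and a second check-in in mixed case with a trailing dot
        f"06:00:01 10.1.2.3 {predicted[0]}",
        "06:00:02 10.1.2.3 www.example.com",
        f"06:00:03 10.1.2.9 {predicted[1].upper()}.",
    ]
    return classify_queries(log, table)
```

The same seed produces the same list for every day of one ISO week and a different list the next week, which is why predicting a week ahead is enough to register or seize the names first.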
"Blocking the malware isn't enough. That will just delay them for a day," says Shawn Henry, a former assistant executive director at the FBI and now chief security officer at CrowdStrike, which helped reverse engineer the algorithm. "Disrupting the infrastructure is a big, big step."
When the takedown began early Friday morning, the cyber criminals responded with countermeasures to regain control of the network, the senior law enforcement official said.
—By Donna Leinwand Leger, USA Today