"It's probably an individual who set it up," said Eschelbeck. However, it is unlikely that the individuals running the Web site or hosting the FTP server have any direct knowledge of the scam, he said.

Rebery is still "running wild" on the Internet, Webroot said. The company believes there are more than 12,000 systems infected with the Trojan, 1,200 of them in the U.S.

The stash of stolen identities is just one of many that have been uncovered in recent months, as identity theft has evolved into a lucrative operation for online criminal groups.

Researchers at antispyware firm Sunbelt Software have also uncovered stashes of stolen information harvested by keyloggers on more than one occasion, and company employees have, in the past, informed some consumers that their identities have been stolen.

Catching the perpetrators is a different matter, however. Often, criminals conduct their affairs from afar, connecting to their servers through one or more compromised machines, which are often scattered around the globe, making criminal investigation and enforcement difficult, experts say.