A company receives an email from an address that differs from the real sender's by only a single letter, in which large quantities of telephones or computers are ordered from several companies.

The customer then asks the company to send the products to another address.

It is a method that the league behind the data breach has used many times, according to the preliminary investigation.

According to what SVT Nyheter has learned, the league then resold the products in its own online stores in Poland and Sweden.

Defrauded of goods worth hundreds of thousands of kronor

A perpetrator sent an email to Webhallen from an address deceptively similar to the one belonging to a purchasing manager at Philip Morris, except that the address instead ended with @philipmoris.se, that is, one R too few.

The person ordered 65 iPhones worth SEK 325,000.

The goods were delivered to an address other than Philip Morris's, straight into the hands of the league.

Webhallen was also subjected to a data breach in which the league copied a large number of files from an employee's computer.

- It's very boring.

It has meant a lot of time and effort for our IT department to ensure that our IT systems are in order.

We have now done that and they did not come across any customer information, says Fredrik Rosenvik, communications manager at Webhallen.

Fake address @svenskaskykan.se

The IT company Atea received an order for 45 laptops from a person who pretended to be Apoteksgruppen's customer.

The email address contained the person's correct name but ended with @apotekasgruppen.se, that is, with an extra A. In that case, the fraud was discovered before the computers were shipped, but the preliminary investigation contains many similar cases.

Among other things, the league hacked into Office IT-Partners Väst's IT system and placed and confirmed an order for 20 iPads and 50 iPhones that was made to look as if it came from the Church of Sweden.

The email address ended with @svenskaskykan.se.

SVT Nyheter has been in contact with Office IT-Partner, which does not want to comment on having been affected.

- It is an ongoing legal process and we await it before we speak, says Stefan Nilsson, marketing manager at Office IT-Partner Sweden.

Tried to launder money into gold

Another method the league is suspected of having used is to hack into companies' financial systems and change the account numbers on payments.

Fake invoices were then created and paid by the affected company to sham companies owned by members of the league.

Among other things, banks and credit companies are suspected of having been exposed to this type of fraud.

The league is also suspected of having engaged in money laundering.

They first tricked a credit company into paying out almost SEK 100,000 in false invoices to one of the suspects' savings accounts.

Then the suspect collected a new bank box, created a new BankID and spent more than SEK 35,000 to buy 100 grams of gold.

The fraud was discovered when the bank suspected that it could be money laundering, and the credit company was able to get its money back.