Yeah. I'm thinking the real issue with using a single set of probably bought/stolen ID and infecting a few hundred thousand PCs is that you attract just enough attention for the authorities to be motivated to track you down. And unlike cybercriminals attacking mostly Western targets, I doubt they're safely overseas.
