Decoding the world of cybersecurity

Europe’s fraud machine ran like a multinational

Dutch police say an alleged investment-fraud network employed more than 700 people, operated approximately 20 call centres, and generated over €100 million a month.

Europe’s fraud machine ran like a multinational
Summary
  • Arrests have taken place in Poland, Cyprus, Belgium, and Greece as part of a Dutch-led investigation into a large investment-fraud network.
  • The alleged organisation combined call centres, fabricated trading platforms, cryptocurrency payments, and centrally managed digital infrastructure.
  • Commercial providers helped disable parts of the operation, exposing the service dependencies that allow cyber-enabled fraud to function at corporate scale.

Dutch police have disrupted parts of an alleged international investment-fraud organisation that authorities say employed more than 700 people, operated approximately 20 call centres, and generated more than €100 million a month.

Arrests have taken place in Poland, Cyprus, Belgium, and Greece, including the detention and extradition of a 46-year-old dual Israeli and Polish national suspected of occupying a central technical and organisational role. He was arrested at a Polish airport on 26 May while travelling from Dubai and has since been transferred to the Netherlands, where a judge ordered an initial 14-day period of detention.

Further suspects were detained during July. Two Dutch nationals and a Belgian national were arrested in Cyprus, another suspect was held in Belgium, and a Dutch national was detained in Athens. Belgian police separately arrested five people accused of working in the organisation’s call centres. The allegations have not been tested in court, and Dutch police said further arrests remain possible.

Investigators believe the organisation had operated since at least 2021 and was structured much like an international company, with a central office directing regional call centres and teams assigned to particular countries. Workers allegedly presented themselves as financial advisers or account managers, maintained contact with victims over extended periods, and followed established procedures for encouraging larger investments.

Victims were initially invited to transfer relatively small sums through apparently convincing online trading platforms. The platforms displayed fabricated investment returns, while the money — often transferred as cryptocurrency — was not invested. Once trust had been established, callers pressed victims to commit increasingly large amounts.

Approximately 550 Dutch complaints have been linked to the organisation, representing almost €25 million in reported losses. Belgian authorities have identified around 200 complaints, while police estimate that the global victim count could reach tens of thousands. Many Dutch victims reported losing more than €10,000.

Financial investigators are attempting to locate, freeze, and seize alleged criminal proceeds. Payment records, IP addresses, communications data, and other digital evidence helped identify offices and suspects, while equipment recovered during the investigation provided a fuller view of the operation.

Dutch police also approached commercial organisations that hosted elements of the group’s infrastructure. Those providers helped take important systems offline, while Europol supported the exchange of information between participating countries. The police account of the operation does not identify the hosting, telecoms, domain, advertising, or payment providers involved.

The alleged organisation’s scale reflects an industrial model of cyber-enabled fraud rather than a collection of improvised phishing campaigns. Recruitment, multilingual call centres, workforce management, digital trading platforms, cryptocurrency conversion, hosting services, and procedures for concealing employee identities were combined into a repeatable commercial process.

Each dependency also created a potential point of intervention. Hosting businesses, communications providers, domain registrars, advertising networks, banks, cryptocurrency services, and identity platforms can hold fragments of activity that appear ordinary in isolation. Disrupting an operation spread across several jurisdictions depends on those fragments being assembled before infrastructure, funds, and personnel can be moved.

Awareness training alone is poorly matched to fraud built around sustained personal relationships. Victims were allegedly shown convincing account information and kept in contact with trained operators over several weeks or months, allowing trust to develop gradually rather than through a single suspicious message.

Police have also warned about recovery fraud, in which victims who stop investing are approached by purported specialists offering to retrieve lost funds in return for an advance payment. Some recovery services are suspected of belonging to the same networks, allowing victim data gathered during the original fraud to support a second attempt.

The infrastructure takedowns and arrests remove important parts of the alleged operation, although the financial investigation and prosecution process remain active. Authorities have not established the complete victim count, recovered all alleged proceeds, or publicly identified the service providers whose platforms supported a criminal organisation operating across several European markets.

×