European Police Dismantle €50 Million Crypto Investment Fraud Call-Center Network
Austrian and Albanian authorities, supported by Europol and Eurojust, dismantled a large online investment fraud operation that allegedly stole at least €50 million from victims across Europe and other regions. The network operated from call centers in Tirana, Albania, where investigators said it was run like a legitimate business with up to 450 employees spanning management, finance, IT, HR, customer acquisition, and retention roles. Victims were lured through fake broker and cryptocurrency investment platforms promoted on search engines, websites, and social media, then pressured by multilingual operators posing as brokers or advisers to transfer more money.
A coordinated action on 17 April led to 10 arrests, searches of three call centers and nine homes, and the seizure of €891,735 in cash along with hundreds of computers and phones. Investigators said the group used remote access software and an international money-laundering scheme to divert funds rather than invest them, and in some cases targeted victims a second time with a bogus recovery service that demanded a €500 cryptocurrency payment. Authorities said the seized infrastructure and data are expected to support additional investigations in other affected countries.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
7 events from the most recent confirmed update back to the earliest known activity.
South Korean police probe possible North Korean role in golf club hack
South Korean police said they had not ruled out North Korean involvement in the Lee & Lee Country Club breach, citing similarities to past incidents. The update framed the ongoing investigation as examining possible North Korean ties to the October attack and subsequent data leak.
Europol announces dismantling of EUR 50 million fraud network
Europol publicly disclosed the takedown of the online investment fraud ring, describing a criminal organization with up to 450 employees that used fake broker platforms, deceptive ads, remote access tools, and a follow-up fake fund-recovery scam. Authorities said seized infrastructure and data may support further investigations in other countries.
Police investigate leak of 100,000 Lee & Lee customer records
South Korea's Korean National Police Agency opened an investigation after personal data from about 100,000 Lee & Lee Country Club customers was leaked from the club's website. Reported exposed fields included names, birth dates, gender, user IDs, passwords, phone numbers, email addresses, and home addresses.
Tibetan parliament-in-exile elections targeted by Spamouflage campaign
A China-linked influence operation tied to the Spamouflage network sought to undermine the Tibetan parliament-in-exile elections using inauthentic Facebook and Instagram accounts, criticism of Tibetan leaders, and AI-generated imagery. Researchers said the campaign showed little measurable authentic engagement or impact.
Austrian and Albanian authorities raid fraud call centers and arrest suspects
On a coordinated action day, Austrian and Albanian authorities, supported by Europol and Eurojust, searched three call centers and nine homes in Tirana and arrested 10 suspects. Investigators also seized EUR 891,735 in cash and large quantities of IT equipment tied to the alleged fraud network.
Lee & Lee Country Club website compromised
South Korean authorities said the cyberattack on Lee & Lee Country Club occurred in October 2025, and additional reporting indicated malware may have been inserted at that time. The compromise later led to the exposure of customer data.
Authorities launch Vienna-based probe into investment fraud network
Austrian investigators began the case in Vienna in June 2023, starting a two-year investigation into a large online investment fraud operation centered on call centers in Tirana, Albania. The scheme ultimately was linked to at least EUR 50 million in victim losses.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
9 references tracked. Mallory keeps watching after this page renders.
After Big Albania Bust, Experts Warn Scam Centers Are Hard to Stop | OCCRP
occrp.org
Open sourceAustrian and Albanian authorities dismantle €50 million cryptocurrency fraud ring | brief | SC Media
scworld.com
Open sourceEuropol Busts €50 Million Online Fraud Network Running Corporate-Style Scam Call Centres
cybersecuritynews.com
Open sourceSouth Korean police probe for North Korean ties in golf course data hack | NK News
nknews.org
Open sourceEuropean police dismantles €50 million crypto investment fraud ring
bleepingcomputer.com
Open sourceCall centres dismantled and ten arrested in EUR 50 million online fraud case - Europol, Eurojust, Austrian, and Albanian authorities seize nearly EUR 900 000 in cash and large amounts of IT infrastructure | Europol
europol.europa.eu
Open sourceDisinformation campaign targeted Tibetan parliament-in-exile elections | The Record from Recorded Future News
therecord.media
Open sourceKR: Data of 100,000 leaked from Lee & Lee Country golf club; N. Korean hacking suspected - DataBreaches.Net
databreaches.net
Open sourceChina-linked Spamouflage targets Tibetan parliament-in-exile elections - DFRLab
dfrlab.org
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
European Police Dismantle €600 Million Cryptocurrency Investment Fraud Network
European law enforcement agencies arrested nine individuals suspected of operating a large-scale cryptocurrency investment fraud network that defrauded victims of over €600 million. The suspects allegedly created dozens of fake cryptocurrency investment platforms, luring victims with promises of high returns through social media ads, cold calls, and fabricated celebrity endorsements. Once funds were transferred, victims were unable to recover their money, while the criminals laundered the stolen assets using blockchain technology. The coordinated operation, led by Eurojust and involving authorities from France, Belgium, Cyprus, Spain, and Germany, resulted in simultaneous arrests and searches in Cyprus, Spain, and Germany, with significant seizures of cash, cryptocurrencies, and bank assets. The investigation revealed that the network used sophisticated methods to conceal the origins of the stolen funds, cycling them through various wallets and exchanges. Authorities seized €800,000 in bank accounts, €415,000 in cryptocurrencies, and €300,000 in cash during the raids. The operation underscores the growing threat of organized cybercrime leveraging fake investment platforms to target individuals across Europe, and highlights the importance of international cooperation in combating large-scale financial fraud in the cryptocurrency sector.
Mar 21, 2026
European Law Enforcement Dismantles Ukrainian Call Center Fraud Network
European law enforcement agencies, supported by Eurojust, have dismantled a large-scale fraud network operating multiple call centers in Ukraine that targeted victims across Europe. Authorities from Ukraine, the Czech Republic, Latvia, and Lithuania arrested 12 suspects and identified 45 individuals involved in the operation, which defrauded over 400 victims of more than 10 million euros. The criminal group used various schemes, including impersonating police officers and bank employees, convincing victims their accounts were compromised, and instructing them to transfer funds to "safe" accounts controlled by the network. In some cases, victims were persuaded to install remote access software, allowing the criminals to hijack their bank accounts, and some fraudsters even met victims in person to collect cash using stolen card details. The call centers, located in Dnipro, Ivano-Frankivsk, and Kyiv, employed around 100 people recruited from several European countries. Employees were paid commissions of up to 7% of the stolen funds and were promised bonuses such as cash, cars, or apartments for exceeding certain fraud targets, though these rewards were never distributed. During coordinated raids on December 9, 2025, authorities conducted 72 searches, seizing vehicles, weapons, computers, cash, and forged identification documents. The operation highlights the transnational nature of organized fraud and the effectiveness of coordinated law enforcement action across European borders.
Mar 21, 2026
European Law Enforcement Takedowns of Phishing and Investment-Fraud Networks
European law enforcement reported multiple cyber-enabled fraud disruptions, including a Eurojust-supported operation that dismantled a **fraudulent call-centre network** operating from three offices in Dnipro. Authorities from Latvia, Lithuania, and Ukraine arrested **11 suspects**, seized **more than €400,000** in cash, and collected electronic evidence (computers, SIM cards, documents) during searches at **32 locations**. The group allegedly ran a fake cryptocurrency investment platform and used **remote access software** to gain access to victims’ online banking and move funds to accounts and crypto wallets under their control. Separately, Poland’s Central Bureau for Combating Cybercrime (CBZC) dismantled an organized group operating in Poland and Germany that used **phishing** to hijack Facebook accounts and extract **BLIK** payment codes. Investigators identified **11 group members**, placed **six** in pretrial detention, and seized **over 100,000** stolen Facebook credentials; prosecutors filed **400+ charges** including unauthorized access, online fraud, and money laundering. A South Korean case involving the breach of Seoul’s bike-hire service *Ttareungyi* (4.62 million users affected) is a distinct incident and not part of the European takedown actions described above.
Mar 21, 2026