Spanish National Police, in coordination with Europol, Interpol, and law enforcement authorities in Portugal and Panama, have dismantled a sophisticated cybercriminal organization responsible for at least €140 million ($160 million USD) in fraud losses across Europe. The operation concluded with the arrest of four individuals and raids on six premises across three countries.
The investigation reveals a multi-faceted criminal enterprise combining social engineering, business email compromise, fake investment platforms, and an elaborate money laundering network spanning multiple continents.
The Operation
The arrests targeted individuals across three countries:
- Two arrests in Portugal (Porto area)
- One arrest in Spain (Barcelona/Catalonia region)
- One arrest in Panama — identified as the ringleader responsible for managing the organization's financial infrastructure
Raids were conducted across six premises in Barcelona, Girona, and Tarragona (Spain) and Porto (Portugal). Evidence seized during the operation included:
| Item | Quantity |
|---|---|
| Computers | 15 |
| Smartphones | 170+ |
| Frozen funds | €3 million ($3.4M) |
The 170+ smartphones are particularly significant — investigators believe they were used to execute thousands of fraudulent wire transfers to victim accounts.
How the Fraud Worked
The organization operated across multiple criminal disciplines simultaneously, attacking both individuals and businesses:
Fraudulent Investment Platforms
The group created fake online investment platforms that lured victims with promises of high returns. Victims were shown falsified dashboards showing growing "investments" before being blocked from withdrawing funds, often after making additional deposits to "unlock" their returns.
Business Email Compromise (BEC)
€61 million ($69.5M) in BEC losses were documented in 2024 alone. The group impersonated executives (CEO impersonation) and hijacked business email conversations to redirect wire transfers. Finance staff at victim organizations received emails appearing to come from their own executives or known vendors, authorizing large transfers to fraudster-controlled accounts.
Fake Invoice Fraud
The ring substituted legitimate vendor invoices with fraudulent ones bearing attacker-controlled bank account details. In many cases, the fraudulent invoices were near-perfect replicas of legitimate ones, differing only in the payment destination.
Man-in-the-Middle Email Interception
In more sophisticated attacks, the group used Man-in-the-Middle (MitM) techniques to intercept genuine business email communications and alter payment details undetected — so both the sender and recipient believed they were continuing a legitimate conversation while the payment destination had been silently changed.
The Money Laundering Network
The sophistication of the laundering operation matched the scale of the fraud. To obscure the money trail and place proceeds beyond recovery, the organization:
- Opened more than 800 bank accounts across multiple jurisdictions
- Incorporated 120 shell companies to receive and rapidly disperse stolen funds
- Recruited European nationals specifically to travel to Spain, establish companies, and act as money mules — providing a layer of legitimate-appearing corporate structure
- Used a network of mule accounts to layer funds through multiple financial institutions before moving money offshore
At the time of the operation, investigators managed to freeze €3 million of crime proceeds to make available for victim restitution — a fraction of total losses, but a meaningful signal that international coordination can reach funds before they fully disperse.
Investigative Partners
The operation required significant international law enforcement coordination:
- Spanish National Police (Policía Nacional) — lead investigative authority
- Europol — coordination and analytical support
- Interpol — international liaison for Panama arrest
- Portuguese Judicial Police (Polícia Judiciária) — arrests and raids in Porto
- Panamanian authorities — arrest of the financial ringleader
Defensive Recommendations
This operation highlights the continuing threat of BEC and related social engineering attacks. Organizations should:
Verify before transferring:
- Implement out-of-band verification (phone call to a known number — not one provided in the suspicious email) for any wire transfer, invoice change, or payment detail modification received by email
- Never rely solely on email to authorize financial transactions above a set threshold
Secure your email infrastructure:
- Implement DMARC, DKIM, and SPF on all corporate email domains to reduce spoofing risk
- Deploy email security gateways capable of detecting lookalike domains and header anomalies
- Enable MFA on all corporate email accounts to limit the impact of credential compromise
Train finance and executive staff:
- Run regular training on CEO impersonation and BEC patterns
- Establish clear internal escalation procedures when unusual payment requests arrive
- Create a culture where staff feel comfortable challenging suspicious requests — even from apparent executives
Technical controls:
- Deploy email authentication warnings for external senders impersonating internal users
- Implement invoice matching controls in accounts payable systems
- Monitor for logins from unusual geographic locations or devices on executive email accounts
Context: BEC Remains the Costliest Cybercrime Category
Business Email Compromise consistently ranks as the highest-dollar cybercrime category in annual FBI Internet Crime Complaint Center (IC3) reports. Unlike ransomware — which requires deploying malware and technical infrastructure — BEC attacks exploit human trust and process weaknesses, making them accessible to criminal groups without advanced technical capabilities. The €61 million in BEC losses attributed to this single organization in 2024 alone illustrates why the technique remains so prevalent.
Sources: BleepingComputer, Newsroom Panama