Civil Guards carried out a wide-reaching cybercrime crackdown that led to 13 arrests across several Spanish cities. The operation exposed a network of seventeen offenses connected to online fraud, smishing campaigns, and Business Email Compromise. Several loosely affiliated groups operated with activities spanning Malaga, Alicante, Madrid, Murcia, and Logroño, with the total fraud amounting to more than one million euros before authorities intervened.
The macro operation was coordinated by the Organic Judicial Police Unit and began after eight formal complaints filed by the Burgos Command Team and residents who fell victim to digital fraud. Official channels within the armed forces released the information on a Monday, underscoring the seriousness of the coordinated endeavor and the breadth of the investigation as investigators linked disparate incidents into a broader pattern of criminal behavior.
In the early phase of the case, prosecutors and investigators treated each complaint as a separate inquiry. As case files accumulated, it became clear that several independent gangs were using the same criminal playbook and orchestrating activities over a large portion of the country. Investigations in Malaga and Alicante, along with those in Madrid, Murcia, and Logroño, were later consolidated into a macro operation designed to map the full scale of the network and disrupt its financial channels.
Across all identified schemes, the criminal techniques were well known to law enforcement: Business Email Compromise, which exploits compromised organizational accounts to reroute legitimate funds; a form of phishing known as smishing that uses text messages to harvest sensitive data or prompt fraudulent transfers; and the so-called “son in distress” scam, where perpetrators manipulate emotions to extract money or personal information from victims.
Assets amassed by the criminals included multiple bank accounts and intricate money movement schemes spanning national borders in Europe. These efforts aimed to obscure the origin and destination of illicit funds. The operational model involved splitting proceeds across several accounts and jurisdictions to reduce risk, complicate tracing, and slow investigators as they work to halt the flow of stolen funds.
During the operation, authorities detained 13 suspects and pursued additional leads related to an eighth individual who remained at large at the time of the announcement. The charges under review encompassed fraud, damage to and unauthorized access of computer systems, money laundering, identity theft, and membership in criminal organizations. These charges reflect the varied and intertwined nature of the activity uncovered during the inquiry.
Agents uncovered a total of 17 distinct criminal actions, all tied to information and communication technology. The common thread across these cases was the reliance on digital networks and device-centric techniques to execute, conceal, and propagate illicit activities. The scale of the operation highlighted how cybercrime networks can coordinate across geographically dispersed regions, leveraging online infrastructure to sustain their criminal enterprises.
The aggregate economic impact of these events was estimated at around one million euros, with 452,000 euros already accounted for in investigations and designated for restitution. The rapid mobilization of investigative resources enabled the interception of funds and the preservation of assets before they dissipated further. A notable portion of the recovered amount, totaling 451,000 euros, has been returned to victims, including individuals, small businesses, and local enterprises spread across Spain, illustrating the tangible relief provided to those affected by the fraud schemes.
Officials attributed the success of the operation to a swift, cross-jurisdictional response and the collaborative efforts of investigative teams. Timely exchanges of intelligence and near-immediate action to freeze accounts helped halt ongoing fraud. The case demonstrates how coordinated law enforcement strategies can disrupt criminal networks that rely on remote access and digital financial channels, safeguarding the public and reinforcing trust in cybercrime response capabilities.