The National Police disrupted a fraud network that relied on phishing tactics to harvest personal and banking details from hundreds of victims. In total, 146 individuals across Spain had their credentials exposed, which the suspects then used to request unauthorized credits or purchases. Law enforcement described the scheme as a large-scale theft operation that exploited victims by stealing sensitive information and transferring it through various financial channels.
According to the Police Headquarters, the Paris operation unfolded in multiple phases and culminated last spring with the arrest of 13 suspects. The breakdown of arrests included five in Córdoba, two in Madrid, and one each in A Coruña, Huelva, Malaga, Murcia, Palma de Mallorca, and Terrassa (near Barcelona). In addition, seven more individuals were placed under investigation, with suspects located in Madrid, Bilbao, Córdoba, Murcia, Pola de Siero in Asturias, and Seville.
Authorities allege that the group used fraudulent emails to impersonate a well-known bank, thereby obtaining the identity information of their targets. The operation yielded an economic gain of 443,600 euros, which was laundered through a network of bank accounts and primarily circulated by money mules connected to online dating platforms.
The inquiry traces the crimes back to late 2018, when police received a flood of complaints from across the nation. Victims reported receiving emails that claimed to trigger bank security alerts and required users to click on a link to rectify issues with their cards or accounts. Those who clicked the link were redirected to a page where they entered login details, which the criminals immediately captured and exploited.
After obtaining the credentials, the fraudsters changed the phone numbers associated with the accounts to numbers controlled by accomplices, enabling them to stay ahead of standard verification checks and to maintain access for ongoing misuse. This allowed them to complete online transactions and even attempt to pass strict security verifications that banks often require during online shopping or loan requests.
Investigators found that the fraudulent activities spanned multiple countries as criminals accessed victims’ accounts through internet connections located abroad. Spain, Morocco, France, the United States, Mauritania, and Germany appeared in the case through the use of virtual private networks that obscured the true source of the transactions. The cross-border nature of the investigation highlighted how internet commerce could be manipulated when a victim and the point of purchase are in different jurisdictions. In several cases, products purchased online were used or consumed in another country, illustrating the global reach of the scheme.
In addition to direct fraud, money mules recruited on dating sites played a crucial role. These individuals were contacted by a person posing as an emotional partner who instructed them to move funds through money transfer services, following commands from the criminal organization. This tactic enabled the theft to spread across borders, effectively bypassing some financial controls and complicating investigative efforts.
Overall, the Paris operation underscores the evolving threat landscape of phishing-centered fraud, where criminals blend social engineering with online banking exploits and cross-border logistics. The case demonstrates how a carefully coordinated network can harvest sensitive data, convert it into financial gains, and disperse proceeds through a web of accounts and intermediaries, often leveraging legitimate digital platforms to appear trustworthy. The authorities emphasize the need for robust authentication, vigilant monitoring of unusual account activity, and continued public awareness to prevent similar incidents in the future. Cited authorities indicate that ongoing investigations may reveal additional victims and connections, reinforcing the importance of timely reporting and coordinated international cooperation in cybercrime enforcement.