Spanish Civil Guard authorities have taken 22 individuals into custody in connection with a widespread phishing operation that targeted at least 61 victims across various regions, including Oviedo. Investigators report that the group managed to extract more than 108,000 euros by cloning banking sites and using those replicas to deceive unsuspecting users.
The detainees, aged between 22 and 63, comprise roughly equal numbers of men and women. They were arrested in Palma de Mallorca (8), Barcelona (6), San Sebastián (3), Oviedo (2), Tarragona (1), Seville (1), and Pamplona (1), according to informed sources on Tuesday. The suspects include individuals of Spanish, Cuban, Moroccan, Portuguese, and Senegalese nationality, all facing charges linked to ongoing fraud, the production of forged documents, and the unlawful disclosure of secrets tied to organized criminal activity.
Officials described the operation as part of the MUZİB initiative that began the prior year. A complaint filed by personnel from the Tavernes de la Valldigna division in Valencia triggered the investigation into suspicions of fraud carried out through a mobile payment platform.
The gang’s tactic involved duplicating the online portals of several financial institutions. They distributed counterfeit links via phishing emails, luring victims to enter their banking credentials, passwords, and digital signatures. With these stolen credentials, the criminals gained access to authentic accounts and executed unauthorized transfers, often slipping the scam past initial defenses for extended periods. The pattern of activity indicates a deliberate effort to remain undetected while siphoning funds from accounts in a series of rapid transactions.
As the investigation progressed, multiple law enforcement agencies—including the Civil Guard, the National Police, Mossos d’Esquadra, the Navarre Regional Police, the Ertzaintza, and the Madrid Municipal Police—collaborated to track the network. Investigators identified more than 500 repeated transfers linked to the group and noted attempts to obscure activity by coordinating actions under false identities and by using money-moving routes designed to evade scrutiny. In certain cases, attempts to drain a single account reached about 8,000 euros across 16 separate transfers.
The operation also relied on the use of so-called banking mules—individuals who allowed others to use their accounts in exchange for financial gain. The network reportedly operated through 34 bank accounts and 48 telephone lines, all used either by the suspects or on their behalf, complicating investigative efforts and complicating attribution.
Authorities report that 29 bank accounts have been blocked by judicial order, along with seizures totaling around 20,500 euros. In addition, investigators say 56 criminal acts have been clarified through the ongoing inquiry. While significant progress has been made, officials caution that the criminal network has not been completely dismantled and additional arrests may follow as the case continues to unfold. The matter has been referred to the Sueca Court of First Instance and the corresponding Order No. 1 for further proceedings.
Sources describe the MUZİB operation as a sustained, cross-regional effort that leveraged both cyber-enabled techniques and traditional fraud channels. The authorities emphasize the importance of public awareness about phishing and the need for stringent verification of financial requests, especially when prompted by email or through unfamiliar links. The case underlines the ongoing risk posed by online banking fraud and the coordinated response required to identify, pursue, and disrupt such networks. This summary reflects information provided by the involved security services at the time of reporting and is subject to updates as investigations continue. [Cited by authorities]