Skip to content
feed: live
>_ 0dayNews
threat intel
● Breaking

Dutch bust €100M fraud ring, 20 call centers, 700 shills

Dutch Politie takedown of a 2021-active investment-fraud ring — 20 call centers, ~700 fake advisers, five-country arrests, €100M+ estimated peak monthly.

Dutch bust €100M fraud ring, 20 call centers, 700 shills
Photo: Edo Dijkgraaf / Wikimedia Commons · CC BY 2.0
airgap airgap · Published · 3 min read

Confirmed: Dutch Politie announced on July 15, 2026 the takedown of an international investment-fraud operation active since at least 2021. Lead suspect: a 46-year-old Israeli-Polish national arrested in Poland on May 26, extradited to the Netherlands. Additional Dutch and Belgian nationals arrested in Cyprus, Greece, and Belgium between July 7 and July 10. Confidence: as-reported by Dutch Politie via BleepingComputer.

Scale

Per the Politie release, relayed by BleepingComputer:

  • 20 call centers. Distributed across an unspecified set of countries. Confidence: as-reported.
  • ~700 people posing as financial advisers across those centers. Confidence: as-reported.
  • €100M+/month at peak. Police estimate, not audited. Treat as directional. Confidence: police estimate — unaudited.
  • 550+ confirmed fraud reports tied to the organisation, $28.6M in documented losses across those reports. Confidence: as-reported.
  • Authorities estimate tens of thousands of victims worldwide. Confidence: police estimate.
  • Most confirmed victims lost over €10,000 (~$11.4K). Confidence: as-reported.

The delta between $28.6M in documented losses and the €100M+ monthly estimate is the shape to notice. 550 reports is what victims filed. The gap is either victims who did not file, months of activity outside the reporting window, or an inflated peak-month figure. Which of those three is doing the work: not stated.

Method

Confidence scheme, standard shape:

  1. Contact. Cold outreach via call center. 700 people dialling means the recruitment funnel was industrial, not artisanal.
  2. Trust build. Extended contact, “financial adviser” persona, no immediate ask.
  3. Platform. Victim is walked onto a fake investment portal — realistic dashboard, fictitious returns visible on login. Confidence: as-reported.
  4. Transfer. Funds moved in cryptocurrency — the layer that decouples the withdrawal from the depositor’s bank fraud team. Confidence: as-reported.
  5. Maintenance. Dashboards continue to show gains after the transfer lands. This is the phase that produces the “top-up” flows — additional deposits chasing paper profits — which is where the volume comes from, not the initial hit.

No IOCs published. No named phishing kit or platform-as-a-service branding. No claim that this cluster overlaps with a previously-tracked actor. Unconfirmed — treat accordingly.

Attribution and operator hygiene

Per BleepingComputer relaying the Politie release, the lead suspect used pseudonyms and technical means to conceal identity, and his “hacking expertise” is credited with the group’s evasion of law enforcement for the operation’s multi-year run. Politie says the breakthrough came through IP address tracing and financial route analysis. Confidence: as-reported.

No further technical detail on infrastructure, hosting, or the identity substrate is disclosed in the reporting. Unconfirmed — treat accordingly.

Where this sits in the current takedown run

Second major EU investment-fraud takedown announced in 24 hours. Yesterday: Spanish National Police dismantled a €140M BEC-plus-investment ring — four arrests, 800 bank accounts, 67 mules across Spain, Portugal, Panama. Today: Dutch Politie announces this one — arrests across five countries, 20 call centers, 700 shills.

Different networks. Same product. The call-center layer sits above the mule-account layer the Spanish case exposed; a takedown at either level does not automatically hit the other. Recruitment for both regenerates outside the arrested jurisdictions within weeks — see INTERPOL Operation First Light 2026 coverage for the wider pattern.

What is not in this announcement

  • Recovery figure. Not stated. Compare to the Spanish takedown’s disclosed €3M frozen for restitution (~2% of gross). No Dutch equivalent given.
  • Fake-platform infrastructure. Whether the investment-portal front end is offline or continues under new hosting: not stated. Assume live until confirmed otherwise.
  • Crypto trace. Whether Chainalysis, TRM, or an equivalent supported the financial route analysis: not stated.
  • Charges filed. Announcement covers arrests and extradition. Formal charges and jurisdiction of prosecution: not detailed.

For fraud teams and consumer-facing platforms

The audience for this piece is not sysadmins. It is fraud, AML, and trust-and-safety teams at banks, crypto exchanges, and the ad networks these operations buy on.

  • Ad-buy signals. 20 call centers with 700 people need a lead-generation pipeline. Facebook, Google, and native-ad placements are the usual routes for “guaranteed returns” ad creative. Trust-and-safety teams: the takedown does not stop the ad-buy operators, whose accounts are downstream.
  • Crypto exchange KYC. The withdrawal side of every one of these operations sits at an exchange somewhere. If your KYC-refresh cadence is annual and your victim-file cadence is quarterly, the accounts washing this money are open by design.
  • Consumer bank fraud teams. €10K+ average loss is above the threshold where retail-side fraud detection should be looking hard at outbound transfers to first-time-payee crypto onramps. If those transfers are not surfacing for a callback confirmation, the callback control is either missing or being bypassed by the confidence build.

Sources

Found this useful? Share it.