Spain Dismantles €140M BEC Ring; 800 Accounts, 67 Mules
Spanish National Police dismantle a €140M BEC and investment fraud network using 800 bank accounts, 120 companies, and 67 mules; four arrested across three countries.
Spanish National Police confirmed on 2026-07-14 the dismantling of a business email compromise (BEC) and investment fraud network that moved €140 million ($160 million) through 800+ bank accounts, 120 business accounts, and 67 money mules in third countries. Four people were arrested; per BleepingComputer, arrests spanned Spain, Portugal, and Panama, with raids in Barcelona, Girona, Tarragona (Spain) and Porto (Portugal). €3 million ($3.4M) was frozen for victim restitution.
The account substrate
The interesting number here is not €140 million. It is the ratio of 800 bank accounts to four arrests. That is the actual shape of BEC and investment-fraud infrastructure — thin at the top, wide at the base. Four operators can direct thousands of transfers because the account layer under them is doing all the routing work, and that layer is deliberately spread across dozens of banks and jurisdictions specifically so no single institution sees enough of the pattern to flag it.
The physical inventory the raids seized — 15 computers, 170+ smartphones — is the second tell. Smartphones are how mule accounts get opened and operated at scale: one phone per SIM, per KYC document, per fake identity. 170 devices is not a laptop-based fraud operation; it is a phone-farm operation, which is what you build when you need to hold hundreds of accounts open across banks whose fraud teams are all watching for the same shared-device signals.
What the takedown actually got
- Fraud volume proven. €94 million ($107M) confirmed channeled through the network, of which €61 million ($69.5M) tied to BEC operations in 2024, per BleepingComputer relaying the Spanish police release. Confidence: as-reported.
- Physical seizure. 15 computers, 170+ smartphones. Confidence: as-reported.
- Arrests. Four total, across Spain, Portugal, and Panama. Confidence: as-reported; the country-by-country breakdown of the four arrests is not enumerated in the reporting.
- Frozen for victims. €3M ($3.4M). That is roughly 2% of the €140M gross — the number to remember when discussing “clawback” in these operations.
- Coordinating bodies. Spanish National Police lead, Europol and Interpol supporting.
- Techniques. BEC (CEO impersonation, false-invoice fraud) and investment fraud on the front end; multi-account layering on the laundering side. Confidence: as-reported.
What the takedown did not get
The 67 money mules are described as being “in third countries.” Those are not the people who take the top-level €61 million BEC hit. They are the layer that catches the transfer, holds it briefly, breaks it into smaller pieces, and passes it on. That layer reconstitutes quickly — recruitment for mule accounts is not tied to the arrested operators and is unaffected by four arrests in Iberia. Expect the same class of operation to be running through fresh mule pools within weeks.
The investment-fraud side — the front-end websites, the fake broker platforms, the customer-service infrastructure that keeps victims sending more money for “tax clearance” fees on paper profits — is not accounted for in the disclosed seizure list. Whether it was taken down alongside the account-side infrastructure or continues under new hosting is not stated. Confidence: unconfirmed, treat as still live.
What to actually do
Fraud and AFC teams — the number to internalise is 800 accounts per four operators. If your BEC controls are keyed to spotting the four operators, they are pointed at the wrong layer. The account-mule substrate is what leaves detectable patterns: new-account velocity from a small set of KYC document sources, small-value probe transactions clustering across accounts opened within a fortnight of each other, and mule-account behaviour that stops looking retail within 30 days of opening. Those signals live at the receiving bank, not the corporate victim.
Corporate finance controls — nothing in this operation is technically novel. The €61M BEC take in 2024 came from CEO-impersonation wire requests and false-invoice fraud, both of which are defeated by an out-of-band verification step for any wire above a threshold. If your organisation does not have that step, put it in this week. If it does, verify — with a spot-check — that finance staff are actually performing it, not initialling the confirmation box.
Cross-border investigators — the case is a functional demonstration of the Spain-Portugal-Panama-Interpol path working end-to-end. If your national fraud unit does not have an established referral relationship with its Interpol NCB for BEC transfers in flight, that gap is now the one to close. Our earlier coverage of INTERPOL Operation First Light 2026 called out the same I-GRIP mechanism as underused for exactly this class of case.
Sourcing
- BleepingComputer: Spanish Police take down €140 million cyber fraud ring, arrest four, 2026-07-14.
- Related coverage: INTERPOL First Light 2026 — 5,811 arrests, $293M seized, 2026-07-09.
- Related coverage: Forg365 PhaaS targets M365 with device-code and AiTM session theft, 2026-07-09.
Found this useful? Share it.


