A web of fake online subscriptions, ranging from dating to streaming services, has been exposed as the front for one of the largest credit card fraud operations in recent years.
Discover how neo-banks become wealthtech in London at the fmls25
Coordinated by Eurojust, the investigation reportedly culminated this week with 18 arrests across Europe and North America, highlighting fake websites, shell companies, and compromised payment platforms siphoned hundreds of millions of euros from unsuspecting cardholders.
Targeting Digital Payments Systems
According to Europol, between 2016 and 2021, the criminal network ran a sophisticated scheme that preyed on digital payment systems. Fraudsters stole credit card data and created nearly 19 million fake user accounts across 193 countries.
They reportedly charged small, recurring payments—usually below €50—to avoid detection. Each charge appeared legitimate, labeled vaguely to discourage scrutiny.
- This New Crypto Scam Starts With “Congratulations, You’re Hired,” Kraken Warns
- $60 Billion in Crypto Fraud: How Pig Butchering and Rug Pulls Steal Millions
- U.S. Consumers Losing Trust as Identity Fraud Jumps 21%
Investigators estimate that the fraud generated at least €300 million in confirmed losses, with attempted fraud totaling more than €750 million. Authorities reportedly carried out more than 60 house searches and executed 18 arrest warrants. The criminal groups are accused of misusing credit card data belonging to over 4.3 million cardholders in 193 countries.
Europol provided critical support throughout the investigation, which focused on 44 suspects from Germany and abroad. Those targeted reportedly include individuals directly involved in the fraudulent schemes, executives of German payment service providers, intermediaries, and crime-as-a-service operators who supplied shell companies.
Read more: This New Crypto Scam Starts With “Congratulations, You’re Hired,” Kraken Warns
Authorities say the perpetrators relied heavily on corporate structures registered in Cyprus and the United Kingdom, designed to obscure ownership and frustrate refund efforts. These shell companies were often acquired through so-called “Crime-as-a-Service” providers, specialized outfits that sell operational tools for criminal schemes.
A Coordinated Global Effort
The breakthrough came from Luxembourg, where the Financial Intelligence Unit traced suspicious transfers linked to money laundering and misuse of company funds. Investigators searched several corporate offices and seized assets worth millions.
Luxembourg’s findings were later shared with Germany’s Koblenz Public Prosecutor’s Office, where the two cases merged into a broader European probe.
Crucially, information from a parallel investigation in the United States, led by the U.S. Attorney’s Office for the Southern District of New York, helped uncover the full scale of the fraud.
Authorities from more than ten countries—including Germany, Cyprus, Luxembourg, Spain, the Netherlands, Canada, the UK, and the United States—contributed to what officials describe as one of the most complex cybercrime investigations ever executed in Europe.
Amid rising cases of fraud, CySEC was recently forced to suspend public access to its certification registers after discovering that scammers were misusing the personal details of certified professionals to defraud investors.
The regulator explained that this precautionary measure is intended to protect the integrity of the capital market and shield the public from growing impersonation schemes targeting legitimate financial professionals.
“To safeguard investor protection and ensure the smooth functioning of the capital market, CySEC announces that it has temporarily suspended the publication of the Certification Registers and the announcements of certification examination results on its website,” the agency said
