What happened
Austrian and Albanian authorities, supported by Europol and Eurojust, dismantled a large-scale investment fraud network that stole more than €50 million from victims across Europe and beyond, following a joint investigation spanning more than two years. The coordinated action day on April 17, 2026 resulted in ten arrests in Tirana, Albania, searches of three call centers and nine private homes, and seizure of nearly €900,000 in cash along with 443 computers, 238 mobile phones, six laptops, and multiple storage devices.
The criminal network operated out of Tirana with up to 450 employees organized into departments mirroring a legitimate company structure, including customer acquisition, customer service, finance, IT, human resources, and back-office support. Operators received a monthly salary of approximately €800 plus commissions on successful frauds. Language-specific teams of six to eight members covered German, English, Italian, Greek, and Spanish, allowing the network to target victims across multiple countries in their native languages.
Victims first encountered the scheme through fraudulent investment advertisements on social media and search results. Once registered on fake platforms, they were assigned retention agents posing as personal investment advisors. Over time, agents used remote access software to take control of victims’ computers and applied psychological pressure to extract further deposits. None of the money was ever invested.
In a particularly calculated secondary operation, the network then targeted previous victims again, offering to help recover their lost funds. Victims were told to open cryptocurrency accounts and deposit €500 to initiate the supposed recovery process, with operators using different usernames to avoid recognition.
The investigation began in June 2023 when Austrian authorities in Vienna received a high volume of fraud reports. Digital evidence from the raids will be shared with authorities in Italy, Germany, Greece, Spain, Canada, and the United Kingdom.
Who is affected
Victims across multiple European countries and beyond lost money through both the initial investment fraud and the secondary recovery scam targeting the same individuals. The multinational digital evidence sharing suggests the victim and suspect pool extends well beyond Austria and Albania.
Why CISOs should care
The corporate structure of this operation is the detail most relevant to enterprise security leaders. A 450-person organization with dedicated IT, HR, finance, and management functions running a sustained fraud operation at scale is qualitatively different from opportunistic cybercrime. It represents an industrialized approach to social engineering that produces consistent, repeatable outcomes across language groups and geographies.
The use of remote access software to take full control of victim computers is also directly relevant to enterprise environments. Employees targeted through personal investment fraud can have their work devices or credentials compromised through the same remote access tools used in this scheme.
3 practical actions
- Brief employees on investment fraud schemes using social media advertising and fake platforms as entry points: The initial lure in this campaign was fraudulent investment ads served through social media and search results. Employees who engage with these outside work hours can become entry points for remote access compromise that extends into corporate environments.
- Flag unsolicited investment recovery offers as a known secondary fraud vector: The recovery scam targeting prior victims is a documented and growing pattern. Security awareness training should explicitly cover the tactic of approaching fraud victims with fake recovery services requiring cryptocurrency deposits, as this represents a targeted secondary attack on already-compromised individuals.
- Review acceptable use policies and controls around remote access software on managed devices: The network used remote access tools to take complete control of victim computers. Assess whether your endpoint controls would detect or block unauthorized remote access software installations on managed devices and whether employees are trained to recognize when remote access is being solicited under false pretenses.
