The Judiciary is tasked with unraveling a labyrinthine case of organized crime
Sofia Spingou
October 20, 2025
It was a routine phone call concerning the provision of his company’s services that K.S. received one midday in May 2022. A short time later, he realized that €78,690 had vanished from his bank account. Earlier, he had sent the IBAN number of the account he held at a bank so that his telephone interlocutor could pay him. He received an SMS, ostensibly from his bank, clicked the link, and the rest became part of a criminal case file.
As it turned out, however, this was not an isolated case of bank fraud, but the largest criminal organization in this field ever investigated by the Greek Judiciary. Since 2023, the Prosecutor’s Office has been investigating a fraud story involving 1,298 suspects and defendants. In the 750 pages of the referral document, 129 pages contain only the names of the organization’s members, who operated from Corfu to Crete and from Thessaloniki to Messolonghi, Naxos, Amorgos, and Santorini, targeting shopkeepers, businessmen, media outlets, churches, and monasteries.
This organization bears no resemblance to the crude telephone scams of the past. It possesses structure, hierarchy, and a headquarters—an operational call center, a department for collecting bank details, and even a network of "mules" (money mules), as the organization's "external" accomplices were characterized by the police. Without these mules, the criminal enterprise could not have been executed. Solving the case required judicial assistance from the United States and "support" from Google to locate the electronic traces, domains, and accounts used in the phishing attacks.
The organization’s activity has been accurately mapped from February 2022 to the present, counting 669 confirmed cases of fraud and financial gain exceeding €6 million. The complexity of the case is such that the prosecutor handling it issued detailed instructions to the Cybercrime Division. "Due to the staggering number of defendants (1,298), please ensure order is maintained in the case file, the numbering of the defendants is preserved, a separate sub-folder is created for each defendant containing all relevant documents, and a table format is used to depict their participation in the criminal acts for which prosecution was initiated, including the time, place, and other circumstances of their commission, and their connection to the 'main' defendants who 'remained' in the primary case file." Furthermore, a few months later, in a new order, she requested that "for the sake of economy of time and resources, and due to the peculiar nature and specific characteristics of the case, the defendants be summoned for apology by the locally competent Police Authority."
From Zefyri to Examileia
The core of the organization developed into sub-groups, the strongest of which operated in Zefyri, Zeugolatio, and Examileia. There, within Roma settlements, the operational and call centers were established, from which hundreds of calls were made daily. The geographical relocation of the centers was part of the strategy. Every few weeks, they moved from Zefyri to Menidi or Aspropyrgos, from Zeugolatio to Examileia or Vrachati, and from there to Solomos. The core members were connected by kinship and family ties and communicated daily.
The headquarters of each sub-group consisted of the leader and a small number of individuals—administrators and coordinators of the criminal activity—most of whom belonged to the immediate family circle. Following in the organization’s pyramid was the operational call center, consisting of at least one coordinator and a small number of trusted members, usually from the close family circle, who were fluent, technically skilled in using electronic devices, and had excellent knowledge of the electronic banking operations of Greek banking institutions.
The primary goal of the members operating the call center was to "fish" for potential victims and communicate with them by phone. To achieve their goal, they used open internet sources or professional details of individuals, such as classified ad websites or Facebook Marketplace, where private individuals post sales listings along with their personal and contact information. They also found data by searching public announcements on the "Diavgeia" program website, and through simple searches on various websites and search engines using criteria like geographical area and professional status.
A section of the criminal organization was also the center for collecting bank details and proceeds of crime. This section was composed of three parts, the main one being the card collection and preparation department, which was responsible for collecting and checking the functionality of the "mules'" bank cards.
The cash withdrawal department was responsible for traveling to and staying near ATMs so that, after the criminal act was completed, they could proceed with the... withdrawal of the stolen funds. Meanwhile, the department for receiving and reselling the proceeds of crime was responsible for tracking and receiving technology products purchased using the victims' bank details, as well as reselling them to third parties. This department's scope of action also included recruiting new members, even outside the Roma community.
The "Mules"
The lowest hierarchical section was that of the "mules" (money mules). Its members provided their banking data, such as their cards, electronic account login credentials, and the SIM card of the phone connection linked to their e-banking, in exchange for a fee ranging between €200 and €600. This made it possible for the organization's "revenue" to be transferred immediately and protected the identity of its members, as the "mules" were used as "fronts." In fact, the "mules," strictly following the organization's instructions, immediately after the completion of the fraud and the successful withdrawal of the funds, reported the cards lost to the respective banking institutions.
"One of the largest case files we have ever seen in criminal history has been formed, with more than a thousand suspects, making handling objectively extremely difficult. This makes the handling challenging for the prosecutorial and preliminary investigation authorities. However, the suspects face the same problem, as in such a voluminous case file, the role of each person must be ascertained, since the criminal prosecution concerns each individual personally. The same applies to the alleged victims, because a trial with so many involved parties will take a very long time to be scheduled, and just as long until the appropriate infrastructure—courtroom, correct summonses, indictments—is in place for justice to be served," states Konstantinos Gogos, a lawyer for some of the suspects in the case.
How they defrauded individuals, businesses, and metropolises
In May 2022 in Argyroupoli, a private individual who had posted a sales ad on the electronic marketplace xe.gr received an SMS that seemingly originated from the bank. The message contained a hyperlink (link) that redirected to a fake bank website, through which the perpetrators extracted the victim's personal e-banking codes and proceeded to transfer €15,000 to third-party accounts.
A similar incident was recorded in July of the same year in Folegandros, where the perpetrators sent a message via Viber under the pretext of a supposed tax refund from AADE (the Independent Authority for Public Revenue). The victim, following the misleading link, entered their access details for the bank's e-banking, resulting in a financial loss of €12,000.
A similar methodology was used in a case in Lamia, where the fraudsters did not target an individual but a commercial business. Through successive Viber messages where they "impersonated" banks, they led the company's accountant to fake banking websites, extracting security codes and executing transfers totaling €32,700.
A characteristic element of the cases during this period is the systematic use of the godaddysites.com domain to create fake websites mimicking banks. Such a case was identified on August 30, 2022, in Paleo Psychiko, where sending an SMS with a "suspicious" link led to a loss of €19,808.
A similar technique was used against the Metropolis of Fthiotida, from which, through the controversial link, the perpetrators, posing as donors, extracted €21,400. A similar donation scam occurred at a monastery in Rethymno with a loss of €3,020, and at the Holy Church of the Catholic Church of the Dormition of the Theotokos, with the damage reaching €53,000.
In Naxos, a woman was convinced she would receive a refund from the Fuel Pass platform, only to find herself with €14,500 less in her bank account. Approximately €86,275 was extracted from a home equipment business by the perpetrators who contacted them to purchase a gift card. They stole about €18,000 from a car dealership in Thessaloniki by pretending to an employee that they were customers with money owed to the company, and in the same way, they "emptied" €138,640 from a transport company.
Furthermore, an employee of a website and magazine company received a call regarding a payment. Immediately afterward, she received an email in the company's electronic mailbox, followed the link, and was led to a website that resembled the e-banking site of the National Bank. She filled in the access codes, resulting in the perpetrators gaining access and transferring the sum of €27,980.
The Numbers
- 669 cases
- 750 pages in the case file
- 1,298 defendants
- €6 million "loot"
No comments:
Post a Comment