Global scam empire exposed: dozens of firms help fraud rings operate smoothly

Professional scammers call upon a global network of service providers to execute their work in a sophisticated, streamlined fashion. Here are some of their names.

Global scam empire exposed: dozens of firms help fraud rings operate smoothly

Global scam empire exposed: dozens of firms help fraud rings operate smoothly

At the heart of many modern-day scams is the call center: sleek offices staffed by manipulative, multilingual agents who spend their days trying to convince victims from around the world to pour funds into fake investment opportunities.

These call centers, however, do not operate in a vacuum. They draw upon an entire ecosystem of service providers who help facilitate each step of the process — and get a cut of the profits.

Here, we present dozens of companies from around the world whose services were used by the two large-scale fraud operations exposed by Scam Empire, one based in Israel and Europe and the other in the country of Georgia.

was not always possible to determine the extent to which these companies were aware of the scams their services helped facilitate.

From external marketers who harvest victims’ data to money transfer services used to extract their cash, these players range from legitimate businesses exploited by the scammers to entities that appear purpose-built to help them carry out their nefarious work.

Below we have organized these providers by their role in the three major phases of a scam: catching victimswinning their trust, and taking the money.

Affiliate marketing companies

To catch their victims, the call centers rely on external marketers who post online phishing ads. Promoting snazzy investment opportunities that promise big returns, the ads target specific audiences and often feature fabricated endorsements from local celebrities or media outlets. 

Rather than advertise a real product, the goal of the marketers is to collect data: Potential victims who click on their links are brought to landing pages where they are asked to enter their contact information. This data is then funneled to the call centers, who compensate the marketers for every individual who goes on to make a deposit. 

While the extent to which these marketers are aware of who they are servicing could not be confirmed, many go to great lengths to conceal the nature of their work by operating through anonymous shell companies, using aliases in encrypted chats, and receiving their payments in cryptocurrencies.

MGA Team

MGA Team, whose LinkedIn page says it is headquartered in Moscow, earned at least $556,850 for marketing services from one of the scam operations in 2024, according to an internal expense report. The company has sponsored several networking events for marketers in Bangkok and Dubai. MGA Team did not respond to requests for comment.

CRYP

An affiliate marketer referred to as CRYP received almost $850,000 from one of the scam operations in the first nine months of 2023, according to an internal expense report. CRYP did not respond to requests for comment and reporters could not find reliable information about its ownership or jurisdiction.  

Sierra Media

Bulgaria-registered Sierra Media owns at least three affiliate marketing brands and was paid more than $260,000 by one of the scam operations in the first nine months of 2023, according to an internal expense report. One of Sierra’s brands pushed a well-known scam trading platform called Quantum AI even after it was widely debunked and warnings about it were issued by regulators in multiple countries. The company’s Israeli co-directors did not respond to requests to comment.

Oray Ads

Oray Ads, which appears to be U.S.-based, worked with both call center operations featured in Scam Empire. In 2023 and 2024, it was paid $146,000 for providing more than 160 marketing leads to the Israeli/European operation, according to leaked records and chats. Oray Ads also earned between $20,000 and $30,000 some months for its work with the Georgia-based call center, which started in October 2023. The company did not respond to requests for comment.

Tech platforms and websites

Social media platforms and other websites are the public bulletin boards where scam ads are plastered across the internet. They also receive a cut of the profits, as marketers pay to place advertisements on their platforms.

While these tech companies tout policies barring such fraudulent content, their moderation efforts have failed to prevent billions of scam ads from proliferating across their platforms.

Meta

Meta, the parent company of Facebook, Instagram, and WhatsApp, allows marketers to post and manage ads on its platforms for a price via Meta Ads. The company has long faced criticism for not doing enough to screen this content for scams. An analysis cited by Australia’s consumer regulator found that 58 percent of the cryptocurrency advertisements and landing pages on Facebook involved scams or violated the company’s own advertising policies. 

Among the victims interviewed for Scam Empire, a third of those who could recall where they encountered the ads that led them to scammers named Facebook. Facebook was also often described as the “source” in the scammers’ internal chats about advertising campaigns, and frequently named in internal records that tracked how they acquired the data of each potential victim. 

One affiliate marketing firm charged the Israeli/European scam operation more than $105,000 in the first seven months of 2024 for its “Facebook Advertising Budget.”

When reached for comment, a Meta spokesperson said: “It is against our policies to run ads that promote or facilitate scams. These criminals target people and services across industries using sophisticated schemes — and addressing this requires cross-industry collaboration of banks, governments, law enforcement, and telecoms. While we were not provided specific details about this network, we stand ready to review and take action if we find violations of our policies.”

Google

Marketers can pay to display advertisements on Google’s search engine results page, websites that use Google as an ad provider, and other Google-owned platforms such as YouTube or Gmail. Like Facebook, the scammers in the Israeli-European operation frequently referred to the use of Google’s platforms to carry out their ad campaigns and ensnare potential victims.

When reached for comment, Google said it has strict policies that ban scam advertising. The company said that it suspends offending accounts, but that scammers had begun to “operate with more sophistication and at a greater scale, using a variety of tactics to evade our detection.” 

The company said it had “removed over 5.5 billion ads, restricted over 6.9 billion ads and suspended over 12.7 million advertiser accounts” in 2023

Taboola

Taboola is an Israel-registered advertising platform headquartered in the U.S. that positions its advertising program as an alternative to those offered by Meta and Google. It was frequently mentioned in chats between the scammers and marketers as a “source” for the scam network’s ad campaigns. 

The company generates revenue from the number of clicks, views, and purchases made from the ads, which it says will appear on thousands of “top websites,” including Yahoo, Business Insider, USA Today, and MSN. 

Taboola did not respond to requests to comment

2. Managing a Scam

Software

After clicking on an online ad and entering their contact details, victims frequently hear from a call center agent within minutes. This is thanks to technology that directly integrates the personal data collected by affiliate marketers into databases of “leads” maintained by the call centers. 

From there, the call centers utilize a range of software to streamline their work, including “customer relationship management” software, or CRM, which is used by sales operations worldwide. This software provides a space for the scammers to store information about each “client,” such as notes on their background and investment experience, the content of their phone conversations, the amount the victims have deposited, and how much they believe they have “earned.” Screen recordings in the leak showed how agents were in some cases able to control the client-facing side of some of the software, where victims would view figures detailing the status of their fictitious investments. 

Getlinked.io

Getlinked.io, which advertises itself as a “solution to easily and efficiently manage affiliates, partners, and traffic sources,” was used by call centers associated with the Israeli/European operation, according to the leaked data. Records of Skype conversations show call center staff bringing an account named “Getlinked support” into a chat with affiliate marketers, where they then provided API documentation to enable data to flow between the two sides.

When reached for comment, Getlinked’s Co-Founder Gal Friedman said the company was not legally required to run background checks on customers, and that “we do not have the tools or ability to verify our customers’ businesses or their affiliates’ advertisements on third-party platforms such as Google and Facebook, as these activities fall outside the scope of our services.” Interactions with clients are “strictly limited to providing technical support for the Getlinked platform,” Friedman added

PumaTS

The Georgian call center used a CRM software called PumaTS to track its engagement with potential victims. The leaked files show how the call center agents were trained to use an integrated feature in PumaTS to add fake deposits to victims’ accounts and manipulate the outcome of their “trades” by changing prices.

Evidence in the leak suggests PumaTS is the same CRM software that was designed under the orders of Mikheil Biniashvili, a Georgian-Israeli businessman who is in detention in Germany after his arrest as part of an investigation into another notorious scam call center operation known as Milton Group. Two programmers who helped design that software were found guilty of “computer fraud” in December 2024 in Albania as part of the same crossborder investigation. They plan to appeal the decision. Biniashvili did not respond to our request for comment, but according to court paperwork from the Albanian trial, he denies any wrongdoing.

AnyDesk

AnyDesk is a remote access software that the scammers used to gain access to their victims’ personal information and monitor their behavior. In its legitimate uses, the software can, for instance, allow IT staff to assist with technical problems remotely or enable employees to access their work computers from home. But in the thousands of screen recordings reviewed by OCCRP, it was common to see scammers keep AnyDesk open on one side of their screens in order to keep an eye on their victims. 

AnyDesk told OCCRP that it was “tirelessly working to prevent” the use of its software by scammers and worked closely with law enforcement to fight against scam call centers. 

“We even have a warning in place for first-time connections from suspicious accounts where the end user has to type, ‘I read this,’” said spokesman Matthew Caldwell. “Unfortunately, a large portion of these attacks involve social engineering where a victim is coached around these automated countermeasures we put in place.”

Connectivity

The scammers’ work rests on their ability to make large volumes of calls on a daily basis. To do so, they pay for Voice-over-IP (VoIP) services that allow them to make international calls over the internet. In addition to saving costs, VoIP enables the scammers to choose the country codes of their phone numbers, bolstering the ruse that they are calling from prestigious financial centers like the U.K. or Switzerland. The VoIP firms also provide a steady flow of new phone numbers to call center agents whose numbers are frequently blacklisted as spam.

Coperato

Scammers from both operations exposed in the leak used VoIP services from the Israeli firm Coperato. The firm received more than $1 million for its services from the Israeli/European operation alone over a roughly 3.5-year period. 

The leaked files include chats over Skype between employees of the scam operation and an account named “Coperato” that bears the company’s logo. In the chats, the Coperato-branded account responded to requests to replace phone numbers after previous ones had been flagged as spam, and to block incoming calls from specific numbers. 

There is no evidence Coperato was aware of the scams its clients were running. A law firm representing the company said it “categorically denies any involvement in any illegal or improper activities and underscores the fact that it has never been accused of conducting such activities.” While Coperato comprehensively vets all clients, it is ultimately “not responsible” for any actions taken by third parties on its systems, the lawyers added.

Squaretalk

Squaretalk, which says it is based in the EU and Israel, was used by both scam operations exposed in the leak for VoIP services. According to internal payment spreadsheets, the Georgia-based call center recorded paying at least $150,000 to Squaretalk between August 2023 and March 2025. 

Leaked internal records have shown that 14 of the Georgian call center’s agents continued to actively make calls using Squaretalk even after the center was exposed by the Scam Empire investigation. 

When reached for comment, a lawyer acting for Squaretalk said the company had been “engaged in active cooperation with law enforcement authorities” since January 2025 over accounts associated with the call center, and that the company had been officially instructed to “not disconnect” them so as not to jeopardize the investigation.

“Squaretalk is fully committed to the responsible use of its communications platform and remains dedicated to combating fraudulent activity in cooperation with law enforcement agencies worldwide,” the lawyer added.

HR and administrative

The call centers require the same administrative upkeep as any normal company: Someone needs to pay for rent, internet, utilities, and parking spaces, plus handle HR tasks such as payroll. In many cases, these payments were made by external firms that helped shield the identity of the real companies and individuals behind the call centers.

Za Traiding Company

Rent for the Georgian call center’s main office space in Tbilisi, which amounted to more than $20,000 a month, was paid for by a company called Za Traiding. Its on-paper owner, Zaza Izoria, is an internally-displaced person (IDP) from Abkhazia, an impoverished breakaway region. Za Traiding is registered at the IDP resettlement center in Zugdidi, a city four hours west of Tbilisi. Izoria, whose registered address is also at the resettlement center, did not respond to requests to comment.

Saberoni LLC

A company called Saberoni LLC paid rental fees for the Georgian call center’s auxiliary office space in Tbilisi. Its on-paper owner is a 71-year-old woman named Nazo Pertaia who lives in Zugdidi, a city four hours west of Tbilisi, and has no other known business interests or property holdings. She is the mother-in-law of Zaza Izoria, an internally displaced person who is listed as the  owner of a separate proxy company, Za Traiding, that paid rent for the call center’s main Tbilisi office. Pertaia did not respond to requests to comment.

Roserit

Roserit, a company registered in Bulgaria, doled out salaries to employees for the Israeli/European scam operation. Internal records show the salary payments ran up to $6,000 per month for the most senior manager of the Bulgaria-based staff. Some employees would then go on to make up to $10,000 in bonuses. The company, which has no online presence, listed a Ukrainian woman as its owner in registry documents but no contact information. A lawyer who was listed as registering the company did not respond to requests to comment.

Amapola

Amapola, a company registered in Bulgaria, paid rent, utilities, and internet for Bulgaria-based offices that belonged to the Israeli/European scam operation. Internal records list Amapola as paying nearly 19,000 euros in monthly rent in 2024, plus a 50,000-euro deposit for a new office in February 2024. 

The company, which has no online presence, listed a Ukrainian woman as its owner in registry documents but no contact information. A lawyer who registered the company did not respond to requests to comment. 

Maximateam

Maximateam, a company registered in Bulgaria, made several payments on a popular Bulgarian job-seeking platform, where another company connected to the Israeli/European scam operation was still actively advertising “call center representative” positions in December 2024. It also paid around 7,000 euros a month for rent, utilities, and parking. 

The company did not respond to requests to comment. When reporters visited an office building in Sofia that bore the company’s sign in the lobby, they were told by the building’s manager that Maximateam was no longer renting that space.

Clear IT

Clear IT, a company registered in Bulgaria, paid salaries, social security, and rental fees amounting to 14,000 euros per month for the Bulgarian arm of the Israeli/European scam operation. The company did not respond to requests to comment over email.

3. Getting the Money

Banks and money transfer companies

Once a victim is ready to “invest,” the next challenge for scammers is to get ahold of their cash without alerting compliance officers at banks or leaving a paper trail that would allow authorities to track them down. In the cases reviewed by reporters, the scammers would often advise victims on how to answer questions from their banks as they sought to transfer funds out of their accounts.

The scammers would also frequently push victims to open accounts at specific institutions.

Revolut

The U.K.-registered fintech company Revolut offers digital banking services through an app, including the ability to move money between borders and currencies. According to the leaked data, it was the most common financial institution used by English-speaking victims to transfer funds to scammers at the Georgia-based call center. Out of nearly 5,000 transactions involving a single identified bank, 598 went through Revolut.

In response to reporters’ questions, Revolut said it “takes fraud and the industry-wide risk of organised and sophisticated crime incredibly seriously” and has “robust procedures in place to prevent the misuse of Revolut for illicit purposes.” 

Chase UK

Chase UK, an online-only offering from the U.S. bank Chase, opened in 2021. Out of some 100 banks that were used to transfer the funds of English-speaking victims of the Georgia-based call center, Chase was the 20th most commonly used, according to nearly 5,000 transactions involving a single identified bank. In one conversation reviewed by reporters, a scammer openly recommended its services, writing: “It’s much easier to do it with Chase.”

The bank declined to answer questions about its compliance procedures.

Wise

Wise is an online banking and international money transfer service that touts the ability to move money across borders and currencies for lower fees than offered at traditional banks. According to the leaked data, it was the 12th most common means by which money was transferred by English-speaking victims of the Georgia-based call center, based on some 5,000 transactions involving a single identified bank. 

When reached for comment, a Wise spokesperson said the company has a “robust compliance and controls framework” aimed at stopping bad actors from abusing its services for financial crime. “When we identify potential financial crime or any other misuse of our service, we take immediate steps to investigate the case, including suspensions or freezing of the transactions and customer accounts.”

Wirex

Wirex is a digital payment platform that allows customers to make payments and exchanges in cryptocurrencies as well as traditional currencies.

According to the leaked data, it was the 14th most common means by which money was transferred from English-speaking victims to scammers at the Georgia-based call center, based on some 5,000 transactions involving a single identified bank.

Wirex did not respond to requests to comment.

Santander

Santander, Spain’s largest bank, held five accounts belonging to Spanish companies that were were used as part of a money-moving scheme referred to by the scammers as "LWires."

The scheme moved more than 4.9 million euros (around $5.4 million) from 600 people who sent money to the Israeli/European call center operation in the space of less than two years.

Santander declined to comment on individual cases but said it is "confident that we have met our obligations as a responsible financial institution."

BBVA

BBVA, Spain’s second-largest bank, held five accounts belonging to Spanish companies that were used as part of a money-moving scheme referred to by the scammers as "LWires."

The scheme moved more than 4.9 million euros (around $5.4 million) from 600 people who sent money to the Israeli/European call center operation in the space of less than two years.

BBVA declined to comment on specific business relationships. It said: “our commitment to financial integrity is reflected in the numerous control measures we implement to prevent our products and services from being used for illicit purposes.”

Payment service providers

The scammers don’t receive the funds directly from their clients — that would make it too easy for investigators to hunt them down. Instead, they were found to move the money through other bank accounts, often belonging to shell companies, to obscure the final destination.

The leaked files reveal how a sprawling ecosystem of unregulated service providers were called upon to facilitate this process. When the scammers requested help moving funds from a victim, these providers would match them to the most suitable company and produce phoney paperwork to help satisfy questions from banks. Internal documents show these providers charged fees of 10 to 17 percent, significantly more than a legitimate mainstream payment service.

Bankio / Anywires

Bankio and Anywires are two underground service providers — who appear to be connected — that provided scammers with the details of dozens of proxy companies in countries like Estonia, Hungary, Bulgaria, and the U.K. 

In a Telegram chat, scammers would supply information about their victims and the amount of money they wanted to send, and wait for Bankio representatives to reply with a plan, including the details of a bank account that would receive the money, invoices to justify the transfer, and additional instructions such as warnings against using the words “investment” or “crypto.”

While Bankio has a rudimentary website and distributed branded documents to call centers, there is no corporate entity registered under that name, and reporters could not determine who was behind it. Evidence from the leak suggests it is connected to a similar service provider, Anywires, which was widely used by the Israeli/European operation. Bankio and Anywires were referred to interchangeably in internal call center documents, and they shared a U.K. cell phone number and street address in Edinburgh. 

There was no response to questions sent to a contact address for Anywires found in the leaked materials. A U.K. cell phone number previously advertised by both Anywires and Bankio no longer operates

Britain Local

A service provider known to scammers as “Britain Local” supplied the numbers of U.K. bank accounts of companies owned by apparent proxies. In exchanges that took place in a Telegram chat group called “Britain Local Solution,” the scammers would provide information about their victims and how much money they wanted to transfer, and then receive the details of an appropriate bank account to send the funds to. 

Britain Local earned a 13-percent commission, according to the leaked data. It has no online presence, and reporters were unable to determine if it corresponded to a genuine company, or to identify who controlled the system

Shell companies

To bring the money to its final destination, the scammers need a steady supply of shell companies to help obscure the ultimate recipients of the funds. The leak revealed the existence of dozens of such companies that were used to funnel victims’ money around the globe. Some of them also served as intermediary firms who paid the call centers bills for other services, such as software.  

Selterico SL

Spain-registered Selterico SL, which officially operates as an “advertising agency,” received over 390,000 euros from clients of the Israeli/Europe operation between October and December 2023. The company’s bank statements show that these funds were then transferred to companies in the U.K., Hungary and Spain.

Selterico was registered just three months prior to the transfers by a woman with an Eastern European surname. While it lists an address at a trendy co-working space in Madrid, one of the co-working space’s founders told reporters it had never been a client.

Greencode Connection Limited

Greencode Connection Limited, registered in the U.K. in early 2023, received over 400,000 euros from would-be “investors” in finance brands run by the Israeli/European scam operation, either directly or through intermediary companies such as Selterico. 

Until February 2025, the company’s listed address sat above a Thai spa in London that belongs to rental mailbox service in the U.K. When contacted by reporters, the mailbox service said it had been made aware of concerns about Greencode Connection through police and that it had “fully cooperated with the authorities” and “taken immediate action.”

On paper, Greencode is owned by a Hungarian man who lists his address in the small village of Tiszanagyfalu. Its website, which is no longer operative, said it offered consultancy services to help companies “succeed, win big, keep their customers happy, and foster a positive workplace.” 

Earlier this year, a U.K. court ordered Greencode Connection and several other entities to pay more than five million dollars in compensation to a victim of the Israeli/Europe operation. 

The company did not respond to requests to comment

Purplesun Limited

Greencode Connection Limited, registered in the U.K. in early 2023, received over 400,000 euros from would-be “investors” in finance brands run by the Israeli/European scam operation, either directly or through intermediary companies such as Selterico. 

Until February 2025, the company’s listed address sat above a Thai spa in London that belongs to rental mailbox service in the U.K. When contacted by reporters, the mailbox service said it had been made aware of concerns about Greencode Connection through police and that it had “fully cooperated with the authorities” and “taken immediate action.”

On paper, Greencode is owned by a Hungarian man who lists his address in the small village of Tiszanagyfalu. Its website, which is no longer operative, said it offered consultancy services to help companies “succeed, win big, keep their customers happy, and foster a positive workplace.” 

Earlier this year, a U.K. court ordered Greencode Connection and several other entities to pay more than five million dollars in compensation to a victim of the Israeli/Europe operation. 

The company did not respond to requests to comment.

Intek Systems Limited 

The U.K.-registered company Intek Systems Limited was used by the Georgian call center to arrange payments from victims, as well as pay for VoIP services, according to leaked invoices and documents.

The company, which operated from 2019 until January 2025, was formally owned by a Lithuanian man, Jevgenij Roscenkov. Leaked data suggests that the scammers may have used the company to facilitate aspects of their operations. 

Screenshots of the scammers’ computer desktops show that one of the scam center’s finance managers had a digital file containing Roscenkov’s handwritten initials. The image was used in agreements with payment providers that received funds from victims before sending them on to the call center.

The scammers also received external emails directed to Intek Systems, leaked screenshots show.

Roscenkov, the formal owner of the company, said the firm had nothing to do with the scam center and was involved in “web development.”

Регион:

Распечатать

Все статьи