How a Spanish Cybercrime Gang Stole €140 Million and Almost Got Away With It

Spanish police, working with partners across Europe and beyond, dismantled a fraud network that used fake boss emails, phony investment sites, and nearly a thousand bank accounts to steal the equivalent of $161 million from ordinary people and businesses.

ThreatVectr Newsdesk· 3 min read
A high-resolution 16:9 editorial photograph of a dimly lit developer workstation at night, multiple monitors glowing with terminal windows and code editors, a m
Share

Key points

  • Spanish national police announced on 13 July 2025 the arrest of four core members of a cybercrime gang that stole at least €140 million ($161 million).
  • The network used more than 70 people, 19 shell companies, and roughly 1,000 bank accounts to hide and move stolen money.
  • Criminals linked to the group stole €61 million through CEO impersonation scams in 2024 alone.
  • Police froze €3 million in stolen funds in time to return the money to victims.
  • Spanish cybercrime fell 1.6 percent in 2024 according to Spain's Ministry of the Interior, but experts warn arrests alone will not solve the problem.

Spain's national police did not announce a routine bust on 13 July. They announced the takedown of a criminal machine: 70-plus members, nearly 1,000 bank accounts, 19 registered companies, and a haul that reached at least €140 million ($161 million) before anyone intervened.

The gang ran two central hubs where the actual hacking happened. From those locations, criminals carried out several types of scams. One was CEO impersonation, where fraudsters send emails pretending to be a company's chief executive and instruct staff to wire money urgently to a new account. Another was a man-in-the-middle attack, meaning criminals secretly insert themselves between two parties who think they are communicating with each other, swapping in a fake bank account number on a real invoice. They also built entirely fake investment websites to lure victims into depositing savings.

How did criminals hide $161 million in stolen money?

Stealing money is only half the problem for a fraud gang. Getting it out without police noticing is the other half.

This group solved that problem with layers. Money moved from the hackers into a web of shell companies (businesses set up purely on paper, with no real product or service), then through 120 merchant accounts and 800 bank accounts spread across multiple countries, before anyone finally withdrew cash. Each layer made it harder for investigators to trace.

The people doing the withdrawing were recruited specifically for the role. These so-called money mules, individuals paid to move funds on behalf of the real criminals, were often foreign nationals brought into Spain on purpose. As security researcher Matt Burch of Atredis Partners told Dark Reading, if mules are arrested they are frequently deported before police can interview them, which protects the people running the operation.

Four leaders were caught. One was arrested in Panama. Another, who reportedly managed the mule network, was picked up alongside a partner in Portugal.

Police seized 15 computers and 170 smartphones. They also froze €3 million before it could disappear, and returned that money to victims.

The bad news, according to Louis Eichenbaum, federal chief technology officer at ColorTokens, is that the gang's money infrastructure was more valuable to them than any server. Hackers can buy a new server in minutes. Rebuilding a trusted network of shell companies and cooperating banks takes years.

If your company receives an unexpected email from a senior executive asking for an urgent bank transfer, that is the exact scenario this gang exploited repeatedly. Call the executive directly on a number you already have before moving a single euro.

Operational takeaway: Financial controls that require two people to approve any new payment destination cost almost nothing to implement and would have stopped the majority of this gang's attacks cold.

© 2026 Threat Vectr