Spanish police dismantle €140 million fraud ring that drained company bank accounts
Four arrests across Spain, Portugal and Panama close down a laundering network that pushed nearly €100 million through 800 bank accounts, much of it stolen through fake CEO emails.

Key points
- Spanish police arrested four people in Spain, Portugal and Panama over a fraud and money-laundering ring that moved €140 million (about $160 million).
- Investigators traced €94 million through the network and linked a further €61 million to business email fraud carried out in 2024.
- The group ran more than 800 bank accounts, 120 business accounts and used 67 people as "money mules" to shuffle stolen cash.
- Officers seized 15 computers and over 170 phones, and froze €3 million that will be returned to victims.
Spanish police have taken apart a large criminal group that stole roughly €140 million (around $160 million) from businesses, mostly by tricking staff into wiring money to the wrong bank accounts.
Four people were arrested. The raids happened in Barcelona, Girona and Tarragona in Spain, in the city of Porto in Portugal, and one further arrest was made in Panama. The operation was coordinated with Interpol and Europol, and first reported in English by BleepingComputer.
What makes this case stand out is the sheer plumbing behind it. The gang ran more than 800 personal bank accounts and 120 business accounts. They also used 67 "money mules", people who agree to receive stolen money into their own accounts and pass it on for a cut.
Once stolen funds landed in one account, they were quickly split and pushed through long chains of transfers, often ending up in accounts abroad. The point of all that shuffling is simple. It makes the money very hard to follow, and even harder to claw back.
How did the criminals actually steal the money?
They used business email compromise, known as BEC, which is a scam where criminals send emails that look like they come from a company's boss or a trusted supplier, asking staff to move money or change payment details.
Spanish investigators describe two flavours of this. The first is "CEO fraud", where an employee in finance gets an urgent email that appears to be from the chief executive, telling them to send a payment right now and keep it quiet. The second is "false-invoice fraud", where the criminals pose as a real supplier and quietly change the bank details on an invoice so the next payment lands with them instead.
Both attacks lean on social engineering, which is the polite term for psychological manipulation: urgency, authority, and the desire to be helpful at work. No malware, no clever exploit, just a convincing email and a distracted human.
This is where I have to be honest about my usual beat. Multi-factor authentication, the extra login step that stops most password theft, would not have stopped this on its own. BEC is not really an authentication problem. Criminals do not always need to break into the CEO's mailbox. Often they just spoof the display name, or register a lookalike domain, and the finance team never checks the actual sending address.
What does help is boring, procedural, and unglamorous. Call-back verification on any change of bank details. A second human signature on payments above a threshold. Email rules that flag lookalike domains before the message reaches the inbox. And DMARC, an email authentication standard defined in RFC 7489, which lets a company tell the world's mail servers to reject messages that fake its domain.
What happens to the stolen money?
Police froze €3 million (about $3.4 million) immediately, and that pot will be made available to victims. The rest, realistically, is already gone, scattered through mule accounts in other countries.
Investigators also grabbed 15 computers and more than 170 phones, which they believe were used to run thousands of fraudulent transfers. The investigation began after suspicious money movements were spotted in 19 companies linked to the group.
Spanish police say the network's main operators are now all under arrest and the laundering pipeline has been shut down. That is a genuinely good day. It is also, given the scale of BEC globally, a very small dent.



