An investigation into leaked data exposes scam call centers whose employees convinced thousands of people to make “investments” on fake trading platforms. A call center in Cyprus was part of an operation based in Israel that appears to have targeted 26,810 individuals around the world.
“They took everything from me,” said a Spanish architect in her 40s, one of 26,810 people targeted by an organized network selling investment opportunities to individuals around the globe. The operation is estimated to have netted at least €230 million between 2021 and 2024.
Choosing to publicly use only her initials, IGP confirmed to reporters that she “invested” €400,000 – mostly money from selling the land she inherited from her mother. She lost her life savings within a month to what she acknowledges was an intricate scam.
The network operated mainly from Cyprus, Israel, Bulgaria, Ukraine, Spain and North Macedonia, targeting would-be investors from call centers, and convincing them to make more and more deposits. IGP thought she was watching her investments in crypto grow on a trading platform she now believes was fake.
More than half a million leaked internal documents and communications from the vast operation to allegedly scam thousands of victims were shared with media partners in dozens of countries, including the Cyprus Investigative Reporting Network (CIReN). Until last year, the network appears to have had a “Cyprus HQ,” and a call centre in Limassol.
No Cypriots appear to have been targeted – most victims were located in Canada, UK, South Africa, and Western Europe.
Scam Empire is a collaborative investigation by OCCRP, Swedish Television (SVT), and 30 other media partners from multiple countries. Based on 1.9 terabytes of leaked data, the project exposes two groups of call centers, based mostly in Israel, Europe, and the country of Georgia, whose employees have convinced at least 32,000 people across the world to make “investments” totalling at least €263 million using fake trading platforms. The group that had operations in Cyprus appears to have targeted 26,810 individuals. Reporters spoke with 161 of the victims, 150 of which confirmed that they had been allegedly scammed a combined total of €19.7 million. One person told reporters he was happy with his investment experience on the unlicensed trading platform.
Cyprus police did not reply to questions in time for publication.
Netting the victims
“I was diagnosed with cancer at the end of 2021, two breast cancers. I was on chemo and got divorced at the same time,” IGP told reporters from Spanish media partner InfoLibre. “I have two girls [and] I thought [it was] a good idea, selling the land and investing in another way. But now I don’t have any plan.”
It was late October 2023 when IGP saw an online post featuring a popular Spanish TV host Pablo Motos who “let it slip” during an interview “that there were some ways to get money: if you invested €250 in a platform, little by little you would generate more money.”
The clip was fake. Similar ads on social media platforms used the likeness of tech billionaire-turned-Trump administration advisor Elon Musk and celebrity actor Ryan Reynolds, touting investment opportunities.
Clicking on an ad directs the victim to a landing page, where they’re prompted to enter their personal information. This generates an instant lead for affiliate marketers, who sell information about potential customers to paying clients, including call centers who target victims.
In IGP’s case, the affiliate marketer was Zeus Media, an apparent brand operated by a company called Sierra Media Ltd, based in the Bulgarian capital Sofia. According to leaked accounting records, Zeus Media was paid at least €1000 for IGP’s details.
The marketers signed contracts with EM Develop, which appears to be the scam center’s marketing company. It operates under the brand name Opulent Allies, has a Ukrainian address, and company records list its owner as Daryna Reznik. When reached by reporters, Reznik’s mother confirmed that her daughter had passed away in 2023, and claimed that she didn’t run any companies.
Though EM Develop is in Ukraine, it’s unclear where the marketing managers are based. Telegram conversations between the team members are conducted in Hebrew and English, suggesting they may be from, or based in, Israel.
IGP said her phone rang seconds after she submitted her email and phone number. On the other end of the call was a Spanish-speaking “broker” who told her his name was Álvaro Enrique Álvarez and that he was based in Geneva. “Don’t worry because we are going to help you,” IGP recalls him saying.
At first she made a payment of €250 by credit card, then she was instructed to open an account on the cryptocurrency platform Binance, and to convert the money in her bank into Bitcoin, which could easily be sent to another wallet.
Revolut told reporters in an email that it has “a sophisticated suite of financial crime detection systems, including customer due diligence and transaction monitoring,” and “a proven track record uncovering instances of financial crime.” Wise said its verification processes, transaction monitoring, and account deactivations “help us prevent, detect and stop potential instances of financial crime and abuse of our services.”
IGP watched her investment grow on what appeared to be a legitimate trading platform, TIG Capital. It listed stocks, forex, crypto, currencies and commodities as options. Higher deposit accounts showed better returns, so IGP made eight deposits. But when she asked for documentation they just sent her what she saw on the platform.
TIGCap was named in a criminal complaint submitted by a Spanish lawyer on behalf of more than 70 victims, which was admitted by the nation’s High Court and is being investigated by prosecutors. The complaint calls the network a “criminal organization,” states that it “defrauded thousands of Spanish citizens,” and alleges that it “maintains a stable infrastructure for money laundering through an international corporate network.”
TIGCap is now the subject of warnings issued by securities commissions in Canada, Australia and Spain
Alvaro Enrique Alvarez also instructed IGP to install AnyDesk, a commercial software that allowed them to access her laptop remotely and see what’s on her screen.
AnyDesk, which is typically used to assist with technical problems remotely, has installed warnings for first time connections, which require authorization, but the scammers are adept at guiding their victims past the safeguards, according to Matthew Caldwell, the company’s director of brand strategy.
“We take this [fraud scams] very seriously and are in contact with law enforcement constantly to prevent these types of attacks,” he said in an email, adding that the company terminates suspicious accounts almost immediately.
When the platform showed IGP’s investments falling, she said Alvarez pressured her to take out a €50,000 loan from her bank.
“If not, I would lose all the money,” she recounted. “I went through all this on my own, as I was recently divorced. If I had consulted with someone… but it all happened very quickly.”
Over a period of two weeks, in November 2023, IGP had sent some €400,000 to the alleged scammers.
Lithuanian psychotherapist Kamilė Butkevičiūtė-Astrauskienė says scammers look for a vulnerability to exploit, and apply a feeling of urgency that can lead people who typically make good decisions into poor decision-making.
“They might say ‘I’m not pressuring you,’ but their actions and messages do create pressure. It’s a push to act quickly. The scammer likely knows that if the person steps back, takes time to think, or—better yet—talks to someone else about it, they will notice inconsistencies and realize something is wrong,” said Butkevičiūtė-Astrauskienė.
The amount IGP lost is confirmed by records from a leaked database internally referred to as Predator, which the alleged scammers used to track victim details, including names, contacts, deposits, last successful call, IP address, and last online status. IGP was just one among 26,810 people tracked by the alleged scammers.
“Once I realized that it was all a scam, which is also difficult to assume, I went to the police and reported it,” she said. This was December 2023, just two months after she clicked on the ad with the Spanish TV host.
IGP said the police told her that as a professional she doesn’t fit the profile of someone who would get swindled, but reporters have found victims of all backgrounds, including a surgeon, a former police officer, and a retired accountant.
The police also told IGP that there didn’t appear to be a natural person for them to go after, but they’re investigating the Binance account that the alleged scammers had her open, which appears to still be in use.
A Binance spokesperson told reporters that the cryptocurrency platform responded to nearly 65,000 law enforcement requests in 2024, preventing $4.2 billion in potential losses for 2.8 million users from scams and frauds.
“We work hard to keep bad actors off our platform, including extensive KYC requirements for all users. We also use sophisticated internal and third party tools to spot illicit activity. When we learn of illicit behavior, we intervene and take appropriate action, including freezing funds and working with law enforcement to return funds to their rightful owner,” the spokesperson said over email.
But IGP says she hasn’t recovered any losses.
“I try not to talk too much about it, not to remember it too much, because it doesn’t feel good,” said IGP, adding that she is currently on sick leave and disability.
“Cyprus HQ”
It’s unclear where Alvaro Enrique Alvarez, IGP’s “broker,” was actually calling from, as the call centers use Voice over IP services that enable callers to disguise and even spoof numbers.
But leaked payroll spreadsheets and Telegram messages between staff members indicate there was a “Cyprus HQ” and a call centre nicknamed “Tesla,” which was likely located at the Victory House building in Limassol until at least mid-2024.
Expense records listed some €5,500 in relocation costs for “Moving of office from CY to Sofia” during that period. The call center is now believed to be operating from Bulgaria.
Economist Michalis Florendiades says that firms operating as call centres “should be under particularly close scrutiny because it is relatively easy for an experienced and well-trained call centre operator to manipulate and take advantage of an unsuspecting member of the public.” He added that call center conversations should be recorded and stored, so they can be inspected by regulators in the case of a complaint.
Leaked records also listed payments for utilities to a director of a Cypriot company, Erynnis Limited, which was registered in December 2023.
Creative Alliance was registered in Curacao in 2022, with a Cypriot national Theano Andreou as director. Leaked materials also identify her as the beneficial owner. Andreou could not be reached for comment.
According to expense records, the network spent €40,000 on a Curacao license to operate the online betting brand Betplays, €29,000 on affiliate marketer, and paid a monthly payroll of €70,000 in 2022.
Creative Alliance is now licensed in Anjouan, a tiny island in the southwestern Indian Ocean. Betplays has been blacklisted by authorities in Greece, Cyprus and Romania, and the brand has been the subject of many complaints online players claiming to have been scammed, and being unable to withdraw their deposits or winnings.
Another Cypriot company called Prorole Enterprises Limited, received at least €127,000 in 2023 and 2024 from North Macedonian companies operated by the network, according to leaked financial records. Prorole was set up in 2016 by Keith Ioakim, a South African with a track record of working for Cypriot trading firms that had been fined or banned by the Cyprus Securities and Exchanges Commission (SEC). In July 2021, he transferred ownership of Prorole to his Cypriot wife.
When contacted by reporters, Ioakim confirmed that Prorole had provided the companies with services related to obtaining South African financial licenses for operating trading platforms (two of the platforms were licensed in South Africa). He claimed that Prorole received a total of €202,552 from the companies, but denied any involvement in or knowledge of Prorole’s clients operations or links to fraudulent investment platforms. Ioakim also claimed that the firms he previously worked for were charged and fined for offences that happened prior to or after his employment and that he had never been personally charged or convicted of any crime.
None of the companies in the leak were licensed by CySEC, however multiple individuals connected to the network had previously worked for companies that had faced administrative fines from CySEC, and in some cases faced criminal investigations.
The regulator’s former chairman, Georgios Charalambous, told CIReN that problems in Cyprus’ financial sector can mainly be attributed to ineffective supervision. CySEC, he said, should stick to its supervision role rather be seen as a business development agency involved in promotional activities, or operating in a system of relaxed controls in order to attract foreign business.
Among CySEC’s duties is to provide appropriate protections for uninformed investors by ensuring those that participate in these markets appropriately explain the risks of such investments to their customers and don’t carry out aggressive marketing techniques or cold calling, he added.
Another former chairman, Marios Clerides, told CIReN that it is increasingly difficult to monitor activities of financial firms due to the increase in online scam networks using fake websites and credentials, adding that differences in priorities of specific countries’ regulators and law enforcement authorities cause additional difficulties in completing successful cross-border investigations.
In an emailed statement, a CySEC spokesperson told CIReN that the regulator “takes allegations of fraud, within the investment firms it supervises, extremely seriously.”
“We collaborate closely with other regulators and exchange data and information regarding market participants” the spokesperson said, adding that CySEC “takes responsibility for carrying out investigations under the law and has close collaboration with other competent authorities in Cyprus and abroad.,” the spokesperson added.
CySEC did not comment on the Cypriot entities identified by reporters.