Threat Intelligence Report

Fake Investment Scams.
The Scheme and the Criminal Infrastructure.

How the scheme works and who runs it. A full CTI analysis from ad to call center: how criminal corporations operate and scale across Europe.

The first comprehensive report of its kind on the European market, by RIFFSEC threat intelligence experts alongside cybersecurity and financial investment specialists.

Authors: Agata Ślusarek & Adam Lange · riffsec.com
Download the report in Polish | Download in English (coming soon)

Attack model

5 stages of the criminal scheme.

The report breaks down each stage, from the first ad click to the "recovery" of stolen funds.

01. Ad campaign: Deepfakes, stolen identities, Facebook / TikTok / Google Ads
02. Pre-landing page: Fake articles, AI-generated "employees", comment templates
03. Data form: Name, phone, email, enough to start full financial manipulation
04. Criminal call center: Scripts, TeamViewer, fake platform with 2FA, psychological manipulation
05. Recovery scam: Promise of fund recovery, and the same scheme starts again

What's inside

Intelligence straight from the criminal world.

The report draws on CTI data collected directly from criminal group channels, the dark web and closed Telegram groups, with translations and analytical commentary.

For analysts & SOC teams: The report includes screenshots from criminal channels, deepfake ad examples and translated internal messages and job listings, as analytical material for recognising attack patterns.
Threat Intel
Anatomy of a lead corporation
How a criminal firm selling victim data operates: structure, subscription CRM, job listings with requirements and benefits. Screenshots from criminal channels with translations.
OSINT
Inside the criminal call center
Hierarchy, shifts, Pizza Day for the top team, paid sick leave, career paths. Criminal group job ads and what they reveal about the scale of the operation.
AI Threats
Deepfake evolution in attacks
Real deepfake examples from campaigns, with quality improving month by month. Analysis of multi-language production scale and targeting across age groups.
RMM Abuse
Abuse of legitimate tools
TeamViewer, AnyDesk, WhatsApp screen share: how criminals take control of victims' devices. Context from CISA and FBI warnings on RMM tool abuse.
CaaS / Dark Web
The lead sales market
Crime-as-a-Service in practice: listings of victim data packages from multiple markets, real-time subscription CRM, lead quality "complaints" and technical support between criminals.
Legal
Legal aspects & DSA
Art. 286, 267, 279, 299 of the Polish Criminal Code: how to classify the crime, DSA and its Polish implementation, platform liability. Commentary by Prof. Agnieszka Gryszczyńska, UKSW.

Free download

Report available in two languages.

47 pages of CTI analysis with evidence material, expert commentary and practical knowledge for security teams, fraud analysts and legal professionals.

Download the report in Polish | Download in English (coming soon)