Cybersecurity firm Group-IB has uncovered a sprawling phishing operation using more than 8,400 malicious domains to impersonate Turkish banks and government services, tracking activity between November 2025 and April 2026 across five connected scam schemes. The investigation found the campaigns were not isolated phishing attempts but functioned as a coordinated criminal value chain, spanning victim acquisition, credential theft and money laundering through cryptocurrency exchanges.
A Meta Advertising Blitz Built to Vanish
More than 80 percent of the observed scam activity was distributed through Facebook and Instagram, where threat actors used Meta advertisements to push victims toward fraudulent banking, investment, loan, gambling and government-service pages. The advertisements were deliberately short-lived, sometimes active for only 30 minutes before operators removed or replaced them, a rotation speed that made conventional ad-review and takedown processes largely ineffective against the campaign.
The underlying phishing infrastructure moved just as quickly, changing on a roughly weekly basis and allowing operators to shift entire campaigns between domains while retaining the same templates, credential-collection panels and backend services. This combination, fast-rotating ads paired with fast-rotating domains, meant that by the time any single advertisement or website was reported and removed, the operation had typically already moved on to its next iteration.
A $250 Phishing Kit and a Fragmented Mule Network
A major component of the operation relied on commercially sold phishing kits rather than custom-built infrastructure. Group-IB found that one kit, advertised in underground channels for roughly $250, was used to support more than 6,700 domains impersonating Turkey’s e-Devlet government services portal alongside a broad range of Turkish banks, illustrating how a relatively cheap, off-the-shelf tool can scale into thousands of fraudulent websites in the hands of an organised network.
The laundering phase began with recruitment advertisements offering Turkish citizens between 30,000 and 50,000 lira, roughly ₹67,000 to ₹1.1 lakh, for “renting” out their bank accounts or IBANs, the now-familiar money mule model that has become central to cyber fraud economies well beyond Turkey. Operators then fragmented stolen transfers across groups of three to five accounts, complicating tracing efforts and reducing the odds that any single mule account would expose the full flow of funds, before moving the money through cryptocurrency exchanges for final conversion and onward transfer. Court records reviewed in the investigation show participants in these mule networks can face prison sentences of up to ten years in Turkey, though recruitment campaigns continue targeting people seeking quick income by presenting account rental as a low-risk or even legitimate arrangement.
A Pattern With Clear Parallels Elsewhere
The investigation drew on Group-IB’s Digital Risk Protection platform, CERT-GIB threat intelligence, Meta Ad Library analysis, phishing-kit technical analysis, honeypot domain registrations, Turkish court records, and more than 23,000 complaints published on the consumer platform Şikayetvar. Reported individual victim losses reached as high as $16,000, roughly ₹13.4 lakh, in some cases.
The structure Group-IB describes, short-lived social media ads funnelling victims to cloned banking portals, followed by mule accounts recruited through “easy income” offers and cryptocurrency-based cash-out, closely mirrors patterns Indian cyber cells have documented repeatedly in mule account and phishing investigations over the past year, from Gujarat’s Operation Mule Hunt to Uttar Pradesh’s Cy-Vajra campaign. Group-IB’s researchers said Turkish banks now need to monitor scam advertisements, phishing domains, cloned mobile and web interfaces, mule-account recruitment and cryptocurrency cash-out patterns as parts of a single connected threat model, rather than as separate, unrelated problems. Customers were advised to avoid banking links delivered through advertisements or unsolicited messages, verify domains carefully before entering credentials, and never provide bank accounts for third-party payments, guidance that applies just as directly to users navigating the same fraud template in India and elsewhere.
