Inside the €2M Cross-Border Vishing Operation That Targeted EU Citizens
When a Latvian pensioner picked up a call from what appeared to be the State Police, the voice on the other end knew her bank, her account, and exactly what to say to make her afraid — because the people on the other end of the line had done this hundreds of times before.
Latvian and Ukrainian law enforcement agencies have now announced the dismantling of an organized criminal network that used vishing — voice-based phishing where callers impersonate trusted authorities — to defraud citizens across the European Union. The joint operation has exposed the full machinery of a modern social engineering fraud, including call center operators in Ukraine, money mules across Latvia, and illicit cryptocurrency exchangers laundering the proceeds through Riga.
Background and Context
Vishing is a variant of phishing that exploits trust in authority figures — police officers or bank staff — rather than technical vulnerabilities. The Latvian State Police Cybercrime Unit, which consolidated 35 separate criminal cases involving fraud committed in 2023 and 2024, estimates the network defrauded residents of approximately €2 million. The attack surface in this case was entirely human, bypassing traditional cybersecurity defenses by manipulating victims into granting access to their own devices.
Key Figures and Entities
Investigators identified more than 170 money mules — people used to receive and move stolen funds — of whom 90 have been designated as suspects. According to the Cyber Police Department of the National Police of Ukraine, two Ukrainian nationals from Ivano-Frankivsk in their early 20s traveled to Latvia to recruit local individuals. These recruits opened bank accounts across European countries and transferred control of their cards to the criminal group for a small fee. Thirteen call center operators have been detained, including Latvian-speaking participants.
Legal and Financial Mechanisms
The operational playbook was precise and repeatable. Callers impersonated Latvian State Police officers and bank employees, informing victims that loans had been fraudulently taken out in their names. To "help expose the fraudsters," victims were instructed to install AnyDesk, a legitimate remote desktop access tool, granting operators full visual and interactive access to their devices. The stolen funds were then moved through "drop accounts" and converted into digital assets by unlicensed cryptocurrency exchangers in Riga. One such exchanger received a custodial sentence exceeding six years.
International Implications and Policy Response
The operation fits a well-documented regional pattern of cross-border crime. Europol’s liaison officers coordinated the information exchange, highlighting how recruitment networks span multiple EU states. The group’s leader was apprehended in Germany in 2024 and subsequently convicted in Estonia. Following cross-border coordination with Eurojust, two members who fled to Ukraine were detained in Ivano-Frankivsk on March 12, 2026. Assets subject to financial restraint in Latvia currently total €829,650.
Sources
This report draws on statements from the Latvian State Police, the Cyber Police Department of the National Police of Ukraine, and public records regarding enforcement actions by Europol and Eurojust.
