SMS Blaster Ring Busted in Greece After Mobile Banking Phishing Attacks

Greek authorities have dismantled a sophisticated fraud operation that used portable fake cell towers to conduct mass phishing attacks against mobile banking users, revealing how cybercriminals are exploiting fundamental vulnerabilities in mobile networks to steal financial credentials.

The Northeast Attica Crime Investigation and Detection Sub-Directorate announced the arrest of two foreign nationals, aged 29 and 31, on January 15, 2026, in the Athens suburb of Spata. The suspects face multiple charges including forgery of documents, fraud, and repeated illegal access to information systems as part of an organized criminal group.

Background and Context

The case highlights the growing global threat of "SMS blaster" technology—portable devices that mimic legitimate mobile base stations to intercept communications and broadcast messages without going through telecommunications providers. These tools have become increasingly favored by sophisticated fraud rings seeking to bypass carrier security filters and deliver phishing messages directly to victims' devices.

Such attacks exploit the architectural design of mobile networks, where phones automatically connect to the strongest available signal. Criminals leverage this behavior by creating fake base stations that force nearby smartphones to connect to them instead of legitimate towers.

Key Figures and Entities

The investigation began when police conducted a routine check in Spata and discovered the suspects were presenting fake identification documents. According to the police announcement, a search of their modified vehicle revealed a sophisticated mobile operation center with a portable computer system connected to a roof-mounted "shark fin" antenna designed to replicate legitimate cellular infrastructure.

Alongside the blaster equipment, authorities seized five mobile phones and the vehicle itself. The arrested men were subsequently brought before a prosecutor for formal charging. The Northeast Attica Crime Investigation and Detection Sub-Directorate led the operation, continuing to investigate potential additional victims and accomplices.

Legal and Financial Mechanisms

The SMS blaster operation functioned by creating counterfeit mobile base stations that forced nearby smartphones to downgrade from secure 4G/5G networks to the less secure 2G standard. This network downgrade exploited well-documented vulnerabilities that allowed the attackers to capture subscriber identification data, including phone numbers, without alerting users.

Once they obtained this information, the criminals sent mass phishing SMS messages impersonating banks, courier services, and other trusted entities. These messages contained malicious links that directed victims to fake login pages where they entered banking credentials, card details, and passwords. The stolen information was then used to make unauthorized purchases and transfer funds from victims' accounts.

The preliminary investigation has confirmed at least three fraud cases in Maroussi, Spata, and central Athens, with financial losses reaching thousands of euros. Authorities described the operation as professional and ongoing, suggesting the scale of the criminal enterprise may be larger than currently documented.

International Implications and Policy Response

The Greek case represents part of a broader pattern of cybercriminals using IMSI catchers—devices more commonly associated with government surveillance—for financial fraud. The accessibility of this technology, combined with the fundamental design vulnerabilities in mobile networks, creates significant challenges for telecommunications regulators and law enforcement worldwide.

Security experts recommend that mobile users disable 2G connectivity on their devices where possible and maintain vigilance against unsolicited messages requesting personal or financial information, regardless of the apparent sender. The incident underscores the need for enhanced mobile network security standards and international cooperation to combat cross-border digital fraud operations that exploit telecommunications infrastructure.

Sources

This report draws on the official announcement from the Northeast Attica Crime Investigation and Detection Sub-Directorate regarding the January 15, 2026 operation in Spata, Greece.