Turkish banking customers are currently experiencing an extensive and rapidly growing fraud operation. This campaign is built on fraudulent websites and deceptive social media ads, targeting unsuspecting individuals for their personal credentials and financial information.
Escalating Phishing Operations
Criminals are exploiting well-known financial brands to carry out scams, including credential theft and fake loan offers, with the intent of quickly siphoning money from victims. A staggering number of over 8,400 phishing domains have been identified, targeting Turkish banks with malicious intent.
Within a single month, over 6,600 scam ads were displayed on Facebook and Instagram, offering multiple opportunities for criminals to reach potential victims before these ads were removed. The fraud operation is characterized by its scale and the speed at which it is executed.
Group-IB’s Findings on Scam Networks
Analysts from Group-IB uncovered five interconnected schemes impersonating numerous Turkish banks, utilizing various channels to reach victims. These campaigns are not isolated incidents but part of a cohesive criminal network.
The report, shared with Cyber Security News (CSN), highlights that these scams have been active from November 2025 to April 2026, with origins as far back as August 2023. Over 23,000 complaints have been recorded, indicating significant financial and psychological impact on the Turkish population.
The Mechanics Behind Phishing and Scam Ads
The fraudulent infrastructure has been designed to mimic legitimate banking and governmental online services. Phishing domains were used to capture sensitive information such as login credentials, card details, and personal identification numbers.
A commercially available phishing kit, costing approximately $250, was instrumental in supporting these fraudulent activities. This kit enabled the creation of more than 6,700 domains that pretended to be government services, significantly lowering the entry barrier for cybercriminals.
Multiple campaign clusters used the same infrastructure, suggesting collaboration among different criminal groups. This setup allowed for rapid deployment of new phishing sites as older ones were blocked or removed.
Social Media’s Role in Scam Propagation
Social media platforms, particularly Facebook and Instagram, have been heavily utilized in these scams, with over 80 percent of activities occurring there. Scam ads could be posted and removed within 30 minutes, complicating efforts to track and shut them down.
Once victims’ credentials or funds were obtained, the criminals engaged in laundering activities. Advertisements recruited individuals willing to ‘rent’ their bank accounts for 30,000 to 50,000 Turkish lira, establishing a network for money laundering.
Stolen funds were dispersed across multiple accounts and eventually converted into cryptocurrency, with some involved individuals facing up to 10 years in prison, according to court records.
Protective Measures and Future Implications
Consumers are advised to be cautious of unsolicited loan offers, urgent banking requests, and ads leading to unfamiliar websites. It is safest to use official banking apps or manually entered web addresses and verify any offers directly with banks.
Financial institutions must remain vigilant against brand impersonation and swiftly changing ad campaigns, while ensuring rapid reporting and customer alerts to mitigate the impact of these fraudulent activities.
To enhance security measures, tools like ANY.RUN Threat Intelligence Feeds can be employed to automate threat detection and improve response efficiency.
