Authorities have uncovered that credit card data from consumers across 193 countries has been used to steal over an estimated $347m.
Remember when fraud used to mean a badly written email from a so-called Nigerian prince promising a share of his family’s diamond fortune? Those scams, which can be traced back to the 19-century, relied on correct grammar, misplaced trust and the occasional stroke of luck.
Unfortunately, in today’s world the modern scam is no longer a chancer behind a laptop but a global operation with layers of data, shell companies, and insiders embedded deep inside the financial system.
Europol highlighted this evolution of money fraud last week, with Operation Chargeback. The investigation exposed three criminal networks which allegedly tried to steal more than $860m, spanning across three continents and the payments industry itself.
On November 4, 2025, authorities across 10 countries launched coordinated raids under Europol’s direction. More than 60 properties were searched and five arrests were made in Germany alone, involving employees of major payment service providers.
Across the US, Canada, Singapore, Luxembourg, Cyprus, Spain, Italy and the Netherlands, investigators seized cryptocurrencies, luxury vehicles, data servers and $40m in assets.
A long way from diamond mines
Between 2016 and 2021, investigators say the networks created millions of fake subscriptions on purpose-built websites, spanning adult, dating, and streaming fronts which you could only reach by a direct link.
Charges were deliberately small, typically under €50 ($57) and hidden behind billing descriptions so cardholders would struggle to notice or contest them. This low-value, high-volume approach made the scheme hard to spot, with card issuers finding it easier to flag big spikes, not hundreds of tiny transactions spread across thousands of cards.
What really made the scam surgical, however, was access to the plumbing. Prosecutors allege insiders at several German payment providers allowed the fraudsters to route payments through legitimate processing channels in return for fees.
Inside access enabled the criminals to push fraudulent flows over regulated rails, giving them time and space to cash out while appearing to be ordinary merchant activity.
The networks masked any trail via shell companies registered in the UK and Cyprus, complete with fake directors and synthetic know-your-customer (KYC) documents purchased from crime-as-a-service brokers.
These front firms soaked up payments across multiple merchant accounts so chargebacks were diluted and detection delayed. By the time issuers and cardholders raised alarms, hundreds of thousands of transactions had already been authorised.
A wake-up call for payments compliance
This case should be a red flag for anyone who thinks fraud is solved by customer education or reimbursement rules.
In the UK, recent debate has centred on authorised push payment (APP) scams and the Payment Systems Regulator (PSR)’s reimbursement rule, which made sending and receiving firms share liability 50:50.
While the reform has shifted costs and encouraged banks and fintechs to bolster controls, the Operation Chargeback proves reimbursing victims is only part of the answer. When fraud runs through legitimate merchants and regulated processors, liability rules do nothing to stop the initial theft – a common criticism of the PSR’s rule last year.
It’s equally not about deterring fraudsters from committing the crimes either. Thailand’s recent punishments for scammers made headlines last week, but such measures have little reach when the criminal network spans jurisdictions and hides behind shell companies and crypto.
The lesson from Operation Chargeback should be that fraudsters have stopped trying to convince victims to send and have realised the most efficient theft is one that removes human behaviour from the equation and exploits weaknesses in the rails themselves.