Turkey’s financial sector is currently grappling with an unprecedented surge in sophisticated digital fraud, as a sprawling criminal network exploits trust in major banking institutions. According to a comprehensive investigation by Group-IB, this campaign is not a series of isolated incidents but a highly interconnected criminal machine. By leveraging more than 8,400 phishing domains and thousands of deceptive social media advertisements, attackers have successfully targeted tens of thousands of Turkish customers, resulting in over 23,000 formal complaints of financial theft and data compromise.
The scale of this operation is facilitated by the low cost and high accessibility of specialized criminal tools. The investigation revealed that a single, commercially distributed “phishing kit” is responsible for the majority of the attacks, powering over 6,700 domains that impersonate government portals and major banks. Available on underground markets for roughly $250, these kits allow even low-level cybercriminals to launch professional-grade scams with ease. By rotating these domains rapidly, the attackers ensure that their infrastructure remains elusive, quickly springing up new pages as soon as existing ones are identified and shuttered by security teams.
Social media platforms have become the primary battleground for these fraudsters, with Facebook and Instagram hosting over 6,600 identified scam advertisements in a single month. These ads serve as high-speed funnels, redirecting users within seconds to phishing sites designed to harvest banking credentials, credit card details, and one-time verification codes. Often disguised as legitimate loan offers, these advertisements prey on citizens seeking quick credit, creating a sense of urgency that causes victims to bypass standard security checks and hand over sensitive financial information directly to the perpetrators.
The sophistication of the operation extends well beyond the initial theft, incorporating a complex laundering chain that relies on a network of “money mules.” Fraudsters actively recruit individuals through social media, offering them substantial payments of up to 50,000 Turkish lira to “rent” their personal bank accounts. Once victims’ funds are funneled through these accounts, the criminals disperse the money across several intermediaries before converting it into untraceable cryptocurrency. This organized structure has proven so robust that it has led to significant legal consequences, with authorities handing down prison sentences of up to 10 years for those participating in the laundering process.
This ongoing crisis highlights a critical need for enhanced vigilance among both financial institutions and their customers. The report emphasizes that the primary defense remains user awareness: individuals are urged to ignore unsolicited loan offers, manually type banking URLs instead of clicking links, and never share verification codes with third parties. Simultaneously, researchers suggest that banks and social media platforms must improve their collaboration to expedite the takedown of impersonated brand profiles. Without faster reporting mechanisms and coordinated responses, the rapidly shifting nature of these campaigns will continue to challenge existing detection capabilities.
As this criminal ecosystem continues to evolve, security experts are calling for more automated, intelligence-driven defenses. By utilizing threat intelligence feeds—such as those from ANY.RUN—security teams can better monitor for brand impersonation and detect emerging phishing clusters before they reach the public. Ultimately, the battle against this widespread fraud requires a multi-layered approach that bridges the gap between individual user education, corporate brand protection, and aggressive law enforcement to dismantle the infrastructure that fuels these highly profitable criminal enterprises.

