After a three-year investigation, law enforcement in nine countries has dismantled a global credit card theft scheme. The operation, codenamed “Chargeback,” led to 18 arrests, 60 searches and the identification of 4.3 million victims in 193 countries. The losses exceed €300 million ($344 million).
Europol said the fraudsters operated from 2016 to 2021, using stolen credit card details to create more than 19 million fake subscriptions to websites purporting to offer dating, streaming video or pornographic content.
Most of the sites were not indexed by search engines and could only be accessed via direct links. Payments of up to €50 appeared legitimate, and the descriptions on the statements were masked to avoid arousing suspicion.
The investigation was led by the German Federal Criminal Police (BKA) and the prosecutor’s office, with support from Europol, the US, Canada, Singapore, Italy, the Netherlands and other countries. The suspects include German financial service providers, risk managers and senior executives who allowed the fraudsters to process fictitious payments through their systems.
Investigators froze assets worth €35 million and estimated the scale of the attempted losses at more than €750 million ($861 million). According to Europol, to hide their tracks, the perpetrators created dozens of shell companies in the UK and Cyprus, which distributed transactions between different legal entities to avoid detection.
Operation Chargeback is further evidence of the effectiveness of international coordination in combating “crime-as-a-service” schemes, where the IT infrastructure of the crime is sold or rented as a service. The participants in the scheme not only stole data, but also offered intermediaries platforms for money laundering through shell companies.
Europol highlighted that criminals skillfully exploited weaknesses in payment systems and transaction checks, as well as the fact that small payments under €50 are often not subject to automatic checks. Europol management noted: “Thanks to analytical tools and international cooperation, we managed to dismantle a network that was defrauding millions of bank card users around the world.”
This case is a reminder: fraudsters are moving from crude attacks to long-term business models that work for years. For users, it is a call to regularly check bank statements, block small unknown payments and use cost control tools. For states, it is a signal to strengthen the audit of fintech companies and interstate cooperation in cyberspace.
