Huge Ecosystem of Unregulated Payment Providers Helps Scammers Collect Victims’ Money

“Liliana Molina” was a scammer based in a call center in Tbilisi. Over the course of a few weeks in March and April 2024, she had spent hours on the phone with “Mark,” a cheerful British tradesman, convincing him to invest in what she insisted were can’t-lose cryptocurrency and stock opportunities. “If … you do what I say, believe me, we’re going to be very profitable,” she told him. Finally, he agreed. 

Payment needed to be arranged quickly. Liliana loaded up the messaging service Telegram and fired off a request to her call center’s finance department: “I need UK details for 7k please,” she wrote.

Within minutes, she received an invoice addressed to Mark, requesting payment of the 7,000 British pounds to a Bulgarian company with an account at the digital bank Revolut. Liliana forwarded it to Mark, and he sent the money. 

Mark — a pseudonym, since he did not want people in his life to know he had been scammed — says he eventually lost at least 25,000 British pounds (about $32,000 at today’s rates) to the scam. He wasn’t alone. 

Liliana and her colleagues raked in a total of over $35 million between 2022 and 2025, OCCRP and media partners around the world have discovered after receiving an unprecedented new leak of documents and audio files from inside their call center. A similar but larger operation based in Israel and Europe took in $240 million. 

But as Mark and Liliana’s interaction shows, pulling off a successful scam requires help moving money out of customers’ bank accounts, often at large commercial banks with anti-fraud controls. The call centers try to set themselves up for success by instructing their victims to open accounts at digital banks they think will be less tough on policing fraud. Then, to receive funds, scammers get help from an array of what they refer to internally as “payment service providers.” 

In a normal business setting, payment service providers are regulated financial companies that help legitimate firms receive electronic payments from their clients by providing links to the global banking system. 

Within the leaked Scam Empire records, we found the dark side of this business: A huge, shadowy ecosystem of unregulated payment service providers and other systems that used accounts at major banks held by proxy-owned companies to move money around the world, quickly and without detection. 

Financial documents from the leak show these underground payment systems named among hundreds of providers — which also included cryptocurrency exchanges, wire transfer companies, and others — in spreadsheets tracking victim payments.

Leaked screenshots from within the centers show them in constant communication with an army of payment providers, usually through Telegram. After reaching out to a provider with the name and nationality of a victim and the amount that needed to be sent, they would quickly receive the details of a bank account to send it to.

Some of these providers appeared to specialize in certain countries, like ones called Britain Local, Australia Local, and Canada EasyWires. Others had more generic names, like Anywires and Bankio. Most of those examined by reporters did not appear to correspond to real legal entities. Internal call-center documents show the providers charged fees of 10 to 17 percent — significantly more than a legitimate mainstream payment service. (By contrast, PayPal charges a 5 percent fee for international transfers.)

New service providers frequently popped up on encrypted chat apps like Telegram to pitch the call centers with promotional material laying out various “solutions” for moving money. But they also went out of service frequently, with providers warning the call centers to stop sending money through a particular “solution.” 

Kathryn Westmore, who leads the Royal United Services Institute’s (RUSI’s) work on financial crime policy, said it was common to see such services catering to drug smugglers, but less common “in the fraud space,” and experts still do not know a great deal about how they operate.

But Helena Wood, the head of public policy at Cifas, a fraud prevention organization in the U.K., said the payment service providers appeared to be allowing the scammers to essentially outsource their financial operations.

“This is basically a money laundering service for all intents and purposes,” Wood told OCCRP. 

Invoices and Bank Accounts on Demand

Once Liliana sent Mark the fake invoice, he sent the funds to the Bulgarian Revolut account the same day. (Revolut declined to answer specific questions about his case, citing customer confidentiality and data protection.)

“Thinking about it now, it’s so stupid of me, but I was transferring money to random accounts,” he said. 

Mark had initially been skeptical, but was ultimately convinced by the version of reality spun up by his scammer, in which he was shown a fake website that made it look like his money was being carefully invested for what Liliana said were “guaranteed profits.” 

“On the platform it all looks real, do you know what I mean? I was making good money.”

But behind the scenes, the invoice he received had been fabricated by a payment service provider called Bankio.

Leaked internal chats give an inside look at what was happening at the call center as Liliana tried to find a way for him to send the money:

All of this happened within the space of just nine minutes. 

Bankio has a rudimentary website, as well as branded documents it distributed to call centers. (One handout, setting out its “workflow,” explains that it will “choose the best available bank according to the amount and client’s country,” receive payment, then send on the money after it is paid for its services via a “settlement report.”)

But despite this branding, there is no corporate entity registered under the name Bankio, and reporters could not determine who was behind it.

Evidence from the leak strongly suggests it is connected to a similar service provider, Anywires, which was widely used by the Israeli/European operation. Internal documents show the operation referring to Bankio and Anywires interchangeably, and they shared a U.K. cell phone number and street address in Edinburgh, the Scottish capital. 

Between them, Bankio and Anywires provided details for dozens of proxy companies in European countries like Estonia, Hungary, Bulgaria and the U.K.

Until last month Anywires had a professional-looking website, on which it claimed to partner with Revolut and Wise, among others. (Revolut said it had never contracted with Anywires and that it was using Revolut’s logo without permission. It said it sent a cease and desist letter, after which Anywires’ website was taken offline. Wise said it had never engaged in any business partnership with Anywires.)

Anywires’ website also listed a contact address in the suburbs of Riga, Latvia’s capital, but it led only to a first-floor apartment of a tired-looking Soviet-era apartment block. A reporter visited twice to knock on the door, but no one answered.

Leaked promotional materials link Anywires to a now-liquidated Latvian company previously registered at that address: SIA VNV Group, officially claiming to operate in sales. VNV Group’s sole shareholder before its liquidation, Estonian Sergei Sidorenko, told Delfi Estonia he had never heard of Anywires. He said VNV Group never did any business and did not even have a bank account.

There was no response to questions sent to a contact address for Anywires found in the leaked materials. A U.K. cell phone number previously advertised by both Anywires and Bankio no longer operates.

A System Moving Money Out of Spain

The year before Mark was convinced to wire his life savings to Liliana, a Spanish doctor was making a similar decision 1,500 kilometers to the south. 

Dr. M, who asked to be referred to only by his last initial, is a prominent vascular specialist who runs his own clinic in Barcelona. In early 2023, after a series of phone conversations, he became convinced by two scam callers based in Bulgaria that there was a fortune to be made in oil and gas investments. “I had some savings there that were ‘doing nothing’, and I wanted to put it to work to see if I could make some profit,” he told OCCRP and its Spanish partner, InfoLibre. 

He agreed to send nearly 1 million euros to a Swiss brokerage, broken up into smaller payments. Or at least that’s what he thought. 

The scammers’ internal documents reveal a different reality: many of Dr. M’s payments went straight to a shell company, part of a payment system referred to internally as “LWires,” which involved at least 13 different companies and 18 bank accounts during the time period examined by OCCRP. 

Five of these accounts which were held at the country’s biggest bank, Santander, and another five at the second-biggest, BBVA. (Santander declined to comment on individual cases but said it was “confident that we have met our obligations as a responsible financial institution.” BBVA also declined to comment on specific cases, but said it had many control measures in place to prevent its services from being used for illicit activity.)

LWires moved more than 4.9 million euros (around $5.4 million) from 600 people who sent money to the Israeli/European call center operation in the space of less than two years, between January 2023 and November 2024.The Scam Empire leak contains bank account statements for a subset of the companies that made up the “LWires” system, giving us unusual insight into how it worked. Here’s how:

In other cases, funds were sent back and forth between the LWires firms in such complex ways that it was impossible to trace all of it to an end point.

Repeated attempts to reach Selterico and Greencode Connection for comment, or to speak to their on-paper owners, were unsuccessful.

‘Come and Take My Blood and Sell It’

While LWires moved money around the world through multiple layers of companies, another service provider, Britain Local, appears to have connected the scammers directly to British bank accounts through companies owned by at least five U.K. residents acting as proxies. These people all owned companies that held accounts at major U.K. banks, including HSBC and Lloyds.

Britain Local has no online presence, and reporters were unable to determine if it corresponded to a real-world company, or to identify who controlled the system. However, Britain Local earned a 13-percent commission for the money it processed — at least $650,000 between September 2023, when it appears to have started working with the Israeli/European scam operation, and May 2024.

The scammers would reach out to a Telegram chat group called “Britain Local Solution” with information about their victim and how much they wanted to send, and would be provided with bank account information. 

Nigel Sizer, 74, owns two companies registered at a residential address in Nottingham whose bank account details were sent to scammers on the Britain Local Telegram chat.

These two companies, Penta Pacific Group Limited and NRG Applied Sciences Limited, were both registered as wholesale trading firms — but they received thousands of pounds in wire transfers from victims of the scam call center operation who believed they were making investments through trading platforms with names like Equitiz, Equistak, and Saturn4u, according to internal spreadsheets and banking records. (All three of these supposed platforms are now subject to warning notices from the U.K.’s Financial Conduct Authority.)

One of these victims, a U.K.-based woman who lost around 250,000 euros to the Equitiz platform, said she was directed in December 2023 to send 25,000 British pounds payment to the bank account of one of Sizer’s companies in order to “unblock” her account — a frequent tactic of the scammers.

Desperate to regain access to the money she had already sent the scammers, she and her husband tried to pay these supposed “unblocking” fees in 5,000-pound tranches. After the first payment went through, the bank blocked subsequent transfers, so her "senior account manager" at the scam call center emailed her three invoices she could use to explain the payments — supposedly for the purchase of construction materials.

When this didn't work, she was given other bank accounts in which to make deposits, sending a further 22,000 pounds in the following weeks, but the scammers never released her funds. Instead, they kept asking her to send more money. 

Finally, she said, she couldn’t take any more.

“Just come and take my blood and sell it, because that is all I have left in my body now. You have taken everything off me,” she recalled telling her scammer. The woman reported the matter to police, but later received a letter saying that they would not proceed with an investigation.

Asked about this victim’s case and what had happened to her money, Sizer said, “I really don’t believe any of that money from those invoices actually came to my account.”

“I sincerely hope that the lady you mentioned can recover all her funds,” he added.

In another case in December 2023, a victim who also believed they were investing via Equitiz received an invoice from the Israeli/European operation asking for payment of 2,850 British pounds to Sizer’s company’s HSBC account, ostensibly for copper cathodes, a widely traded commodity. 

A leaked wire transfer record shows the victim transferred funds to the company’s account three days after the date of the invoice.

Sizer told OCCRP that he had nothing to do with the scam call centers, and that his company had been involved in a copper cathodes deal that ultimately collapsed.

He said he had been introduced to an Israeli man he knew only as “John,” who sent him the names and addresses of people he understood to be investors in the deal. Sizer said he prepared invoices addressed to those individuals and sent them to “John” via WhatsApp. 

He told reporters all invoices his company prepared were for copper cathode investments, and that he believed that any invoices itemizing construction materials had been doctored “for scamming purposes.” However, he said he couldn’t provide any documentation of this, because he had lost his laptop containing copies of the invoices. He also said that “John” had unilaterally deleted their WhatsApp chat. He provided no evidence of the purported copper deal.  

It's unclear whether the accounts associated with Sizer used by Britain Local are still active — Sizer told reporters that police had secured a court order over the account and forced him to forfeit 34,000 British pounds, but he did not provide corroboration. HSBC declined to comment, but said that it actively looks for “unusual activity and take[s] appropriate and timely action when customer accounts are being used to facilitate financial crime.”

Money Moving Through U.K. Accounts Should Have Been 'Red Flag'

Another apparent proxy for Britain Local was Timothy Griffiths, a 70-year-old Englishman who owns a company called Giricon Limited. 

Griffiths insists he has nothing to do with investment scams, but a December 2023 bank statement for Giricon shows how it received thousands of pounds from several people who believed they were investing via trading platforms that are now blacklisted by the U.K.’s Financial Conduct Authority. Soon after the funds arrived in Giricon’s accounts, they were sent to another U.K. company also owned by Griffiths, the statement shows.

Banking records obtained by OCCRP show that during a three-month period in late 2023 and early 2024, Giricon received transfers worth more than 162,000 pounds from at least 22 people. The money was paid to Giricon’s accounts at Lloyd’s, Revolut, and LHV Bank.

Yet, Griffiths approved accounts declaring that the company was “dormant” in 2023 and 2024 — meaning that it had no significant transactions during those years. 

He told reporters that the money came from property investors and that he “wasn’t aware they were fraudulent payments.” He said he’d never spoken to the investors, and declined to explain how their money came to be paid into his company’s bank accounts. He provided no evidence of the purported property deal.

Westmore, the financial crime expert from RUSI, said high-value transactions involving a supposedly dormant company should have been flagged as suspicious by banks.

“One of the things that you should look for when you're monitoring transactions is where you get debits and credits in quick succession, because that suggests there might be money laundering involved,” she said.

“I would expect the banks to have picked up sooner that these companies have no purpose other than receiving a lot of funds without any evidence that they were actually doing anything to justify it.”

"If it's that volume of [funds] just straight in and straight out again, that should be a red flag," said Wood, the fraud-prevention expert.

Lloyds said it could not comment on current or former clients. LHV Bank also declined to comment on specific clients, but added: “We take our responsibility to prevent and detect financial crime and fraud with the utmost seriousness.”

Revolut told reporters that it had restricted Giricon’s account and reported suspicions to the authorities after identifying “potential fraudulent activity” on its account in late 2023. It added: “all accounts undergo continuous monitoring for unusual activity. Our systems are designed to detect anomalies and trigger investigations as needed.”

One of the victims who paid money to Giricon was Stuart Daburn, a businessman living in rural England. Among the roughly 32,000 “investors” identified in the leaked data, none lost more money than Daburn, who sent huge sums to scammers from the Israeli/European operation, both in cryptocurrency and from his account at Chase Bank.

Unlike most victims of call center fraud, Daburn was able to take his scammers to court, suing a group of companies — including one that was part of LWires and two owned by Griffiths — cryptocurrency wallets, and ‘persons unknown’ for fraudulent misrepresentation in London’s High Court of Justice. (He declined to comment for this story, citing the ongoing court case.)

Griffiths called Daburn’s lawsuit “a load of rubbish,” but last month a judge ordered Griffiths’ Giricon and several other defendants, including another company owned by Griffiths, to pay more than 4 million pounds to Daburn.

For those without the resources to pursue their scammers in court, justice is more elusive. 

Mark, who lost his life savings to Liliana, reported the scam to the U.K. police’s dedicated Action Fraud service, but said they were unable to help. (He later recovered part of his money through Refundee, a private fraud recovery company, he said).

He said the ordeal had left him deeply anxious and stressed. He is now in debt, and said he has told no one what happened to him except his girlfriend and one other friend.

Still, he said, he was able to stay cheerful by reminding himself that his losses could have been much greater. But when asked what he would say to his scammers if he was ever able to confront them, Mark became angry. 

“Why do you think you deserve the right to destroy people’s lives?” he demanded to know.

Greete Palgi (Delfi Estonia), Inese Braže (Re:Baltica), Anastasiia Morozova (VSquare.org/Frontstory.pl), and Šarunas Černiauskas (Siena.lt) contributed reporting.