Tenerife Phishing Ring Jailed 6 Years, Ordered €2.5M Compensation

For two years, between May 2019 and May 2021, a criminal group operating from Arona, in the south of Tenerife, ran a sophisticated and organized scam. This wasn't a series of random attacks; it was a dedicated operation to steal money from thousands of unsuspecting people.

Eventually, the leaders of this network were caught, jailed, and put on trial by the Provincial Court of Santa Cruz de Tenerife. The evidence against them was so strong that they agreed to a deal with the public prosecutor. They admitted to all the charges in exchange for a lighter sentence than initially requested. The six defendants were sentenced to six years in prison and ordered to pay 1.7 million euros in compensation. This included four years for fraud and two years for being part of a criminal organization.

The court's ruling described a stable group with a clear hierarchy and specific roles for each member. Their only goal was to steal money through unauthorized bank transfers and then make it disappear from the regular banking system.

The organization had several layers. At the top were the defendants, who planned and directed the operations. Below them were hackers who found victims, and a large network of over 114 financial intermediaries, often called "bank mules." These individuals knowingly lent their bank accounts to receive the stolen money. This allowed the funds to be deposited without immediate suspicion and made it easier to withdraw the cash or move it elsewhere.

The scam usually started the same way: victims received a text message pretending to be from their bank, warning them about a security issue or suspicious activity. The message contained a link. Clicking it led users to a fake website, which looked exactly like their bank's official site, where they would enter their login details. Sometimes, the criminals would follow up with a phone call, pretending to be a bank manager, asking for a verification code sent by the bank. With this information, the organization could access the victim's online banking and make unauthorized transfers.

To ensure success, the group also duplicated SIM cards. By activating a second SIM card linked to the victim's phone number, they disabled the original card and received the bank's transfer confirmation messages themselves. During this time, the victim would only notice that their phone had lost signal.

Once the money was transferred, it began a complicated journey. It moved through the mule accounts, was split into many smaller transfers, withdrawn from ATMs, or converted into cryptocurrencies using online platforms. The court's ruling detailed how they used digital wallets and hard-to-trace "cold wallets" (physical devices for storing cryptocurrency). Some of the funds were sent outside Spain, particularly to Italy, where other members of the organization were located but could not be identified during the initial investigations.

The court's detailed record included dates, amounts, account numbers, successful and failed operations, cash withdrawals, and cryptocurrency purchases. From this thorough analysis, the first key figure emerged: 1.70 million euros. This was the amount directly stolen from the accounts of Spanish and Italian victims.

However, the case didn't end there. The Provincial Court also considered the civil responsibility for the crime, which required a broader view. It wasn't enough to identify the fraud; all victims needed to be compensated. This calculation included individual amounts for many victims, specific incidents like a company whose e-commerce account was manipulated, and the relevant legal interest. The total compensation ordered was over 2.53 million euros. These two figures represent different aspects of the case: the first is the direct financial damage from the fraud, and the second is the total cost required to make amends.

Given the public prosecutor's extensive evidence, the defendants chose to accept a plea agreement. They admitted to the facts, the legal charges, and the sentences: four years in prison for serious, ongoing fraud and two years for being part of a criminal organization, plus personal fines based on their involvement. Despite the agreement, the convicted individuals appealed the sentence, but the High Court of Justice of the Canary Islands upheld the original ruling.

The convicted individuals then appealed to the Supreme Court. They did not dispute the facts or the financial figures, as these were already settled by the plea agreement. Instead, their appeal focused on legal technicalities: whether the legal process was followed correctly, if their consent to the plea deal was valid, and if their right to a fair legal process had been violated. The scope of the civil compensation was also debated from a purely legal standpoint.

The Supreme Court rejected all grounds of the appeal. It confirmed that the plea agreement was made freely, that there was no lack of legal defense, and that both the sentences and the compensation were in line with the law.