Cybercriminals are operating an industrial-scale fraud ecosystem targeting Turkey’s financial sector, using more than 8,400 phishing domains, thousands of social media advertisements, fake loan offers, illicit gambling services, and money-mule recruitment to steal credentials.
Group-IB’s investigation links these operations into five interconnected schemes targeting dozens of Turkish banking brands.
Group-IB recorded more than 6,600 scam advertisements on Facebook and Instagram in a single month, while more than 23,000 victim complaints were identified across Turkey.
The researchers found that more than 80% of the observed malicious activity was distributed through Facebook and Instagram between November 2025 and March 2026.
Threat actors used sponsored advertisements impersonating legitimate banks and promoting fraudulent loan offers, directing targets to credential-harvesting pages and scam services.
Ad infrastructure was deliberately short-lived: campaigns could run for as little as 30 minutes before operators replaced creatives, landing pages and associated domains.
Weekly rotation of hosting and phishing infrastructure complicates conventional blocklisting, while the use of legitimate advertising platforms gives campaigns a high-volume delivery mechanism and a degree of perceived credibility.
The investigation covered activity through April 2026 and traced earlier malicious operations back to August 2023.
Its data sources included Group-IB’s Digital Risk Protection platform, CERT-GIB, threat-intelligence telemetry, Meta Ad Library analysis, victim reports published on Şikayetvar, court records, honeypot registrations and phishing-kit source-code analysis.
A commercially distributed phishing kit is a central enabler of the activity. Sold through underground channels for $250 in cryptocurrency, the toolkit supports impersonation of the majority of Turkish banks and Turkey’s government services portal, e-Devlet.
GroupIB Researchers said that, the campaign demonstrates how online financial fraud has shifted from isolated phishing pages to a rapidly refreshed, multi-platform criminal supply chain.
Turkish Banks With 8,400 Phishing Domains
Group-IB attributed more than 6,700 domains to this single kit and identified at least four distinct campaign clusters sharing its infrastructure.
This phishing-as-a-service model lowers the technical barrier for fraud actors: affiliates can deploy prebuilt templates, capture banking credentials and one-time passwords, and rotate domains without developing bespoke tooling.
The scale also suggests that takedown work must focus on shared artifacts rather than individual URLs alone.
Banking fraud teams should track phishing-kit fingerprints, page assets, redirection patterns, registrar activity, DNS overlaps and payment-wallet infrastructure to identify related campaigns before they accumulate victims.
The report describes a connected monetization chain that begins with a social-media advert and ends with cryptocurrency conversion.
Housing phishing and fake-loan scams capture credentials, while age-based payout schemes feed voice-phishing, or vishing, activity; unlicensed gambling platforms extract direct payments.
Stolen funds are then moved through rented bank accounts, commonly referred to as IBAN mule accounts.
Recruitment advertisements offer individuals 30,000 to 50,000 Turkish lira for allowing criminals to use their accounts, after which operators fragment proceeds across groups of three to five accounts before converting funds via crypto exchanges.
Court records reviewed by Group-IB documented penalties of up to 10 years in prison in cases associated with this financial-crime ecosystem.
The firm also cited victim losses reaching $16,000, underscoring that the campaigns affect both retail customers and the reputational, fraud-loss and compliance exposure of targeted banks.
For financial institutions, the priority is continuous external attack-surface monitoring rather than reactive domain blocking.
Banks should correlate brand-abuse detection across Meta advertisements, phishing domains, cloned mobile interfaces, social-media accounts, SMS lures and mule-account indicators, then accelerate takedown requests through established platform, registrar and hosting-provider channels.
Fraud teams should also identify anomalous account behavior consistent with mule networks, including rapid fund fragmentation, unusual device or IP reuse, account credential changes followed by high-risk transfers, and immediate exchange-bound transactions.
User education remains important, but it cannot substitute for controls that detect the infrastructure and money movement behind the lure.
For customers, bank offers should be verified only through official applications, bookmarked websites or authenticated support channels.
Unexpected adverts, loan approvals and requests for login credentials, card data or one-time codes should be treated as hostile until independently verified.
Stop Accepting SLAs Written for 2019 SOCs – Here’s the 2026 AI SLA Vendor Checklist – Download Free AI SOC SLA Guide

