When a Latvian pensioner picked up a call from what appeared to be the State Police, the voice on the other end knew her bank, her account, and exactly what to say to make her afraid — because the people on the other end of the line had done this hundreds of times before.
Latvian and Ukrainian law enforcement agencies, on Wednesday, jointly announced the dismantling of an organized criminal network that used vishing — voice-based phishing, where callers impersonate trusted authorities over the phone — to defraud citizens across the European Union.
The joint operation, exposed the full machinery of a modern social engineering fraud which included call center operators in Ukraine, money mules across Latvia and illicit cryptocurrency exchangers laundering the proceeds through Riga’s streets.
Vishing is a variant of phishing where attackers manipulate victims verbally rather than through malicious links or attachments. The technique exploits trust in authority figures — police officers, bank staff — rather than technical vulnerabilities.
Also read: Smishing and Vishing in 2025: How Cybercriminals Are Using AI to Fool You
Latvia’s State Police Cybercrime Unit, which consolidated 35 separate criminal cases involving fraud committed in 2023 and 2024, estimates the network defrauded Latvian residents of approximately €2 million.
Investigators identified more than 170 money mules — people used to receive and move stolen funds — of whom 90 have been designated as suspects. Thirteen call center operators have been detained, including Latvian-speaking participants in the scheme.
The Vishing Ring’s Playbook
The operational playbook was precise and repeatable. Callers impersonated Latvian State Police officers and bank employees, informing victims that loans had been fraudulently taken out in their names or that suspicious financial activity had been detected on their accounts. They then invited victims to “help expose the fraudsters” — a social engineering technique that shifts the victim into an active, cooperative role and suppresses skepticism.
To facilitate this, operators instructed victims to install AnyDesk — a remote desktop access tool — on their computers or mobile devices, and to log in to their online banking. AnyDesk is a legitimate IT support tool that, once installed by a victim, gives a remote operator full visual and interactive access to the device.
On the Ukrainian side, the Cyber Police Department of the National Police of Ukraine disclosed that two Ukrainian nationals — residents of Ivano-Frankivsk in their early 20s — traveled to Latvia where they recruited local individuals to open bank accounts across European countries. Those account holders transferred control of their cards to the criminal group for a small fee, creating the drop account infrastructure through which stolen funds were moved.
Drop accounts are bank accounts controlled by third parties and used to receive and launder illicit transfers, deliberately creating distance between the fraudsters and the money.
More than 20 Latvian victims sustained confirmed financial losses exceeding €300,000 in connection with the Ukraine-linked component of the network alone. Ukrainian investigators, alongside the Latvian Cybercrime Department, conducted searches at the suspects’ residences in Ivano-Frankivsk, seizing mobile phones and computer equipment as evidence. Europol’s liaison officers coordinated information exchange between the two countries throughout the investigation.
Beyond the call center operators and money mules, investigators in Latvia identified illicit cryptocurrency exchangers — unlicensed operators in Riga who converted the stolen funds into digital assets, further distancing the proceeds from their origin. One such exchanger received a custodial sentence exceeding six years. Three members of the broader criminal group received three-year custodial sentences each in Latvia.
The group’s leader was apprehended in Germany in 2024 through joint action with Estonian law enforcement and was subsequently convicted in Estonia. Two other members fled to Ukraine following arrests elsewhere in the EU — and were detained in Ivano-Frankivsk on March 12, 2026, following cross-border coordination between Latvian, Ukrainian, and Eurojust authorities.
Assets subject to financial restraint in Latvia now total €829,650.
The operation fits a well-documented regional pattern. Previous Eurojust-coordinated enforcement actions uncovered Ukrainian call centers recruiting participants from Latvia, Lithuania, and the Czech Republic, compensating operators with up to 7% of proceeds and offering bonuses of cash, vehicles, or apartments to high performers who exceeded €100,000 in stolen funds.
Also read: Authorities Shutter €100M Crypto-Fraud Ring that Ran Across Europe
What makes this case technically significant for enterprise security teams is not the sophistication of the malware — there was none. The attack surface was entirely human. Remote access tools like AnyDesk are present in countless corporate environments as legitimate support software. When a caller with authoritative framing persuades an employee — or an employee’s family member — to grant remote access to a device connected to corporate infrastructure, the consequences can extend well beyond the individual victim’s bank account.
Latvia’s State Police urged residents never to install remote access software at the instruction of an unsolicited caller and never to disclose banking credentials or one-time authentication codes under any circumstances, noting that methods used by these fraudsters are sophisticated and cynical.
