BULGARIA – An EU scam and money laundering hub

The money laundering system of the Gal BARAK Cybercrime organization

On 1 September 2020, a first verdict was reached at the Vienna Criminal Court within the framework of the so-called Vienna Cybercrime Trials (#VCT). The Israeli citizen Gal BARAK was found guilty of serious fraud and money laundering as operator and beneficial owner of the cybercrime organisation of E&G Bulgaria, which is based in Sofia, Bulgaria.

During the investigation of these criminal proceedings, the European authorities opened the Bulgarian bank accounts of more than 46 companies of the criminal organization.

All these companies showed the following characteristics:

  • They were all shell companies except for the boiler room (call center) operators and two technology service providing companies.
  • Only three of these companies had employees.
  • Only 11 of these companies were registered in Bulgaria; most of the companies were registered in the British Virgin Islands, Marshall Islands, Hong Kong, London, Samoa, Serbia, etc.
  • These 46 (shell) companies had more than 82 bank accounts in Bulgarian banks, 50 of which were held with Investbank (IORTBGSFXXX – INVESTBANK PLC, Sofia), 10 with DSK Bank (STSABGSFXXX BIC/SWIFT code – DSK BANK AD Bulgaria)… and 11 with Eurobank (BPBIBGSFXXX BIC/SWIFT code – EUROBANK BULGARIA …)
  • Between 01.01.2016 and 31.03.2019, a total of EUR 200 million in stolen funds flowed through the accounts of these companies.
  • All these shell companies had nominees – mostly Eastern European citizens – as managing directors and owners.
  • All managing directors of the shell companies granted the actual beneficial owners power of attorney for financial transactions, and these powers of attorney were deposited with the banks (!). In most cases, the power of attorney was granted to Gal BARAK’s wife, Marina BARAK (formerly Marina ANDREEVA).
  • Marina BARAK’s telephone number was stored for the majority of these 82 bank accounts as the contact for queries and for the execution of transfers in online banking.
  • The Austrian criminal authorities’ analysis of the IP addresses made it clear that Marina BARAK administered most of the accounts and carried out the transactions[1].

In fact, only the beneficial owners of the cybercrime organisation were authorized to carry out transactions on all 82 bank accounts.

The criminal authorities depicted the importance of Marina BARAK for the most significant bank accounts graphically as follows:

A functioning money laundering system as a critical success factor for investment fraud

In addition to the successful operation of aggressive boiler rooms, efficient affiliate marketing and well-managed social channels, the setup and administration of a sophisticated money laundering system is a critical success factor for all online fraud systems.

The essential elements of a functioning money flow and money laundering system of a boiler room fraud include licensed and illegal payment service providers to get hold of the deposits of the unsuspecting victims.

Payment service provider with an interface to the web shop

Licensed e-Money Institutions (EMIs) and/or Payment Services Providers (PSPs)[2] that specialise in processing the payment transactions of web shops, often also referred to as FinTechs or PayTechs, are licensed members of one or more credit card networks such as VISA or MasterCard and act as so-called acquiring organizations. In exchange for a higher commission per transaction, some of them are willing to handle credit and debit card payments for business activities that are either prohibited or classified as high-risk business by the credit card companies. They acquire and accept European shell companies equipped with European bank accounts as contractual partners and process payments on their behalf. Some of these acquiring organizations even operate an incorporation service[3] of their own.

In the case of Gal BARAK, the Dutch FinTech PAYVISION was mainly involved in the processing of credit and debit card payments for the fraud systems (XTraderfx, SafeMarkets, OptionStarsGlobal etc.).

Illegal payment service providers

Some nationalities, such as Germans, Austrians and Swiss, still prefer to make larger money transfers by wire transfer. These victims receive the beneficiary data by e-mail from the call centre staff. The service of these beneficiary companies[4] is offered by “Money Mules as a Service” service providers.

The organizers of such illegal payment service providers sometimes administer hundreds of different shell companies with European bank accounts. These companies receive the victims’ payments in their bank accounts and forward them to the scammers’ operating companies. For these services they collect commissions of up to 3% per transaction[5]. The “Money Mules as a Service” service providers used by Gal BARAK maintained bank accounts in Germany, Serbia, the Czech Republic, Hungary, and the Netherlands.

In general, the payment services industry for fraudulent websites is developing at an immense speed due to the high revenue potential of online investment fraud.

Another critical factor in building a money laundering circuit is access to company builders (offshore and in Europe) who can provide and supply a virtually infinite number of shell companies with front men as directors and nominal owners and with appropriate bank accounts. These shell companies serve the following purposes:

Shell companies, acting as operators, service companies and the offshore owner companies

In the Gal BARAK fraud scheme, companies based in offshore destinations such as the Marshall Islands, British Virgin Islands, St. Vincent and the Grenadines or even Samoa were registered on the scam websites as operators. All these companies were pre-funded with Bulgarian accounts at the time of acquisition by Gal BARAK, and immediately after acquisition, bank authorizations were issued (mostly) to Marina BARAK. Some of these offshore operating companies were mirrored with European shell companies – with the same company names – which also had a Bulgarian bank account. The managers of these (offshore and/or European) shell companies – straw men – signed the credit/debit card contracts with the acquiring organisations on behalf of Gal BARAK, without ever having had direct contact with the credit card companies. The credit card companies – in the case of Gal BARAK mostly PAYVISION – transferred the money received from the victims to the Bulgarian bank accounts of these shell companies (such as New Markets SA, Samoa or Rockarage Ltd, Marshall Islands). Similarly, the illegal payment service providers transferred the illegal funds received by bank transfer to these Bulgarian omnibus accounts after deduction of their commission.

From the bank accounts collecting the stolen funds from the licensed as well as the illegal payment service providers, funds were transferred to other shell companies (the service companies), again set up offshore but also in Europe with Bulgarian bank accounts, the beneficial owners of which were mainly Gal BARAK and other accomplices. These transfers were usually made using fictitious contracts or fictitious invoices with false names or subjects of performance such as “Service Agreement”, “Agreement for Marketing Services”, “Management Services”, “License Fees” or “Marketing Services”.

This made it easier to provide any necessary proof of the origin of the money when it was transferred onward, in the form of dividend payments to the beneficial owners, to offshore companies officially owned by Gal BARAK (the owner companies).

A presentation of the operating companies of the scams of GAL BARAK is as follows: 

Why Bulgaria?

According to the witness statements that Alexander I., a former call center (boiler room) employee of Gal BARAK, gave at the Cybercrime Unit in Bamberg, Germany, in July 2019, there are 60 boiler rooms in Sofia, Bulgaria, following the example of the boiler room operated by Gal BARAK.

This statement by Alexander I. is in line with our observations, based on documents provided by scam victims. There are countless Bulgarian companies that appear in the documents of various fraud schemes either as operating or service companies. The conclusion is obvious: accounts at the Bulgarian Investbank PLC, Sofia or DSK Bank AD Bulgaria are used daily to transfer millions if not billions of stolen savings from mainly Western Europeans to offshore countries.

According to the statements of various insiders, the scammer industry appreciates the following factors about Bulgaria:

  • Bulgaria is a member of the EU, i.e. it grants access to the European financial market.
  • Bulgaria has many ambitious young citizens with good foreign language skills.
  • Bulgaria has a large Israeli religious community.
  • Bulgaria has a judicial system which is not functioning or is susceptible to corruption.
  • Bulgarian banks have an obviously non-existent compliance policy.

The advantage of using bank accounts within the EU area is obvious. Thanks to the current regulations, SEPA credit transfers are carried out quickly and cheaply between the SEPA member countries.

How critical a good “interaction” with European banks is becomes obvious once the money laundering systems of the fraudsters are understood. It also becomes obvious how unlikely it is that this cooperation, in the specific case of the Bulgarian banks, is a mere failure to apply the European money laundering directives properly. There is much to be said for intent on the part of the banks involved, or at least for pure acceptance, that illegal money is being laundered on an immense scale through accounts held by Bulgarian banks.


[1] This should also have been relatively easy for Bulgarian banks to understand.

[2] New payment service providers (PayTechs) are constantly emerging using white label solutions, which in turn use licensed payment service providers for outsourcing. More and more licensed and unlicensed crypto exchanges are also being incorporated into the payment flow. All of these serve to process payments from illegal sources. The cash flows are controlled according to the connections of the respective FinTech with traditional banks in the respective jurisdiction. The FinTechs maintain mutual account connections and work in close consultation.

[3] Incorporation services are also called company builders. These organizations set up shell companies equipped with nominee general managers and owners and with bank accounts.

[4] The only purpose of these shell companies is to receive the wire transfers and to send the money off to the scammers.

[5] There are higher commissions for bank accounts in Germany, as these are extremely popular.
