BULGARIA – An EU scam and money-laundering hub

Share on facebook
Share on twitter
Share on linkedin
Bulgaria - a money-laundering hub

BULGARIA – An EU scam and money-laundering hub

Gal and Marina BARAK’s Bulgarian money-laundering organization

On 1 September 2020, the by now infamous Wolf of Sofia, the Israeli citizen Gal BARAK was found guilty of serious fraud and money laundering as operator and beneficial owner of the cybercrime organization of E&G Bulgaria, based in Sofia, Bulgaria.

During the criminal proceedings, the European authorities opened the Bulgarian bank accounts of more than 46 companies of Gal BARAK’s criminal organization. Bulgaria turned out to be an E.U. scam and money-laundering hub.

All these companies showed the following characteristics:

  • They were all shell companies except for the boiler room (call centre) operators and two technology service providing companies.
  • Only three of these companies had employees.
  • Only 11 of these companies were legally registered in Bulgaria. Most companies originated in the British Virgin Islands, Marshall Islands, Hong Kong, London, SAMOA, Serbia, etc.
  • These 46 (shell) companies opened more than 82 bank accounts with Bulgarian banks, 50 of which were held with Investbank (IORTBGSF XXX – INVESTBANK PLC, Sofia) 10 with DKS Bank (STSABGSFXXX BIC/SWIFT code – DSK BANK AD Bulgaria )… and 11 with Eurobank (BPBIBGSFXXX BIC/SWIFT code – EUROBANK BULGARIA).
  • Between 01.01.2016 and 31.03.2019, a total of EUR 200 million in stolen funds flowed through the accounts of these companies.
  • These shell companies had nominees – primarily Eastern European citizens – as managing directors and owners.
  • All managing directors of these shell companies issued a power of attorney for power for all bank transactions to Gal BARAK’s wife, Marina BARAK (formerly Marina ANDREEVA)
  • Marina BARAK’s telephone number showed up in most of these 82 bank accounts as the contact for queries and online banking purposes.
  • From the analysis of the Austrian criminal authorities, it was clear from the research of the I.P. addresses that Marina BARAK administered most of the accounts and did the transactions[1].

Only the beneficial owners of the cybercrime organization were entitled to do the transactions of all 82 bank accounts.

Graphically, the importance of Marina BARAK was resolved by the criminal authorities for the most significant bank accounts as follows:

A functioning money-laundering system as a critical success factor for investment fraud

Basically, in addition to the successful operation of aggressive boiler rooms, efficient affiliate marketing and well-managed social channels, the set-up and the administration of a sophisticated money-laundering system is a critical success factor for all online fraud systems.

The essential elements of a functioning money flow and money laundering system of a boiler room fraud include licensed and illegal payment service providers to get hold of the deposits of the unsuspecting victims.

Licensed Payment service providers with interfaces to the online trading platforms

The licensed e-Money Institution (EMI) and/or Payment Services Provider (PSP)[2] specialized in processing payment transactions for webshops, also often referred to as FinTechs or PayTechs. Some are also licensed members of one or more card networks (VISA or MasterCard).

For a high commission per transaction, some of them are willing to handle credit and debit card payments for business activities that are either prohibited or classified as high-risk activities by card companies. They acquire and accept European shell companies equipped with European bank accounts as contractual partners and process payments on their behalf. Some of these acquiring organizations even operate an incorporation service for shell companies[3] of their own.

The Dutch FinTech PAYVISION B.V. and the FCA regulated EMerchantPay Limited and Connectum Ltd have processed all card payments for Gal BARAK’s scams (xTraderfx, SafeMarkets, OptionStarsGlobal etc.) as well as for Uwe Lenhoff’s brands (markets, Option888, Lottopalace, Tradovest).

Illegal payment service providers for bank wires

Some nationalities, such as Germans, Austrians and Swiss, still prefer to wire large deposits. These victims receive beneficiary bank account data by email for the money transfers from the call centre staff. The beneficiaries are pure shell companies equipped with strawmen. The only purpose of these shell companies is to open up bank accounts with European banks to receive the victims’ deposits and transfer the money according to the scammers’ instructions. Like with

This illegal payment service[4] is offered by “Money Mules as a Service” service providers.

The organizers of such illegal payment service providers (Money Mules) sometimes administer hundreds of different shell companies with European bank accounts. These companies receive the victims’ deposits in their bank accounts and forward them to the scammers’ operating companies. They collect commissions of up to 3% per transaction[5] for this service. The “Money Mules as a Service” service providers used by Gal BARAK maintained bank accounts with Postbank/Deutsche Bank (Germany) and banks in the Czech Republic.

In general, the payment services industry for fraudulent websites is developing immensely due to the high revenue potential of online investment fraud.

Shell companies, acting as operators, service companies and offshore owner companies.

Another critical factor in building a money laundering circuit is access to company builders (offshore and in Europe) who can provide and supply a virtually infinite number of shell companies with frontmen as directors and nominal owners and with appropriate bank accounts.

In the Gal BARAK fraud scheme, companies based in offshore destinations such as the Marshall Islands, British Virgin Islands, St. Vincent, and the Grenadines or even SAMOA showed up on the scam websites as the operating companies. All these companies were pre-funded with Bulgarian accounts at the time of acquisition by Gal BARAK. Immediately after purchase, Marina BARAK’s phone number was registered as the relevant contact and for online banking purposes. Some of these offshore operating companies were mirrored with European shell companies also holding a Bulgarian bank account. The managers of these (offshore – and/or European) shell companies – straw men – signed (on behalf of Gal BARAK and without ever having had direct contact with the acquirers) the service contracts with the acquiring organizations. The acquiring companies transfer the money processed to the Bulgarian bank accounts of these shell companies (such as New Markets S.A., SAMOA or Rockarage Ltd, Marshall Islands). Similarly, the illegal payment service providers transfer the illicit funds received by bank transfer to these Bulgarian omnibus accounts after deduction of their commission.

From the bank accounts collecting the stolen funds from the licensed and the illegal payment service providers, funds get transferred to other shell companies (the service companies) set up mainly offshore with Bulgarian bank accounts. The beneficial owners of the shell companies expressly set up offshore are Gal BARAK and other accomplices. These transfers are done based on fictitious contracts or fictitious invoices with false names or subjects of performance such as “Service Agreement” or “Agreement for Marketing Services”, “Management Services”, “License Fees”, “Marketing Services”, “Management Services.”

If the banks ask for proof of the origin of the funds, the scammers present these fictitious papers.

Gal BARAK used the following shell companies for his scams:

Why Bulgaria?

According to the witness statements of Alexander I. – a former call centre (boiler room) employee of Gal BARAK at the Cybercrime Unit in Bamberg, Germany, in July 2019, there are 60 boiler rooms in Sofia, Bulgaria, similar to the boiler room operated by GAL BARAK.

This statement by Alexander I. is in line with our observations, based on documents provided by scam victims. Countless Bulgarian shell companies show up in the papers of various fraud schemes, either as operating or service companies.   The conclusion that accounts at the Bulgarian Investbank PLC, Sofia or DKS Bank A.D. Bulgaria get used in transferring millions if not billions of stolen savings from mainly Western Europeans to offshore countries daily is prominent.

The scammer industry appreciates the following factors according to the statements of various insiders to Bulgaria:

  • Bulgaria is a member of the E.U., i.e. it grants access to the European financial market
  • Bulgaria has many ambitious young citizens with good foreign language skills
  • Bulgaria has a large Israeli religious community
  • Bulgaria has a judicial system that is not functioning or is susceptible to corruption.
  • A non-existent compliance policy of Bulgarian banks.

The advantage of using bank accounts within the E.U. area is evident. SEPA credit transfers are carried out quickly and cheaply between the SEPA member countries, thanks to the current regulations.

How critical a good” cooperation” with European banks is, becomes evident in understanding the money-laundering organizations of the fraudsters.

However, it also becomes evident how unlikely it is that the cooperation with the European banks is a mere failure to apply the Bulgarian resp. the European money-laundering directives properly.


[1] T should also have been relatively easy for Bulgarian banks to understand.

[2] New payment service providers (PayTechs) are constantly emerging using white label solutions, which use licensed payment service providers for outsourcing. More and more licensed and unlicensed crypto exchanges become part of the money flow. All these serve to process money from illegal sources. The FinTechs maintain joint account connections and work in close consultation.

[3] Incorporation services are also called company builders. These organizations set up shell companies equipped with nominee general managers and owners and equipped with bank accounts.

[4] The only purpose of these shell companies is to receive the wire transfers and send the money off to the scammers.

[5] There are higher commissions for bank accounts in Germany, as these are extremely popular.