Massive Phishing Campaign Targets Turkish Banks with 8,400 Domains and 6,600 Social Media Ads
A large-scale fraud operation has been uncovered, utilizing over 8,400 phishing domains and 6,600 social media scam ads to target Turkish banks and government portals, impersonating dozens of financial institutions.

A significant and widespread fraud campaign is actively targeting customers of Turkish banks, employing an extensive network of over 8,400 phishing domains and 6,600 social media advertisements. This operation, identified by researchers at Group-IB, impersonates dozens of well-known Turkish banks and government portals, aiming to steal credentials, financial data, and ultimately, money from unsuspecting individuals.
The campaign is notable for its sheer scale and the speed at which malicious infrastructure is deployed and rotated. Analysts observed that the phishing domains were designed to mimic legitimate banking services and government websites, often using lookalike domain names to trick users into submitting sensitive information. A commercially available phishing kit, reportedly sold for around $250, appears to be powering a substantial portion of these attacks, enabling criminals to quickly launch new campaigns and adapt to takedown efforts.
Beyond credential theft, the operation also features fake loan offers advertised on social media platforms like Facebook and Instagram. These advertisements leverage bank branding to lure individuals seeking quick credit, pressuring them into providing personal details or paying fraudulent processing fees. The social media component is particularly aggressive, with thousands of scam ads appearing within a single month, designed to reach a broad audience before being flagged or removed.
Group-IB's research indicates that these various schemes are interconnected, forming a cohesive criminal chain rather than isolated incidents. The activity has been traced back to August 2023, with a concentrated surge observed between November 2025 and April 2026. The scale of the operation is underscored by over 23,000 victim complaints recorded across Turkey, highlighting the significant financial harm and concern generated by these scams.
The fraud extends to a money laundering component, where criminals recruit individuals to "rent" their bank accounts for 30,000 to 50,000 Turkish lira. These accounts are used to obscure the movement of stolen funds, with operators splitting illicit money across multiple accounts before converting it to cryptocurrency. This sophisticated chain aims to make tracing and recovering stolen assets exceedingly difficult for both victims and law enforcement.
The attackers demonstrate a high degree of technical agility, with phishing pages and advertisements being rapidly replaced. The infrastructure supporting these campaigns is often rotated weekly, making sustained takedown efforts challenging. This constant evolution and adaptation are key to the campaign's longevity and effectiveness.
Consumers are advised to exercise extreme caution, particularly with unsolicited loan offers or urgent requests for banking information. Accessing financial services should always be done through official apps or by manually typing website addresses. Users should avoid sharing one-time verification codes and independently verify any suspicious offers directly with their bank. Financial institutions and online platforms are urged to enhance brand impersonation monitoring and collaborate on faster reporting and takedown procedures to mitigate the impact of such widespread fraudulent activities.