Operation Sunflower: Inside the Alleged €100 Million-a-Month Investment Scam Machine

Spread financial intelligence

Dutch and Belgian investigators say an international organisation operated around 20 call centres, employed more than 700 people and targeted tens of thousands of victims. The case exposes investment fraud not as a collection of rogue websites, but as an industrial infrastructure business.

Operation Sunflower is not primarily a story about one fraudulent broker, one call centre or one notorious hacker. It is the emerging picture of an international investment-fraud organisation allegedly built and managed like a multinational enterprise.

According to the Netherlands Police, the organisation had operated since at least 2021, maintained approximately 20 offices in several countries and employed more than 700 people of different nationalities. Separate teams targeted victims in specific countries and languages, while a central head office allegedly coordinated the wider operation. Police estimate that the organisation stole more than €100 million per month across different jurisdictions.

The investigation has so far produced six arrests. Five suspects were detained in Cyprus, Belgium and Greece on 7 and 10 July 2026. A sixth suspect—a 46-year-old man with Israeli and Polish citizenship—had already been arrested at a Polish airport on 26 May while travelling from Dubai. He was subsequently surrendered to the Netherlands. Further arrests are possible.

Key Facts

IndicatorCurrent official information
Suspects arrested6
Alleged period of operationAt least since 2021
Estimated offices/call centresApproximately 20
Alleged workforceMore than 700 people
Dutch victim reports linkedApproximately 550
Reported Dutch lossesNearly €25 million
Belgian victims identifiedMore than 200
Estimated global victimsTens of thousands
Estimated criminal proceedsMore than €100 million per month
Confirmed seizures in the Belgian investigationDevices, data carriers, €50,000 cash and a luxury vehicle

The €100 million monthly figure is a police estimate, not a judicially established loss figure. It should not be extrapolated across the entire alleged operating period without additional evidence.

From a Facebook Ad to a Crypto Wallet

The alleged victim journey followed the now-familiar architecture of industrialised cybertrading fraud. Potential victims encountered professional-looking online advertisements promoting cryptocurrencies, trading courses or supposedly exclusive investment opportunities. Some advertisements allegedly misused the images and identities of well-known Dutch and Belgian public figures.

Anyone who submitted contact details was approached by a purported investment adviser or account manager. Initial deposits were deliberately kept low. A convincing online dashboard then displayed fictitious profits, creating the impression that the investment strategy was working.

The account manager maintained frequent contact, sometimes for months, gradually building trust and encouraging larger deposits. The trading interface looked real, but police say no genuine investment took place. The displayed balances and returns were fictitious.

The Belgian Public Prosecutor’s Office provided a particularly important additional detail: suspects allegedly used remote-access tools to take control of victims’ computers and mobile phones. Victims were guided through the opening of crypto accounts, after which their funds were converted into cryptocurrency and transferred to wallets controlled by the suspects.

When victims requested withdrawals, the fraud entered its final extraction stage. They were told that additional taxes, guarantees, security deposits or administrative charges had to be paid before their supposed profits could be released. The payment never came.

The Case That Opened the Belgian Investigation

The Belgian investigation began in January 2024 after a woman in Koksijde reported an investment fraud. She had been directed to a professional-looking platform and persuaded to transfer a substantial amount through 32 separate transactions. Investigators eventually linked more than 200 Belgian victims to the same international organisation. The financial and digital trails led them to Cyprus, where the organisation allegedly operated a call centre.

During the coordinated operation in Cyprus, approximately 45 officers took part in searches and arrests. Computers, mobile phones, data carriers and €50,000 in cash were seized. A luxury vehicle was separately seized during a search in Ieper, Belgium.

The five suspects pursued in the Belgian investigation are suspected of fraud, money laundering and participation in a criminal organisation. Three were arrested in Cyprus, one in Belgium and one in Greece. The Belgian authorities are seeking the surrender of the suspects arrested abroad.

Cyprus as an Operational Hub

Cyprus is more than a geographical footnote in this case. Belgian prosecutors state that the suspects allegedly defrauded victims from Cyprus and that investigators located a call centre on the island. Cyprus Police, Europol and the police of the British Sovereign Base Areas participated in the coordinated enforcement action.

This does not establish that the entire global network was headquartered in Cyprus. The Dutch investigation describes one central head office directing multiple international offices but has not publicly identified its location.

However, Cyprus has repeatedly surfaced as an operational location in large European cybertrading investigations. In November 2024, German and Cypriot authorities dismantled 13 fake investment platforms allegedly operated through a Cyprus-based call centre, with reported losses of at least €10 million. In a separate 2024 action involving Cyprus and Serbia, authorities targeted an online investment-fraud scheme estimated to have caused at least €300 million—and potentially up to €500 million—in global losses.

There is currently no public evidence that these earlier cases and Operation Sunflower involve the same organisation. The recurring Cyprus connection nevertheless warrants closer examination of local offices, corporate vehicles, directors, telecommunications arrangements, technology contracts and payment infrastructure.

The Alleged Technical Mastermind

The Netherlands Police have not officially published the full name of the 46-year-old Israeli-Polish main suspect. They describe him as a notorious figure in the cybercrime scene who had previously been prosecuted for attacks on prominent foreign government systems. Police say his technical knowledge was instrumental in keeping the organisation hidden and operational for years.

Dutch and Israeli media have identified the suspect as Ehud Tenenbaum, better known as “The Analyzer.” Tenenbaum became internationally known in the late 1990s after attacks on US military and government computer systems during the FBI investigation known as Solar Sunrise. He was later involved in further criminal proceedings concerning attacks on financial infrastructure and payment systems.

The importance attributed to the main suspect suggests that the organisation’s technical layer was not limited to hosting fake websites. It allegedly supported the concealment of office locations and identities, the coordination of hundreds of agents and the management of digital infrastructure across multiple countries.

Investigators followed IP addresses, financial transactions and other digital traces, secured equipment and used the recovered data to identify offices and suspects. Commercial hosting providers subsequently cooperated in taking key infrastructure components offline.

The Police Turn the Scam’s Leaderboard Against Its Agents

Website for the Operation Sunflower launched by the Dutch police

Operation Sunflower also represents an unusual experiment in perpetrator disruption. The Netherlands Police launched a dedicated website containing approximately 700 aliases used by alleged account managers. The website presents the list as a “leaderboard”—mirroring the performance rankings reportedly used within the fraud organisation—and warns agents that they may themselves have become the target.

Police say identified Dutch suspects have already been arrested and information about other suspects has been shared with foreign authorities through Europol. Suspected account managers were contacted by letter or email and invited to cooperate. Law enforcement also entered online recruitment groups used to attract new fraud workers and posted warnings that participants could be identified and prosecuted.

This approach is designed to break trust inside the organisation. Every agent must now consider whether a colleague, team leader, service provider or former employee has already cooperated. The pressure is directed not only at frontline agents but also at the wider office and infrastructure teams.

The Cryptic Message to the “Office Team”

The official Operation Sunflower website contains an extraordinary message addressed to the organisation’s “Office Team.” It refers to double VPNs, TeamPass, compromised CRMs, internal salary data, office locations, language teams and the Gush Dan metropolitan area surrounding Tel Aviv. It also states that fintech, telecommunications, IT and crypto companies provided investigators with information.

The page includes apparent wordplay involving the names Leverate, Coperato and Voiso, as well as references to TeamPass and other possible systems or providers. These references are highly relevant because the companies operate in precisely the categories required to run a scalable online brokerage or call-centre operation:

  • Leverate markets white-label brokerage technology that can include trading platforms, CRM, KYC, payment-service-provider tools, liquidity and back-office infrastructure.
  • Voiso provides contact-centre and CRM integration technology for financial-services and fintech operations.
  • Coperato provides VoIP, call-routing, monitoring and auto-dialler technology.
  • TeamPass is a collaborative credential and password-management system.

The references do not establish that any of these companies knowingly supported criminal activity. They may indicate systems used by the organisation, providers that cooperated with investigators, evidentiary sources, or a combination of these possibilities.

FinTelegram is not alleging criminal conduct by any technology or telecommunications provider on the basis of these references alone.

The critical compliance question is different:

What customer due diligence, behavioural monitoring and escalation systems existed when hundreds of agents, multiple call centres, high-volume outbound communications and fraudulent brokerage brands allegedly operated through commercial infrastructure?

Recovery Fraud: Extracting Money Twice

Operation Sunflower reportedly continued targeting victims after the original investment scheme had collapsed. Victims who stopped transferring money were sometimes contacted by supposed recovery companies offering to retrieve their losses in exchange for an advance fee. Dutch police believe these recovery operations were likely connected to the same criminal organisation.

This model allows the organisation to monetise the same victim repeatedly:

Investment fraud → withdrawal fees → false taxes → fake guarantees → recovery fraud

The fraudsters already possess the victim’s identity, financial circumstances, emotional vulnerabilities and transaction history. The recovery approach is therefore highly targeted and often arrives precisely when the victim is desperate for help.

The Wider European Context

Operation Sunflower emerges against a rapidly escalating investment-fraud crisis.

The Dutch Authority for the Financial Markets estimates that actual annual investment-fraud losses in the Netherlands could reach approximately €750 million. The regulator says the true scale is structurally underestimated because many victims never report their losses. It also warns that investment fraud is becoming increasingly professional, digital and international, usually beginning through social media, fake advertisements or malicious websites.

Against that background, the €25 million currently linked to Operation Sunflower’s Dutch victims may represent only the visible portion of a much larger loss base.

The case also confirms that fake investment fraud cannot be countered effectively by warning against individual domains. Domains and brands are disposable. The operating infrastructure is not.

FinTelegram Assessment: This Was Fraud as a Business

The core lesson of Operation Sunflower is that large-scale investment fraud has evolved into a vertically integrated service industry.

Its components allegedly included:

Misleading advertisements → lead collection → multilingual call centres → CRM and retention management → remote-access tools → fake trading dashboards → crypto conversion → controlled wallets → withdrawal obstruction → recovery fraud

Each customer-facing brand could be replaced. Each domain could be abandoned. Each apparent broker could disappear overnight.

The workforce, scripts, customer data, telecommunications systems, CRM environment, payment routes and management hierarchy could continue under another name.

This is why the next stage of the investigation matters more than the initial arrests. Law enforcement and investigative journalists must identify the durable infrastructure behind the disposable brands.

The Missing Pieces

As of 19 July 2026, the authorities have not publicly released the most important forensic datasets:

  • the names and domains of the fraudulent investment platforms;
  • the corporate entities used for employment, marketing, software and payments;
  • the location of the central head office;
  • the identities of senior management and team leaders;
  • the banks, EMIs and payment processors handling fiat funds;
  • the crypto exchanges, brokers and OTC desks used for conversion;
  • the wallet addresses and transaction hashes;
  • the advertising accounts and affiliate networks used to generate leads;
  • the recovery companies allegedly used for secondary victimisation;
  • the commercial service providers that terminated or continued relationships after risk indicators emerged.

These datasets could connect hundreds of apparently unrelated complaints, regulatory warnings and former broker brands to the same underlying organisation.

Call for Whistleblowers and Victims

FinTelegram is seeking information from former employees, account managers, team leaders, technology providers, payment professionals, compliance officers, victims and other insiders with knowledge of Operation Sunflower or related investment-fraud networks.

We are particularly interested in:

  • broker names and domains;
  • agent aliases and real identities;
  • office addresses and call-centre locations;
  • screenshots or exports from CRMs and trading dashboards;
  • internal chat groups, sales scripts and performance rankings;
  • employment agreements, payroll records and commission structures;
  • corporate entities, directors and beneficial owners;
  • payment instructions, IBANs and merchant descriptors;
  • crypto wallet addresses and transaction hashes;
  • exchange or OTC account details;
  • invoices and contracts involving hosting, VoIP, CRM or trading technology;
  • information about recovery companies connected to the same operators.

Information can be submitted anonymously and securely through Whistle42, FinTelegram’s evidence-first whistleblower platform. Whistleblowers control what they disclose, how FinTelegram may follow up and whether they remain anonymous. For personal safety, do not use workplace devices or accounts when the information concerns your employer.

Operation Sunflower may have shut down a major fraud machine. The next task is to expose the brands, companies, financial rails and facilitators that allowed it to operate.

FinTelegram will continue to follow the evidence.

Related Articles

LEAVE A REPLY

Please enter your comment!
Please enter your name here

Stay Connected

9,906FansLike
48FollowersFollow
2,130FollowersFollow
- Advertisement -spot_img

Latest Articles