Over 50k ads on social media impersonated Interpol, Europol, and EU Institutions, promising “fraud refunds”
- Pavlo Kryvenko
- 22 minutes ago
- 13 min read
In approximately a year, over 50 million Europeans on Facebook and Instagram have been reached by ads falsely claiming that the fraud victims are being refunded, while in reality, ads direct users to fake portals designed to capture personal data and extract upfront “fees” under the pretext of refund processing.
Over the course of a year, a large network of Facebook and Instagram advertisements impersonated Interpol, Europol, national “cyber police,” EU institutions, and other official bodies. The ads claimed that funds seized from fraudulent investment schemes were being returned to victims. In reality, they targeted individuals who had already lost money, drawing them into a second wave of fraud.
Our investigation identified more than 50,000 such advertisements, with an estimated reach of over 52 million people across Europe. The campaigns operated in nearly all EU member states, using multiple languages – most prominently Russian and English, but also Polish, German, Spanish, Italian, and French. Many ads targeted several countries simultaneously, ensuring broad visibility among people searching for compensation or recovery options.
Although the campaigns appeared to originate from different entities – such as law firms, compensation funds, or legal consultants – analysis revealed clear coordination. The same advertising accounts financed thousands of ads under changing brand names, while identical website designs, layouts, and messages were reused across hundreds of domains. In total, we identified 459 domains and more than 1,100 related web pages.
The ads often claimed that authorities had seized large sums from fraudulent brokers and were redistributing the money to victims. Others invited users to check whether their names appeared on “compensation lists” or “victim databases.” Many featured images of police officers, courtrooms, or institutional seals, creating a sense of authenticity. Several even included fabricated videos with AI-generated public figures or official-sounding voices urging victims to submit claims through fraudulent websites.
Individuals who engaged with these sites were asked to provide personal and financial information, and were later contacted by people posing as legal advisers or law enforcement officers. Victims were pressured to pay “administrative” or “legal” fees upfront, which only resulted in further losses.
Beyond the financial harm, these campaigns erode trust in legitimate institutions. The deceptive use of official names, logos, and language makes it harder for citizens to distinguish authentic communication from fraud, undermining genuine recovery processes run by courts, banks, and regulatory authorities.
ABCDE Framework A- Actor
At first glance, the campaigns appear to be run by many unrelated advertisers:
Impersonation of: Interpol, Europol, Cyberpol, ECB, ENISA
Law Firms (PWS Nordic, Jhingoer Advocatenkantoor, Baltic Law, WISE Law, United Claims Commission, etc.)
Fraud & Asset Recovery services
Legal consultants
“Check Investment” services
“Victim DataBase” projects
Various “asset funds”, “compensation centers” and “legal protection” initiatives
In the Meta Ad Library, payer and beneficiary labels frequently repeat across large numbers of ads, but these fields should be treated with caution: they are not consistently verified and can be populated with aliases or misleading entries.
Rather than serving as attribution, they provide a rough signal of operational scale and account reuse. The stronger evidence for coordination in this ecosystem comes from repeated reuse of landing-page infrastructure, domain patterns, and creative templates across multiple “brands.”
Ad activity is heavily concentrated among a small group of recurring payer accounts. The repeated use of short or generic aliases financing large volumes of ads indicates organized operators managing centralized advertising infrastructure.
Across the landing pages, we repeatedly see the same pattern:
Fake “Fund of Confiscated Asset” (FCA) pages claiming to distribute money seized from scammers
“Interpol” and “Europol”-branded portals inviting victims to “submit a complaint”
National-looking portals styled as “Cyber Police” or “Financial Intelligence” units
“Victim databases” that allegedly contain lists of people eligible for compensation
Logos of Europol, Interpol, Cyberpol, the FBI, ENISA, EC3, national police and prosecutors’ offices are copied, recolored, or combined with fictional seals. Many pages use blurred photos of raids, police uniforms, or anonymous “lawyers” to reinforce the illusion of official authority.
The domain-level dataset contains 459 domains; 452 (98,5%) are classified as refund-fraud or closely related scams, with the rest (7) split between illegal gambling or scam sites.
In the latest export, all 1,139 pages in the dataset are labeled removed, consistent with post-reporting enforcement. This reflects takedown responsiveness, not resolution: operators typically reconstitute campaigns via new pages and domains.
While the connections between domains, landing pages, and Facebook/Instagram pages clearly indicate a coordinated, centrally managed operation, the available data do not reliably identify the natural persons or companies behind it. Standard OSINT checks on domain registration (WHOIS) and hosting, as well as limited transparency data on page admins in the Meta Ad Library, are either privacy‑protected, inconsistent, or easily obfuscated, preventing robust attribution beyond the operational ecosystem itself.
B- Behavior
A year-long surge of ads
Between the end of 2024 and the end of 2025, we recorded ~50,426 ad instances linked to this ecosystem.
Monthly trends show a gradual ramp-up from January through April, followed by a first major wave in May. Activity then softens during June–July, before escalating sharply into the largest surge in September–October. After a marked decline in November, activity rebounded again in December, indicating continued operational capacity rather than a permanent disruption.
Weekly data reveals a distinct burst-and-replacement rhythm: periods of rapid scaling (often exceeding 2,000 ads/week) are followed by abrupt drops and quick recoveries. This pattern is consistent with an industrialised advertising operation that can rapidly redeploy new creatives, pages, and domains after takedowns or account interruptions.
Note: the final-week drop may reflect partial-week capture or dataset cutoff rather than a true operational stop.
Long-term and short-term curves show how the operators scale aggressively during specific windows, likely driven by a mix of internal sales targets, testing cycles, and platform enforcement pressure.
Spray-and-pray micro-campaigns
The ad creatives illustrate several behavioural traits:
Hyper-segmented campaigns: many ads run only 6–15 hours, often with small budgets but targeted to specific language and country combinations. This reduces exposure time for moderators while still generating leads.
Fast replacement: when one creative, page, or domain is removed, another appears within days with slightly changed wording or imagery.
Recycling of templates: the same layout (blue background, urgent CTA, institutional seal) is reused with only the text, logos, and language swapped.
High churn infrastructure: the ecosystem behaves like a rotating funnel rather than a static set of scam assets, enabling persistence despite takedowns.
From the platform’s perspective, these are thousands of small, ephemeral campaigns; from the victim’s perspective, they create a constant background noise of “official refunds”. This operational tempo is designed to keep a constant flow of fresh victims entering “refund” funnels, particularly those already primed by earlier investment losses.
Multi-language, multi-jurisdiction targeting
The campaigns are explicitly pan-European:
By ad count, the most used languages are: Russian (~26.9k ads), English (~9.0k), Polish (~3.9k), Spanish (~1.2k), German (~1.2k), followed by Czech (944), Slovak (895), Italian (799), French (500), and others.
A significant portion of ads lack language metadata in the export, which inflates an “Unknown” (~4.4k) bucket in reporting; however, Russian and English remain the dominant labeled languages by both ad volume and reach.
By estimated EU reach, the dominant languages are Russian (~24.6M people), “Unknown” (~7.5M), English (~7.0M), then Polish (~3.6M), Italian (~2.0M), Spanish (~1.8M), Slovenian (~1.5M), etc.
Russian-language content remains central, but English and Central European languages combined form an even broader pool of potential victims.
Targeting spans virtually all EU member states, frequently using multi-country bundles in ad targeting configurations. Single-country targets appear most often for Poland, Italy, Spain, Germany, France, the Czech Republic, Belgium, and Slovakia.
C- Content
The ads and landing pages use a remarkably consistent script. We can roughly group it into three narrative types.
1. “We are the official compensation program/restitution program.”
These ads claim to operate:
a “fund of confiscated assets” allegedly managed in partnership with Europol, central banks, and financial intelligence units;
a special programme for victims of fraudulent brokers, supposedly backed by Interpol, Europol, Cyberpol, ECB, or ENISA;
a “department for combating investment fraud”.
Phrases like “Funds returned to victims of investment fraud: 71,461,296 €” or “12,500,000 $ seized and to be paid to victims; 200 brokerage companies closed” appear in large fonts, with no source or context. Victims are told they can “Apply for refund”, “Return funds” or “Participate in the compensation program within 72 hours”.
AI-generated “official spokesperson” directing victims to Interpol
One of the most explicit impersonation assets in this ecosystem is a Russian-language video featuring an AI-generated likeness of Sergey Lavrov addressing “Russian-speaking residents of Europe.” The speaker claims that Interpol “successfully returned 95% of all stolen funds” over the last year and urges victims to urgently submit a complaint via the “official Interpol website.” This message combines synthetic authority with institutional branding to create a high-trust, high-urgency call to action aimed at pre-qualified victims.
The script uses classic compliance triggers:
a recognizable public figure,
a near-total “success rate” claim (95%),
an urgent directive (“don’t waste time”) that discourages verification.
In practice, Interpol does not run compensation or refund programs via advertising, and the primary function of such content is to push victims into lead-capture funnels where they are later pressured into paying “fees” to release a supposed refund.
“Interpol international operation” bulletin used to justify mass refunds
A second recurring creative format is the “news-style enforcement bulletin,” presented as a formal Interpol announcement.
The video claims that Interpol conducted a “large-scale operation” against investment fraud across more than 60 countries and reports specific enforcement outcomes (3,150 suspects detained, 6,145 bank accounts frozen, and over 250 million seized). It then asserts that Interpol has “already started refunding all victims” and instructs viewers to apply via the “official Interpol website” immediately.
The message relies on the appearance of procedural realism: precise statistics, named jurisdictions, and the language of cross-border law enforcement. This creates the impression that a legitimate restitution pipeline exists and that the viewer simply needs to “submit a claim” to receive funds. In practice, the operational purpose mirrors the broader ecosystem described in this report: to capture personal data and convert victims into leads for follow-up contact, where “refund processing” is typically conditioned on upfront payments framed as legal, administrative, or verification fees.
Interpol “raid report” framing and legal specialist callback funnel
A French-language video adopts the tone and structure of a news report, claiming that authorities dismantled a major investment fraud network that allegedly deceived over 100,000 victims through fake crypto/forex schemes. The video describes an Interpol raid and seizure of cash and electronic devices, and then introduces a key persuasion element: the claim that Interpol established a “specialized legal unit” dedicated to asset restitution and assisting victims with claims. Viewers are instructed to fill out a form, after which a “legal specialist” will contact them to help recover funds.
This format blends enforcement imagery with a service-offer narrative. By presenting restitution as a structured legal process managed by a specialized unit, the video creates the expectation that recovery is routine, procedural, and institutionally supported. The instruction to “fill out the form” and await contact from a “legal specialist” directly operationalizes the lead-generation mechanism described in this ecosystem: victims self-identify, provide contact details, and are rapidly moved into one-to-one communication where the supposed recovery process can be conditioned on upfront payments (verification deposits, administrative fees, taxes, or court costs).
2. “Check if you’re on the secret list/eligibility database.”
Another set of creatives focuses on “lists”:
“Liquidated list of victims updated – check your name before [deadline].”
“Check yourself on the compensation list.”
“Database of victims of fraudulent brokers – verify if you are included.”
On the landing pages, users are invited to:
enter their full name and contact details;
declare the amount lost in a drop-down form;
confirm they are a victim of specific categories of fraud (brokers, crypto, phone scams).
This tactic preys on curiosity and the fear of missing a one-time opportunity.
Europol “refund process underway” and victim registration/verification funnel
The video claims that Europol has uncovered criminal networks, arrested organizers, frozen accounts, and begun returning funds to victims of financial scams. Viewers are instructed to “register their loss of assets,” after which an “authorized representative” will contact them to verify details and initiate recovery. The message is accompanied with urgency (“act now”) and a directive to submit a request via the “official Europol website,” presenting recovery as a guaranteed opportunity.
This format functions as a “victim registry” gateway: it prompts self-identification and data submission while implying that refunds are already in motion and victims risk missing the process if they delay. The reference to an “authorized representative” contacting the victim is a critical conversion step – moving the interaction from public-facing content into one-to-one communication, where the scam typically shifts into fee extraction under the pretext of verification, legal processing, or administrative requirements.
3. “Trust us – we are the cyber police/law enforcement support channel.”
The visual language leans heavily on authority and urgency:
stock-photo “police officers” or “interrogators” in uniforms that vaguely resemble European police, often with female officers in tailored outfits;
close-ups of FBI jackets, handcuffs, crime scene tape, police cars with blurred suspects;
screens styled as news broadcasts (“24 NEWS”) announcing that the “liars have been caught”.
Landing pages repeat this imagery: large banners of police raids, institutional seals, national flags and formal typography. Many include warnings in red text about the legal consequences of providing false information, mimicking real police forms.
Impersonation of national leadership and “cyberpolice” enforcement framing
A Polish-language variant of the campaign targets victims through localized political authority. The video claims that Prime Minister Donald Tusk, together with Europol and “cyberpolice,” led an operation resulting in the arrest of “over 40 offices across Europe” allegedly responsible for fraudulent phone-based investment schemes. It urges immediate action (“Nie zwlekaj”) and adds a proof-of-success claim that “1.5 million PLN has already been recovered.”
The combination of urgency and partial restitution figures is designed to create a “window of opportunity” effect – pushing victims to submit personal data quickly and enter the same lead-generation funnel described throughout this ecosystem, where follow-up contact typically introduces upfront “procedural” payments before any supposed refund can be released.
BKA-branded “refund program” with legal references and testimonial scripting
A German-language video impersonates German law enforcement by claiming that the Bundeskriminalamt (BKA) has launched a support program to refund victims of investment fraud, including fake exchanges, sham company shares, and fraudulent broker platforms. The video cites § 823 of the German Civil Code (BGB) to suggest that victims have a legal entitlement to compensation, and provides alarming “trend” statistics (an alleged 87% rise in investment fraud since 2022 and over €20 million stolen in the past month). It then transitions into a first-person testimonial describing a classic investment scam trajectory (starting with €250, escalating deposits, then being blocked), followed by a “successful recovery” story after submitting a complaint to the “cyber police.”
This creative is designed to withstand skepticism by layering multiple credibility cues: national law-enforcement branding (BKA), legal citations, and a detailed procedural narrative that resembles legitimate reporting workflows. The key conversion mechanism is embedded in the instructions: viewers are told to submit an electronic refund request and must accept a follow-up call from a “cyber police employee,” otherwise the application is considered invalid. This is consistent with the broader second-wave scam funnel described in this report – capturing victim contact details, initiating direct contact via a “case officer,” and escalating the interaction into financial extraction through supposed procedural requirements.
The real purpose: lead generation for second-wave scams
D- Degree
Scale of the advertising operation
Using data from the Meta Ad Library, our own collection system and open-source intelligence (OSINT), we identified:
~50,426 ads linked to refund-fraud and related campaigns
Total estimated EU reach across the dataset period: 52,716,759
459 domains and 1,139 pages in the broader ecosystem
Most remaining domains are labeled scam, with a small remainder classified as illegal gambling, link shorteners, or collateral “credible” pages that share infrastructure with scam activity.
Scam domains dominate the domain set. In the latest export, 100% of pages we tracked are labeled removed, indicating that enforcement action does occur – but largely after campaigns have already reached large audiences and generated leads.
The illusion of enforcement
In the latest export, all tracked pages are now labeled as removed, which might suggest that enforcement has solved the problem, but in practice, it only shows that takedowns happen after the campaigns have already run and generated leads. This does not mean the problem is solved. Instead, it highlights a reactive enforcement pattern:
Operators can push large volumes of ads quickly;
Platforms remove individual assets (pages, ads, domains) iteratively, while the broader infrastructure regenerates;
Operators reconstitute the funnel using new pages and domains with minimal friction.
Takedowns reduce visibility but do not dismantle the underlying business model. The ability to regenerate pages and domains at low cost means that enforcement must shift from reactive removal toward faster detection of impersonation templates and shared infrastructure.
E- Effect
Double victimisation at a continental scale
The target group of these campaigns is not the general public. It is explicitly:
people who have already been scammed by fraudulent brokers, crypto schemes or phone scams;
those who are actively searching for ways to recover their funds;
individuals whose contact details may have been sold by the original scammers.
For these people, the promise of “Interpol compensation” or “Europol-supervised confiscated funds” is not just persuasive – it can feel like the only remaining hope.
By our conservative estimates, at least tens of thousands of victims have interacted with these campaigns. Even if a small percentage end up paying upfront “fees”, the total secondary losses could easily reach tens of millions of euros.
Collateral damage: trust and institutions
Beyond financial harm, this ecosystem:
erodes trust in real law enforcement and legitimate compensation programs;
creates confusion when actual police or financial regulators contact victims;
consumes investigative resources, as national and international agencies must debunk fakes that misuse their names.
Legitimate recovery efforts – including court-ordered restitution or bank-led chargeback processes – become harder to communicate when the information space is saturated with fraudulent “funds” and “lists”.
Conclusion
Our investigation shows that fake “law-enforcement refund” schemes are not isolated adverts or rogue websites, but part of a coordinated, data-driven marketing industry:
They masquerade as Europol, Interpol, ENISA, the FBI, and national police forces, exploiting official logos, uniforms, and the language of international cooperation.
They rely on platform advertising tools to micro-target millions of people across Europe, often in their native language.
They use short-lived pages and domains to stay one step ahead of content moderation.
At first glance, the fact that almost all identified pages are now marked as removed might suggest effective enforcement; in reality, it mostly reflects a reactive, asset‑by‑asset takedown cycle that leaves the underlying business model intact. Operators can quickly replace removed pages, ads, and domains with near‑identical assets, creating the illusion of enforcement while the ecosystem continues to regenerate and scale.
For platforms and regulators, this case raises uncomfortable questions:
Why are large-scale campaigns impersonating police and international organisations still able to run thousands of ads before being detected?
How can ad libraries and transparency tools be upgraded to systematically flag institutional impersonation and second-wave scams?
What kind of cross-border cooperation is needed so that when Europol or Interpol names are abused, platforms are obliged to act fast?
For users, the key takeaway is simple but vital:
No international police agency, EU body or national cyber police runs compensation programmes via social-media ads. They will not ask you to enter your data into generic forms or to pay “fees” to unlock seized funds.
If you have already lost money to an investment scam, seek help from official consumer-protection bodies, your national financial regulator or police, and be extremely sceptical of anyone who contacts you with an offer to “get all your money back” – especially if they discovered you through an ad.