Cybercriminals Launder Millions through Bulgarian ‘Bad Apple’ Bank

Bivol Team

Israeli national Gal Barak and German citizen Uwe Lenhoff, both arrested in Bulgaria, have been detained as leaders of an international cybercrime organization operating in several countries that is accused of stealing around EUR 100 million per year through illegal online trading platforms. The blow was announced on Tuesday by the Austrian Federal Crime Agency (Bundeskriminalamt, BKA) at a special press conference, while the FinTelegram site had reported on the arrests earlier in February. Bivol is conducting its own investigation into the case and has documents according to which huge amounts of money generated through illegal activity have been transferred to accounts at the Bulgarian private lender Investbank, opened in the name of shell and offshore companies.

Nonetheless, the blow to the international network of financial fraudsters and Barak’s arrest never made the headlines in Bulgaria. Neither the Ministry of Interior, nor the Prosecutor’s Office, nor the National Security Agency (DANS) has boasted of the successful arrest of the “Wolf of Sofia”, as the Israeli Gal Barak is known, although this arrest has been known since the beginning of February. According to Bivol’s insider information, Barak has been released from detention for health reasons and is awaiting his extradition to Austria under house arrest, something that can allow him to cover the tracks of criminal activity.

The reason for this discretion probably lies in the fact that Gal Barak has been photographed with Bulgarian Prime Minister Boyko Borisov and the Chief Rabbi of the Habad center for Bulgaria, Yosef Salamon (the headline photo is from FinTelegram). However, this is hardly all. For years, Bulgaria has been known to be a fitting territory for fraudulent schemes of any magnitude because of ineffective law enforcement and the opportunities to launder stolen money through banks with lax supervision. The most recent huge scandal was linked to laundering money coming from Venezuela, again through Investbank. The scheme was made public after the intervention of the US Ambassador to Bulgaria Eric Rubin, and as it became clear, the Bulgarian financial intelligence either never knew what was going on or worse – it knew and did not react.

These new revelations from partner law enforcement are a further blow to the reputation of Bulgaria’s banking system in the midst of the ECB stress test and the dreams of the government of joining the European Union’s (EU) exchange rate mechanism, ERM-2, known as the euro area’s “waiting room”. However, the revelations of Austrian and German cyber police are unlikely to stop here, as Barak’s and his partners’ business still endures through other companies and countries, an investigation by Bivol found.

Boiled in the boiler room

The fraudulent scheme is known as “boiler room”, a metaphor for “boiling” gullible, but greedy customers, tempted by an easy profit. In a nutshell, the scheme involves convincing people with average financial capabilities to transfer some money to a phony investment firm against the promise of quickly earning large sums of money.

The coaxing is done by phone or by email, so a call center is needed for this purpose. It also requires a site that looks like a professional trading platform with real-time graphics. After the coaxing, the victim receives an account, invests a small amount of real money with a credit card, and enjoys watching the graph of their profit climb steadily. Said graph is nothing more than an algorithm generating figures and convincing pictures. At the same time, the investor is looked after by email and phone by their “personal financial advisor”, who sweet-talks them with promises of a bright financial future, thus earning the victim’s trust.

The decisive moment comes when the advisor makes an emergency call to the client to persuade them to wire as much money as possible for a hugely profitable financial deal. If the victim takes the bait and transfers the amount, this is the end of any and all communication. The victim’s account disappears, and calls to the company are blocked for anyone who rings to ask for their money back.

High-tech phone fraudsters

It is amazing that these schemes have been known for years, yet they continue to operate and find more and more gullible victims. As early as 2015, Bivol wrote about several fake Israeli-owned trader companies that used accounts in TGI Bank. A long list of companies that present themselves as investment intermediaries but are not is available on the Financial Supervision Commission’s (FSC) website. Naturally, this list is deeply buried and is written in Bulgarian, so no Western investor has a chance to find it and to be informed about the danger. Meanwhile, the “boiler rooms”, though easily identifiable and disposable, obviously enjoy a cover-up in Bulgaria, as nobody troubles them, unless, of course, there is pressure from abroad.

The illegal online trading sites associated with Gal Barak are an impressive bunch: option888, SafeMarkets, XtraderFX, Golden Markets, Optionbit, optionstars, and so on. What they have in common is that they are based on the platform of the Bulgarian company Tradologic. Most of the sites specialize in “Binary Options”, which are now banned in the EU, and in cryptocurrency trading. The sites’ addresses change frequently, and some are just shut down once they are detected by regulators.

The fake trading site must be able to report real-time bank account charges and deposits in order to gain the client’s trust. That is why a key point in the scheme is the API link to an online payment processing system that does not have strict Know Your Customer (KYC) and Anti-Money-Laundering (AML) policies. These include Dreamspay, Entropay, Praxis Cashier, Jupiter, Payvision, the Azerbaijan-based MasterPay LTD and others (listed in detail by FinTelegram).

It should be noted that the most popular online payment processing platforms, such as PayPal and Stripe, perform detailed KYC checks and would never work with dubious financial services sites owned by offshore companies or licensed by the financial watchdog of Montenegro, for example.

Account in “bad apple” bank

The online payment accounts are usually registered to offshore companies. However, bank accounts are needed as well to cash large deposits. In Bulgaria, such accounts can be opened in the “bad apple” Investbank, known for ignoring anti-money laundering rules. There is also data on accounts in International Asset Bank, which is associated with alleged organized crime boss Mladen “Madjo” Mihalev.

Bivol obtained access to data on several such accounts in Investbank, opened by companies associated with Gal Barak. One of them is in the name of the London-based Gpay Ltd, registered in 2017 to Georgi Komissarov with a capital of only GBP 100. In a year, the BG30IORT80481488911800 account has received EUR 27,674,931.42, while in one month alone, November 2018, EUR 6,861,989.05 had been deposited in the account of Gpay Ltd and EUR 7,219,535.39 had been withdrawn.

In Bulgaria, Georgi Komissarov is the manager of Green Oaks, whose owner, Vantu Capital Ltd. from the Marshall Islands, is behind the trading platform Roiteks, which is on the FSC’s list. Another site under the umbrella of Gpay Ltd is XtraderFX.

The main proceeds to Gpay Ltd are from the Netherlands-based PayVision, from which EUR 3.4 million had been received in November 2018 alone.

The withdrawal of the money from the account, to be directed to other companies, is consistently justified with marketing services contracts for DYNAMICSOLUTIONS LTD, GLOBAL MEDIA PARTNERS INC., TIBERG LIMITED, SEAGULF LTD, ONLINE PROSPECT LIMITED and E & G BULGARIA LTD, which is investigated by the Austrian and German police and is owned by Itshak Dzhilet with manager Gal Barak.

In April 2018, Itshak Dzhilet opened a branch of E & G BULGARIA in Georgia under the name of Alpha Marketing LLC, an investigation by Bivol’s partners from the OCCRP in Tbilisi established. FinTelegram is of the opinion that this relocation is linked to another boss of the group around Gal Barak: the hacker Gery Shalon, who is the son of Georgian politician Shota Shalelashvili. In 2015, Gery Shalon was accused in the United States of orchestrating “the largest theft of customer data from a U.S. financial institution in history”, committed several years earlier. According to FinTelegram, Gal Barak, Gery Shalon and Russian hacker Vladislav Smirnov are the three “godfathers” of a large cybercriminal group.

The Georgian link is Simon Tetroashvili, who is a half-brother of Shota Shalelashvili. The company he manages, Online Prospect Limited, registered in Hong Kong, received EUR 2.2 million from Gpay’s account in Investbank in November 2018 alone.

Investbank did not respond to the questions sent to its press office about the accounts of Gpay Ltd and the other offshore companies that will be the subject of a follow-up to this investigation.

To be continued

Updated on February 27, 2019, at 6 pm. – a response from Investbank was received, which we publish as an attached file in Bulgarian. In it, the Bank firmly denies the accusations, insists that it is following all rules and regulations, but stresses that unfortunately, it is unable to fully defend itself due to the “bank secrecy” requirement.

