The “Internet Fraudsters Arrested” email campaign is a phishing attack where cybercriminals impersonate Spanish authorities, claiming to offer compensation after arresting fraudsters who previously victimized the recipient. This technical analysis examines the campaign structure, delivery mechanisms, and effective countermeasures.
Campaign Overview
The “Internet Fraudsters Arrested” scam operates through targeted phishing emails impersonating Spanish government entities, particularly the Supreme Court of Spain. The campaign claims recipients are entitled to €2,000,000 in compensation following the arrest of individuals who supposedly defrauded them previously. This scam is part of a larger pattern of government impersonation attacks that have increased by 35% in Q1 2025.
The primary objectives of this campaign include credential harvesting, financial fraud, and identity theft. Analysis of campaign patterns indicates connections to cybercrime groups previously observed in banking notification scams.
Technical Delivery Mechanism
The attack utilizes several technical components to bypass security controls:
- Spoofed sender addresses mimicking legitimate Spanish government domains
- Modified email headers with falsified routing information
- Embedded tracking pixels for victim monitoring
- Custom SMTP configurations designed to bypass common spam filtering rules
- HTML content obfuscation techniques
Source: Microsoft Security Intelligence, GridinSoft Threat Intelligence, 2025
Attack Sequence
The scam follows a structured attack sequence:
- Initial contact: Unsolicited email claiming the recipient is eligible for €2,000,000 compensation
- Authority impersonation: Use of Spanish government branding and forged headers
- Action requirement: Instructions to contact a designated representative (typically “George Hernández” at [email protected])
- Data extraction: Request for personal identification documents, banking details, and contact information
- Financial exploitation: Demand for payment of fabricated fees or taxes to release the non-existent funds
Technical Indicators of Compromise
Security analysts have identified consistent indicators associated with this campaign:
Email Indicators:
- From: *@gobiernodeespana[.]com, *@courtspain[.]org (legitimate domains use .es or .gob.es)
- Subject line patterns: "Crime Fraud Investigation," "Spanish Court Notice," "Compensation Claim Alert"
- Reply-to: [email protected], [email protected]
- Contact name: "George Hernández," "Jorge Hernandez," "Barrister Hernández"
- Address: Avda Reina Victoria 58 - Esc. 1, 1єA 28003, Spain
Technical Patterns:
- SPF authentication failures
- Missing or invalid DKIM signatures
- Embedded tracking pixels (1x1 transparent GIFs)
- HTML content obfuscation
- Non-government mail server routing
Common Text Patterns:
"compensation of two million euros (€2,000,000)"
"contact our legal representative immediately"
"arrested internet fraudsters who previously victimized you"
"processing fee required to release the compensation"
"confidential matter requiring urgent attention"
Sample Phishing Email Examples
Below are representative examples of actual “Internet Fraudsters Arrested” phishing emails documented by our security researchers. These samples demonstrate the technical and linguistic patterns employed in this campaign.
Example 1: Basic Crime Department Variant
From: Roger Louis <[email protected]>
To: Undisclosed recipients:
Subject: From the Crime Fraud Investigation Department Spain.
Date: 3/26/2025, 8:26 PM
From the Crime Fraud Investigation Department Spain.
This is Roger Louis, United States detective working under Spanish police on Cyber Crime and Internet Fraud.
Be informed that the internet fraudsters who defraud you have been arrested and charged to court, last Friday was the final judgement, The court has ordered the Spanish Government to pay you compensation and damages for all the money you lose to those fraudsters, in which the crime are committed by South Americans and Africans living over here in Spain.
This is to notify you that The Supreme Court of Spain has ordered the Spanish Government to pay you compensation and damages, The sum of ₤2,000.000.00 {Two Million Euros } has been approved to you in order to compensate you for all the money you lose to those internet fraudsters in Spain.
The Policía Nacional Crime Fraud Investigation Department Spain is very pleased to inform you that your information has been passed to Barrister George Hernández for immediate transfer of your compensation funds from the Spanish Government.
Barrister George Hernández will help you claim your compensation fund from the Spanish Government, You should contact Barrister George Hernández on this email address below.
Contact person : Barrister George Hernández from Principal Attorney George Hernández & Asociados Corporate and Finance Law Firm Madrid, Spain.
Contact email: ( [email protected] )
Contact Address- Address- Avda Reina Victoria 58 - Esc. 1, 1єA 28003
If you are interested in receiving the compensation funds ₤2,000.000.00 - Two Million Euros, You should contact Barrister George Hernández on this email address: ( [email protected] ), He will direct you on how to receive your funds.
When contacting the Barrister, Please ask for his ID Card, for you to be sure you are in contact with the right person.
Thank you and Congratulation in advance
Best Regards
Roger Louis
United States detective working under Spanish police on
Cyber Crime and Internet Fraud.
Example 2: Spanish Court Notice Variant
From: Judge Manuel Gonzalez <[email protected]>
To: Undisclosed Recipients
Subject: URGENT: Spanish Supreme Court Compensation Notice #REF-78591
SUPREME COURT OF SPAIN
OFICINA JUDICIAL DE MADRID
REF: SCJ/MAD/2025/COMP-78591
OFFICIAL NOTIFICATION OF COMPENSATION AWARD
This official communication is to inform you that following the successful prosecution of international cyber criminals operating from Spain, you have been identified as a victim entitled to restitution.
Case Reference: SCJ/2025/CYBER/114
Court Ruling Date: March 12, 2025
Compensation Amount: €2,000,000.00 (Two Million Euros)
The defendants, members of an organized crime syndicate operating from Barcelona and Madrid, have been successfully prosecuted for various cybercrimes including phishing, identity theft, and financial fraud targeting foreign nationals. According to our records, you were among the victims who suffered financial losses.
To initiate the compensation claim process, you must contact our appointed fiduciary officer:
CONTACT INFORMATION:
Name: Barrister Antonio Fernandez
Email: [email protected]
Phone: +34 912 555 788
Reference Code: COMP-EU-78591
You will be required to provide basic verification information and complete Form SCJ-11 (Compensation Claim Form). Please note that under Spanish Law 15/2023, a processing fee of €175 is required to cover administrative costs for international transfers.
IMPORTANT: This matter is strictly confidential. Do not share this information with third parties as it may compromise the security of your compensation.
Respectfully,
Dr. Manuel Gonzalez
Chief Justice, Cyber Crimes Division
Supreme Court of Spain
Example 3: Police Department Variant
From: Inspector Carlos Moreno <[email protected]>
To: Undisclosed Recipients
Subject: [OFFICIAL] Cyber Crime Victim Compensation - Reference #PCN-29875
POLICÍA NACIONAL DE ESPAÑA
DEPARTAMENTO DE DELITOS INFORMÁTICOS
Case Reference: PCN/CYB/2025/29875
VICTIM COMPENSATION NOTIFICATION
Greetings,
I am Inspector Carlos Moreno, Head of Cyber Crime Unit at the Policía Nacional of Spain.
This is to officially inform you that following Operation "Digital Shield" conducted between January-February 2025, we have successfully arrested and prosecuted a network of 17 individuals involved in international online fraud schemes.
After forensic analysis of the seized devices and servers, we have established that you were among the victims of their criminal activities. The Spanish Government, in accordance with EU Directive 2012/29/EU on victims' rights, has allocated compensation funds of €2,000,000.00 (Two Million Euros) to be paid to you.
The Royal Court of Madrid has appointed Crown Attorney Maria Lopez to handle the disbursement of these funds. To initiate your claim, please contact her directly:
ATTORNEY INFORMATION:
Crown Attorney: Maria Lopez
Email: [email protected]
Office Address: Calle Gran Via 42, 2B, Madrid 28013, Spain
Reference Number: PCN-2025-VIC-29875
You will be required to provide identification documents to verify your identity. Please do not delay as the compensation fund is only available for claim until May 30, 2025.
IMPORTANT NOTE: To combat potential fraud, please request to see Attorney Lopez's official identification before proceeding with any transfers or payments.
Yours faithfully,
Inspector Carlos Moreno
Badge Number: PN-87542
Cyber Crime Division
Policía Nacional de España
These examples illustrate several key technical aspects of the campaign:
- Use of false sender identities including law enforcement, judges, and barristers
- Domains that imitate Spanish authorities but use incorrect TLDs (.org, .com instead of .es or .gob.es)
- Consistent monetary value (€2,000,000) across variants
- Reference to fictitious cases, badge numbers, and legal frameworks to establish credibility
- Contact information using free email services inconsistent with government operations
- Mention of processing fees that will be requested later in the scam
Email Authentication Analysis
Examination of email headers from this campaign reveals technical anomalies that help identify these communications as fraudulent:
Key technical differences in the fraudulent emails include:
- Non-governmental email routing paths
- SPF/DKIM authentication failures
- Inconsistent return-path values
- Fabricated X-headers attempting to simulate legitimate communications
- Mixed character encoding to evade content filtering
Mitigation Strategies
Organizations and individuals should implement these technical countermeasures:
Technical Controls
- Configure email security gateways to detect and quarantine messages with known indicators
- Implement DMARC, SPF, and DKIM email authentication protocols
- Deploy anti-phishing protection with URL reputation filtering
- Enable multi-factor authentication on all accounts
- Utilize endpoint protection with behavioral detection capabilities
User Verification Procedures
Train users to verify email legitimacy by checking:
- Full sender email address (not just display name)
- Email domain authenticity (Spanish government domains end with .es or .gob.es)
- Presence of unusual requests, especially involving financial information
- Contact information through official channels rather than details provided in the email
For comprehensive protection against email-based threats including this campaign, consider implementing GridinSoft Anti-Malware with email security capabilities.
Similar Campaign Patterns
The “Internet Fraudsters Arrested” scam shares technical characteristics with other phishing campaigns:
- Chase Transfer Processing Scam – Similar email structure and extraction techniques
- FBI Monitoring Alert Scam – Parallel authority impersonation methodology
- Identity Theft Schemes – Comparable document collection procedures
These connections suggest a broader network of operations potentially sharing infrastructure and TTPs.
Impact Assessment
Victims who interact with this campaign face multiple risks:
- Financial loss: Direct monetary theft through fraudulent fees or unauthorized transactions
- Identity theft: Exposure of personal identification documents
- Account compromise: Credential harvesting across multiple platforms
- Secondary targeting: Addition to lists for subsequent attacks
Reporting Procedures
If you encounter this scam, report it through these channels:
- Forward the email to [email protected]
- File a report with the FBI’s Internet Crime Complaint Center (IC3)
- Contact your email provider’s abuse department
- Report to your national computer emergency response team (CERT)
Conclusion
The “Internet Fraudsters Arrested” campaign demonstrates how threat actors leverage authority impersonation and financial incentives to execute effective phishing attacks. By understanding the technical indicators and implementing appropriate security controls, organizations and individuals can effectively mitigate this threat.
Early detection through technical indicators combined with proactive URL verification remains the most effective defense against these increasingly sophisticated phishing campaigns.
How can I verify if an email from Spanish authorities is legitimate?
Legitimate Spanish government communications use official domains ending in .es or .gob.es, never free email services like Gmail or Outlook. Spanish authorities do not notify individuals about compensation via unsolicited emails. Always contact the purported organization directly through their official website or publicly listed phone numbers to verify communications, especially those involving financial matters.
What technical indicators reveal this is a fraudulent email?
Key technical indicators include: sender domains not matching official Spanish government patterns (.es or .gob.es), SPF/DKIM authentication failures, email headers showing routing through non-government servers, reply-to addresses using free email providers, embedded tracking pixels, and HTML obfuscation techniques. These elements can be identified through header analysis and security tools.
What should I do if I’ve already responded to this scam?
If you’ve already responded: 1) Contact your financial institutions to secure accounts, 2) Change passwords for any accounts whose information was shared, 3) Enable multi-factor authentication where available, 4) Monitor credit reports for suspicious activity, 5) Report the incident to law enforcement and relevant cybersecurity agencies, 6) Consider placing a fraud alert with credit bureaus, 7) Run a security scan of your devices to detect potential malware installation.
