Turkey’s banking customers are facing a large fraud campaign built around fake websites and social media advertisements.
Criminals are abusing trusted financial brands to draw people into credential theft, fake loan offers, and other scams designed to steal money quickly.
The operation is notable for its scale and speed, as more than 8,400 phishing domains have targeted Turkish banks.
While 6,600 scam advertisements appeared on Facebook and Instagram during a single month, giving criminals repeated opportunities to reach customers before pages or ads disappear.
Analysts at Group-IB identified five interconnected schemes that impersonated dozens of Turkish banks and used several channels to find victims.
Group-IB said in a report shared with Cyber Security News (CSN) that the campaigns form a connected criminal chain rather than separate fraud incidents.
The research covers activity from November 2025 through April 2026, with earlier malicious activity traced back to August 2023. More than 23,000 victim complaints were recorded across Turkey, showing that the scams have caused widespread concern and financial harm.
Turkish Banks Targeted by 8,400 Phishing Domains
The phishing infrastructure was built to imitate legitimate banking services and government-related online portals.
Attackers used lookalike domains to host pages that could collect login details, card information, personal data, and one-time verification codes from unsuspecting users.
Group-IB found that one commercially distributed phishing kit supported the majority of Turkish banks and powered more than 6,700 domains impersonating Turkey’s government services portal.
The kit was reportedly sold through underground channels for about $250, lowering the barrier for criminals to launch new campaigns.
At least four campaign clusters were linked to the same infrastructure, suggesting that separate operators were relying on shared tools and templates.
This approach allows criminals to create fresh pages quickly when older domains are blocked, reported, or removed.
The fake websites did not operate in isolation. They were promoted through scam advertisements, gambling platforms, and social engineering tactics intended to make fraudulent offers appear legitimate.
Victims could be directed from a social media post to a phishing page in only a few clicks. The report also describes fake loan advertisements that use bank branding to attract people seeking quick credit.
These promotions can pressure victims into providing sensitive information or paying supposed processing fees before they realize that the offer is fraudulent.
Social Ads Fuel Laundering Chain
More than 80 percent of the observed scam activity ran through Facebook and Instagram. Advertisements could remain online for as little as 30 minutes before being replaced, while the supporting infrastructure rotated weekly to make tracking and takedowns more difficult.
The fraud chain continued after credentials or money were stolen. Recruitment advertisements offered 30,000 to 50,000 Turkish lira to people willing to “rent” their bank accounts, creating a network of money mules used to hide the movement of stolen funds.
Operators reportedly split stolen money across groups of three to five accounts before converting it into cryptocurrency through exchanges.
Court records referenced in the research show that people involved in these laundering operations have received prison sentences of up to 10 years.
For consumers, the clearest warning signs are unexpected loan offers, urgent requests for banking details, and advertisements that redirect to unfamiliar websites.
Users should access banking services through official apps or manually entered addresses, avoid sharing verification codes, and independently verify offers with their bank.
Financial institutions and online platforms also need to watch for brand impersonation, rapidly changing ad campaigns, and phishing sites that mimic their services.
Faster reporting, coordinated takedowns, and clear customer alerts can reduce the time that fraudulent pages remain available to potential victims.
Help your security team focus on the that matter most. Use ANY.RUN Threat Intelligence Feeds to automate enrichment and improve detection accuracy.
The post Turkish Banks Targeted by 8,400 Phishing Domains and 6,600 Social Media Scam Ads appeared first on Cyber Security News.



