Belgian authorities have arrested a 19-year-old man they say was a central figure in a European phishing and money-laundering operation that netted more than €500,000 by targeting victims with fake government emails and phone calls. The suspected scheme relied on remote-access software to carry out fraud, and investigators say cryptocurrencies were used to move and launder the proceeds.
According to a Federal Judicial Police report cited by Belgian law enforcement, the arrest took place in Antwerp at an Airbnb, where a second suspect was also found. The investigation began in March 2026, when regional authorities escalated phishing as a priority.
Key takeaways
- Belgian police say the suspected phishing crew used fake government communications to trick victims into installing remote-access software.
- The operation allegedly involved money mules and cash carriers before converting proceeds into cryptocurrencies.
- Investigators characterize crypto as serving multiple roles in phishing—both as part of laundering workflows and as an enabling tool.
- Broader industry data cited in the report reinforces that phishing and social engineering remain leading drivers of crypto theft.
- Recent warnings about malicious ads on Google highlight how attackers are continuing to target users through mainstream search advertising.
Arrest in Antwerp and a laundering pipeline using crypto
In the Belgian case, the Federal Judicial Police reported that the suspected mastermind was detained in an Airbnb in Antwerp. A second suspect was discovered at the location as well, and the primary suspect was subsequently brought before an investigating judge, who issued an arrest warrant.
While authorities did not detail the full operational workflow in the cited report, they described the alleged criminal method: victims were contacted via fake government emails and phone calls designed to induce them to install remote-access software. That is a classic social-engineering pattern in phishing campaigns, because it converts a digital entry point into remote control capabilities.
Police also said the network used intermediaries—money mules and cash carriers—to process and move funds before laundering. The critical addition for the crypto angle is that investigators allege the gang ultimately laundered proceeds through cryptocurrencies, demonstrating how digital assets can be integrated into stages of criminal finance rather than remaining isolated as a payment layer.
Why this matters for crypto users and compliance
The Belgian arrest underscores a recurring reality for the crypto ecosystem: many of the highest-impact losses do not begin with vulnerabilities in smart contracts or protocol code. Instead, fraudsters frequently use human-targeted tactics to obtain access to accounts, wallets, or other assets—and then use crypto to obscure trails.
From an investor and operator standpoint, this has practical implications. It suggests that even if a platform’s underlying technology is secure, users may still face outsized risk through phishing campaigns that impersonate trusted entities. It also points to why transaction monitoring and compliance controls remain relevant even when the entry attack is “off-chain.”
For builders and exchanges, the lessons tend to be operational rather than technical: account security, verification processes for high-risk requests, user education, and fraud response playbooks can all influence outcomes when scams target individuals rather than software.
Phishing and social engineering still dominate crypto losses
The broader threat landscape aligns closely with the Belgian case. Phishing and social engineering scams are described as major contributors to crypto theft, including in reported loss figures for early 2026.
According to Hacken, phishing and social engineering accounted for $306 million of the $482 million lost in the first quarter of 2026. That data, as presented in the source reporting, frames phishing as the most prevalent mechanism behind real-world losses—even as decentralized finance security debates often focus on exploits and protocol failures.
Attackers have long exploited predictable human behavior: creating urgency, impersonating authority figures, and using convincing messaging to bypass caution. The persistence of those tactics is why the crypto community continues to treat user manipulation as a top-tier security concern, not a fringe risk.
Malicious Google ads and evolving tactics
Recent warnings show that phishing campaigns are not limited to email and direct calls. On May 25, onchain analyst “b-block” warned that scammers used Google to run malicious phishing ads impersonating decentralized exchange Uniswap, reportedly stealing more than $400,000 from victims. The warning adds another layer to the problem: threat actors may be leveraging established advertising ecosystems to reach users at scale.
In parallel, DeFiLlama said fake ads on Google are a common source of phishing attacks. Separately, Crypto cybersecurity group Security Alliance reported in April that there was a significant uptick in phishing activity on Google Search in March. Together, these points indicate that mainstream discovery channels—search ads and ad placements—can become a distribution method for crypto scams.
Blockchain security company CertiK’s Skynet report also highlighted phishing and social engineering among leading tactics used by malicious actors associated with North Korea-linked operations. The source further notes that CertiK attributed the 2022 Ronin Bridge exploit to a spearphishing campaign that involved a fake LinkedIn recruiter and a malware-laden PDF—an example of how phishing can lead into broader compromise chains.
What to watch next
With Belgian authorities tying phishing directly to crypto laundering techniques, and with multiple reports indicating phishing remains the largest share of reported losses, the next signal to track is whether law enforcement actions and platform security measures reduce scam distribution channels—especially ads and impersonation attempts—or whether attackers continue to shift to new mainstream touchpoints faster than users can adapt.






