Polish Police Smash Facebook Phishing Gang That Stole Over 100,000 Passwords

Polish cybercrime officers dismantled an 11-member phishing gang that stole over 100,000 Facebook credentials and scammed victims using BLIK payment codes. Here's what happened.

If you ever clicked a shocking headline about a celebrity death and ended up on a Facebook login page — this story is for you.

Polish authorities have dismantled a sophisticated cybercrime ring that spent two years harvesting Facebook credentials from unsuspecting users across Poland and Germany. When officers from Poland's Central Bureau for Combating Cybercrime (CBZC) finally moved in, they seized more than 100,000 stolen usernames and passwords. That's not a typo.

The gang's method was deceptively simple. They built websites that looked almost identical to well-known news portals, then loaded them with sensational, clickbait-style headlines — think "Famous celebrity found dead" type stuff. When curious readers clicked through, a fake Facebook login window popped up. The moment someone typed in their credentials, the criminals had everything they needed.

Eleven suspects have been charged after a two-year operation that used fake news sites to trick people into handing over their Facebook logins — then drained their bank accounts.

From there, it got worse. The group used the stolen logins to access victims' real Facebook accounts and then contacted their friends and family — posing as the account owner — to request BLIK payment codes. BLIK is a popular mobile payment system in Poland, and the scam allowed the criminals to siphon money quickly and with minimal trace.

The operation ran from May 2022 to May 2024, and by the time it was over, eleven people had been identified across two countries. Six of them are currently sitting in pretrial detention. Prosecutors have filed more than 400 charges covering everything from running an organised criminal group and unlawfully accessing accounts, to online fraud and money laundering.

It's a good reminder that the scariest cyber threats aren't always the most technical ones. Sometimes all it takes is a fake headline and a convincing login box.