Two young men have been arrested in the Netherlands on suspicion of running a phishing operation that harvested the credit card details of unsuspecting victims.
On June 23 2026, Dutch police detained a 23-year-old man from Zaandam and a 21-year-old from Amsterdam, and searched their respective homes, seizing devices thought to have been used for fraudulent transactions, alongside luxury goods and a car.
According to a police press release, victims were duped into entering their payment card details on bogus phishing websites.
Although the police statement did not describe the nature of the specific phishing sites alleged to have been set up by the men, or the lures used to fool the unwary, more generally the typical type of credit-card phishing scams currently encountered in the Netherlands involve fake PostNL/DHL “redelivery fee” texts, or spoofed bank webpages, or increasingly malicious QR codes.
Investigators believe the arrested men, who have not been named, did not just misuse the stolen payment card details themselves, but also passed them on to other fraudsters. Unfortunately it’s all too common for stolen data to be sold, shared, and reused – often many times over.
Just one day after police made the arrests public, the Dutch central bank (DNB) released figures showing that payment fraud in the Netherlands rose by around 30% in 2025, to approximately 658,000 cases – with total losses climbing 22% to €198 million.
Card payment fraud was found to be the single most common category, with over half a million fraudulent transactions (up more than a quarter on the year before).
And the typical way that criminals obtain these card details according to the central bank? Phishing.
According to fraud-prevention firm BioCatch, which analysed data from the European Banking Authority, the Netherlands now ranks highest of all countries in the European Economic Area for digital payment fraud.
The cybercrime unit of the Dutch police’s Noord-Holland division says they are not ruling out further arrests, and their investigation continues.
On 19 May, the very same police unit arrested two 23-year-old men from Bergschenhoek on suspicion of selling “phishing panels” – ready-made kits of fake websites, mimicking genuine bank webpages – to other criminals as a form of phishing-as-a-service. Police claimed that the pair sold their panels via social media to fraudsters in several countries, targeting banks across Europe.
None of this, of course, undoes the harm already done to the victims. Worryingly few victims ever come forward to the authorities. In 2024, just 1% of Dutch fraud victims recovered their money, and while around half reported the crime to their bank, only a fifth went to the police.
In other words, these arrests are just the tip of a very large iceberg.

