28 April 2025

– The deceptive “Know Your Customer” process

Without the possibility of making thousands of phone calls per day to victims across the world, the scam call centers would not be “in business”. Thanks to the access to vast numbers of diverse phone numbers, the scammers gain credibility while hide their location.

These services are provided by a handful of VoIP (Voice-over-IP) providers that supply telephony and SMS services to the scam call centers. Thanks to these providers, the call centers have been able to operate a lucrative business for years.

This article reveals who these VoIP providers are, and why they might not have any interest in effective Know-Your-Customer (KYC) and Anti-money-laundry (AML) procedures to prevent that fraud is taking place from their infrastructure.

The Facts

The Scam Empire data leak includes a great amount of documents and data bases that includes the names of the five VoIP operators presented in this article. All operators provide voice services to the “Sapphire Network” with call centers in Cyprus, Bulgaria and Israel as well as the “AK Group” call center operating from Georgia.

According to leaked financial records, since late 2020 the “Sapphire Network”, consisting of several call centers, has paid not less than 1 million EUR for voice services.

The leak also reveals that intermediary (proxy) companies were used to hide the connection between scam call centers and VoIP providers. Internal chat conversations strongly indicates hat the VoIP providers were fully aware of the call centers fraudulent activities.

The evidence in the leak include (but is not limited to):

Information from the “Predator” software that among other things maps each VoIP operator with the individual calls to the 26,800 victims of the “Sapphire Network”.
Service agreements between the scam call centers and the VoIP operators using intermediary companies.
Call logs including brands and affiliates associated to the calls, uploaded to Robonote – an AI call analysis service.
Telegram and Signal conversations between the VoIP operators and the support teams of the “Sapphire” and “AK Group” call centers.
Screen recordings of sales agents’ computers that include the VoIP clients used by the “AK Group” as well as the configuration of VoIP operators in each of the brands of “Sapphire”.
Software development roadmaps with quality assurance and new features that include information about the VoIP operators.

Fraud awareness

The standard response from all the VoIP providers we contacted was essentially the same: they claim to simply offer a voice service, adhere to their own Know Your Customer (KYC) procedures, and expect clients to follow the Acceptable Use Policy outlined in the service agreement. It’s the classic old-school mantra: “I’m not responsible for what my clients do.”

However, the leaked material tells a different story.

Chat logs between VoIP operators and call centers reveal that when phone numbers used by the scam call centers were flagged as “Spam” or “Fraudulent” by different phone reputation services, the VoIP carriers refreshed the numbers in coordination with the scam call centers. Hence, the VoIP providers made sure that the scammers had access to fresh numbers to continue their scam.

In the case of the “Sapphire Network”, we found that the VoIP providers worked closely with their developers to integrate their voice systems with the CRMs of the different brands, so the status of each of the establishment of the calls was presented to the agents in their dashboards (so called “web hooks”).

The VoIP Operators

The Georgian call center and the Sapphire Network used five common VoIP Providers. Four of them of Israeli origin.

Company registration: Israel (Haifa)

Partnership: Vonage – Ericsson (Sweden)

Front-companies: Mexpend, Intek Systems, Meltanera

Company registration: Israel(Jerusalem)

Office: Sofia, Bulgaria

Front-companies: Mexpend, Intek Systems

Origin: Israel (Herzliya)

Office Petah Tikva (Israel)

Partnership: Porta One (Canada)

Origin: Singapore

Office location: Amsterdam (Netherlands), Larnaca and Limassol (Cyprus), Dubai (UAE), Manila (Philippines)

Partnership: DIDlogic

Origin: Israel, Ramat Gan

Registration: Hong Kong

Office location: Manila (Philippines), Kyiv (Ukraine)

An analysis of call records stored in “Predator”, a system from the “Sapphire Network” that monitors victims’ deposits and calls, revealed that Coperato’s voice services had been used since August 2021 and generated more than 7 million phone calls. Coperato was the oldest VoIP operator found in the leak and we could trace records of payments to Coperato back to 2020.

Coperato stands for the largest amount of calls by the Sapphire network (>7 million).

This screenshoot from the “Leaderboard” CRM used by the Sapphire Network shows an overview of all VoIP operators that are connected to the business unit “Bugati”, namely SquareTalk, Coperato, Commpeak and Voiso.

The Sapphire Network also used, or evaluated, Omega Telecom, Reshet, PrimeTelecom and Voicespin. The CRM “Cooltecho”, used by the Sapphire Network, includes code to integrate these VoIP providers to their call centers.

Front Companies – a way to hide

The scam call center are using front-companies to avoid a direct and “formal contact” with the VoIP providers. There are two different types of front-companies that we have come across:

Account holder: The scam call centers opens an account with the VoIP provider in the name of the front-company. Once the initial KYC process is done on the front-company more sub-accounts can be created.

Financial transfers: Front-companies are also used to pay VoIP invoices as a way to hide the real identity of the ultimate client. The very same front-company can also be used to receive deposits from victims of the scam call centers.

For example, Mexpend Ltd (UK), Intek Systems (UK) or IT Factory 62 Dooel (MT) were used to establish agreements with VoIP Providers and Meltanera SL (Spain) was used to receive deposits from victims and pay a VoIP provider.

VOIP OPERATOR 1: EM COPERATO LTD

The forensic investigation reveals that the Israeli based Voice over IP (VoIP) and SMS provider (fullsms) EM Coperato Ltd has been used as one of the main voice carriers in several call centers involved in investments frauds.

In the case of “Sapphire Network” that operates call centers in Cyprus, Bulgaria and Israel, Coperato is responsible of originated millions of phone calls targeting no less than 20,000 victims during 2024 alone.

Coperato, founded in 2013, is led by CEO Gil Shoval. The company specializes in tailored business communication services, including VoIP solutions and comprehensive call center services. The company is headquartered in Haifa, Israel.

In response to our claims that Coperato is knowingly collaborating with scam call centers, the company replied that it is “not allowed to listen to clients’ phone calls, and therefore cannot know when its service is being misused.” However, this explanation does not hold up under scrutiny.

The below screenshot from CRM manager “Zoe Wilson” (Ziva Reichel), reveals how Coperato replaces a UK number flagged as fraudulent for a new one associated to the brand “Fintrex“.

Front-companies to keep distance from crime

In both fraud networks, business agreements with Coperato were established using intermediary companies (front-companies) not to expose the real actors. A few examples of the front-companies presented in this article.

Mexpend Ltd (UK)

The proxy company “TeleTalk” (teletalkhub[.]com), trading as Mexpend Ltd has been responsible of arranging the different agreements with VoIP carriers including Coperato for the Sapphire Network.

The signed Service Agreement between Coperato and Mexpend lists Yanina Nikolova (ID 389355744) as Customer, while the agreement is signed by a “Jason Parker” from TeleTalk Hub. Mexpend is using the postal address of Ghost Mail Ltd in Herefordshire, a so called “mail service company”, often used by shady businesses for privacy reasons. Likely, Yanina is registered as company owner in the UK, but all rights of the company have been transferred to TeleTalk Hub. The signature of “Jason Parker” at TeleTalk Hub reveals that he is based in Bulgaria (37.63.97{.}152). His clumsy signature strongly indicates that Jason is not his real name.

IT Factori 62 Dooel (Montenegro)

A company registered in Montenegro in the name of Bulgarian, Emil Nikolaev Nikolov. The company is used to arrange agreements with payment processors, affiliate marketing campaigns and VoIP providers as Squaretalk.

Meltanera SL (Spain)

The Spanish company Meltanera SL (Ltd) has been used both to pay for services to Coperato and to collect deposits from victims.

The BBVA wire transfer below shows an transaction of 5,000 EUR from Meltanera to Coperato for voice services. The CaixaBank statement shows a transfer of 15,500 EUR from a victim to Meltanera.

Intek Systems

Similarly, in the case of the Georgian “AK Group Network”, the front company “Intek Systems” is used in the name of Lithuanian Jevgenij Roscenkov. However, the daily operations with the VoIP providers are performed by Georgian Zviad Urushadze that goes by the name “Luke Wade”.

Moving to crypto

The “Sapphire Network” payed Coperato by means of wire transfers for its voice services during 2020 to 2022. Since 2022 Coperato stopped receiving wire transfers from front-companies and payments moved to crypto-currency. Coperato’s Ethereum (ETH) wallet that was used by the scam call centers is 0x5801206d94cf60c81466dac0604ef6ce70ccddf1.

(Left) The Telegram conversation between members of the “Zebra” team in the Georgian Call Center shows how Bitcoin transactions of 2,000 USD were made to crypto wallets of both Coperato and Voiso. (Right) Coperato giving instructions to the “KIRI” (Kiriosta) at Sapphire Network how to pay them in crypto currency.

The following screenshots show how crypto payments to Coperato are handled.

Scam call centers’ client accounts

The following client accounts belonging to scam call centers operated in Coperato’s infrastructure:

Sapphire Network: zebra, zebra2, mjglobal, testa2, c4u, astro, jaguar, bgcanada, testa, inv-serb, ast-srb, kiri, arkcapitals, fidelityexchange, MJglobal, consalit
Georgia Network (AK Group): morning

Support, features and development

The leak contains records of how Coperato provided direct support to both scam networks, assisting them to integrate their Voice platform with their Customer Management Systems (web hooks), activate new phone numbers when the numbers are flagged as Spam or to block inbound numbers (DIDs) to stop victims from calling the scammers.

Chat between Coperato account manager and scam call center regarding numbers flagged as spam.

Information about how the “Sapphire Network” implemented and integrated new features to the VoIP operations was found in the leak. For example:

The development of a monitoring system to monitor the quality of the phone numbers checking them numbers against two online services “IP Quality Score” and “Seon”.
The integration of their newly enhanced CRM “cooltecho” with the VoIP providers (webhooks)
The use of AI to monitor phone calls using third party provider Robonote.
The integration of Coperato’s fullSMS service in November 2023.

The Vonage/Ericsson connection

During our research we discovered that Coperato relied on Vonage Communications APIs to support customer connections and conversations over multiple channels including voice and SMS. A strategic collaboration with Coperato was announced by Vonage in February 2023.

The Swedish Telecom giant Ericsson acquired Vonage for $6.2 billion in July 2022. The acquisition has been labeled a “fiasco” due to the significant challenges it faced, culminating in Ericsson writing off nearly its entire investment in Vonage in 2024.

Vonage was confronted by the #ScamEmpire Consortium as they were an important upstream provider to Coperato, a VoIP operator delivering voice services to several call centers involved in financial fraud. Vonage confirmed that Coperato was a client of theirs, and provided the following quote:

We have systems and measures in place to monitor for and mitigate risks of fraud, scams and phishing on our platform and from Vonage accounts. In addition, all Vonage customers must follow the Terms of Service when signing up for services, as is stated in the Acceptable Use Policy, which provides guidelines on prohibited and/or inappropriate content and use of Vonage services. When we’re made aware of suspected fraud, scams or phishing, we will investigate the matter and service for customers found to be in breach of Vonage’s Acceptable Use Policy will be terminated.

When Qurium informed Vonage that Coperato’s malicious activities could be traced back to to 2020, and asked why their measures had not stop them, Vonage replied:

We don’t normally comment on customers but we can confirm Coperato is no longer a customer.

VOIP OPERATOR 2: SQUARETALK

Squaretalk is a cloud-based voice provide founded in 2010 and is headquartered in Jerusalem, Israel with hub office in Sofia, Bulgaria. Elie Rubin serves as the Chief Executive Officer and Chairman of the Board. SquareTalk started off as Innitel, which later was rebranded to Deskforce.

SquareTalk provides voice services to both scam networks and just like Coperato, the front-companies TeleTalk Hub (trading as Mexpend) and Intek Systems are used to obtain the voice services.

Sapphire Networks’s point of contact at Squaretalk is the account manager Darena Yordanova (Dary). In April 2024 SquareTalk signed a service agreement with the “Sapphire Network” to provide inbound numbers in Chile, Colombia and Mexico. This information suggest that the organization is planning to expand its scam activities into Latin America.

SquareTalk allocates different staff members of their support team to attend requests of the different call centers’ Desks that run different billing agreements. The Telegram chat below shows that IT Factori 62 has different points of contact for each of their operations (Amy, Jason, Henry, Tom and John) that are associated to Squaretalk’s sub-accounts Kiriosta, Mexpend, Teletalk, Purplesun, ADDM, Vector, Finbok.

In the leak we could find the following SquareTalk accounts: kiri, finbok, srb, bg and mex which matches with billing desk Kiriosta, Finbok, Serbia, Bulgaria, Mexpend.

Squaretalk keeps serving the scam call centers

After the release (5 March 2025) of the joint investigation #ScamEmpire, Qurium approached Squaretalk to learn about the findings of their internal investigation and whether any actions were taken to stop the fraudulent calls. To our surprise, Squaretalk did not only decide not to take any action against the accounts operating scams but continued to provide voice services to the fraudsters.

Documentation leaked to Qurium (see slideshow below) from Squaretalk’s internal management systems shows:

Squaretalk created new sub-accounts for the “Sapphire Network” the very same day that the investigation was made public (5 March 2025). The sub-accounts “Prime”, “Prime2” and “Concept” were created associated to the main “Sapphire Network” master account “IT Factory 62 Dooel” (Slide 1)
Squaretalk are doing business with Sapphire Network’s scam call centers via the front-company “Mexpend” (Slide 2)
The “AK Group” kept placing groups using the account Intek Systems on 25 March 2025 and that the account was labeled “Golden Currencies Trade” (Slide 3).
“Luke Wade” (Zviad Urushadze from the AK Group) is still an active user in the Intek System account on 25 March (Slide 4).
The “Sapphire Network” kept placing calls as of 25 March 2025 using the sub-account “Concept” (Slide 5).

Slide 1: Under the main account of the Sapphire Network (IT Factory 62 Dooel), the sub-accounts Prime, Prime2, and Concept were created on March 5, 2025.

Slide 2: Sapphire Network (IT Factory 62 Dooel), also runs active sub-accounts in the name of Mexpend and Purplesun.

Slide 3. AK Groups keeps placing calls via the Intek Systems account, labeled “Golden Currency”.

Slide 4: The account of the front-company “Intekret” still had a user with name “Luke Wade” on 25 March 2025.

Slide 5: The sub-account Concept of “IT Factory 62 Dooel” (Sapphire Network) was still active on March 25th.

Slide 6: Darena Yordanova (Dary) was the account manager of PurpleSun LTD, an account under the Sapphire Network which was cancelled in January 2025.

We also learned that Squaretalk received more than 140.000 USD from March 2024 from Intek Systems. The payment receipt below from March 2025 shows a transaction of 3,000 USD from Intek Systems to Squaretalk.

VOIP OPERATOR 3: COMMPEAK

CommPeak’s voice services are used by both scam networks. The agreement with the Georgian call center is done between Michelle Quizana (Human Resources) based in the Philippines and “Nita Barnov” from the “AK Group”.

The Skype account of IT department employee Zviad Urushadze (alias “Luke Wade”) from the Tbilisi call center, shows that he has at least two contacts within CommPeak (Denis and Anastasiia), with whom he speaks Russian.

The “AK Group” operates under the accounts akcapitall and afternoonstar in CommPeak.

VOIP OPERATOR 4: VOISO

Voiso was founded in 2018 and according to their LinkedIn profile they “operate as an AI-driven omnichannel contact center software provider”. Martin Kalinov serves as the Chief Marketing Officer (CMO) at Voiso.

Communication between Vosio and the “Sapphire Network” is handled by Head of Sales Andrew Dumaresq (Andrew D) and “Zoe Wilson” (real name Ziva Reichel) (Slide 1).

“Predator”, the software used to keep track of calls and earnings, shows clear evidence that Voiso is used by the scam call center (Slide 2) as a VoIP operator.

Voiso’s Head of Sales Andrew Dumaresq communicating with Sapphire Network via Skype chat group “Teletalk + Voiso (AD)”.

“Predator” logs calls for each brand, agent and VoIP provider. Voiso is clearly one of the VoIP providers used.

Andrew from Voiso included in the chat group “Teletalk – Voiso (AD)”.

VOIP OPERATOR 5: MMDSMART

In the middle of 2024, Mmdsmart was added to the pool of VoIP suppliers. As with the other providers, the agreement was done between MMDSmart and Mexpend. Once the agreement was put in place, the team of mmdsmart started to work into the integration of the voice provider with the scam network.

The integration was done by Evgeny Kuchkov (MMDsmart engineer) using the account “Teletalk” that refers to the website teletalkhub.com associated to Mexpend.

When we reached out to mmdsmart regarding the “Teletalk” account and Mexpend. Mmdsmart replied that the found an operator with the name “Teletalk” in their systems from Bangladesh.

In a conversation with Jason (VoIP), MMDSmart engineer discusses the new brand “VpTrade”.

Responses from the VoIP operators

Before the release of the “Scam Empire investigation” the 5th March 2025, each of the five VoIP providers were contacted with our allegations. All providers provided similar answers:

They are just companies that provide a platform to enable their customers to make phone calls.
They have on-boarding processes that includes a comprehensive KYC (Know Your Customer) procedure.
They are bound with strict non-disclosure clauses and agreements.
They cooperate fully with authorities when presented with fraud or harassment complaints.
They monitor their customers and react to fraudulent activities.

None of the operators specified what the KYC process includes or what mechanisms that are in place to detect fraudulent activities.

Coperato insisted that they are not responsible for any actions, if any, taken by third parties on its systems. The company claims that they have never knowingly provided services to any entity suspected of engaging in unlawful activity.

Commpeak stated that they are legally bound by confidentiality and data protection laws, which prohibit them from disclosing any information regarding their customers, employees, or specific business relationships. They emphasize that CommPeak maintains compliance policies, including KYC and anti-abuse procedures, designed to prevent misuse of their platform.

Squaretalk’s attorney stated that they are bound with strict non disclosure clauses and agreements and they will conduct an internal investigation regarding the clients that we have pointed. At the time of this writing the result of the investigation has not been communicated. In their most recent response to Qurium, Squaretalk expressed that they have been engaged in active cooperation with law enforcement authorities in multiple jurisdictions since January 2025 and they have received confidential police inquiries instructing the company not to disclose the existence of the investigation or take any action that might compromise it.

Voiso stated that as a company committed to strict compliance, security, and ethical business practices, they conduct Know Your Customer (KYC) procedures and on-going Customer compliance to prevent misuse of their platform and that they cooperate with law enforcement agencies and regulatory authorities in accordance with the law.

MMDsmart stated that they implement a strict due diligence process for all new customers and continuously monitor their existing customers for any signs of fraudulent activity. MMDsmart added that Mexpend is a “brand” of Squaretalk. a reputable company in the telecom sector. MMDsmart informed that neither Teletalk or Mexpend has shown any indication of fraudulent activity.

Media

11 Jun 2025. Cantabria Diario. Una investigación periodística expone una trama internacional de llamadas telefónicas fraudulentas

Cookie	Duration	Description
adsight	60 days	This cookie is used for efficient content delivery and DDoS mitigation.
adsight1	60 days	This cookie is used for efficient content delivery and DDoS mitigation.
adsight2	60 days	This cookie is used for efficient content delivery and DDoS mitigation.
adsight3	60 days	This cookie is used for efficient content delivery and DDoS mitigation.
adsight4	60 days	This cookie is used for efficient content delivery and DDoS mitigation.
adsight5	60 days	This cookie is used for efficient content delivery and DDoS mitigation.
cookielawinfo-checbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checbox-functional	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
viewed_cookie_policy	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.