The Sapphire Network scam is a multi-layered financial syndicate that mainly targets European and Western citizens. The management is Israeli-led, with technical developers based in Bulgaria and call centers operating out of Georgia.
The network remains active, though it has significantly evolved its tactics in 2026. While several of their classic domains have been flagged and pulled down, the organization continues to operate by rapidly cycling through new “bait” websites and leveraging newer technologies or maintaining some older domains.
View and download the full list(PDF) containing 60+ domains linked to the Sapphire Network syndicate in 2026.
According to qurium.org report, here’s a list of domains linked to the network:
| Original Entity | Subsequent Domain | Current Status |
| BTCcapital | btccapital.io | Domain remains active: Currently pivoting to “Fixed-Return” crypto packages to lure investors during market volatility; often uses “Capital Outflow” narratives to create urgency. |
| Tactixinvesting | tactix-invest.com/ tactix.pro | The tactix-invest.com domain is currently unreachable whereas tactix.pro redirects to tactix.ca, an unrelated business. |
| Finxocap | finxocap.com | Domain is active and currently scamming. |
| Orbonex | orbonextrades.com | Domain is active and currently scamming. |
| BproTrade | bprotrade.io | Domain is active and currently scamming. |
| Finbok | finbok.io | Domain is active and currently scamming. |
| Onyx-traders | onyx-traders.com | Domain is active and currently scamming. |
| Rivobanc | rivobanc.com | Domains is currently warming |
| SIFX | sifx.com | Domain is active and currently scamming. However, the scammers seem to be using geolocation barrier software that filters out visitors from certain countries. |
| Tredomatix | tradomatix.com | Domain is active and currently scamming. |
| Ubsinvesting | ubsinvesting.pro/ ubs-platform.cc | Impersonating the legitimate UBS Group. |
| Vptrade | vptrade.com | Domain is active and currently scamming. |
| Xnvest | xnvest.com | Domain warming up and probably waiting to be relaunched. |
According to the Qurium Media Foundation, widely considered a highly credible source in digital forensics and cyber-investigation, the Sapphire Network scam is also linked to:
Our independent research at ScamReader.info confirms these findings, as we have previously exposed each of these four brands.
You can refer to the 2026 PDF blacklist provided earlier in this report for the full list of 60+ domains connected to this syndicate
The Leadership and Technical Backbone Of the Sapphire Network scam
The network’s “brain” is primarily based in Israel, providing the strategy and the sophisticated software needed to manage thousands of victims at once.
At the core of the operation is an affiliate leads tracking software called GetLinked.io. It was developed by a Bulgarian firm (Perspecta LTD) but is managed by Gal Friedman.
An individual named Ronen Nimrod Kapeika, using the alias “James Collins”, acts as the Chief Marketing Officer of the Sapphire Network scam.
He bridges the gap between the technical software and the “back office” that manages the money flow. Operations are often masked behind legitimate-sounding entities like MDR Solutions LTD (Madar), BTCcapital, BproTrade, FX Capital Group, Dukasbanc, and Vptrade.
The Georgian Call Centers
While the leadership is in Israel, the “muscle”, the people who actually call victims, is largely outsourced to Georgia mainly due to lax regulation.
AK Group is the name given to this call center group with staff who work in various building complexes within the Republic of Georgia. These include:
- The King David Business Center: A prestigious, glass-fronted twin-tower complex on the banks of the Mtkvari River.
- Vake District Offices: Some clusters have been identified in the upscale Vake district, often within smaller, modern commercial buildings that allow for more discreet entry and exit of staff.
- Saburtalo Business Hubs: Office spaces in the Saburtalo district, known for its dense concentration of business centers and tech startups.
The network employs thousands of young, fluent speakers of English, German, French, and Spanish. They are trained in high-pressure psychological tactics to convert “leads” into “depositors.
The 6-Step Victim Lifecycle
The Sapphire Network uses a highly organized industrial “assembly line” to move a person from seeing an ad to losing their life savings:
Step 1: Building campaign web pages to attract new “leads” (victims) to the Sapphire Network scam in the name of “investment opportunities”
The campaign web pages are given legitimate-sounding names such as:
- Bitcoin 360 AI
- Bitcoin Circuit
- Bitcoin Banker
- Bitcoin Bank.
Notably, these Campaign pages are hosted with hosting providers that protect the identities of the scammers.The hosting providers are typically located in jurisdictions with lax data-protection laws or where international legal requests are difficult to enforce. They typically:
- Do not require ID verification or a real name to sign up.
- Accept crypto payments, allowing scammers to pay for hosting without linking a bank account or credit card.
- Openly advertise that they will not take down content based on copyright or “abuse” complaints from outside their home country to lowkey appeal to bad actors.
- Are often located in countries like Russia, Moldova, Seychelles, or Panama, which may not cooperate with Western law enforcement quickly.
Some common web hosts that either knowingly or unknowingly make it easy for scammers to operate include:
- Shinjiru Web Hosting(shinjiru.com.my)—Located in high-privacy jurisdictions; famously slow to respond to international “takedown” notices. Likely located in Malaysia, given the .my domain extension.
- AbeloHost(abelohost.com)—Located in high-privacy jurisdictions; famously slow to respond to international “takedown” notices. Claims to be based in the Netherlands.
- AlexHost(alexhost.com)—Located in high-privacy jurisdictions; famously slow to respond to international “takedown” notices. Located in Moldova based on the company’s Google Reviews Profile.
- FlokiNET(flokinet.is)–Founded by privacy activists; they prioritize customer anonymity above almost all else. The company’s Google Reviews Profile alongside its domain extension, .is, suggest that it’s located in Iceland.
- Njalla(njal.la)–Founded by privacy activists; they prioritize customer anonymity above almost all else. Based on the “.la” domain extension, this company might be located in Laos, a country that hosts a massive, isolated cyber-scam industry run by foreign criminal networks, often involving trafficked labor.
- BlueAngelHost(blueangel.host)—Specialize in “DDoS protection” and “high-risk” hosting, which provides a sturdy shield for a site under scrutiny. Trustpilot shows that this company is based in Bulgaria. Like most countries, this nation has had some individuals or groups involved in online fraud, particularly call-center scams and cybercrime rings that have been reported in the past. There have also been law enforcement actions by Bulgarian authorities and international partners targeting such operations.
- KoDDoS(koddos.net)—Specialize in “DDoS protection” and “high-risk” hosting, which provides a sturdy shield for a site under scrutiny. The company’s Google Reviews Profile shows that it’s located in Hong Kong.
Other Ways In Which the Sapphire Network Scam Masterminds Hide
It isn’t just the host that protects them; these scammers use a multi-layered approach:
- Besides favourable hosts, they use conducive registrars that offer the Whois privacy, conveniently hiding their email contacts and phone numbers from public records.
- Many use Cloudflare or similar services as a front, conveniently hiding their “real” IP addresses. This makes it look like their sites are hosted in the US when they are actually offshore.
- They may hide their malicious traffic inside the encrypted traffic of a legitimate service (like Google or Amazon) to bypass security filters.
Before you sign up for any “investment”, check the website’s hosting details. If it’s hosted by a ‘privacy-first’ host, stay away. It’s a major red flag. Protect your money and your data by walking away immediately.”
Step 2: Contracting a Tracker
The Sapphire Network has contracted a “tracker service” known as “GetLinked”, which acts as a broker between the syndicate and dubious affiliate marketers.
In this context, a “tracker service” is specialized software (and often a company/platform) that manages, tracks, and optimizes affiliate marketing campaigns, especially performance-based ones.
Run by an individual called Gal Friedman, the service assigns affiliates the “offers” that need to be promoted, the geolocation of those offers and to which target group (by language) the offer is targeting. These “offers” are linked to genuine-sounding brands and the affiliates are provided with information on how much compensation they can claim for each victim (conversion).
Then there’s an individual called Ronen Nimrod Kapeika a.k.a “James Collins”. He acts as the point of contact between the entity behind the tracking software and the core backoffice of the entire Sapphire Network scam.
Step 3: Inviting Affiliate Networks
Affiliate marketers are recruited through major affiliate networks such as ROI Collective, Supremedia and Affilomania-TrafficOn. They strategically choose these notable entities to increase their outreach and maximize conversions. The affiliate marketers are responsible for “generating traffic” to the Sapphire Network’s dubious offers, essentially leading victims to the scammers.
It is important to understand that the affiliates do not directly promote the brands owned by the Sapphire Network but rather use generic and legitimate-sounding entity names.
The reason here is to hide the Network’s brands from the general public, an approach that makes it harder for victims of previous scams linked to the network to connect the dots.
Step 4: Sending Potential Victims To the Sapphire Network Scam
The affiliate marketers use different techniques to promote the so-called investments. These include placing paid ads in Social Media.
To attract attention, gain credibility, and vouch for their “investments”, they often use names of celebrities and/or successful individuals, e.g. Elon Musk.
Below are a few screenshots showing the use of Elon Musk’s photos and a video to direct unsuspecting visitors to Quantum AI and Immediate Granimator, two questionable online investment platforms.
Affiliates often purchase traffic through third-party ad networks such as Los Pollos or Taco Loco. Another common tactic involves exploiting publishing platforms like Medium, where they post compelling articles to drive potential victims toward active scams. Furthermore, promotional efforts frequently extend to paid influencer videos, mobile app pop-ups, and direct SMS messaging.
Step 5: Victim submits contact details
Victims who find the “investment opportunity” ads in social media and other methods outlined above appealing are re-directed to the respective sites to complete an online application form. They innocently provide their contact details, which are submitted to the scammers’ call centers.
The Getlinked leads tracking software keeps track of which affiliate brought a victim.
Step 6: The enrollment call
Agents from the Sapphire Network scam use the information provided in the sign-up forms to contact potential victims directly.
They use different VoIP (voice-over-IP) services for all outgoing calls and SMS to the victims. These advanced services enable them to spoof numbers, allocate numbers for inbound calls, and integrate their voice services with the customer relationship management software smoothly.
Notably, the VOIP service providers know the locations where the calls are placed.
Victims are asked to complete the enrollment process, which is finalized when the victim makes a financial transaction of 250 EUR (or the equivalent in the victim’s local currency).
The data leak and forensic investigations by the Qurium Media Foundation (released in early 2025) identified five primary VoIP providers used by the Sapphire Network:
- Squaretalk (Israel)
- CommPeak (Israel)
- Local03 (Israel)
- B-Compliance (Israel)
- NetSapiens (Singapore/International)
Are You a Victim of the Sapphire Network?
If you have lost funds to BTCcapital, Finxocap, BproTrade, or any of the domains linked to the Sapphire Network scam, you are not alone. My investigation into this syndicate is ongoing, and your evidence is crucial to mapping their 2026 operations.
Don’t let them get away with it. I can help you document your case and provide guidance on the next steps for recovery and reporting.
Report a Sapphire Network Scam Here
N/B: All submissions are handled with the strict confidentiality required for forensic investigations.