Philippine authorities arrested 15 people in Mandaluyong City during an operation targeting an alleged cryptocurrency investment scam run through a spoofed website. The NBI crypto scam raid matters because it shows how organized fraud groups use fake platforms, desktop operations and social-engineering scripts to make crypto investment schemes look real.
NBI crypto scam raid led to 15 arrests
The National Bureau of Investigation arrested 15 individuals during a May 9, 2026 operation in Mandaluyong City, according to BitPinas’ report on the NBI crypto investment scam case. The operation was carried out by the NBI Dangerous Drugs Division with support from the Digital Forensic Laboratory Division and the Philippine Air Force Intelligence Unit. DZRH also reported that agents implemented a Warrant to Search, Seize, and Examine Computer Data, or WSSECD, at a condominium unit after intelligence reports linked the location to fraudulent online investment activity, according to DZRH’s account of the Mandaluyong raid. Authorities said the alleged operation was tied to an alias known as “Boss Choi.” The arrested group included one Chinese national, one Malaysian national and 13 Filipino nationals. Reports said the Filipino suspects included 12 men and one woman. Investigators said the suspects were found actively using desktop computers when the raid took place.
Spoofed websites made the investment pitch look legitimate
Investigators said the group used a spoofed website to solicit cryptocurrency investments from victims. That detail is the center of the case. A spoofed site can mimic a legitimate platform’s design, language, account screens, wallet flows or dashboard metrics, making victims believe they are dealing with a real crypto business rather than a fraud desk. Newsbytes.PH reported that authorities said the suspects were allegedly using a spoofed website to solicit crypto investments and that the on-site forensic examination revealed data linked to computer-related forgery under the Cybercrime Prevention Act of 2012, according to its report on the Mandaluyong crypto scam operation. That points to a fraud model built around presentation, not just persuasion. This is why the case belongs in Web3 Fraud Files. A fake investment platform does not need to break a blockchain. It needs to make victims believe deposits, account balances and returns are real. Once the victim trusts the interface, the scam can move through staged deposits, fake profits, withdrawal fees and pressure from handlers posing as account managers.
Digital evidence points to organized cyber fraud
The NBI said multiple computer devices were seized and subjected to on-site digital forensic examination. BitPinas reported that the examination revealed digital data used as instruments for computer-related forgery, while the bureau said the evidence indicated the presence of an organized scamming network.
That finding matters because a crypto investment scam hub is different from a lone impersonator account. Organized desks can divide labor across recruiters, chat operators, website handlers, payment coordinators and technical support roles. Victims may interact with multiple personas while believing they are speaking with one investment platform. DZRH reported that authorities said further investigation is continuing to identify additional members of the alleged syndicate and trace possible victims. That means the arrest count is not necessarily the final scope of the case. Digital devices may reveal account lists, scripts, wallet addresses, chat logs, exchange accounts, payment routes or domain infrastructure tied to the operation.
For investigators, the hard part is connecting digital artifacts to victim losses. A spoofed site may show internal balances that never existed on-chain. Crypto deposits, if used, may move through exchanges, mixers, wallets or intermediaries before investigators can map the full flow.
Charges fall under the Cybercrime Prevention Act
The 15 suspects were presented for inquest proceedings over alleged violations of Republic Act No. 10175, the Cybercrime Prevention Act of 2012. Reports listed alleged offenses including social engineering schemes, economic sabotage, misuse of devices, computer-related forgery and aiding or abetting cybercrime activity. Those charges show how Philippine authorities are treating the case: not only as a bad investment pitch, but as a computer-enabled fraud operation. The alleged use of spoofed websites and seized devices gives prosecutors a technical trail that can support cybercrime claims beyond ordinary solicitation. The legal framing also matters for crypto users outside the Philippines. Crypto investment scams often cross borders. A fake platform may be operated in one jurisdiction, recruit in another, receive payments through third-party wallets and target victims through global messaging apps. Local arrests can disrupt one hub, but the playbook can reappear under new domains and aliases. This connects with Cryptic Daily’s broader crypto scam coverage, where social engineering often sits beside technical deception. Fake dashboards, forged account balances and spoofed exchange pages can be as damaging to retail users as malicious smart contracts.
Victims are usually trapped through withdrawal friction
Crypto investment scams often become visible only when victims try to withdraw. Before that point, fake platforms may show deposits growing, profits compounding or VIP tiers opening. Once the victim asks for cash-out, the platform may demand taxes, verification fees, liquidity deposits, wallet unlock payments or additional investment before releasing funds. The Federal Trade Commission warns that crypto scammers often promise high returns, impersonate trusted entities and use pressure to make victims act quickly, as explained in the agency’s guidance on cryptocurrency scams. That pattern matches many spoofed-platform schemes: the user is not only tricked once; they are managed through a sequence of payments. In the Mandaluyong case, authorities have not published a full victim-loss figure. That absence should not be filled with guesses. The confirmed public facts are the 15 arrests, the Mandaluyong condominium location, the spoofed website claim, the seized devices and the cybercrime charges. The next evidence layer should come from forensic review, victim statements and any wallet or payment-route disclosures.
What users should watch after the Mandaluyong case
Users should treat any crypto platform promising guaranteed returns, managed profits, special mining yields or private investment access as high risk unless the company, license, domain, team and withdrawal process can be independently verified. A polished dashboard is not proof of custody. A rising account balance on a website is not proof of real trading.
The practical warning is simple. Do not send crypto to a platform because a recruiter, social contact, dating-app profile, Telegram group or WhatsApp handler claims to have insider access. Do not pay a “tax” or “unlock” fee to withdraw funds. Do not trust screenshots of profits. If a website blocks withdrawals until more money is sent, that is a strong fraud signal. For Philippine users, the case also shows why reporting matters. The NBI operation followed intelligence reports on fraudulent online investment activity. Scam hubs often depend on victims staying silent because of embarrassment, fear or hope that one more payment will release funds. Early reporting can help investigators freeze devices, identify operators and map additional victims before domains disappear. The next concrete signal is whether the NBI publishes more details from the seized devices, including victim counts, wallet addresses, payment channels, website domains or links to additional operators. Until then, the Mandaluyong raid should be read as a warning that fake crypto investment sites remain an active law-enforcement target, not as proof that one raid has ended the wider scam model. This article is for informational purposes only and does not constitute financial or investment advice.
Berat Oshily has spent the last ten years deep in the weeds of crypto security, not from the sidelines but hands-on: working contracts, breaking systems, and figuring out exactly where things go wrong. Based in Birmingham, he focuses on Web3 fraud: the scams, the exploits, the rug pulls, and the smart contract vulnerabilities that cost real people real money. He knows how attackers think because he has spent years testing the same systems they target. Beyond the technical work, Berat has a knack for making complicated on-chain fraud understandable, whether he's talking to security professionals or someone who just lost funds to a phishing link. You'll often find him at blockchain conferences across the UK and Europe, sharing what he knows.