The Clean Air Programme (Czyste Powietrze) in Poland is a government grant and subsidy program designed to help homeowners improve energy efficiency and reduce air pollution. It supports replacing old, high-pollution heating systems (especially coal stoves and old boilers) with cleaner alternatives, as well as home upgrades such as insulation, window replacement, ventilation, and heating modernization.
The program is mainly available to owners of single-family homes, and the level of financial support depends on household income and the type of improvements being made. Its main goal is to reduce smog, lower household energy use, and improve air quality across Poland.
Although the Clean Air Programme is intended to help homeowners improve energy efficiency, it has also been exploited by dishonest contractors and scammers. The programme is often targeted at vulnerable homeowners, especially older people and residents of rural areas who may have less access to information or legal support. In some cases, companies persuade people to sign contracts for overpriced or poor-quality work, withdraw subsidy money, or arrange unfavorable financing.
Many victims still have to pay even if the work is never done because the contracts and financing are usually in their name, not the contractor’s. When companies disappear or fail to complete the renovation, homeowners may remain legally responsible for repayment, leaving them with debt for work they never received.
A large-scale investigation into possible fraud in the Clean Air Programme is already in progress. Polish and European authorities are examining over 500 million PLN worth of suspicious contracts, amid concerns that public subsidies may have been misused or obtained through dishonest practices.
The case
The client paid a company for solar panels and heat pump installation. The work was never delivered and the company stopped responding.
Our role was to assess whether the company was connected to the suspected fraud scheme and deliver an intelligence package strong enough to support a favorable legal outcome for the client.
What we did
We carried out an intelligence assessment to understand who we were really dealing with. We pulled information from multiple sources like company records, financial documents, online infrastructure, maps and property data, reviews, certification databases, sanctions checks, breach intelligence through Baysec Breachripper, and direct outreach to people connected to the case. We cross-checked everything to build a clear picture of how the company operated and whether there were signs of fraud or deception.
What we found
Our investigation resulted in a documented fraud network delivered to the client.
Key Findings:
- Phoenix company scheme
We found a repeating pattern. The same people had been setting up new companies every few years while shutting down the old ones. A company would take on clients, collect payments, build up debt, and then enter liquidation. Soon after, a new company would appear registered by the same people, at the same address, and operating in almost exactly the same way. The debts, legal problems, and unhappy customers were left behind with the old company, while business simply continued under a new name.
This type of structure is often referred to as a phoenix company scheme: the old company collapses, but the people behind it continue operating through a newly created entity. In this case, the pattern appeared to stretch back more than ten years across seven separate entities. One particularly strong indicator was timing. A replacement company had already been registered months before the current company started receiving complaints. We also found that documents used by the new business appeared to be copied directly from earlier versions, including sections where the previous company’s name had accidentally been left in the text.

- Straw person involved
The director of the investigated company was removed from the board right when complaints started piling up. He stayed on as a shareholder but dropped formal liability. The real controller, who had not been formally connected to the company in any way, suddenly became CEO. A new entity had already been registered months earlier at his personal address. He used people from his personal circle as formal directors and shareholders: people with no business history, no online presence, and no connection to the industry were holding 50% of “his” company. We also found an email address from an older company listed as contact info in the newest entity, registered by the person who supposedly had no connection to the old one.
- The money trail
We cross-referenced balance sheets across related entities. The company had collected millions in client prepayments while the balance sheet showed negative equity from day one. The “receivables from related entities” line matched the prepayment amount to the penny. This suggested that client funds were being moved to a sister company instead of being used to carry out the work. The sister company was then placed into liquidation despite appearing profitable, with its balance sheet effectively cleared beforehand.
- Tesla-speed growth
2730% revenue growth in one year with five employees and no meaningful fixed assets like tools, vehicles or equipment for a construction company. Revenue per employee over a million PLN. The board officially took zero compensation despite millions in revenue. The money was flowing out through “services from third parties” and inter-entity transfers.
- Subsidy fraud
The company got power of attorney over the client’s government portal, submitted a subsidy application on their behalf, and had the subsidy paid directly to the company’s bank account. When the work wasn’t delivered, clients were liable to return the subsidy to the government. The company kept the money.
- Zero qualifications
The company advertised itself as a specialist for a national green energy subsidy program. Nobody in the organization held the required government certification.

- Fake reviews
Six five-star reviews were posted on a single day, all using the same generic language. We also found a review management platform generating exactly 100 reviews at a near-perfect average. Former clients and employees publicly confirmed the positive reviews come from staff and relatives.
- HUMINT
We identified a former business partner through open sources, found his phone number in public records, and called him. He confirmed that he left the network because he wanted to do business honestly.
The modus operandi
By correlating victim statements, financial data, and infrastructure analysis, we reconstructed the full operation:
Phase 1: Attract. Professional-looking website, bought reviews, promises of handling the full subsidy application. The pitch: “we take care of everything.”
Phase 2: Sign. Client signs a contract, pays a large upfront deposit, hands over personal data and power of attorney to the government subsidy portal.
Phase 3: Subsidy. The company files for the subsidy on the client’s behalf. The money goes to the company’s account.
Phase 4: Non-delivery. The work never starts, gets partially done, or doesn’t match the agreement. Equipment is purchased through a related company at inflated prices.
Phase 5: Ghost. Company stops answering calls. Blocks client access to government portals and deletes negative reviews.
Phase 6: Counterattack. Victims who complain publicly receive pre-litigation payment demands. Legal intimidation to keep people quiet.
Phase 7: Phoenix. When complaints reach critical mass, a new entity is already registered and waiting. The old company enters liquidation. Debts stay with the previous entity. The cycle restarts.
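
The phoenix pattern from the key findings and Phase 7 can be checked mechanically once registry data has been collected. The following is an added example, not Baysec's own tooling: the entity records are constructed and fictional, and the field names and the 365-day window are assumptions. It groups entities that share an officer or address and flags successors registered before, or shortly after, a linked predecessor's liquidation.

```python
from datetime import date
from itertools import combinations

# Constructed sample records (fictional names), shaped like a company-registry export.
ENTITIES = [
    {"name": "Alfa Eko", "address": "ul. Przykladowa 1", "officers": {"A. Nowak", "B. Kowal"},
     "registered": date(2014, 3, 1), "liquidated": date(2017, 6, 30)},
    {"name": "Beta Term", "address": "ul. Przykladowa 1", "officers": {"A. Nowak"},
     "registered": date(2017, 2, 10), "liquidated": date(2021, 9, 15)},
    {"name": "Gamma Sun", "address": "ul. Inna 7", "officers": {"A. Nowak", "C. Lis"},
     "registered": date(2021, 4, 1), "liquidated": None},
    {"name": "Delta Bud", "address": "ul. Daleka 99", "officers": {"D. Zaj"},
     "registered": date(2016, 1, 1), "liquidated": None},
]

def links(a, b):
    """Return the attributes two entities share (officers and/or address)."""
    shared = sorted(a["officers"] & b["officers"])
    if a["address"] == b["address"]:
        shared.append(a["address"])
    return shared

def clusters(entities):
    """Group entities connected, directly or transitively, by a shared officer or address."""
    parent = {e["name"]: e["name"] for e in entities}
    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving keeps lookups short
            x = parent[x]
        return x
    for a, b in combinations(entities, 2):
        if links(a, b):
            parent[find(a["name"])] = find(b["name"])
    groups = {}
    for e in entities:
        groups.setdefault(find(e["name"]), set()).add(e["name"])
    return [g for g in groups.values() if len(g) > 1]

def phoenix_handoffs(entities, window_days=365):
    """Flag linked pairs whose successor was registered before, or soon after, the predecessor's liquidation."""
    hits = []
    for old, new in combinations(sorted(entities, key=lambda e: e["registered"]), 2):
        if old["liquidated"] is None or not links(old, new):
            continue
        gap = (new["registered"] - old["liquidated"]).days  # negative: successor pre-registered
        if gap <= window_days:
            hits.append((old["name"], new["name"], gap, links(old, new)))
    return hits
```

A negative gap corresponds to the timing indicator described above: the replacement entity already existed while the predecessor was still trading.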

What the client got
A full intelligence report with every claim sourced and graded:
- Executive summary - key findings, threat assessment, risk matrix, estimated scale of damages, and recommended actions
- Individual profiles - full dossiers on all identified people: roles across entities, personal details, contact information, online presence, evidence tying them to the network
- Legal qualification - evidence mapped to criminal code articles: fraud, creditor obstruction, fraudulent bankruptcy, subsidy fraud
- Recommendations - which entities to file against and which assets to target
- Corporate entity map - all connected companies, their directors, shareholders, shared addresses, and timelines
- Financial analysis - cross-referenced balance sheets and income statements with specific red flags documented
- Modus operandi reconstruction - the full seven-phase operation, correlated from victim statements, financial data, and infrastructure
- Other identified victims - names, statements, and contact details for group complaint coordination
- National investigation context - how the case connects to the ongoing EPPO/CBA proceedings
- Chronological evidence timeline - court-ready
- Certification verification - government registry checks confirming no one in the network holds required qualifications
- Reputation analysis - platform-by-platform breakdown of fake reviews, manipulation evidence, and victim statements
- Digital infrastructure analysis - connections between entities through shared domains, email, and hosting
- Dark web and breach intelligence - from Baysec Breachripper
- Sanctions and PEP screening - all subjects checked against sanctions lists, politically exposed persons databases, and international watchlists
Why this matters
Fraud networks like this work because individual victims rarely see the full picture. One complaint can be brushed off. But a pattern backed by corporate links, financial records, named individuals, and legal analysis is much harder to ignore.
We give victims and their lawyers the intelligence to fight back.
Who we work with
We are a cybersecurity intelligence company. Our core work is offensive security, penetration testing, and threat intelligence. Intelligence assessments apply the same skillset to a different target. We map external attack surfaces, find exposed assets, pull leaked credentials from breach databases, trace digital infrastructure, and cross-reference everything against active threat actor campaigns.
Law firms. Pre-litigation intelligence, due diligence on counterparties, asset tracing support.
Companies running M&A or partnerships. Before acquiring a company or signing a major contract, it’s important to understand what sits behind the corporate structure. We map hidden relationships and surface the relevant history so risks are identified before commitments are made.
Financial institutions. Corporate due diligence, counterparty intelligence.
Insurance companies. Claim verification, fraud pattern detection across claimants.
Government and public sector. Investigations, background screening, supply chain risk assessment.
CISOs and security teams. Penetration testing, red team assessments, EASM, application security, cyber threat intelligence, breach intelligence. Delivered through Baysec Platform.
Regulated industries. NIS2, DORA, compliance evidence. Continuous intelligence on threats targeting your sector.
HR and executive vetting. Background checks on candidates for senior positions or board seats.
Fraud victims and their lawyers. We build the evidence that changes the outcome.
This was a fraud investigation, but it’s one example of what our intelligence assessments deliver.
Contact us
kontakt@baysec.eu | +48 786 432 409 | baysec.eu