Polish internet swindlers have cooked up an elaborate scam that involves taking over your Facebook profile to ransack your bank account and swiftly transfer the stolen funds to anonymous Bitcoin wallets.

Discovered by independent cybersecurity research collective BadCyber, the unusual deceit has been documented in a recent blog post that goes over the attack vector in more detail.

What is particularly interesting is how intricate and laborious the scheme is.

To get things off the ground, the hackers rely on well-known malware and phishing techniques to exfiltrate login credentials and obtain access to Facebook accounts. Once an account has been breached, the attackers proceed to inspect the user’s chat history and target individuals close to the account owner.

Posing as the actual user, the attackers then reach out to numerous contacts and ask them to wire a small amount of money for insignificant online purchases. Since Poland heavily uses intermediary payment services that enable online shopping without credit cards, such requests are not at all uncommon.

Once a contact has agreed to make the transaction, the attackers send a spoofed payment link that directs unsuspected victims to carefully cloned websites of popular payment providers. There, the user is quickly prompted to complete the payment by entering a one-off code received over SMS.

This is where things finally start to get tricky. While the SMS simply asks for transaction approval, the researchers noticed that the attackers had discovered how to doctor the text to surreptitiously authorize a ‘trusted transfer’ – a procedure that enables users to send funds to select accounts without additional security measures.

Here is a screenshot of the deceitful page as it appeared before it was eventually taken down:

As soon as the attackers have managed to trick the victim into marking the transaction as a ‘trusted transfer,’ BadCyber estimates that it takes approximately 15 minutes to empty the compromized bank account and transfer all stolen funds to anonymous Bitcoin wallets.

It remains unclear how wide spread the attack is, but the researchers speculate ‘a handful of attempts’ could take place during the same night.

According to the security collective, what makes the scam particularly nasty is that it remains largely out of the scope of banks once the funds have been exchanged for Bitcoin. BadCyber also points out the increased difficulty of identifying the swindlers due to the multi-step nature of the attack.

“It begins on Facebook, then moves to fraudster’s hosting and the thief logs into the bank using mostly socks ports on zombie machines in the same area where the victim lives,” the researchers say. “Only vigilant fraud detection departments equipped with proper detection mechanisms can handle those attacks properly.”

So in case you want to keep your money in your bank: Better enable two-factor authentication on Facebook now and stay extra careful when someone asks you to “help out” with a small online transaction.

on BadCyber

Read next: Indian creator of $3,500 self-driving car: "Reaching Level 5 autonomy will take a decade in India"