UK police on Thursday said their biggest ever counter-fraud operation had disrupted an international criminal network targeting hundreds of thousands of victims in millions of spam phone calls.
The Metropolitan Police spearheaded the 18-month global probe into the iSpoof.cc website, working with Europol, the FBI and other law enforcement agencies worldwide.
A total of 142 people have been arrested, including one of its alleged London-based administrators. Suspects were nabbed in Australia, France, Ireland and the Netherlands, while servers were shuttered in the Netherlands and Ukraine.
UK police believe organised crime groups are linked to the website and its tens of thousands of users. The site enables users to access software tools to illicitly obtain victims’ bank account funds and commit other fraud.
Met Commissioner Mark Rowley said the investigation signalled “a different approach” to criminals exploiting technology.
“This is about starting from the organised criminals that actually drive and create the fraud that we see in the world around us,” he told reporters.
The London force, the UK’s largest, said in the year to August, suspects paid to access the website and make more than 10 million fraudulent calls worldwide.
Around 40 percent were in the United States. More than a third were in the UK, targeting 200,000 potential victims there alone.
Fraud detection agencies have so far recorded £48 million in losses in the UK alone. Victims lost an average £10,000. The largest single theft was worth three million pounds.
Losses to victims worldwide are estimated at over £100m.
“Because fraud is vastly under-reported, the full amount is believed to be much higher,” the Met said.
Those behind the site earned almost £3.2m from it, the force added.
Only around 5,000 British victims have so far been identified.
However, the Met’s investigation has yielded the phone numbers of more than 70,000 potential victims, who have yet to be contacted.
The force will attempt to reach them over the next two days, sending text messages directing those contacted to its website, where details can be safely logged.
“What we’re doing here is trying to industrialise our response to the organised criminals’ industrialisation of the problem,” Rowley added.
The iSpoof website, described as “an international one-stop spoofing shop”, was created in December 2020 and at its peak had 59,000 users paying between £150 and £5,000 for its services, according to the Met.
It enabled subscribers, who could pay in Bitcoin, to access so-called spoofing tools which made their phone numbers appear as if they were calling from banks, tax offices and other official bodies.
The mostly commonly imitated organisations include some of the UK’s biggest consumer banks — including Barclays, Halifax, HSBC, Lloyds and Santander.
Combined with customers’ bank and login details, illegally obtained elsewhere online, the criminals were then able to defraud their victims.
“They would worry them (about) fraudulent activity on their bank accounts and tricked them,” explained Detective Superintendent Helen Rance, who leads on cyber crime for the Met.
She noted that people contacted would typically be instructed to share six-digit banking passcodes allowing their accounts to be emptied.
The Met launched “Operation Elaborate” in June 2021, partnering with Dutch police, who had already started their own probe after an iSpoof server was based there.
A subsequent server operating in Kyiv was shuttered in September and the site was permanently disabled on November 8.
The previous day the Met had charged Teejai Fletcher, 34, of east London, with fraud and organised crime group offences.
He remains in custody and will next appear in a London court on December 6.
“It’s fair to say that he was living a lavish lifestyle,” Rance said, noting that the investigation remained ongoing.
“Instead of just taking down the website and arresting the administrator, we have gone after the users of iSpoof,” she added.
Two other suspected administrators outside the UK remain at large, the Met noted.