London’s Metropolitan Police have disrupted one of the largest digitally-enabled fraud operations ever seen and arrested the mastermind behind it, in a major blow to criminals targeting the UK public.
Operation Elaborate targeted iSpoof.cc, an underground website that sold call spoofing services which allowed fraudsters to contact their targets pretending to be trusted organisations, such as banks, tax offices or other official organisations, to trick them into handing over sensitive information including account credentials and, ultimately, funds.
The site’s infrastructure, which was hosted in the Netherlands but was moved to Kyiv, Ukraine earlier in 2022, was seized and taken offline in a joint Ukrainian-US operation earlier this month.
At the same time, the Metropolitan Police arrested the site’s administrator, a 34-year-old man based in East London, who can now be named as Teejai Fletcher. Fletcher was charged with making or supplying articles for use in fraud, participating in the activities of an organised crime group, and proceeds of crime matters. He has been remanded in custody and will appear at Southwark Crown Court on 6 December.
However, in what the Metropolitan Police is describing as an “industrial-scale” response to the industrialisation of digitally-enabled fraud, a treasure trove of 70 million lines of data and bitcoin payment records found on the site’s server has also been used to trace and arrest over 100 UK-based users of iSpoof.
All of those arrested had spent more than £100 of cryptocurrency on call spoofing services. Meanwhile, details of other high-rolling suspects have been passed to police in Australia, France, Ireland and the Netherlands.
“Instead of just taking down the website and arresting the administrator, we have gone after the users of iSpoof,” said Helen Rance of the Metropolitan Police Cyber Crime Unit. “This work will have a much larger impact and will no doubt have prevented hundreds, if not thousands, of additional crimes.
“Our message to criminals who have used this website is: we have your details and are working hard to locate you, regardless of where you are.”
At its peak, said Rance, iSpoof boasted about 59,000 users, who between them caused £48m of losses to 200,000 identified victims in the UK, with an average loss of £10,000, although the true scale is likely to be much higher.
It is thought that at one stage, scammers hiding behind false identities created using iSpoof were contacting 20 people every minute, posing mostly as representatives of banks, including Barclays, First Direct, Halifax, HSBC, Lloyds, Nationwide, NatWest, Santander and TSB.
Fletcher and two other admins are thought to have earned up to £3.2m and, according to Rance, lived “lavish lifestyles”.
Operation Elaborate began in June 2021 and ultimately expanded to draw in Dutch investigators, who were working on the same case from the Netherlands, and law enforcement agencies from across Europe, Australia and the US. Additional support was provided through pan-European agencies Eurojust and Europol.
“This is the first time we have proactively gone after cyber fraud on such a large scale,” said John Roch of the Metropolitan Police Economic Crime Unit. “Fraud mostly takes place online, it’s instantaneous and it can be international and therefore it’s got to be very difficult to identify and bring criminals to justice.
“This operation shows the importance of international collaboration to fight cyber crime. It has given us a unique opportunity to understand how these fraudsters are operating and how we think they dissipate the funds they’ve stolen.
“We will use legislation, and the Proceeds of Crime Act, to try our very best to recover the money lost. This will be a long and protracted effort. The investigation itself will grow, and we know we have only scratched the surface. But we are up for the challenge.”
The Metropolitan Police is today launching an appeal for victims of iSpoof scammers to come forward and report any fraud losses online.
The force has compiled a database of 70,000 UK mobile numbers that it knows to have been contacted via iSpoof, and will be contacting each of them by SMS message on 24 and 25 November.
On the basis that most people are, understandably, wary of unsolicited texts, recipients will be directed to enter the URL of a police microsite into their browser to receive more information, and a call to action, rather than clicking on a link.
If you do not receive a SMS message in that timeframe, your number is not contained in the database, but importantly, if you do receive a message appearing to be from the police after 25 November, it did not originate from the Metropolitan Police and should be disregarded as potentially dangerous.
For more information on how to protect yourself from digitally-enabled fraud, resources are available from UK Finance and the National Cyber Security Centre. If you think you have been a victim of fraud, contact your bank immediately and report it to Action Fraud.