Eighteen-month global probe into the iSpoof.cc website — part of a criminal network that duped victims in millions of spam phone calls — leads to 100 arrests.
UK police have said their biggest-ever counter-fraud operation had disrupted an international criminal network targeting hundreds of thousands of victims in millions of spam phone calls.
The Metropolitan Police, which spearheaded the 18-month global probe into the iSpoof.cc website has arrested over 100 people in recent weeks, including one of its alleged London-based administrators.
Working with Europol, the FBI and other law enforcement worldwide, suspects were nabbed in the Netherlands, Australia, France and Ireland, while servers were shuttered in the Netherlands and Ukraine.
UK police believe organised crime groups are linked to the website and its tens of thousands of users, who could access software tools to help illicitly obtain victims' bank account funds and commit other fraud.
Met Commissioner Mark Rowley said the investigation signalled "a different approach" to criminals exploiting technology.
"This is about starting from the organised criminals that drive and create the fraud that we see in the world around us," he told reporters.
Millions of frauds, millions in losses
The London force — the UK's largest — said in the year to August, suspects paid to access the website and make more than 10 million fraudulent calls worldwide.
Around 40 percent were in the United States, while more than a third were in the UK, targeting 200,000 potential victims there alone.
Fraud detection agencies have so far recorded $58 million in losses in the UK alone, with the largest single theft of $3.6 million and an average of $12,000.
"Because fraud is vastly under-reported, the full amount is believed to be much higher," the Met said.
Those behind the site earned almost $3.87 million from it, the force added.
Only around 5,000 British victims have so far been identified.
However, the Met's investigation has yielded the phone numbers of more than 70,000 potential victims who have yet to be contacted.
The force will attempt to reach them over the next two days, sending text messages directing those contacted to its website, where details can be safely logged.
"What we're doing here is trying to industrialise our response to the organised criminals' industrialisation of the problem," Rowley added.
The iSpoof website — described as "an international one stop spoofing shop" — was created in December 2020 and, at its peak, had 59,000 users paying between $181 and $6,041 for its services, according to the Met.
It enabled subscribers, who could pay in Bitcoin, to access so-called spoofing tools which made their phone numbers appear as if they were calling from banks, tax offices and other official bodies.
Some of the UK's biggest consumer banks — including Barclays, HSBC, Santander, Lloyds, and Halifax — were the most commonly imitated.
Combined with customers' bank and login details illegally obtained elsewhere online, the criminals were then able to defraud their victims.
"They would worry them (about) fraudulent activity on their bank accounts and tricked them," explained Detective Superintendent Helen Rance, who leads on cybercrime for the Met.
She noted that people contacted would typically be instructed to share six-digit banking passcodes allowing their accounts to be emptied.
The Met launched "Operation Elaborate" in June 2021, partnering with Dutch police who had already started their probe after an iSpoof server was based there.
The previous day the Met had charged Teejai Fletcher, 34, of east London, with fraud and organised crime group offences.
He remains in custody and will next appear in a London court on December 6.
"Instead of just taking down the website and arresting the administrator, we have gone after the users of iSpoof," she added.
Two other suspected administrators outside the UK remain at large, the Met noted.