UK’s biggest fraud sting takes down ispoof site linked to 200,000 victims

Members of British law enforcement were part of a global operation to bring down ispoof.cc, a website described by police as an online fraud shop.

They worked with Dutch law enforcement who managed to tap the website’s servers in the Netherlands to secretly listen to phone calls.

At one point, as many as 20 people every minute were being targeted by callers using technology bought from the site. Criminals – who found out about the site from adverts posted on channels on encrypted messaging app Telegram – used the site to buy technology that allowed them to mask their phone number.

This meant they could trick victims into thinking they were being contacted by their bank and persuade them to pass on personal details that allowed the fraudsters to steal cash.

One victim alone lost £3m, with the average loss being £10,000 for the 4,785 people who reported being targeted to Action Fraud. There are thought to be many more potential victims.

Of 10 million fraudulent calls made, 40 per cent were in the US, 35 per cent were in the UK and the rest were spread across a number of countries.

Around 70,000 UK phone numbers called by criminals who used the site will be alerted by the Metropolitan Police via text message on Thursday and Friday and asked to contact the force.

Metropolitan Police Commissioner Sir Mark Rowley acknowledged it is “slightly bizarre” that potential fraud victims will now be contacted about the crime by text, but encouraged people to go through the official police website if contacted.

He told BBC Radio 4’s 'Today' programme: “There is something sort of slightly bizarre about this, which is why we’re encouraging people to actually go on to the Met Police website and they’ll find the shortcuts and links there to report this.

“Don’t respond to any texts with sort of dodgy shortcuts and things. Come through official websites is the best way of doing this. But we want to hear from you because the people we message in the next 24 hours have been victims of fraud or attempted fraud and we can stack all these offences against the people we’ve been arresting.”

So far, 120 arrests have been made in the UK: 103 in London and 17 outside the capital. These include alleged site administrator Teejay Fletcher, who was arrested in east London earlier this month and is facing criminal charges.

Police said Fletcher, who is alleged to be a member of an organised crime group, was living a “lavish” lifestyle. The site is said to have made more than £3m profit.

Sir Mark said the number of potential UK victims is “extraordinary”, adding: “What we are doing here is trying to industrialise our response to the organised criminals’ industrialisation of the problem.”

Ispoof was created in December 2020 and at its peak had 59,000 users, allowing them to pay for the criminal software using Bitcoin, with charges ranging from £150 to £5,000 per month.

UK police began investigating the site in June 2021, opting for ispoof as the largest criminal site that was based in the country.

Detective Superintendent Helen Rance, who leads on cyber crime for the Met, said: “By taking down ispoof we have prevented further offences and stopped fraudsters targeting future victims.

“Our message to criminals who have used this website is we have your details and are working hard to locate you, regardless of where you are.”

Commenting on the Met's moves to contact defrauded victims, Erfan Shadabi, a cyber-security expert at data security company Comforte AG, said: "This is a move in the right direction and bittersweet news for the victims, and a cautionary tale for banks and all customers. It is best practice for banks and any organisation that is involved in any sort of financial transaction to provide a clear warning to customers that outlines how important information, such as bank details, will or will not be provided.

"The best would be that any notice of change of banking detail be confirmed personally and supported by an original letter from the relevant banking institution. Additionally, a customer should then immediately alert the relevant company should any such fraudulent-looking email or phone call be received. 

"Banking is all about trust, but with an increasing attack surface it’s nearly impossible to prevent breaches and similar fraudulent activities. The most important thing financial organisations can do is protect customer data and make sure that their accounts are not affected, with their privacy protected whenever a breach happens."

Reflecting on the Met's text message medium of choice for contacting victims, Javvad Malik – lead security awareness advocate at security awareness training firm KnowBe4 – said: "It's good to see that the police are taking the initiative and trying to actively contact potential victims. However, the irony here is that people who receive text messages claiming to be from the police could very well believe the message itself is a scam, particularly if it includes a link. 

“For this to be effective, the police need to carefully manage the campaign and give clear instructions as to what is expected."