More than 100 arrested in UK as fraud-as-a-service iSpoof website seized by police

More than 100 people have been arrested in the United Kingdom in what the Metropolitan Police Service described on Thursday as a take down of the country’s “biggest ever fraud operation,” with more international arrests expected to follow.

The suspects — 103 in London and 17 elsewhere in the country — are all connected to the fraud-as-a-service website iSpoof which is believed to be behind “an estimated worldwide loss in excess of £100 million” ($120 million).

A seizure notice has now replaced iSpoof’s homepage and a message has been posted on the service’s Telegram channel stating that international law enforcement “gained access to its servers and obtained customer data” several months ago.

The Metropolitan Police Service also uploaded a video in the style of an existing iSpoof advertisement mocking the criminal users and the claims the service itself made about protecting their anonymity: “iSpoof has complete end-to-end encryption, which is useless when police have access.”

Also arrested in east London on November 6 was Teejay Fletcher, 35, the alleged main administrator of the service. The Met Police say he has been charged with a range of offenses and has been remanded in custody.

The Met’s Cyber Crime Unit began investigating iSpoof in June 2021 under the name of Operation Elaborate, it said, noting that the site was created in December 2020 and had 59,000 user accounts. The site’s main website and server was seized and taken offline by American and Ukrainian authorities on November 8.

“Investigators infiltrated the site and began gathering information alongside international partners. The website server contained a treasure trove of information in 70 million rows of data. Bitcoin records were also traced,” said the Met.

“Because the pool of 59,000 potential suspects is so large, investigators are focusing first on UK users and those who have spent at least £100 of Bitcoin to use the site. A wave of UK arrests followed with details of other suspects passed onto law enforcement partners in Holland, Australia, France and Ireland.”

The service effectively allowed users to “anonymously make spoofed calls, send recorded messages, and intercept one-time passwords,” according to Europol.

The majority of the victims targeted using it were based in either the United States (40%) or the United Kingdom (35%) and there are believed to be more than 200,000 potential victims in Britain alone, according to the Met Police, which led the investigation.

On Thursday and Friday, the force intends to send texts to around 70,000 phone numbers in Britain which had been targeted by criminals using the iSpoof website, asking the potential victims to get in touch.

“Victims are believed to have lost tens of millions of pounds while those behind the site earned almost £3.2 million [$3.9 million] in one 20 month period,” the Met Police stated.

It added that the losses reported to the U.K.’s fraud hotline Action Fraud as a result of iSpoof texts and calls was around £48 million ($58 million), but “because fraud is vastly underreported, the full amount is believed to be much higher.”

The arrests follow a report from the House of Commons Justice Committee which criticized the British government’s response to fraud, detailing how law enforcement agencies and other stakeholders have structurally failed to stop digital crimes and lack adequate resources to address the issue.

It particularly criticized Action Fraud, which it said “has proven itself unfit for purpose.”

Action Fraud is set to be replaced in 2024 with a new reporting service underpinned by technology that will allow greater analysis of the volume of crimes reported — something the current service doesn’t provide.

The Met Police’s detective superintendent Helen Rance, who leads on cybercrime, said: “By taking down iSpoof we have prevented further offenses and stopped fraudsters targeting future victims. Our message to criminals who have used this website is we have your details and are working hard to locate you, regardless of where you are.”

The Commissioner of the Metropolitan Police, Sir Mark Rowley, stated: “The exploitation of technology by organized criminals is one of the greatest challenges for law enforcement in the 21st century. Together with the support of partners across UK policing and internationally, we are reinventing the way fraud is investigated. 

“The Met is targeting the criminals at the center of these illicit webs that cause misery to thousands. By taking away the tools and systems that have enabled fraudsters to cheat innocent people at scale, this operation shows how we are determined to target corrupt individuals intent on exploiting often vulnerable people,” he said.

Europol’s executive director Catherine De Bolle said: “The arrests today send a message to cybercriminals that they can no longer hide behind perceived international anonymity. Europol coordinated the law enforcement community, enriched the information picture and brought criminal intelligence into ongoing operations to target the criminals wherever they are located. Together with our international partners, we will continue to relentlessly push the envelope to bring criminals to justice.”