Detectives are warning 70,000 potential victims after at least £48 million was netted by criminals operating an online fraud factory.
The international scam was allegedly masterminded by a 34-year-old man living in a waterfront flat in Docklands, east London.
At one point as many as 20 people a minute were being targeted by callers using the site’s technology, which enabled them to masquerade as callers from legitimate banks and steal money.
Teejai Fletcher, who is accused of being the site’s administrator and who is alleged to have links to organised crime, has been charged with fraud.
Detectives, who said that Fletcher was living a “lavish lifestyle”, seized a Lamborghini, Range Rover and Rolex watches during his arrest.
Hundreds of other alleged users of the technology in London and elsewhere in Britain have also been arrested.
Sir Mark Rowley, the Metropolitan Police commissioner, said the sting showed that the force was “reinventing” the way it investigated fraud. “The Met is targeting the criminals at the centre of these illicit webs that cause misery to thousands,” he added.
The site iSpoof, which was advertised on channels on the encrypted app Telegram, was created in December 2020 and at its peak had 59,000 users.
They were allowed a free trial before they paid subscriptions of between £150 and £5,000 a month for its criminal software.
They posed as representatives of banks including Barclays, First Direct, Halifax, HSBC, Lloyds, Nationwide, NatWest, Santander and TSB.
The site’s technology made it look as if fraudulent calls were coming from the banks concerned.
One victim was fleeced of £3 million. The average loss of £10,000 reported to Action Fraud, the national reporting centre, by 4,785 people is thought to be the tip of the iceberg.
Detectives believe that there are tens of thousands more victims and millions of pounds more is likely to have been defrauded.
Detective Superintendent Helen Rance said that iSpoof was one of the most prolific fraud websites in operation and had earned £3.2 million in subscriptions.
Of ten million fraudulent calls made using its technology, 40 per cent were in the United States, 35 per cent were in Britain and the rest were spread across other countries.
The Met has said it will text potential victims today and tomorrow and ask them to visit its website for more information and to report any fraud losses online.
Detectives worked with Dutch law enforcement officers, who tapped the website’s servers in the Netherlands to secretly listen to phone calls and collect evidence. It emerged that criminals could also buy a service that sent out automated voice scripts to targets, purporting to be from their bank, to try to get personal details.
Rance acknowledged that other criminal websites would pop up and try to supply similar technology to fraudsters, but said that the Met’s operation sent the message that the police were on to would-be criminals and they would not stay anonymous.
Rance, who leads on cybercrime for the Met, said: “Our message to criminals who have used this website is we have your details and are working hard to locate you, regardless of where you are.”
She said fraudsters worked at their impersonation skills to trick victims into thinking they were being called by legitimate bank representatives.
There was an element of “social engineering” as they used information from elsewhere to build on their fraud. Often they had bought stolen bank records in other places on the dark web and so they knew personal details and even the nature of some transactions, which made their approach seem more legitimate.
Last night Fletcher’s neighbours said they were surprised at his arrest. He lived in a ninth-floor flat that overlooks Royal Victoria Dock and has a residents’ gym and a 24-hour concierge service.
Fletcher has been charged with making or supplying articles for fraud, proceeds-of-crime matters and participating in the activities of an organised crime group. He is due to appear at Southwark crown court next month.
Commenting on the police action, John Davis, Director UK & Ireland, SANS Institute, EMEA, said: “Providers of subscription services for amateur hackers operate in the grey zone between legal and illegal. They have strategies and business models, and they use polished, formal operating methods to put them into practice.
“Marketing themselves on the dark web, they line up clients interested in a single attack or perhaps several. The client can pay a monthly fee, usually in cryptocurrency, for advice and assistance, sometimes including around-the-clock support that covers technical aspects of an attack and matters such as negotiations with a victim. The client also may share a portion of any payment extracted from a victim with the service provider.
“However, the subscription model enables minimally skilled attackers to launch more sophisticated attacks – much the same way modern audio processing tools like Autotune can make tone-deaf singers sound like stars. Where once hackers relied upon ad hoc tactics, such as using simple phishing attacks to gain entry, these attacks have now become complex and targeted, using the latest ‘toolkit.’”