Yahoo News Police arrest gang behind Britain’s most prolific scam site
Police have arrested a gang of fraudsters including university students behind Britain’s biggest phishing website, which scammed 70,000 victims in the UK out of tens of millions of pounds.
Scotland Yard this week raided the homes of the gang leader and his four key lieutenants, who provided a one-stop shop for 2,000 fellow criminals to buy and set up fraudulent websites for as little as £200 to £300 a month.
The bespoke phishing websites used the profiles of 170 well-known brands, banks and public services. They enabled the criminals to scam victims into handing over their personal data such as email addresses, passwords and financial details.
In a two-year operation with 17 other law enforcement agencies worldwide, the Metropolitan Police infiltrated the website, known as Lab Host, to identify the gang bosses and the 2,000 criminal “customers” who bought the fraudulent websites.
Police estimate Lab Host was used to create 40,000 fraudulent phishing sites and harvested over one million data logs worldwide. This included 70,000 victims in the UK alone. Worldwide, police believe the criminals obtained 480,000 card numbers, 64,000 PIN numbers and one million passwords for online services.
Police arrested 37 suspects in the UK and searched 70 properties worldwide as they shut down the site. A significant number of the 2,000 UK criminal users were said by police to be university students or young people who were “likely to go on to perfectly legitimate careers”.
One investigator said: “They see this as easy to do and anonymous. They don’t have that physical interaction with [a victim]. They are entering into this not fully understanding the risks and the potential outcomes for them.”
For the £200 to £300 monthly membership fee, the gang offered a bespoke service to help users set up their fraudulent sites within minutes with little technical know-how. They even offered a customer support messaging service via the encrypted app Telegram.
The fraudsters could choose to be “active” users who tracked victims in real time as they entered their fake sites and then stole their personal data. Or they could simply leave them as “sleeper” sites which would automatically harvest victims’ details. They could then sell these on to the dark web or other fraudsters.
Many of the victims were in the 25 to 44-year-old age group because of their frequent use of the internet for services from banking to food deliveries and online subscriptions.
In a reverse sting, police created a bespoke message to send to 800 of the users identified by detectives. It detailed to each of them their illegal actions over the past year. Police likened it to a Spotify-style wrap of the fraudster’s year’s usage which it joked was “made in partnership with international law enforcement”.
“We valued you as a customer ever since the day you joined. We’ve been collecting your data that whole time. And now we’ve served it to police on a platter,” said the message.
“You’ve targeted victims all around the world. The police there may not be too happy so think carefully about where you go on holiday next. That was your 2023 Lab Host wrap. Lab Host is dead now.”
Lynne Owens, the Met Police’s deputy commissioner, said there would now be a major operation to contact all the 70,000 victims of the phishing scams to provide them with support and advice. Some 25,000 have already been contacted this week.
She said the “wrap”, which police hope will go viral, and the raids were designed to strike fear into fraudsters. “Fraud gets to the heart of individual and community confidence. It undermines confidence in day to day activity that we all do online and elsewhere,” she said
“This operation is about creating that same level of fear and uncertainty for the criminals because they can no longer be confident that the enabling services they are buying are protecting them.”
