Worldwide cyber gang busted

by Mick the Ram

Law enforcement agencies, including the Metropolitan Police have been celebrating the dismantlement of a criminal cyber gang who had been using a technology service to facilitate fraudulent text messages, leading to theft from victims on an industrial scale.

Detectives have been making scores of arrests around the world, including London, with 37 people so far taken into custody. Victims have been contacted and given advice as to what steps should be taken.

More will follow as investigators seized the email addresses of 800 criminals who had been paying up to £300 a month to use the gang’s site – LabHost service. This helped scammers, even lacking in technical skills, to bombard victims directly with messages designed to trick them into making online payments at fake websites, appearing to be legitimate.

It had the consequence of enabling the criminals to steal identity information, including card numbers and pin codes, with police estimating that LabHost had made over a £1m in profits, meaning the sums stolen would inevitably run into the hundreds of millions of pounds, or more.

Two year operation

The arrests made followed a two-year operation involving the Met and law-enforcement in 17 other countries. Worldwide over 70 different properties were searched and in the UK arrests were made at several airports, including Luton and Manchester.

The criminals are known to have stolen more than 480,000 card numbers and 64,000 Pin codes, in an act referred to in the criminal worlds as “fullz data”.

Younger element more at risk

Deputy Commissioner Dame Lynne Owens made an interesting point by saying that surprisingly it was more likely that younger people who grew up with the internet were the most likely to fall for the “phishing” scam.

She also said people are more likely to be a victim of fraud than any other crime and that LabHost had given those non-skilled criminal minded individuals the perfect platform to commit their fraudulent behaviour.

Tens of thousands of victims

In the UK alone, it is believed that upwards of 70,000 victims were tricked into giving out their personal details online. Police say that around a third of these have been identified, and will receive subsequent text messages warning them which fake online payment services and shopping sites could have taken their money.

They will receive assistance from a special page set up on the Metropolitan Police website for crucial advice moving forward, although officers were able to offer some reassurance that personal details found in a dump of data, obtained from LabHost, have now been “secured”.

Latest in a line of successful take-downs

It has been quite the process with the gang’s activities first discovered back in 2022 by the Cyber Defence Alliance, a small team of investigators funded by UK financial bodies to infiltrate criminal networks on the dark web.

There has been successes previously with the taking down of the crime service operation known as “iSpoof” in November 2022, with its founder, 35-year-old Tejay Fletcher, who was responsible for fraud totalling in excess of £100m, now serving a 13 year prison term.

Then in February of this year, the National Crime Agency took down “LockBit” who were described as the world’s most harmful cyber-crime group, having been known to have cost victims billions of pounds.

Awareness first line of defence

Adam Pilton, Cyber Security Consultant at CyberSmart called the successful “take-down” as a “fantastic result for UK and international law enforcement.”

He said the amount of work put into the operation should not be underestimated and encouraged people to always report any phishing emails they spot, as it helps to build an intelligence picture, leading to these sort of results.

He pointed to the continued evolution of AI as an even bigger reason to build cyber defences, but maintained that awareness was still actually the very first line of defence