Police have taken down a gang accused of using a technology service that helped criminals use fraudulent text messages to steal from victims. They have arrested 37 people worldwide and are contacting victims. Officers say younger people who grew up with the internet were the most likely to fall for the "phishing" scam. The technology allowed scammers without technical skills to bombard victims with messages designed to trick them into making payments online. Police targeted the gang's site, LabHost, which helped criminals send the messages and direct victims to fake websites appearing to be legitimate online payment or shopping services.
It had enabled the criminals to steal identity information, including 480,000 card numbers and 64,000 Pin codes, known in criminal slang as "fullz data", the police said.
Detectives do not know how much money was stolen but estimate the LabHost site made nearly £1m ($1.25m) in profits.
Metropolitan Police Deputy Commissioner Dame Lynne Owens said: "You are more likely to be a victim of fraud than any other crime.
"Our approach is to be more precise and targeted, with a clear focus on those enabling online fraud to be carried out on an international scale."
National Economic Crime Centre director Adrian Searle said: "Technology is enabling crime to be delivered at scale in an almost industrial fashion."
And LabHost had given criminals without technical skills the opportunity to "buy them off the shelf online and use them against victims in the UK and elsewhere".
The arrests were the result of a two-year operation involving the Metropolitan Police, National Crime Agency, City of London Police and law-enforcement bodies in 17 countries.
In the UK, 24 suspects were taken into custody, with arrests at Luton and Manchester airports.
Worldwide, 70 properties were searched and one British man charged.
Text messages
In the UK, 70,000 victims are believed to have been tricked into giving their details online.
About 25,000, who have been identified, will be sent text messages warning them which fake online payment services and shopping sites could have taken their money.
They will be advised to go to a Metropolitan Police website for advice.
Their cases have been reported to fraud investigators.
And officers say their personal details found in a dump of data, obtained from LabHost, have been "secured".
Personalised videos
Investigators also seized the email addresses of 800 criminals paying up to £300 a month to use the LabHost service.
And they will be sent personalised videos making clear police know who they are and what they have been doing.
The strategy, which follows advice from behavioural psychologists, is designed to undermine criminal confidence in the security of scam services.
The gang's activities were discovered in 2022 by the Cyber Defence Alliance, a small team of investigators funded by UK financial bodies to infiltrate criminal networks on the dark web.
An alliance official said: "Unless we build a network to defeat a criminal network, we are going to be overwhelmed."
This investigation is an example of a new approach involving police, the National Crime Agency and banking security experts to target criminals offering services to other criminals.
In November 2022, police took down iSpoof, another "crime as a service" operation, which allowed criminals to cold-call victims to take their money.
Tejay Fletcher, 35, who founded the service, responsible for fraud totalling £100m, was jailed for 13 years in 2023.
And in February 2024, the National Crime Agency took down LockBit, "the world's most harmful cyber-crime group", which had used ransomware attacks costing victims billions of pounds.