FBI in interrogation room

Fraudster site iSpoof shut down, 142 arrested internationally

iSpoof, a website that lets fraudsters impersonate or spoof trusted companies or contacts with the intent to get sensitive information from victims, has been seized and shut down by the Federal Bureau of Investigation (FBI) and the US Secret Service (USSS). This is part of a greater collaborative effort among international law enforcement authorities in Australia, Canada, Europe, Ukraine, the United Kingdom, and the United States. The Europol press release states that iSpoof caused a worldwide loss of over $120.9M (£100M).

Meanwhile, on November 6 the UK’s Metropolitan Police (aka The Met) arrested iSpoof’s main administrator, who was based in East London according to the BBC. Two days after, iSpoof was seized and taken offline by US and Ukrainian authorities.

This is what iSpoof looks like now after its seizure. (Source: Pieter Arntz | Malwarebytes)

About iSpoof and its users

iSpoof was set up during the height of the pandemic in December 2020. Online criminals found out about it from adverts on encrypted channels on Telegram.

For prices ranging from £150 to £5,000 in Bitcoin per month, its 59,000 users could use specialized software to aid them in their fraud campaigns, such as masking their phone numbers so they could make anonymous calls, sending recorded messages, and intercepting one-time passwords. The tool also allowed fraudsters to impersonate an infinite number of trusted entities—government institutions, banks, and retail companies.

As many as 20 people were randomly called every minute, skillfully persuading victims to give the cybercriminals personal details they then used to steal the victims’ money. Victims lost an average of $12,000 (£10,000), with one losing $3.63M (£3M).

The BBC said that fraudsters would often claim to be employees of banks, including Barclays, Santander, HSBC, Lloyds, Halifax, First Direct, NatWest, Nationwide, and TBS. Most calls (40 percent) were made in the US, while 35 percent were in the UK. The rest of the percentage was spread across other countries.

So far, international law enforcement has arrested 142 users and administrators of iSpoof from all over the world, including Teejai Fletcher (34), the alleged mastermind, who was earning more than $3M and living a “lavish” lifestyle.

“The UK’s biggest ever fraud sting”

Catherine De Bolle, Europol’s executive director, said:

The arrests today send a message to cybercriminals that they can no longer hide behind perceived international anonymity. … Together with our international partners, we will continue to relentlessly push the envelope to bring criminals to justice.”

The Met contacted around 70,000 potential victims to inform them that they had been defrauded by users of the iSpoof site. Met Commissioner Sir Mark Rowley told the public that if they received an SMS from the police in the next 24 hours, they’d been a victim of fraud.

This tactic, however, is problematic since fraudsters have targeted scam victims using text messages while pretending to be the police. Sir Rowley acknowledged this.

“There’s something slightly bizarre about it, isn’t it?” he said in a BBC Radio 4 Today interview when asked about the dilemma of reaching victims using the same tactic that got people defrauded in the first place. “Which is why we were encouraging people to actually go onto the Met Police website and they’ll find the shortcuts and links there to report this.”

“So don’t respond to any text with dodgy shortcuts and things in it, come through official websites is the best way of doing this. 

“But we want to hear from you because the people we message in the next 24 hours have been victims of fraud or attempted fraud and we can stack all these offences against the people we’ve been arrested.”

What to do if you’ve been defrauded by an iSpoof scammer

If you’re based in the UK and you received an SMS from The Met on Thursday or Friday, heed Sir Rowley’s advice and file a report to the Met Police official website. Call your bank immediately as well to report the fraud and get your account details reset. The BBC says victims can sign up for a Protective Registration with Cifas (for a fee of £25 for two years) if the fraud involves personal information.

Make sure you always use the maximum amount of security options on your bank accounts (and all online accounts in general). It’s not a failsafe, but it definitely makes it harder for the scammers.

We don’t just report on threats—we remove them

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.