The National Crime Agency (NCA) has arrested four people after taking down a phone number spoofing platform used by criminals to defraud thousands of people in the UK, with more arrests to follow.
The National Crime Agency is analysing huge quantities of data seized from an online platform to identify hundreds of criminals who used a phone number spoofing service to defraud victims of tens of millions of pounds.
The NCA, working with prosecutors from Ukraine, the Netherlands and other countries, has seized data from servers used by Russian Coms, a mobile phone and web-based platform that allowed criminals to steal money from an estimated 170,000 people in the UK.
Criminals were able to spoof the phone numbers of banks, financial institutions, telecoms companies and law enforcement agencies to win the trust of victims before stealing their money and personal details, the NCA revealed on 1 August 2024.
Following what the NCA described as months of intelligence gathering and painstaking investigative work, in March 2024, officers arrested two men, aged 26 and 28, in Newham suspected of being the platform’s developers and administrators, leading to the closure of the operation.
The operators published a message on the Russian Coms Telegram messaging channel warning users to use the service at their own risk: “Everything has been compromised no matter what software you have been using, all other providers have been compromised as well.”
On 12 April 2024, police arrested a 28-year-old man in Newham, described as a close affiliate of Russian Coms and a courier who delivered handsets. Police made a further arrest of a user of the Russian Coms service in Potters Bar this week, with further arrests expected over the coming months.
Criminal network disrupted
Miles Bonfield, deputy director of investigations at the NCA, said the agency had taken out a sophisticated piece of technical infrastructure, arrested two individuals with the technical know-how to provide the phone spoofing services, and disrupted the wider criminal social network.
“Those who use Russian Coms and other services like it are told these services provide anonymity. They don’t. We can go after the data and use that data to identify the users, and those users need to prepare for us knocking on their door at any time of day or night,” he said.
City of London Police worked with the NCA to cross-reference 100,000 data points, including IP addresses, phone numbers and names, against data reported by the public to Action Fraud, a national reporting centre for fraud and cyber crime, and other police databases to identify suspects and an initial 5,000 victims of Russian Coms.
Investigators have established that between 2021 and 2024, more than 1.3 million calls were made by users of Russian Coms to 500,000 unique UK phone numbers. The average loss to people who reported losses to Action Fraud was over £9,400, though some have lost hundreds of thousands of pounds.
Phones displayed fake numbers
The phone spoofing service was sold initially as a customised Motorola Android phone, with one functioning app that was capable of making calls that displayed a fake number to the recipient and VPN options to allow users to hide their IP address.
The phone, which was sold for between £1,200 and £1,400 for a six-month contract, featured a burn capability that allowed users to instantly wipe its contents. Other apps on the phone were fake but were designed to look like genuine Android apps.
The operators of Russian Coms later introduced a web app, marketed as a “flagship” service, which allowed full access to a web-based phone for £350 a month, or £1,000 for three months, to be paid in cryptocurrency.
The flagship service offered unlimited minutes, hold music, encrypted phone calls, 24/7 support and voice-changing services, which claimed to allow users to match their accents to the victim’s location.
Fraudsters impersonated banks
In a typical scam, offenders spoofed the number of a bank to gain the trust of a victim before convincing them that their account had been subject to fraudulent activity. The offender would then persuade the victim to transfer their money to another account to protect their savings.
In other cases, fraudsters impersonated reputable companies and stole money for goods that were never delivered or arranged to collect debit and credit cards from the victims on the pretext that they needed replacing.
Fraudulent calls were made to individuals in 107 countries around the world, including the US, New Zealand, Norway, France and the Bahamas.
NCA using seized data to identify fraudsters
Adrian Searle, director of the National Economic Crime Centre, part of the NCA, said investigators had acquired significant amounts of data from the operation, which would allow police to identify users of Russian Coms.
“The takedown and acquisition of the server, in particular, have enabled us to acquire significant amounts of data, which in turn, we can use to identify the users of this platform equipment, the criminal users of the platform, and over time going after those users,” he said.
Searle said the NCA had identified other phone spoofing platforms and was prioritising action against the services having the greatest impact. “We are now breaking the trust that criminals have in online services,” he added.
Police need tech companies to act
Nik Adams, temporary assistant commissioner at the City of London Police, said the police needed the support of technology companies to stay ahead of fraud.
“Making sure that it isn’t easy for someone to develop a tool that can spoof phone numbers of legitimate organisations and then for that to appear on your device as a legitimate number – that is something that technology companies have to grapple with,” he said.
He said the telecoms regulator, Ofcom, had taken steps to ban phone number spoofing from overseas numbers, but that it was proving more difficult to prevent spoofing from UK numbers. This is partly because there are legitimate uses for number spoofing, and also because of the need to upgrade parts of the telecommunications infrastructure.
“We need to equip people with the tools to make good decisions about how they are interacting with technology and to make sure that people are using two-factor authentication and other methods to secure their data,” he said.
Despite its name, Russian Coms was run from the UK and had no links to Russia.