An international police operation has dismantled an online spoofing service that allowed cybercriminals to impersonate trusted corporations to steal more than $120 million from victims.
iSpoof, which now displays a message stating that it has been seized by the FBI and the U.S. Secret Service, offered “spoofing” services that enabled paying users to mask their phone numbers with one belonging to a trusted organization, such as banks and tax offices, to carry out social engineering attacks.
"The services of the website allowed those who sign up and pay for the service to anonymously make spoofed calls, send recorded messages, and intercept one-time passwords," Europol said in a statement on Thursday. "The users were able to impersonate an infinite number of entities for financial gain and substantial losses to victims."
London’s Metropolitan Police, which began investigating iSpoof in June 2021 along with international law enforcement agencies, in the U.S., the Netherlands, and Ukraine, said it had arrested the website’s suspected administrator, named as Teejai Fletcher, 34, charged with fraud and offenses related to organized crime. Fletcher was remanded to custody and will appear at Southwark Crown Court in London on December 6.
iSpoof had around 59,000 users, which caused £48 million of losses to 200,000 identified victims in the U.K., according to the Met Police. One victim was scammed out of £3 million, while the average amount stolen was £10,000.
Europol says the service's operators raked in estimated profits of $3.8 million in the last 16 months alone.
The Metropolitan Police said it also used bitcoin payment records found on the site’s server to identify and arrest a further 100 U.K.-based users of the iSpoof service. The site’s infrastructure, which was hosted in the Netherlands but moved to Kyiv earlier in 2022, was seized and taken offline in a joint Ukrainian-U.S. operation earlier this month.
Police have a list of phone numbers targeted by iSpoof fraudsters and will contact potential victims via text on Thursday and Friday. The text message will ask victims to visit the Met’s website to help it build more cases.
Helen Rance of the Metropolitan Police Cyber Crime Unit said: “Instead of just taking down the website and arresting the administrator, we have gone after the users of iSpoof. Our message to criminals who have used this website is: we have your details and are working hard to locate you, regardless of where you are.”