4 arrests，seizure, Cybercrime, online fraud, money laundering 2023.12.13, 2024.3.20, 4.12, 4.18 ✓Press ✓Police ✓UK,英国

International investigation disrupts phishing-as-a-service platform LabHost
LabHost facilitated the phishing of users of hundreds of financial institutions worldwide for monthly subscription fee
18 APR 2024

This week, law enforcement from 19 countries severely disrupted one of the world’s largest phishing-as-a-service platform, known as LabHost. This year-long operation, coordinated at the international level by Europol, resulted in the compromise of LabHost’s infrastructure.

Between Sunday 14 April and Wednesday 17 April a total of 70 addresses were searched across the world, resulting in the arrest of 37 suspects. This includes the arrest of 4 individuals in the United Kingdom linked to the running of the site, including the original developer of the service.

The LabHost platform, previously available on the open web, has been shut down.

This international investigation was led by the UK’s London Metropolitan Police, with the support of Europol’s European Cybercrime Centre (EC3) and the Joint Cybercrime Action Taskforce (J-CAT) hosted at its headquarters.

Europol has supported this case since September 2023. An operational sprint was organised at its headquarters with all the countries involved so that the national investigators could identify and develop intelligence on the users and victims in their own countries. During the action phase, a Europol specialist supported the Dutch National Police with their enforcement actions.

Commoditising phishing attacks

Cybercrime-as-a-service has become a rapidly growing business model in the criminal landscape whereby threat actors rent or sell tools, expertise, or services to other cybercriminals to commit their attacks. While this model is well established with ransomware groups, it has also been adopted in other aspects of cybercrime, such as phishing attacks.

LabHost had become a significant tool for cybercriminals around the world. For a monthly subscription, the platform provided phishing kits, infrastructure for hosting pages, interactive functionality for directly engaging with victims, and campaign overview services.

The investigation uncovered at least 40 000 phishing domains linked to LabHost, which had some 10 000 users worldwide.

With a monthly fee averaging $249, LabHost would offer a range of illicit services which were customisable and could be deployed with a few clicks. Depending on the subscription, criminals were provided an escalating scope of targets from financial institutions, postal delivery services and telecommunication services providers, among others. Labhost offered a menu of over 170 fake websites providing convincing phishing pages for its users to choose from.

What made LabHost particularly destructive was its integrated campaign management tool named LabRat. This feature allowed cybercriminals deploying the attacks to monitor and control those attacks in real time. LabRat was designed to capture two-factor authentication codes and credentials, allowing the criminals to bypass enhanced security measures.

Easily accessible, yet still a crime

Platforms such as LabHost make cybercrime more easily accessible for unskilled hackers, significantly expanding the pool of threat actors.

Yet, however user-friendly the service portrays itself to be, its malicious use constitutes an illegal activity – and the penalties can be severe.

A vast amount of data gathered throughout the investigation is now in the possession of law enforcement. This data will be used to support ongoing international operational activities focused on targeting the malicious users of this phishing platform.

The following authorities have taken part in the investigation:

Australia: Australian Federal Police-led Joint Policing Cybercrime Coordination Centre;
Austria: Criminal Intelligence Service (Bundeskriminalamt);
Belgium: Federal Judicial Police Brussels (Police judiciaire fédérale Bruxelles/ Federale gerechtelijke politie Brussel);
Finland: National Police (Poliisi);
Ireland: An Garda Siochana;
Netherlands: Central Netherlands Police (Politie Midden-Nederland);
New Zealand: New Zealand Police;
Lithuania: Lithuania Police;
Malta: Malta Police Force (Il-Korp tal-Pulizija ta’ Malta);
Poland: Central Office for Combating Cybercrime (Centralne Biuro Zwalczania Cyberprzestępczości);
Portugal: Judicial Police (Polícia Judiciária);
Romania: Romanian Police (Poliția Română);
Spain: National Police (Policía Nacional);
Sweden: Swedish Police Authority (Polisen);
United Kingdom: London Metropolitan Police;
United States: United States Secret Service (USSS) and Federal Bureau of Investigation (FBI);
Czechia: Bureau of Criminal Police and Investigation Service;
Estonia: Estonian Police and Border Guard Board;
Canada: Royal Canadian Mounted Police.

—

Global police agencies take down massive scam website that defrauded thousands of victims

•Britain’s Metropolitan Police said in a statement Thursday that the LabHost website was used by 2,000 criminals to steal users’ personal details.
•Police identified just under 70,000 individual U.K. victims who entered their details onto one of LabHost’s websites.
•LabHost’s websites were disrupted and replaced with a message stating that law enforcement has seized the services.

A huge fraud website used by thousands of criminals to trick people into handing over personal information such as email addresses, passwords and bank details, has been infiltrated by international police.

Britain’s Metropolitan Police said in a statement Thursday that the website, called LabHost, was used by 2,000 criminals to steal users’ personal details.

Police have so far identified just under 70,000 individual U.K. victims who entered their details onto a website linked to LabHost. A total of 37 suspects have been arrested so far, according to the Metropolitan Police.

Police have also disrupted those websites and replaced the information on their pages with a message stating that law enforcement has seized the services.

LabHost obtained 480,000 credit card numbers, 64,000 PIN codes, as well as more than 1 million passwords used for websites and other online services, the Metropolitan Police said.

The Metropolitan Police said that up to 25,000 victims in the U.K. have been contacted by police to notify them that their data has been compromised.

What is LabHost?

Police say that LabHost was set up in 2021 by a criminal cyber network which sought to scam victims out of key personally identifiable information, such as bank details and passwords, by creating fake websites.

Criminals were able to use it to exploit victims through existing sites, or create new websites mimicking those of trusted brands including banks, health-care providers and postal services.

“Online fraudsters think they can act with impunity,” Dame Lynne Owens, deputy commissioner of the Metropolitan Police Service, said in a statement Thursday.

“They believe they can hide behind digital identities and platforms such as LabHost and have absolute confidence these sites are impenetrable by policing.”

Owens added that the operation showed “how law enforcement worldwide can, and will, come together with one another and private sector partners to dismantle international fraud networks at source.”

Private companies including blockchain analysis firm Chainalysis, Intel 471, Microsoft, The Shadowserver Foundation and Trend Micro worked with police to identify and bring down LabHost.

The investigation started in June 2022 after police received intelligence about LabHost’s activities from the Cyber Defence Alliance, an intelligence-sharing partnership between banks and law enforcement agencies.

The Met’s Cyber Crime Unit then joined forces with the National Crime Agency, City of London Police, Europol, regional U.K. authorities, as well as other international police forces to take action.

—

Police storm airports across the UK to break up ‘LabHost’ cyber scam gang that defrauded 70,000 Brits by using AI to copy banking websites in an ‘industrial scale’ con worth £1m

Police have stormed a number of airports across the UK to break up a global cyber scam gang that defrauded 70,000 Brits.

The UK-founded website LabHost, which had been used to defraud victims on an industrial scale, was infiltrated by the Metropolitan Police leading to 37 arrests around the world, including at Manchester and Luton airports.

The site was set up in 2021 by a criminal network and enabled criminals to create their own scam websites designed to trick innocent victims into revealing personal information such as email addresses, passwords, and bank details.

By the beginning of 2024, more than 40,000 fraudulent sites had been created through LabHost, which generated just under £1 million in payments from criminal users paying a monthly subscription fee.

As many as 70,000 UK victims were tricked by scamming set up through LabHost, which obtained 480,000 card numbers, 64,000 PINs and more than one million passwords globally.

Criminal subscribers to LabHost were able to log on to the service and choose from existing sites or request bespoke pages replicating those of trusted brands including banks, healthcare agencies and postal services.

LabHost even provided templates and an easy to follow tutorial allowing would-be fraudsters with limited IT knowledge to use the service and set up phishing websites.

Phishing is a form of scam where attackers deceive people into revealing sensitive information by masquerading as a legitimate person.

By the beginning of 2024, more than 40,000 fraudulent sites had been created and 2,000 users were registered and paying a monthly subscription fee to LabHost.

LabHost provided its subscribers with fake profiles for 170 companies to trick victims, including 47 based in the UK.

Those subscribing to the ‘worldwide membership’, meaning they could target victims internationally, paid between £200 and £300 a month. Since creation, the site has received just under £1 million in payments from criminal users.

Work apprehending the gang behind LabHost began in June 2022 after detectives received crucial intelligence about the site’s activity from the Cyber Defence Alliance – a group of British-based banks and law enforcement agencies which work together to share intelligence.

The Met joined forces with the National Crime Agency, City of London Police, Europol, Regional Organised Crime Units (ROCUs) across the country and other international police forces to put an end to the gang’s harmful scheme.

They also worked with a number of tech companies including Intel 471 and Microsoft to bring down the platform.

Between Sunday, April 14 and Wednesday April 17 a total of 37 suspects were arrested across the UK and by international law enforcement agencies.

This included arrests at both Manchester and Luton airports, as well as in Essex and London. Over 70 addresses were searched both in the UK and across the world.

Shortly after the arrests were made on Wednesday, LabHost and its linked fraudulent sites were disrupted and existing information was replaced with a message stating law enforcement had seized the services.

Following the Met’s intervention, 800 users subscribed to LabHost received a video message, nicknamed LabHost wrapped, telling them that police ‘know who they are and what they’ve been doing’.

Criminals users were shown how much they’ve paid to LabHost, how many different sites they’ve accessed and how many lines of data they’ve received, according to data obtained by the Met.

These users will continue to be investigated by detectives over the coming weeks and months.

Meanwhile, detectives have so far contacted up to 25,000 victims in the UK to tell them their data has been compromised after using scamming sites set up through LabHost.

Detectives have so far established that just under 70,000 individual UK victims have entered their details into one of LabHost’s fraudulent sites, but said the total number of victims is likely to be even higher.

The Met said that each victim has been given advice about next steps and how to further protect their data, while a team of officers will also be on hand to provide personalised support to any victims who want further help and advice.

Dame Lynne Owens, deputy commissioner of the Metropolitan Police Service, said: ‘You are more likely to be a victim of fraud than any other crime.

‘In addition to the financial impact, it undermines the public’s confidence in the tools and technology they need to use in daily life. Our collective approach should ensure suspects feel that same level of distrust in their own criminal environment.

‘Online fraudsters think they can act with impunity. They believe they can hide behind digital identities and platforms such as LabHost and have absolute confidence these sites are impenetrable by policing.

‘But this operation and others over the last year show how law enforcement worldwide can, and will, come together with one another and private sector partners to dismantle international fraud networks at source.

‘Our approach is to be more precise and targeted with a clear focus on those enabling online fraud to be carried out on an international scale.’

Adrian Searle, director of the National Economic Crime Centre in the NCA, said: ‘Fraud is a terrible crime that impacts victims both financially and psychologically, undermining our collective trust in others and the online services on which we all rely.

‘Together with cyber crime, it makes up around 50% of all crime in England and Wales. Recognising the scale and nature of the threat, law enforcement are working evermore closely together, both here and overseas, to target the fraudsters and the technology they are exploiting.

‘This operation again demonstrates that UK law enforcement has the capability and intent to identify, disrupt and completely compromise criminal services that are targeting the UK on an industrial scale.’

—

欧洲刑警组织和18国联合 捣毁诈骗网络钓鱼平台

（伦敦19日讯）欧洲刑警组织和18个国家的警察机构，以及多家大型企业展开联合行动，捣毁一个网络钓鱼诈骗平台。

领导这项全球执法行动的英国警方说，这次行动破坏了名为“LabHost”的平台。执法单位过后突击了70个场所，先后在英国等地逮捕37名嫌犯，包括4名疑似创建和运营网站的人。

当局说，这是一个一站式的网络钓鱼平台，骗子可以利用它来创建钓鱼网站，诱骗受害者透露银行信息和密码等个人资料。

欧洲刑警组织的调查发现，该平台在全球拥有约1万名用户，至少有4万个钓鱼域名和“LabHost”有关联，受害人数以万计。

当局是在接到情报后，从2022年6月开始调查。参与这次执法行动的包括澳洲、纽西兰、美国等国家，以及微软、区块链分析公司“Chainalysis ”、网络犯罪情报公司Intel471等企业。

9 arrests in EUR 645 million JuicyFields investment scam case
Unreported damages presumably much higher, with 186 000 persons victimised by massive Ponzi scheme

A joint investigation conducted by several European law enforcement authorities, supported by Europol and Eurojust, has culminated in the arrest of 9 suspects following the notorious “JuicyFields” investment fraud case. On an action day carried out on 11 April 2024, over 400 law enforcement officers in 11 countries executed 9 arrest warrants and conducted 38 house searches. During the investigation and action day, EUR 4 700 000 in bank accounts, EUR 1 515 000 in cryptocurrencies, EUR 106 000 in cash and EUR 2 600 000 in real estate assets were seized or frozen. Law enforcement also seized several luxury vehicles, works of art, cash and various luxury items, as well as large numbers of electronic devices and documents.

According to judicial estimates, the total damages resulting from fake investments in the advertised cannabis cultivation crowdsourcing platform amount to a staggering EUR 645 million, but actual and unreported damages could be significantly higher. In total, an estimated 550 000 participants worldwide, most of them European citizens, were registered as online investors. Using bank transfers or cryptocurrencies, around 186 000 participants actually transferred funds into the elaborate Ponzi scheme active from early 2020 to July 2022.

JuicyFields and its fake cannabis investment opportunities

The suspects, of mainly Russian but also Dutch, German, Italian, Latvian, Maltese, Polish, Jordanian, United States and Venezuelan nationality, used advertisements on social networks to lure victims to their websites. These platforms offered promising crowdsourcing investment opportunities in the cultivation, harvesting and distribution of cannabis plants to be used for medicinal purposes.

With a minimum initial investment of at least EUR 50 in this so-called ‘e-growing’ opportunity, investors were promised to be linked with producers of medical cannabis. Upon the purchase of a cannabis plant, the platform assured investors – also referred to as e-growers – they could soon collect high profits from the sale of marijuana to authorised buyers. While the company pledged annual returns of 100 percent or more, they did not reveal exactly how they would accomplish this, let alone be able to guarantee it.

The legalisation of cannabis cultivation or the expansion of permissible THC content in cannabis products for personal, recreational, and therapeutic purposes is a significant subject of public debate within the EU. This discourse is further fuelled by the reality that cannabis stands as one of the most widely consumed illicit substances both within the European Union and globally. As seen in other contexts, criminal networks are particularly adept at applying new narratives to existing criminal practices, particularly in periods of changes in regulatory frameworks, which may open up a window of opportunity for fraudsters to advertise low-risk, high-profit investment opportunities.

A classic “too good to be true” Ponzi scheme

A Ponzi scheme is a type of investment scam where criminals promise high returns with little or no risk to investors. Instead of actually generating profits through legitimate business activities, the scammers use money from new investors to pay returns to earlier investors. This creates the illusion of a profitable enterprise, but in reality, the scheme collapses when there aren’t enough new investors to sustain the pay-outs, leaving most investors with losses.

As an example, the average – even cautious – investor would make an initial investment of EUR 50 and receive a pay-out doubling their money soon after. Motivated by these financial gains, many investors would raise the stakes and pay in hundreds, thousands, or in many cases even tens of thousands of euros. The platform feigned credibility as it was not only represented in the digital world, but upheld the image of a trustworthy legal business structure with physical offices, staff and representation at cannabis industry events. Initially, the more than 500 000 e-growers were receiving their investment returns. In July 2022 however, the criminals behind the scheme abruptly removed company profiles from social media networks and stopped users from logging in to their accounts, thus freezing cash withdrawals.

Complex investigation following elaborate fraud scheme

The widespread occurrence of police reports across Europe prompted Europol to initiate a coordinated approach for investigations involving multiple EU and non-EU countries. This law enforcement focus on JuicyFields and related investment platforms was followed by the establishment of a joint investigation team at Eurojust, led by German and Spanish Police, French Gendarmerie and supported by Europol, the National Crime Agency of the United Kingdom and other law enforcement from numerous Member States. After painstakingly piecing together breadcrumbs of digital evidence, investigators had drawn up a joint intelligence picture that allowed police forces across Europe to initiate this wave of arrests.

One of the primary High Value Targets in this investigation was traced to a residence in the Dominican Republic. The Russian national, suspected to be one of the main organisers of the fraudulent scheme, had a property he was residing at searched by the Dominican Republic authorities with officers from the Spanish investigation team along with a Europol specialist deployed on site to assist with coordination.

Europol’s role
Europol supported this massive cross-border investigation from the very start, taking the lead in operational coordination and providing tailored analytical support. Furthermore, Europol shared results of financial investigations as well as other intelligence with the involved countries. On the action day, Europol deployed officers with mobile offices to various locations around the globe. Eurojust ran a coordination centre, staffed by senior police officers from the various investigation authorities, prosecutors and Europol staff, to assist with the coordination of legal coercive measures in multiple countries in multiple time zones.

Joint Investigation Team:
France: National Gendarmerie (La Gendarmerie Nationale)
Germany: Criminal Investigation Department Berlin (Landeskriminalamt Berlin); Berlin public prosecutor’s office (Staatsanwaltschaft Berlin)
Spain: National Police (Policía Nacional – Unidad de Delincuencia Económica y Fiscal (UDEF))

Participating countries:
Austria, Belgium, Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Dominican Republic, Estonia, Finland, Greece, Hungary, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Norway, Poland, Portugal, Romania, Slovak Republic, Slovenia, Switzerland, United Kingdom, United States

Participating agencies:
Europol
Eurojust

(https://www.europol.europa.eu/media-press/newsroom/news/9-arrests-in-eur-645-million-juicyfields-investment-scam-case)

—

UK arrest in €645 million international investment scam

The National Crime Agency has arrested a senior staff member of a scam company, joining law enforcement across the continent to crack down on “JuicyFields” – a notorious and elaborate Ponzi scheme.

Ponzi schemes are a form of fraud, promising large profits with minimal risk. Instead of generating returns through legitimate business activities, the scammers use money from new investors to pay earlier investors, creating the illusion of a profitable enterprise. The scheme collapses when there aren’t enough new investors to sustain the pay-outs.

Investments in the platform are thought to amount to a staggering €645 million, though unreported damages could bring that sum far higher.

From early 2020 to 2022, more than 500,000 individuals across dozens of countries were registered to JuicyFields websites and offered promising crowdsourcing investment opportunities in the cultivation, harvesting and distribution of medicinal cannabis. Over 180,000 investors transferred funds.

In July 2022, those behind the scheme abruptly removed company profiles from social media networks and prevented users from logging into their accounts, thereby freezing cash withdrawals.

The NCA’s work was part of co-ordinated action across 10 countries.

Huge numbers of police reports across Europe led to the establishment of a joint investigation team at Eurojust, led by Spanish, German and French authorities, and supported by Europol, the NCA, and policing partners from multiple Member States.

On 11 April 2024, law enforcement across the continent arrested nine individuals and conducted over 30 house searches. Over the course of the investigation, several millions of Euros in crypto assets and bank accounts have been frozen. Real estate properties, vehicles, artwork, cash and various luxury items have been seized, in addition to a large number of electronic devices and documents.

Officers from the NCA, joined by Spanish police, arrested a 42 year-old man in Atherstone, Warwickshire. He was responsible for paying salaries to staff members and helped to legitimise the company by attending industry events.

In a subsequent search of his house, officers recovered a number of digital devices, which will now be forensically analysed. He appeared at Westminster Magistrates’ Court on 11 April for the commencement of extradition proceedings.

Tom Barford, NCA Branch Commander, said: “Criminals like those behind JuicyFields are highly adept at identifying new and more sophisticated ways to target victims.

“In this case, individuals across the world were lured by the promise of high returns with little or no risk, and then faced with devastating losses.

“The NCA is one of many partners who joined German, French and Spanish authorities to take joint action, showing what we can achieve when we come together to tackle serious and organised crime.”

For more information on how to protect yourself from fraud, including ways to report it, visit the Stop! Think Fraud website.

12 April 2024

(https://www.nationalcrimeagency.gov.uk/news/uk-arrest-in-645-million-international-investment-scam)

—

Nine Arrested In ‘JuicyFields’ Cannabis Fraud Probe

European police have swooped on website operators of a now defunct cannabis investment scheme, Europol said on Friday, arresting nine suspects and seizing millions of euros in bank accounts and cryptocurrency.

Some 400 law enforcement officers raided premises around Europe and the Dominican Republic on Thursday in an operation against operators of the “JuicyFields” Ponzi scheme — which Europol said duped more than 180,000 investors around the world.

Police arrested suspects in Britain, Germany, Italy, Latvia, and Spain, as well as one of the main suspects, a Russian, in the Dominican Republic.

“According to judicial estimates, the total damages resulting from fake investments in the advertised cannabis cultivation crowdsourcing platform amount to a staggering 645 million euros,” the Hague-based law agency said.

“Actual damages could be significantly higher,” Europol added.

“JuicyFields” which Europol called an “elaborate” online pyramid scheme, between 2020 and 2022 enticed customers to invest as little as 50 euros to buy a cannabis plant online in so-called “e-growing opportunities.”

The website claimed to link up investors with producers of medical cannabis, promising “annual returns of 100 percent or more,” Europol said.

Initial investors of the 50 euros were paid out double their investment.

“Motivated by these financial gains, many investors would raise the stakes and pay in hundreds, thousands, or in many cases even tens of thousands of euros,” Europol said.

“The platform feigned credibility as it was not only represented in the digital world, but upheld the image of a trustworthy legal business structure with physical offices, staff and representation at cannabis industry events,” Europol said.

Although 186,000 people paid over money to JuicyFields, some 500,000 “e-growers” were getting investment returns.

In July 2022 however, the scheme’s backers abruptly removed company profiles from social media networks and stopped users from logging in to their accounts, freezing cash withdrawals.

Widespread reports to police triggered Europol to coordinate a complex investigation involving various European countries and agencies.

“After painstakingly piecing together breadcrumbs of digital evidence, investigators had drawn up a joint intelligence picture that allowed police forces across Europe to initiate this wave of arrests,” Europol said.

The Russian suspect was at a property in the Dominican Republic which was searched by local law and Spanish law officers, accompanied by a Europol specialist.

Police seized cash, luxury vehicles, art, cash and various luxury items, Europol said.

—

騙走逾222億！大麻投資「龐氏騙局」遭歐警破獲 JuicyFields強迫關閉

歐洲警方揭露6億歐元醫用大麻「龐氏騙局」！日前，醫用大麻詐騙集團JuicyFields成員於歐洲各國遭逮捕，其利用資金轉移手法建立一套行銷系統，誘導受害者進行投資，行騙蹤跡橫跨歐洲數國。如今，歐洲刑警組織追回部分受害者的財產，JuicyFields也被強迫關閉。

詐騙行銷系統
《路透社》報導，歐洲刑警組織及歐洲國家警察逮捕「JuicyFields」國際詐騙集團成員，該組織涉嫌使用藥用大麻設計騙局，向眾多國家受害者詐騙高達6.45億歐元（約222億台幣）。此外，他們也建立一個詐騙行銷系統，並在國際大麻博覽會中說服民眾進行投資。

西班牙警方發言人加里多表示，該組織建立一個詐騙行銷系統，並在國際大麻博覽會中說服民眾進行投資，並聲稱利用投資者的資金轉移建立合作夥伴關係，為大麻種植計畫提供援助。透過詐騙行銷系統的運作，該組織向受害者承諾每年有近70%到168%的利潤。

虛假商業模式
《WION》指出，JuicyFields以虛假的商業模式吸引受害者，並聲稱使用投資者的資金來種植大麻。然而，JuicyFields只是一個詐騙計劃，利用新投資者的錢財來償還先前投資者的資金，而當他們的資金流動無法償還所需時，所建立的資金系統便會崩潰。

英國國家犯罪局（NCA）稱其為「惡名昭彰且精心策劃的龐氏騙局」，並表示約有 18 萬人向JuicyFields投資。目前，警方封鎖兩個分別有58600歐元和116300歐元的加密貨幣帳戶，並追回了106000歐元現金，其價值26億歐元的財產也被沒收。

如今，9名嫌疑人因涉嫌詐欺而分別在西班牙、英國、德國、拉脫維亞、波蘭、義大利和多明尼加共和國被拘留，在西班牙和英國等多個警方的共同努力下，JuicyFields已被關閉。

https://www.cps.gov.uk/cps/news/specialist-cps-team-involved-uks-largest-bitcoin-seizure
Specialist CPS team involved in UK’s largest Bitcoin seizure
–20 March 2024|News, Fraud and economic crime

An ex-takeaway worker has been convicted (Wednesday 20 March 2024) of laundering the proceeds which saw her rise from living above a Chinese restaurant to residing in a multi-million pound house in an affluent part of North London.

Jian Wen, 42, was found guilty at Southwark Crown Court of an offence relating to money laundering.

A Metropolitan Police investigation resulted in the CPS seizure of Bitcoin wallets from Wen, with an initial estimated value in excess of £2 billion. Prosecutors told the court the sheer scale of the seized Bitcoin, the lack of any legitimate evidence for how it was acquired and its connection to a massive investment fraud in China, all indicated that it was criminal property. The original fraud and acquisition of the Bitcoin was undertaken by another suspect who is yet to be arrested and brought before the court. Wen was involved in converting significant amounts of Bitcoin into cash and other expensive assets, on behalf of the international fraudster.

Prior to working for her “employer”, Wen lived a modest lifestyle in Leeds, with declared earnings in 2015 and 2016 of just £12,800 and £5,979. Her fortune changed significantly when she met the fellow Chinese national who was the source of the Bitcoin.

In 2017, they moved into a six-bedroom property in London, at a rental cost of over £17,000 each month. The two women presented themselves as successfully operating an international jewellery business, with Wen operating as the English-speaking and apparently legitimate front person for her employer. Wen was later joined by her young son, who moved from China to attend a private school in the UK, benefitting from her newly affluent lifestyle. Wen later stated that she had been gifted 3,000 Bitcoin, then valued at approximately £15 million, by her employer.

Between Autumn 2017 and late 2018, Wen made efforts to purchase properties in London, valued at £4.5 million, £23.5 million, and £12.5 million. She was hampered by difficulties converting sufficient Bitcoin into Sterling and by “know your customer” questions asked of her under anti-money laundering regulations. When challenged about the source of the proposed funding for the property purchases, Wen claimed it came from legitimate sources including Bitcoin mining, a claim that was ultimately not accepted by those she instructed to assist with the sale.

Between 2017 and 2019, Wen also travelled abroad extensively, throughout Europe and elsewhere, largely enabling the conversion of large amounts of Bitcoin into more tangible assets. A receipt addressed to Wen, for example, showed jewellery worth tens of thousands of pounds had been purchased in Zurich. In 2019, she travelled to Dubai, arranging to view a number of properties for sale. In October and November of that year, she went on to purchase two properties in Dubai. Their value in total amounted to more than £500,000.

Throughout the course of the investigation and subsequent trial, Wen denied knowing that any of the Bitcoin was derived from criminality and had no suspicions about its scale.

The CPS Proceeds of Crime Division used its civil powers to obtain a Property Freezing Order from the High Court against Wen whilst it undertakes a non-conviction-based civil recovery investigation. That investigation could result in the forfeiture of the seized Bitcoin regardless of whether Wen or the other suspect are convicted.

Andrew Penhale, Chief Crown Prosecutor, said: “Bitcoin and other cryptocurrencies are increasingly being used by organised criminals to disguise and transfer assets, so that fraudsters may enjoy the benefits of their criminal conduct. This case, involving the largest cryptocurrency seizure in the UK, illustrates the scale of criminal proceeds available to those fraudsters.

“Although the original fraudster remains at large, the Metropolitan Police and CPS have successfully secured a money laundering conviction against Jian Wen, an individual employed to launder criminal proceeds. The CPS will now work to ensure, through criminal confiscation and civil proceedings, that the criminal assets remain beyond the fraudsters’ reach.

“The CPS is committed to working closely with law enforcement and investigatory authorities, to bring to justice individuals and companies who engage in laundering criminal proceeds through cryptocurrency.”

Adrian Foster, Chief Crown Prosecutor said: “The CPS has used the full range of our criminal and non-conviction based civil asset recovery powers, to firstly freeze and then look to seize the very large quantity of cryptocurrency and other assets, used by Wen and her “employer” to fund their extravagant lifestyle.

“We have worked with the Police to obtain freezing orders preserving all the seized cryptocurrency, and a CPS-led civil recovery investigation is running to establish that the frozen cryptocurrency is criminal property and to seek its forfeiture.”

Detective Chief Superintendent Jason Prins, Metropolitan Police, whose team led the investigation, said: “Thanks to the hard work and perseverance of highly skilled detectives in the Met, we have been able to disrupt a sophisticated economic crime operation – the sheer scale of which demonstrates how international criminals seek to exploit cryptocurrency online.

“Our team have helped secure justice today and have persevered to trace this Bitcoin and identify the criminality it was linked to.

“Today’s verdict and lengthy five-year investigation demonstrates that we’ll leave no stone unturned in our pursuit to catch criminals who look to enjoy the proceeds of illicit funds – no matter how complex the case.”

Notes to editors

•Andrew Penhale is the Chief Crown Prosecutor for the Regional and Wales Division of the CPS Serious Economic, Organised Crime and International Directorate
•Adrian Foster is the Chief Crown Prosecutor for CPS Proceeds of Crime Division of the Serious Economic, Organised Crime and International Directorate
•Jian Wen (DOB: 25/12/1981) has been found guilty of one count of entering into or becoming concerned in a money laundering arrangement at Southwark Crown Court and is due to be sentenced on 10 May 2024
•Where a defendant refuses to pay their Confiscation Order in a timely way, CPS Proceeds of Crime Division can invite the court to impose an additional default sentence on them of up to 14 years’ imprisonment. The full debt continues to be in force until it is paid, and interest is charged against it at the civil judgement debt rate, currently 8%
•Where they are found to have additional available assets in the future, the CPS may ask the court to revisit the order and make an additional confiscation order up to the value of their full criminal benefit

—

Woman found with £2bn in Bitcoin convicted of money laundering arrangement offence

A former takeaway worker found with Bitcoin worth more than £2bn has been convicted at Southwark Crown Court of a crime linked to money laundering.

Jian Wen, 42, from Hendon in north London, was involved in converting the currency into assets including multi-million-pound houses and jewellery.

On Monday she was convicted of entering into or becoming concerned in a money laundering arrangement.

The Met said the seizure is the largest of its kind in the UK.

Although Wen was living in a flat above a Chinese restaurant in Leeds when she became involved in the criminal activity, her new lifestyle saw her move into a six-bedroom house in north London in 2017 which was rented for more than £17,000 per month.

She posed as an employee of an international jewellery business and moved her son to the UK to attend private school, the Crown Prosecution Service (CPS) said.

That same year, Wen tried to buy a string of expensive houses in London, but struggled to pass money-laundering checks and her claims she had earned millions legitimately mining Bitcoin were not believed.

She later travelled abroad, buying jewellery worth tens of thousands of pounds in Zurich, and purchasing properties in Dubai in 2019.

Another suspect is thought to be behind the fraud but they remain at large.

The Met said it carried out a large scale investigation as part of the case – searching several addresses, reviewing 48 electronic devices, and examining thousands of digital files including many which were translated from Mandarin.

Det Ch Supt Jason Prins, whose team led the investigation, said the “sheer scale” of the operation “demonstrates how international criminals seek to exploit cryptocurrency for illegal purposes”.

“This verdict and lengthy five-year investigation demonstrates that we’ll leave no stone unturned in our pursuit to catch criminals who look to enjoy the proceeds of illicit funds – no matter how complex the case,” he said.

The CPS has obtained a freezing order from the High Court, while it carries out a civil recovery investigation that could lead to the forfeiture of the Bitcoin.

The value of the Bitcoin was worth around £2bn at the time of initial estimates – but due to the fluctuation in the currency’s value, it has since increased to around £3.4bn.

CPS chief crown prosecutor Andrew Penhale said Bitcoin and other cryptocurrencies “are increasingly being used by organised criminals to disguise and transfer assets, so that fraudsters may enjoy the benefits of their criminal conduct”.

He added this case “illustrates the scale of criminal proceeds available to those fraudsters”.

Wen is due to be sentenced on 10 May.

—

How Chinese takeaway worker led police to Bitcoin worth £3bn in Britain’s biggest ever cryptocurrency seizure
Jian Wen, 42, was said to have been the “front person” recruited to help fugitive Yadi Zhang launder the profits of a £5bn fraud.

Within weeks of Yadi Zhang’s arrival in London in September 2017, Jian Wen had left her job and room in a Chinese takeaway and moved into a £5m six-bedroom house near Hampstead Heath.

The women, who claimed to run an international jewellery business trading in diamonds and antiques in countries including Japan, Thailand and China, travelled the world and spent tens of thousands of pounds on designer clothes and shoes in Harrods.

In her newly affluent lifestyle, Wen bought a £25,000 E-Class Mercedes and sent her son to the £6,000-a-term Heathside preparatory school.

But alarm bells rang when she tried to buy some of London’s most expensive properties, including a £23.5m seven-bedroom Hampstead mansion with a swimming pool and a nearby £12.5m home with a cinema and gym.

Wen, who had declared income of just £5,979 in the 2016/17 financial year, could not explain the source of the Bitcoin she would use to pay for the properties and police first raided the women’s home on 31 October 2018.

But it would be another two-and-a-half years before investigators realised they had made the UK’s biggest-ever cryptocurrency seizure when more than 61,000 Bitcoin were discovered in digital wallets.

The cryptocurrency was worth £1.4bn at the time but its value has now risen to more than £3bn, while 23,308 Bitcoin, now worth more than £1bn, linked to the investigation remains in circulation.

The £5bn investment fraud

The Bitcoin came from a £5bn investment scam carried out in China by Zhang, 45, who arrived in the UK on a false St Kitts and Nevis passport after conning nearly 130,000 Chinese investors in fraudulent wealth schemes between 2014 and 2017, a court heard.

Wen was not alleged to have been involved in the underlying fraud.

Zhang, who is also known as Zhimin Qian (which means money in Chinese) has fled the UK and her whereabouts are unknown.

Wen, 42, has been found guilty of one count of money laundering between October 2017 and January 2022 and the jury failed to reach verdicts on two similar counts following a trial at Southwark Crown Court.

Prosecutors are not seeking a retrial and Wen will be sentenced on 10 May.

She was acquitted of 10 other money laundering charges at a trial last year, which could not be reported over fears hackers could target the firm holding the seized cryptocurrency if the figures involved were made public.

As a Category A prisoner, Wen, a small woman wearing large round glasses, was led to the witness box in handcuffs, while two dock officers guarded the door as she gave evidence.

She told jurors she grew up in a working-class family in China, where she met her husband Marcus Barraclough before coming to the UK while heavily pregnant on a spousal visa in 2007.

Wen’s lifestyle change

The relationship broke down following the birth of their son and she lived a modest lifestyle in Leeds, where she took a law diploma and completed a BA in economics before moving to London in the summer of 2017.

She had already opened cryptocurrency accounts, making meticulous notes in her Wallace and Gromit notebook, but said she had “no idea” she would soon be dealing with Bitcoin on such a “massive scale”.

She applied for dozens of jobs while working in a Chinese takeaway in Abbey Wood, southeast London, where she lived in a room below the restaurant.

Wen said she saw an advert on Chinese social media app WeChat for a “butler” and first met Zhang at the five-star Royal Garden Hotel in Kensington. She later described her role as “live-in PA for a high net worth individual” on her CV.

The women soon moved into a £17,000-a-month Hampstead home after paying a £40,000 deposit and six months’ rent in advance.

Wen took trips to Thailand and Dubai and the women travelled extensively throughout Europe, with Zhang – who used aliases including Rose, Emma, and Hua Hua – avoiding countries with Chinese extradition agreements.

Hampstead mansions and a Tuscan villa

They sold Bitcoin and bought fine jewellery, with receipts found for £25,600 and £18,750 from Christopher Walser Vintage Diamonds, in Zurich, and two watches worth around £49,300 and £69,900 from Van Cleef & Arpels in Switzerland.

Over a three-month period at the end of 2017, more than £90,000 was spent in Harrods on designer women’s clothes, jewellery and shoes using a rewards card in Wen’s name, although she told jurors: “I was the one carrying the bags.”

Wen bought two apartments in Dubai for more than £500,000 and looked into buying a £10m 18th century Tuscan villa with a sea view.

But efforts to buy multimillion-pound properties in London triggered anti-money laundering checks and none of the purchases went ahead because the source of the Bitcoin could not be explained.

Wen initially claimed the cryptocurrency had been mined, then said it was given to her as a “love present”, drawing up a deed of gift stating she had been given 3,000 bitcoin, then worth £15m, by Zhang.

Prosecutors said Wen acted as a “front person” to help disguise the source of the stolen money, which had been used to buy cryptocurrency to remove the proceeds from China.

‘I was duped’

Gillian Jones KC said when Zhang landed in London she needed to convert the Bitcoin back into cash or “property, jewellery or other high-value items”.

Wen accepted she was involved in an arrangement dealing with some of the cryptocurrency but said she did not know or suspect it was from the proceeds of crime, claiming she was “duped” by the woman she called her boss.

“We were close… but looking back now, I was badly used,” she said. “I have no idea where she is.”

Police say they are still actively looking for Zhang.

Two arrests as police raid Herts and Essex homes in illegal Sky TV streaming investigation

Two Essex men thought to be behind an £800,000 “sophisticated large-scale criminal operation” selling illicit TV subscription packages across the UK have been arrested.

Simultaneous police raids on residential addresses in Harlow and Chigwell in Essex, Waltham Cross in Hertfordshire and Lanarkshire in Scotland on Tuesday (December 12) resulted in the pair, in their 30s, being arrested on suspicion of fraud, money laundering and intellectual property offences.

A 35-year-old man was detained in Chigwell, where specialist financial investigators seized £17,000 in cash, custom streaming devices and digital devices, which were sent for further examination.

A 33-year-old Harlow man was also arrested for firearms licence breaches after two shotguns were seized.

They were taken into police custody for questioning and subsequently bailed. Enquiries are ongoing.

The investigation, led by the Eastern Region Special Operations Unit (ERSOU), relates to a Telegram channel selling unauthorised access to Sky TV packages, which are thought to have been resold to thousands of end users, earning those involved more than £800,000.

Det Insp Steve Payne, from ERSOU’s regional organised crime unit, said: “Yesterday’s arrests form part of an investigation into a sophisticated large-scale criminal operation which has generated significant sums of money through the illicit sale of TV subscription packages.

“We know from experience that the money generated through illegal means such as this often goes on to fund wider organised criminality, which is why it’s key to apprehend those involved.

“We have also gained access to the details of those purchasing the streams, and I would remind anyone doing so that they will be breaking the law and could ultimately be subject to criminal proceedings.”

Matt Hibbert, director of anti-piracy, UK and Republic of Ireland, at Sky, said: “We’re grateful to ERSOU and to the forces involved for taking this action, which will have a significant impact on the illicit sale of Sky TV.

“We’ll continue to support efforts to shut down the organised networks involved in the large-scale theft of our content and to protect consumers from the risks involved in accessing content in this way. Anyone concerned about those risks can visit BeStreamWise.com for more information.”

Illegal streaming services are increasingly operated by sophisticated criminal networks, often involved in other types of crime including cyber-crime. Using illegal streams can give criminals your personal information from which they can steal your money or identity and increases the risk of devices being infected with viruses and malware.