Bulgarian Man Sentenced for Massive Phishing Scheme
Svetoslav Donchev Helped Scam Victims Out of More Than $50 Million, Authorities Say
A Bulgarian man has been sentenced to nine years in prison after pleading guilty in connection with his role in running a large-scale phishing campaign that scammed victims out of £41 million ($51 million) over several years, according to the U.K. Crown Prosecution Service.
Svetoslav Donchev, 37, was arrested by Bulgarian and Metropolitan Police investigators in his home in Pleven, Bulgaria, where he lived with his parents, according to British prosecutors. Investigators also confiscated a computer that detailed the extent of his phishing scheme, according to the prosecution service. Donchev was later extradited to the U.K., and he pleaded guilty to five charges on Friday, British authorities said.
Donchev and the unnamed cybercriminal gang for which he worked targeted over 50 U.K. companies, stealing personal and financial data on as many as 500,000 individuals, prosecutors say.
"Donchev's criminal activity facilitated the compromise of hundreds of thousands of victims' personal details and banking credentials by the theft of their personal banking details," says Sarah Jennings, a prosecutor assigned to the case.
It's not clear when this particular scheme started, but investigators believe that Donchev helped create "website scripts" that were designed to look like legitimate webpages but were connected to servers controlled by the criminal gang, prosecutors say.
Victims were sent phishing emails that claimed their accounts needed verification to allow for a cash refund from the company that had its websites spoofed, prosecutors say. Those emails contained links back to the phony websites.
When a victim entered personal and financial information on the spoofed website, it was sent back to the criminal gang and eventually packaged up and sold on dark net sites, prosecutors allege. Donchev also created software to help the phishing emails bypass security features in various web browsers, they add.
"Donchev would not steal the bank details himself. He would supply the tools for others to do so," Jennings says.
Connections to Other Hackers
While U.K. prosecutors did not name the criminal gang for which Donchev worked, they did note that investigators found his name during the prosecution of Grant West - a notorious British hacker who carried out attacks that targeted more than 100 companies over a two-year period.
Grant, who pleaded guilty in 2017, is serving a 10-year prison term, and British police are confiscating more than $1 million in cryptocurrency that he accumulated through his crimes (see: $1.1 Million in Cryptocurrency to Be Seized From Hacker).
Increase in Fraud
Across the world, phishing campaigns continue to present a problem to law enforcement and security professionals trying to thwart the theft of credit and payment card data that’s resold on the dark net.
According to a 2019 report from U.K. Finance, a trade association for the U.K. banking and financial services industry, fraud losses from the theft of payments and credit cards totalled £671 million ($835 million) in 2018, a 19 percent increase from £565.4 million ($703 million) in 2017.
The report also notes that cybercriminals are moving away from targeting financial institutions, instead attempting to impersonate other businesses.
"The number of phishing websites targeted against U.K. banks and building societies has fallen to the lowest level ever this year," according to the report. "Intelligence suggests that criminals are instead increasingly impersonating other organizations such as online retailers, travel and leisure firms, [Her Majesty's Revenue and Customs] and telecommunication companies instead."
In a July report, the U.K.’s National Cyber Security Center, the public-facing arm of the U.K. intelligence agency GCHQ, noted that in 2018 it took down more than 22,000 phishing campaigns that were being hosted throughout the U.K., which led to more than 140,000 different attacks that year. The center's investigators also removed over 14,000 U.K. phishing sites designed to look like government sites.