Mastermind of 'one-stop shop' fraud website with one million victims jailed

The ringleader of a website that promised to provide a "one-stop shop for phishing" has been jailed for eight and a half years.

Zak Coyne, 24, headed up a platform called LabHost which defrauded at least one million victims across the world - including 70,000 in the UK - of more than £100m by tricking them into using payment services and shopping sites that looked real.

More than 2,000 scammers signed up to the subscription-based site, many without technical skills, and used it to bombard victims with text messages which took them through to the payment sites.

Coyne, of Huddersfield, was sentenced at Manchester Crown Court on Monday after admitting three fraud-related offences last year.

His site, LabHost, was taken down in April 2024 following a combined law enforcement operation between the Metropolitan Police and global agencies.

Between August 2021 and October 2023, Coyne played a key role in creating, operating and administering the site.

Labhost described itself as a "one-stop shop for phishing" created "for spammers by spammers".

For a large monthly membership fee, the website provided its subscribers with access to phishing pages to defraud victims, which had the appearance of legitimate major banking, government and commercial websites but were fake.

Using authorised push payment (APP) fraud, amateur scammers could steal identity information, including 480,000 bank and credit card numbers and 64,000 PIN codes, known in criminal slang as "fullz data".

Criminals used the site to defraud at least one million victims in 91 countries, with the total losses to victims totalling £32m in the UK and an estimated £100m globally. LabHost itself made nearly £1 million ($1.25m) in profits from criminals.

Some 25,000 of the UK victims were identified by police and sent text messages informing them which fake online payment services and shopping sites could have taken their money. Detectives said their personal details, found in a data dump from LabHost, were now "secured".

After taking the site down, police sent a tailored video to 800 criminals who had used it, showing them the evidence they had gathered during the investigation.

Last year, 24 suspects linked to the site were taken into custody, with arrests at Luton and Manchester airports. Worldwide, 70 properties were searched and one British man charged.

Commander Stephen Clayman of the Metropolitan Police said the cases demonstrated the "commitment across law enforcement to identify and hold those to account who facilitate criminal enabling functions and think they can remain undetected. We will find you and take action."

Craig Rice, chief executive of the Cyber Defence Alliance, said that such "cybercrime-as-a-service platforms" like this one had the ability to "enable thousands of other fraudsters to conduct online frauds that impacts bank and retail customers across the UK".

Thomas Short, Specialist Prosecutor for the Crown Prosecution Service, stressed that "fraud is far from a victimless crime and the harm caused by Coyne's offending are measured not just in monetary terms, but also in the distress inflicted on countless victims who fell prey to these scammers".

The gang's activities were discovered in 2022 by a small team of investigators funded by UK financial bodies to infiltrate criminal networks on the dark web.

This investigation is an example of a new approach involving police, the National Crime Agency and banking security experts to target criminals offering services to other criminals.