The GSE Multiplier Effect: Turning a Few UK Victim Reports into a 50,000-Account Criminal Case

As part of a pilot between the UK National Crime Agency (NCA) and Google facilitated by the Global Signal Exchange under the umbrella of the newly created Online Crime Center (OCC), Google has been able to identify a large-scale scam operation out of Nigeria. The threat actor used 50,000 "made for abuse" accounts and 5,000 fake websites to conduct global financial fraud and government impersonation. The associated Google Trust & Safety teams disabled all the associated accounts and have actioned the websites. Google’s CyberCrime Investigation Group has concluded the investigation by opening an affirmative litigation case against the threat actor.

Based on a small subset of signals which were collected from victim reports in the United Kingdom and shared through the GSE, Google uncovered a large-scale, professional-grade abuse network with indications of organized, centralized control.

The Investigation: The process began with a batch of 1,000+ signals shared by the NCA within a small group of four online tech platforms. Approximately half of these signals were URLs and the other half email addresses.

Among the email addresses, Google identified 87 Gmail accounts which connected to a cluster of nearly 50,000 accounts, with 91% originating from Nigeria.

A deeper analysis revealed a number of policy violations against Google’s Terms of Service and confirmed the malicious nature of the accounts which seem to be used in a variety of scams which included advanced payment fraud, extortion, invoice fraud, and social media celebrity fraud.

From 4 URLs that were shared by NCA through the GSE, the Google Trust & Safety team identified a templated scheme with ~5,000 cloned websites, impersonating banks. The websites also originated from West Africa, with the aim of luring victims into into revealing sensitive information, such as their bank login details.

Outcomes and Implications: The findings have been used to takedown all abusive Gmail accounts and make algorithmic improvements to catch the websites before they can reach users via Search. In addition, with the knowledge gained about the bad actors, Google is preparing to submit / has submitted a criminal referral to the NCA which works closely with Nigerian authorities.

Role of the GSE:

First, the GSE plays a critical role in facilitating the exchange. Once the technical connections are set up, the signals can start flowing in close to real time increasing the velocity of the investigation rapidly.

Second, the GSE allows sharing across multiple teams which can access the signals separately and pipe them into their own workflows to increase exposure.

Third, traditional ‘Notice and Takedown’: This relies on uni-directional messaging. It involves time-consuming contracting and technical integration, requiring the sender to pre-sort signals for relevance to each recipient. It is often linear: one signal leads to one action.

Last but not least, GSE ‘Observe and Pull’: This design allows for timely, less deterministic sharing. In this case, it led to a major discovery where a handful of signals unlocked a 50,000-strong network. Through automated machine-to-machine feedback, this enhances the situational awareness and responsiveness of all participants simultaneously.