The GSE Multiplier Effect: Google identifies threat actors from West Africa with signals shared by UK NCA

As part of a pilot between the UK National Crime Agency (NCA) and Google facilitated by the Global Signal Exchange under the umbrella of the newly created Online Crime Center (OCC), Google has been able to identify a large-scale scam operation out of West Africa. The threat actor used ~50,000 fraudulent accounts and 5,000 fake websites to conduct global financial fraud and government impersonation. Google Trust & Safety teams disabled all the associated accounts and have taken action on the websites. Google’s CyberCrime Investigation Group concluded the investigation by submitting a criminal referral back to the NCA.

Based on a small subset of signals which were collected from victim reports in the United Kingdom and shared by the NCA through the GSE, Google uncovered a large-scale, professional-grade abuse network with indications of organized, centralized control.

The Investigation: The process began with a batch of 1,000+ signals shared by the NCA within a small group of four online tech platforms. Approximately half of these signals were URLs and the other half email addresses.

Among the email addresses, Google identified 87 Gmail accounts that were connected to a cluster of nearly 50,000 accounts originating from West Africa.

A deeper analysis revealed a number of policy violations under Google’s Terms of Service and confirmed the malicious nature of the accounts, which appear to have been used in a variety of scams, including advance payment fraud, extortion, invoice fraud, and social media celebrity fraud.

From 4 URLs that were shared by the NCA through the GSE, the Google Trust & Safety team identified a templated scheme with ~5,000 cloned websites impersonating banks. The websites, which also originated from West Africa, aimed to lure victims into revealing sensitive information, such as their bank login details.

Outcomes and Implications: The findings have been used to take down all abusive Gmail accounts and make algorithmic improvements to our detection systems. In addition, with the knowledge gained about the bad actors, Google has submitted a criminal referral to the NCA, which works closely with law enforcement authorities in West Africa.

Role of the GSE:

First, the GSE plays a critical role in facilitating the exchange. Once the technical connections are set up, the signals can start flowing in close to real time, rapidly increasing the velocity of the investigation.

Second, the GSE allows sharing across multiple teams and organisations, which can access the signals separately and pipe them into their own workflows to increase exposure.

Third, going beyond traditional content reporting: content removal relies on uni-directional messaging and is limited to a single action based on one signal. The GSE offers a different, more powerful framework in which signals of any type and number are placed on the GSE for deeper, more holistic investigations, without limiting the action to a takedown. Instead, signals can be used to refine risk models, as training data, and as enrichment.

Last but not least, GSE ‘Observe and Pull’: This design allows for timely, less deterministic sharing. In this case, it led to a major discovery where a handful of signals unlocked insights into a larger network of abuse. Through automated machine-to-machine feedback, this enhances situational awareness and the coordination of actions between industry and law enforcement.