How Spain’s IP police busted a cyber criminal ring
Spain’s anti-piracy police tell Managing IP how the unit completed one of the first investigations of its kind into sellers using ‘hidden links’ to push fakes
It was a routine day in early 2020 at the anti-piracy unit of the Spanish National Police.
For regular officers, this may have meant patrolling the streets. But in this department, officers were on ‘cyber patrol’.
The head of the investigation, speaking to Managing IP on the condition of anonymity, says officers’ focus had been on browsing different social networks to locate criminal behaviour and identify new illicit methods.
“For some time, we had noticed an increase in the use of social networks as a means of disseminating criminal behaviour by cyber criminals,” she explains.
What officers then discovered on this routine patrol were sellers using so-called ‘hidden links’.
This phenomenon occurs when adverts for counterfeit products are displayed on social media. A link then takes consumers to listings of entirely different unbranded and non-counterfeit infringing products on e-commerce websites.
After the buyers make their purchases, they receive the originally advertised counterfeits they saw on social media.
The consumers are part of the scheme all along.
The anti-piracy unit’s subsequent investigation into this practice concluded this summer. Police uncovered three social media groups, each with more than 40,000 members, 30 different links to e-commerce websites selling thousands of counterfeit luxury brands, and sellers who had been working to order.
Six people, from different regions across Spain, were arrested.
In this instance, sellers were using Telegram.
The cloud-based instant messaging service provides optional end-to-end encrypted chats that can also self-destruct. It has attracted controversy in the past for allegedly being a preferred communication method for extremists.
“The Telegram channels are the ideal means to publicise the sale of this type of product,” says the unit’s head.
The channels were controlled by administrators, or intermediaries, who used open and closed groups to publish different images of counterfeit products every day alongside a link to an e-commerce platform.
Although the buyer is directed to the innocuous e-commerce listing, they will still ‘buy’ the original counterfeit item.
During the purchasing process, buyers were asked to include a code, which acted as a nickname for the Telegram intermediary that published the original hidden link. The ultimate manufacturer of the counterfeit product, which sent the item to consumers directly, then paid a per-sale commission to the Telegram administrator.
Once officers had established the mechanics of the system, a team of investigators, including eight tasked with working on the investigation full time, began conducting test purchases.
When received, the products were sent to the forensics unit to be analysed, says the anti-piracy unit’s head.
That unit then provided an expert report, which determined whether a product was counterfeit or not.
The forensic team’s findings were also accepted and relied on by judges tasked with deciding whether to grant orders sought by the anti-piracy unit, such as requests to track sellers’ data, permission to conduct surveillance, and search warrants.
Police time was largely split between analysing the social media channels and the sellers’ profiles, and seeking court orders, the head of the unit explains.
“It is a job that combines police investigation on networks and the internet with a traditional police investigation, such as requests for warrants and surveillance.”
In fact, the unit’s head says, cooperation from the courts was crucial in securing a successful outcome.
“The collaboration and involvement on the part of the Spanish justice system has been exemplary, especially considering the difficulty of the investigation.”
As with any investigation, though, there were some severe stumbling blocks. Most notably, and perhaps predictably, many of the problems occurred when trying to secure buy-in and support from Telegram.
The head of the unit describes a “total lack of collaboration” from the platform.
“At no time did it offer any type of help to the judicial or police authorities in order to unmask the people who commit all types of crimes – in the case at hand, crimes against IP.”
She adds: “Due to this lack of collaboration, criminal organisations roam freely on Telegram because of the feeling of impunity that it offers them.”
Managing IP attempted to contact Telegram’s press team but discovered you must be a member of the service to send a message.
However, the unit head adds that this type of operation, and the publicity it receives in the media, goes some way to counteracting the lack of punishment bad actors face online.
“If a person when looking for counterfeit products discovers channels that have been closed, police operations that culminate successfully and criminals that end up being convicted of this type of activity, in the end they will think twice about continuing to consume this type of product.
“Giving publicity to this type of operation is the best way to optimise the work of investigators.”
She adds that when a website is blocked, it is important that a message confirming this is displayed to users who try to access it.
Breaking down borders
The websites in question have been blocked in Spain, but the structure of the domain name system makes it difficult to stop them worldwide. Spanish legislation cannot oblige internet service providers in other countries to block sites, the unit head notes.
She says there is a need for stronger transnational legislation to take account of this and other problems with enforcement.
“Investigations will continue to locate and close new virtual businesses, but the collaboration of all the entities involved, as well as the existence of legislation, is essential. We are fighting against transnational crime, we cannot address it with national legislation.”
The EU’s Digital Services Act (DSA), approved in July this year, is one piece of legislation that could help achieve cross-border harmonisation.
One of its provisions is a rule compelling e-commerce platforms to collect information on their users. However, some critics say the DSA did not go far enough in this regard: they have criticised the act for not extending those requirements to other platforms, such as social media channels.
On the issue of monitoring, the head of unit adds: “The internet and the different social networks must be monitored to protect the citizens, and this feeling must reach the public.
“It is not about censorship or control, but surveillance against criminal activities. Just as a citizen is protected on the street, in the cyber sphere he or she should also be protected against violations of rights.”
We can expect plenty more cyber patrols, then, one would assume. As far as the police are concerned, the next challenge is to make sure those patrols and any subsequent action span international borders.