NCA charges five over Russian Coms spoofing platform
The NCA charged five London residents over Russian Coms — a caller-ID spoofing platform behind 1.8M scam calls and 170,000 victims. Westminster court date Aug 14.
The public switched telephone network has never authenticated caller-ID end-to-end. The number a handset shows is a claim the originating carrier attaches to a call setup, and it survives across interconnects because downstream carriers relay that claim rather than verify it. That was fine in the 1980s, when the parties on both ends of a national interconnect were licensed telcos and nobody was renting outbound minutes on the wholesale market from a mobile app. Russian Coms sold access to what the trust model still allows.
The NCA said today it has charged five London residents over their alleged supply of Russian Coms devices and app subscriptions: Zakkaria Sehailia, 30; Ayoub Sehailia, 28; Usman Din, 30; Denis Ozmus, 29; and Fadila Salem, 53. Zakkaria Sehailia is additionally charged with failing to comply with a notice to provide phone passcodes; the other four face conspiracy-to-supply-articles for-fraud, transferring, converting, or acquiring criminal-property counts. All five appear at Westminster Magistrates’ Court on 14 August 2026.
The platform itself was live from 2020 through the NCA’s March 2024 takedown. It began as a handset — a mobile device marketed and sold by the operators — and later moved to a web-based application that lowered the per-subscriber cost of buying in. Neither variant required the customer to run any telecom infrastructure of their own. Trust in the calling-line identifier is a property of the network’s interconnect, not of the endpoint that placed the call, so once a spoofing gateway sits upstream of the interconnect it is upstream for anyone paying for access to it. That is the reason a small handful of platforms can service the volume of scam calls that end up on a bank’s fraud line.
Numbers, per the NCA: 1.8 million scam calls placed and around 170,000 confirmed victims, with total losses in the tens of millions of pounds. The 2024 takedown put the average victim loss at £9,400, a figure consistent with the platform’s primary lure — appearing on the target’s screen as an incoming call from a bank’s published fraud line, a mobile carrier’s account team, or a local police number. Once the number that the target’s own banking app tells them to trust is the number showing on the incoming call, the social-engineering script does most of the rest of the work.
Subscriptions ran £1,200 to £1,400 in cryptocurrency for six months, per the reporting on today’s charges. Today’s five sit inside Operation Henhouse, the NCA’s rolling anti-fraud operation, which has produced 290 arrests since the March 2024 shutdown. That is a large number for a single operation, and it matches the pattern in other recent cross-border scam-infrastructure takedowns — INTERPOL’s First Light 5,811 arrests in June, the Dutch police charging the impersonator behind the Odido vishing runs — where the tooling is centralised and the fraud operators renting the tooling are dispersed and multiple.
The load-bearing defence at the network layer is authenticated caller-ID at the originating carrier, and the UK is behind the US on it. Ofcom’s rules requiring UK operators to block inbound international calls that present a spoofed UK CLI are in force, but the equivalent of the US’s STIR/SHAKEN framework — the originating carrier cryptographically signing the CLI it puts on a call, so downstream carriers can verify rather than trust — is not yet mandated on UK domestic traffic. Until it is, the specific detail for a UK enterprise still running an outbound callback flow is the boring one: publish a single, clearly-signposted number that call recipients can always dial back into, and instrument outbound answer rates against your published CLIs. A spoofing run against your brand shows up first as complaint volume from customers who “called you back” and reached the fraudster’s callback line, not yours.
Found this useful? Share it.


