A 25-year-old Malaysian student detained in Oslo for driving an IMSI-catcher around the office of Norway’s Prime Minister, the Defense Ministry and other government buildings is now believed to have been working for an international gang of fraudsters. The suspect was arrested on September 8 and charged with espionage two days later. The basis of the charge appears to have been the route taken by the suspect’s rented car, as determined by matching CCTV camera footage to radio signals detected in the government quarter, with the belief he was attempting to intercept sensitive communications. However, the interrogation of the suspect by Norway’s Police Security Service (Politiets sikkerhetstjeneste, PST) led them to conclude he is not a spy after all. The espionage charge has now been dropped and PST used their X account to announce they were handing over responsibility for further investigation to Økokrim, Norway’s national law enforcement authority for economic and environmental crimes.
I PSTs etterforskning av den malaysiske statsborgeren som ble pågrepet 8. sep., er hypotesen om ulovlig etterretning klart svekket. Samtidig er hypotesen om økonomisk organisert kriminalitet vesentlig styrket. Derfor overtar fra i dag Økokrim etterforskningsansvaret i saken.
— PST (@PSTnorge) September 22, 2023
This announcement can be roughly translated as saying suspicions about the Malaysian citizen being engaged in intelligence gathering have been ‘clearly weakened’ whilst suspicions relating to financially motivated organized crime have been ‘significantly strengthened’. This is echoed by a lengthier statement issued by Økokrim.
Økokrim har i dag overtatt etterforskningsansvaret for en signaletterretningssak som til nå har vært etterforsket av PST. Det er mistanke om forsøk på en mengde grove bedragerier.
Økokrim has today taken over investigative responsibility for a signals intelligence case that has until now been investigated by PST. Attempts at a number of gross frauds are suspected.
State prosecutor Marianne Bender explicitly referred to an IMSI-catcher being used for fraud in both Oslo and in Norway’s second-largest city, Bergen, which lies 190 miles (300 km) to the west of the capital. This implies the same frauds were being conducted at a large scale, affecting hundreds of thousands of mobile phone users.
Økokrim har tatt over etterforskningsansvaret for denne saken fra i dag fordi det er vi som etterforsker store økonomiske straffesaker. Vi vil nå se på saken og vurdere å endre siktelsen fra ulovlig etterretningsvirksomhet til forsøk på en mengde grove bedragerier ved bruk av IMSI-catcher i Oslo og Bergen…
Økokrim has taken over the investigation responsibility for this case from today because we are the ones investigating major financial criminal cases. We will now look at the case and consider changing the charge from illegal intelligence activities to attempts at a number of gross frauds using IMSI-catchers in Oslo and Bergen…
Norway’s authorities have never dealt with a fraud of this type before.
Saken er stor og omfattende, og trolig dreier det seg om organisert kriminalitet med forgreninger internasjonalt… dette ser ut til å være en bedragerimetode som hittil har vært ukjent for oss her i Norge, og der skadepotensialet for samfunnet og enkeltmennesker er svært stort…
The case is large and extensive, and probably involves organized crime with international ramifications… this appears to be a method of fraud that has so far been unknown to us here in Norway, and where the potential for damage to society and individuals is very large…
The name of the suspect has not been disclosed but local media reported he had only lived in Norway for a short time. He was not enrolled at any Norwegian college despite being described as a student. His Malaysian citizenship was confirmed by Malaysia’s diplomatic representatives.
Nothing has been reported about the specifics of the scam or whether any Norwegians suffered losses as a result. However, a pattern emerges when we compare this story to other worldwide news about IMSI-catchers and similar radio communications devices being used for fraud.
Scammers in South East Asian countries developed a series of techniques to bombard mobile phones with SMS messages that lure victims into romance scams or which contain links to phishing websites. Though described as IMSI-catchers, they use devices which connect to mobile phones in the same manner as genuine base stations but without the ability to support the full two-way interception and relay of communications as would be necessary for man-in-the-middle surveillance. They instead focus on sending millions of SMS messages and potentially gathering the phone numbers of any handsets within range, whilst knowing they cannot be blocked by telcos because victims are not connected to genuine networks when attacks occur. The fraudsters’ SMS blasters were initially static and situated in densely populated areas which lots of people would travel through on a daily basis. However, fraudsters later appreciated they could better avoid detection and increase the number of victims by continuously moving their SMS blasters around using cars, vans or motorbikes. Organized criminal gangs recruit low-level stooges as drivers, with the additional comfort that the stooges may not know enough to incriminate anyone else if they are captured by police. The gang leaders are further protected from law enforcement if they live in a different country.
This same kind of scam was seemingly first identified in Europe at the very end of 2022. Police stopped a lone motorist in Paris and initially thought the radio device in the back of her car was a bomb. As with the Oslo case, the first arrest relied on good fortune and the authorities did not immediately appreciate what kind of crime had been committed. Further investigation in France revealed a gang that drove multiple IMSI-catchers around the suburbs of Paris. Those devices were used to send smishing messages to 400,000 Parisians, encouraging them to submit personal data to a bogus health insurance website.
The pattern is emerging but the public is not being warned about the potential risks, even though the same crime could be occurring in other countries without detection. This reticence is because governments and law enforcement agencies do not want to publicly admit they are not prepared to tackle this kind of fraud, despite the scale at which it is executed. It was luck that led the Malaysian suspect to drive near government buildings protected by anti-espionage equipment of the type needed to detect an anomalous base station. The rest of Norway’s population will not be protected like this. If the driver had remained in other parts of Oslo or only driven around Bergen then he would not have been caught. Governments and police often like to pass the buck for fraud prevention to big businesses, but there is nothing that telcos can do about this technique because it involves the use of radios that are not known or controlled by their networks. It can only be tackled by widespread police effort, as is starting to occur in some Asian countries like Vietnam. This will be problematic for a crime that the police would typically prefer to delegate to ‘specialist’ law enforcement teams. Relying on specialists will not help the initial detection of crimes that can target hundreds of thousands of phone users by driving an ordinary-looking car around ordinary streets.
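The detection approach described above, flagging a base station the networks do not know about and tracing its movement past fixed receivers so the route can be compared with CCTV, can be sketched as follows. This is an added example, not code from the article or from any agency it mentions; the sensor names, the cell registry and every observation are constructed, and the function names are hypothetical.

```python
from collections import defaultdict

# Constructed registry of licensed cells: (MCC, MNC, LAC, cell ID).
# 242 is Norway's mobile country code; all other values are made up.
LICENSED_CELLS = {
    ("242", "01", 1101, 50001),
    ("242", "01", 1101, 50002),
    ("242", "02", 2201, 61001),
}

# Constructed log from fixed monitoring receivers:
# (unix time, sensor, MCC, MNC, LAC, cell ID, signal strength in dBm)
OBSERVATIONS = [
    (1000, "sensor-A", "242", "01", 1101, 50001, -85),
    (1005, "sensor-A", "242", "01", 9999, 7, -48),
    (1010, "sensor-B", "242", "02", 2201, 61001, -90),
    (1065, "sensor-B", "242", "01", 9999, 7, -51),
    (1130, "sensor-C", "242", "01", 9999, 7, -47),
    (1135, "sensor-C", "242", "01", 1101, 50002, -88),
    (1140, "sensor-C", "242", "02", 3300, 12, -95),
]

def find_unlicensed_cells(observations, licensed):
    """Group sightings of broadcast cell identities absent from the registry."""
    sightings = defaultdict(list)
    for ts, sensor, mcc, mnc, lac, cid, dbm in observations:
        cell = (mcc, mnc, lac, cid)
        if cell not in licensed:
            sightings[cell].append((ts, sensor, dbm))
    return sightings

def mobile_transmitters(sightings, min_sensors=2):
    """Return {cell: route} for unlicensed cells that pass several fixed sensors."""
    routes = {}
    for cell, seen in sightings.items():
        route = []
        for ts, sensor, _dbm in sorted(seen):
            # Record a new waypoint each time the cell shows up at a different sensor.
            if not route or route[-1][1] != sensor:
                route.append((ts, sensor))
        # A real tower does not move; one seen at several sites is likely vehicle-borne.
        if len({s for _, s in route}) >= min_sensors:
            routes[cell] = route
    return routes

if __name__ == "__main__":
    rogue = find_unlicensed_cells(OBSERVATIONS, LICENSED_CELLS)
    for cell, route in mobile_transmitters(rogue).items():
        print(cell, "->", route)
```

The time-ordered route is the piece that can be matched against camera footage; an unlicensed cell seen by only one sensor is kept out of the result because it gives no movement to correlate.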



