NCA data disrupts 50,000 fraud accounts in Google tool

The Global Signal Exchange has published a case study linking data from the UK's National Crime Agency to the disruption of nearly 50,000 fraudulent accounts and more than 5,000 fake websites, as the platform launches a new artificial intelligence-based search tool.

The case centres on 87 email addresses and four web addresses shared by the National Crime Agency through the exchange. Google's Trust & Safety team analysed those signals and identified a cluster of Gmail accounts linked to what the case study described as an organised criminal network operating out of West Africa.

According to the study, the accounts were tied to several types of fraud at once, including advance payment fraud, extortion, invoice fraud and government impersonation. Google's Cybercrime Investigation Group has submitted a criminal referral to the National Crime Agency, which is working with law enforcement in West Africa to pursue suspects.

The case study argues that a small batch of threat data can lead to far broader disruption when shared across multiple organisations rather than handled in isolation. The investigation uncovered links to almost 50,000 accounts and 5,000 cloned bank websites that had not previously been connected.

Wider sharing

The Global Signal Exchange is a UK-based non-profit owned and managed by Oxford Information Labs, also known as OXIL. Launched with Google, it is designed to let organisations share threat signals in real time across sectors and jurisdictions.

The system is intended to move beyond the traditional reporting model, in which one suspect account or website is reported to one platform at a time. In this case, sharing a limited set of indicators enabled parallel investigations and a broader view of the network behind the activity.

The publication also coincides with the release of GSE Platform 2.5.0. The update includes GSE Compass, a chat-based interface that allows analysts to query the platform's open DNS signal data in natural language.

OXIL said the tool is designed to help more partners use the exchange's dataset of more than 1 billion records without specialist technical expertise. It argues that this could widen access to threat analysis among participants without dedicated cyber teams.

Policy recognition

The platform has also received formal recognition in international and UK policy discussions on online fraud and cybercrime. An Industry Accord agreed at a United Nations Office on Drugs and Crime fraud summit in Vienna named the Global Signal Exchange as a platform for cross-border threat intelligence sharing, alongside signatories including Google, Meta, Amazon and Microsoft.

In the UK, a government progress report on online advertising fraud included a written ministerial response from Creative Industries Minister Ian Murray. In that response, Murray praised the exchange's malvertising pilot for making "significant progress in removing barriers to cross-platform information sharing".

The latest case study is likely to strengthen the case for broader data-sharing arrangements between technology groups, investigators and financial institutions. Fraud investigators have long argued that criminal networks exploit gaps between platforms, jurisdictions and sectors, especially when suspicious signals are handled separately.

Emily Taylor, chief executive of OXIL, said the case marks a shift in how the exchange is viewed by law enforcement and industry participants. "What the NCA case study shows is that the GSE is no longer a concept - it is operational infrastructure," Taylor said.

"We are seeing real enforcement outcomes: accounts disabled, criminal referrals made and supply chain weaknesses being designed out. The next stage is extending that into the financial sector, where GSE can make a significant difference in encouraging a progressive approach to data sharing in the collective fightback against scammers and bad actors. To this end, we are currently in positive discussions with a number of major banks and global payments brands," she said.

Lucien Taylor, co-founder of OXIL, said the West Africa case highlighted the limits of bilateral reporting between individual organisations. "The Vienna summit also made clear that the old model of bilateral notice-and-takedown is not equal to the scale of the problem," he said.

"What we need - and what the GSE is building - is a proactive, ecosystem-wide response. That means more regions, more sectors and more partners sharing signals in close to real time," Taylor said.