A computer hacker who sold the personal data of thousands of people on the dark web faces jail after admitting a string of offences.
Police began investigating Grant West, 26, after he conned details from Just Eat customers in 2015.
The personal data of around 165,000 people was compromised.
Detectives later found he had 63,000 credit and debit card details – and seized more than £500,000 in bitcoins belonging to West.
He admitted charges including conspiracy to commit fraud, computer misuse, and drug offences.
West, from the Isle of Sheppey in Kent, used “phishing” emails to extract customer data from various companies.
Between July 2015 and December 2015 he targeted online food delivery firm Just Eat, using a scam in which customers received a bogus email offering a voucher in return for answering questions about the service.
The emails allowed West to harvest information – including customers’ names, addresses and payment card details – in order to sell to other criminals.
There is no suggestion that Just Eat’s own computer systems were hacked or compromised.
Detectives believe he targeted customers of just about every major online vendor, from “Argos to Uber”, as part of his criminal enterprise, using millions of email addresses to indiscriminately trick people into revealing their financial information.
Once he had a complete set of customer details he would sell them on via the now-defunct online dark web market Alpha Bay, with the user name “courvoisier”.
The details were sold as “Fullz” – a slang term on the dark web used to describe a full set of customer details that would allow others to defraud individual bank accounts and credit cards.
The courvoisier account sold details belonging to 9,627 people – many of whom lost significant amounts to other online fraudsters.
Police say West made more than £180,000 from the scam. The proceeds from his business were converted into Bitcoins and stored in multiple accounts.
The Just Eat phishing scam cost the firm more than £200,000 – but also gave specialist detectives from London’s Metropolitan Police their first lead.
West used his girlfriend’s laptop and police traced the computer via a series of IP addresses, despite his best efforts to cover his digital tracks.
As detectives moved in on West they realised that getting their hands on the laptop with his “fingers on the keyboard” was crucial.
A team of covert officers tracked West and while he was using the computer in the first class carriage on a train from Rhyl to London officers pounced on him, seizing the unlocked computer.
The arrest was captured on the train’s CCTV.
On the laptop they found the financial information of more than 100,000 people.
Officers also raided West’s home address and found an SD card with the details of 63,000 debit and credit cards, seven million email addresses with passwords, and the details of more than 500 companies – all the components required to commit mass online fraud.
They also seized £25,000 in cash and half a kilogram of cannabis.
As well as financial information, West also sold cannabis online – which he shipped to customers – and “how to” guides for fellow hackers.
Police say West treated his fraudulent activity as a “day job”, sometimes spending 18 hours a day hacking financial information and doing online deals.
At first sight his lifestyle was simple – the family home was a caravan in a residential park – but West funded luxury holidays and goods with stolen credit card details.
His former girlfriend, Rachael Brookes, 26, from North Wales, also enjoyed the cash generated by the frauds. At one point using stolen details to buy a new bikini.
She was sentenced on Wednesday to a community order after pleading guilty to unauthorised access of computer material.
His Honour Judge Michael Gledhill QC told Ms Brookes that she was “very fortunate indeed” not to be jailed and said of her relationship with West that she had “fallen into the arms of a villain and a rogue”.
West has no formal qualifications and, although he directed the frauds, investigators believe he was working with others.
Bitcoin “wallets” belonging to West were emptied the day after he was arrested. At current prices those Bitcoins are estimated to be worth £1.5m.
Detective Chief Superintendent Michael Gallagher – who led the investigation – said police were “uncovering the darkness and shady areas” where criminals operate on the dark web, and were “bringing them into the light”.
“There was a myth that Bitcoin in particular, and crypto-currencies more generally, was anonymous and it was also a myth that people can operate with impunity on the dark web and remain anonymous,” he said.
A spokesperson for Just Eat said “We were made aware of a phishing scam which took place in 2015 and at the time took steps to mitigate this… at no point were Just Eat systems compromised or breached.
“Protecting our brand and our customers from online fraud is of utmost importance to us.”
West will be sentenced on 25 May.