His laptop open in front of him and his phone by his side, Jones, 33 – a South Australian, had previously worked for state Liberal MP Michelle Lensink and had taken on an unpaid internship with a Sydney rugby team.

Jones was also was scamming millions of dollars.

But with his back to the shelves of books and a view out on to busy Botany Rd, he was completely unaware that police were moving in.

Suddenly, detectives grabbed his arms and pulled him to his feet, taking his laptop and mobile phone.

Several hours later, in SA, detectives were walking up the front steps of a house in Seaton occupied by Emily Walker, 29, and Jason Lees, 34,

Only a few weeks earlier, police had raided the house, seizing numerous electronic devices.

When they came through the door on February 6, 2020, they found those items had been replaced with new devices.

The three arrests on that day marked the culmination of SA’s largest cybercrime investigation, Operation Captcha, which brought to an end a criminal enterprise that had siphoned millions of dollars and the personal information of thousands of victims.

 CAPTCHA 

At the heart of Operation Captcha was a cybercrime – the use of stolen passwords and credentials to gain access to networks where money and personal information would be harvested.

 The investigation started with SA Police’s Cybercrime Investigation Section but quickly expanded to include personnel from the Digital Evidence Section, Forensic Accountants and Confiscation sections.

 By the end of the operation police in NSW were on board and financial institutions across the country were co-operating.

Senior SA Police officers sat down with the Sunday Mail to detail the operation.

Detective Sergeant Sam George said the lesson behind the operation was the need for cyber security and the dire consequences of the loss of personal information.

 “Once those details have gone, they are impossible to get back and the only solution is to change many of your details,” he said.

 “For us crime prevention is far easier than investigating a crime of this size and complexity.”

 Cybercrime was an ever-present risk, Sergeant George said – with people having so many personal details and data online – and the damage could be extraordinary.

THE ADVISER 

At the time of his arrest, Jones was no stranger to the police. In 2012, he was given an 18-month suspended sentence for 74 counts of fraud. At the time, he was a policy adviser to Ms Lensink, who was then in opposition.

Jones pleaded guilty to stealing people’s personal information and signing up for credit cards in their names. He was jailed for more than two years for fraud offences.

Not long after being released on parole, Jones started communicating with Lees over the dark web. Despite meeting online, the pair lived only a short distance apart, with Jones based in Brompton.

Together with Walker, the pair started down a path of deceit and fraud which would become their day jobs – involving tens of thousands of bank and phone accounts. Walker and Lees used real estate websites to find empty houses and used those addresses on bank applications. However, they didn’t want to go too far afield, with all the addresses within a 5km radius of their home.

Police began monitoring Jones after they became aware of cryptocurrency activity in his name. This led them to Walker and Lees, and the scope of the investigation grew as dozens of businesses and hundreds of individual victims came to light.

 THE SCRIPT 

Sergeant George said two initial victims were completely different. “One was a school and one was a construction company, one in NSW, the other in Victoria,” he said.

“Money was siphoned from those two companies and placed into mule accounts, and we found those accounts were in names of people whose identities had been taken as part of other network intrusions.”

Those intrusions involved the group using stolen network passwords bought on the dark web to log in remotely to business servers. They used remote desktop protocols – a method of logging in to systems remotely often used by employees working from home or IT professionals looking to fix problems externally – to gain access.

The hackers would leave a script – a series of letters and numbers designed to change the functioning of a system in a small, often imperceptible way – within the network.

“Quite often, what they would do when they remoted in was just sit and watch – sometimes for weeks or months,” Sergeant George said.

“They would note what time the company would send payroll to the bank. Then just prior to the files being uploaded they would activate the script.”

The small program would change all the bank account details to fake accounts and, once the money was paid into those, change everything back to the way it was. When employees would ask why they hadn’t been paid, the businesses would be left looking at a perfectly normal payroll spreadsheet.

 THE TRAIL 

Once the money was transferred, it was either moved on to other fake accounts or withdrawn from ATMs.

But the trio weren’t only interested in the payroll. While inside their systems, the hackers would harvest all the personal information of the companies’ employees.

Medicare numbers, copies of driving licences, mobile phone numbers, addresses, next-of-kin details, bank accounts and superannuation numbers were all skimmed. With those details, Walker, Lees and Jones set about creating their network of mule accounts designed to receive the stolen money before it was moved on.

The accounts were created in the names of the real employees which would then be used to receive the stolen funds from intrusions into other networks. To go along with the mule accounts, the trio created fake phone accounts and took out credit cards.

Jones was able to claim superannuation from several victims’ MyGov accounts. Some of the credit cards were used to pay for private servers and cloud storage where enormous quantities of stolen data would be stored so it could be shared between the three members remotely.

In some cases, the trio would use the private servers of a company they had compromised to launch the next attack on another network.

When police were given access to the cloud storage with the aid of court orders and warrants, they found hacking tools, examples of the script used to redirect funds and thousands of examples of private information. They also found a crypto wallet which had at least $10m worth of currency pass through it.

 A LINE IN THE SAND 

The trio were charged with a range of serious offences, including unlawful modification of computer data and using a computer to facilitate a serious offence in another state.

“Data analysis of their devices, which occurred later on, cemented what we already knew and uncovered a lot more,” Sergeant George said. “The data involved in this matter would have taken years to get through and realistically we had to ask what difference it was going to make to the penalty.

“We had to draw a line in the sand of what we were going to pursue.”

Walker and Lees, confident in their encryption, indicated they were planning to plead not guilty. So the SA detectives put on a presentation.

“We showed them screenshots of what we had from their devices and they were somewhat shocked. That got the ball rolling to them pleading guilty,” Sergeant George said.

During separate but similar sentencing submissions in Adelaide and Sydney, the trio said they had cocaine, methamphetamine and alcohol addictions that were costing thousands of dollars a month.

Jones was sentenced to 11 years in prison in NSW with a non-parole period of 6½ years. Walker was sentenced to four years and 11 months with a non-parole period of two years and 10 months. She will likely be deported to the UK on release.

Lees was sentenced to eight years and nearly seven months, with a non-parole period of five years. He has launched an appeal against the length of his sentence.

More Coverage

Deportation looms as loved-up hackers jailed for $18m fraud

Sean Fewster

Loved-up hackers headed to jail over $18m fraud

Sean Fewster

Originally published as Operation Captcha: Police reveal how they bought down an $18m identity scam run by Adam Jones, Emily Walker and Jason Lees