The terrifying new generation of phone muggers who use a little-known feature on your mobile to drain your bank accounts and take out massive loans. And THIS is who they are targeting: STEVE BOGGAN

It was 1am and in a flash three young thieves had stolen almost a quarter of a million pounds from Alex White.

‘I didn’t realise what they had done until the next day,’ says Alex, 36. ‘I’d been working and hadn’t had time to check my emails. When I did, I found the thieves had applied for 20 loans and stolen £230,000 worth of cryptocurrency. I felt sick.’

This was no ordinary phone theft. This was a crypto mugging, where thieves target smart-looking, affluent young men after a night’s drinking with a view to stealing cryptocurrency, such as Bitcoin and Ethereum, in apps on their devices.

The tech-savvy crooks often empty bank accounts, take out huge loans and use payment apps to spend tens of thousands of pounds on clothes, phones, luxury accessories and more cryptocurrency.

‘It’s a massive and growing crime that takes advantage of the fact that we think our phones and the data on them are secure – unfortunately, they are not,’ says Detective Sergeant Rebecca Corser of the Metropolitan Police’s economic crime unit. ‘Cryptocurrency is particularly vulnerable as it is not regulated in the same way as traditional banking, so our opportunities to recover it once it has gone are more limited – there is no central body to go to when things go wrong.’

It is also a demonstration of the increasingly dangerous lengths to which criminals will go to get their hands on crypto.

Only this week, the unnamed daughter of a billionaire cryptocurrency exchange founder escaped a horrifying kidnap attempt in Paris, while in January David Balland, co-founder of ‘cryptowallet’ firm Ledger, was abducted, again in France. He was rescued – after his captors had chopped off one of his fingers.

Crypto mugging is relatively new, so no national statistics yet exist, but the Met has been collating its own figures for smartphone crypto and finance theft offences – and they are setting off alarm bells among forces across the country.

In 2022, there were 256 such offences in London. In 2023, this rose to 808. And between April and December last year – the latest figures available – there were another 438.

During the last quarter of 2024, detectives worked out for the first time that the average loss per crime was £12,063. If extrapolated across all three years, the total could be as high as £18 million.

‘We’re seeing a combination of thefts and robberies,’ says DS Corser. ‘Recently we have had two cases where victims lost more than £400,000 each. We’re wary that if a criminal group assess that they can make hundreds of thousands of pounds from a single attack on somebody, then violence is a possibility.

‘We’re also seeing instant online loans being taken out for tens of thousands of pounds in the West End at 2am using banking apps on stolen phones.’

More than 90 per cent of victims are males aged between 20 and 35 because young men have been early adopters of cryptocurrency.

The finance website Barron’s estimates 42 per cent of men aged 18-29 have invested in, traded or used cryptocurrency, compared with just 17 per cent of women of the same age.

Met figures show 85 per cent of offences occurred outside bars and clubs, usually in London’s West End, with intoxicated victims targeted. They often have their phones out to order taxis, locate venues or contact friends. This means devices will be unlocked and, if this occurs, thieves have ways of fixing the phone’s six digit passcode to lock out the phone’s owner and get into their finance and crypto apps.

Once the thieves change the passcode for the phone, they can change most other passwords even if the owner uses ‘two factor authentication’, where a message or text is sent to the owner to confirm it is them changing the password. This is because these messages and texts are sent to their phone… which crooks hold.

Herman Solomon, 34, from south London was part of a gang involved in phone thefts

Even using facial recognition to get into your phone is no guarantee it will be safe. Police have encountered incidents of thieves with knives pointing phones at victims’ faces to unlock them.

Alex [not his real name] was targeted just before Christmas last year. ‘It was December 18 and I had been out celebrating with friends in the West End,’ he says. ‘We had left a pub that had just closed and bought something to drink from a shop opposite. We were quite inebriated by then.

‘I was approached by two teenagers who started talking to me. I put my phone tightly in my fist but they then they got either side of me like bookends while a third teenager ran through and just grabbed the phone, and they all ran away.’

Alex believes his phone was locked but the thieves had watched him punch in his passcode earlier, a practice called ‘shoulder surfing’. He went to his home in west London and for an hour tried to access his iPhone’s ‘Find My’ function to lock the device and protect everything on it, but he couldn’t get in.

‘They had probably already changed the passcode, but I was foolish enough to think these kids would just sell or scrap the phone,’ he says. He went to bed.

After eight hours interviewing job applicants the next day, Alex accessed his emails for the first time since the robbery and had messages from his two banks saying thieves had applied for 20 online loans, where instant decisions are made based on the applicant’s banking history and credit rating.

They succeeded in getting two totalling £15,000, which they used to buy more crypto that was immediately transferred from Alex’s wallet. ‘It was all my savings, all my investments, and it was just before Christmas,’ he says. ‘I felt terrible, horrible.’

One of the reasons Alex felt so bad was that he works in IT – and has helped a number of cryptocurrency start-up companies.

Jacob Raki, 23, had his home raided and was a conspirator in the gang

‘I should never have left so much crypto on my phone,’ he says. ‘I should have kept it on a ‘cold wallet’ and put the code inside a safety deposit box at the bank. I’ll do that in future – and I would urge others to do the same.’

A cold wallet is a physical device unconnected to the internet, that contains the codes to access the cryptocurrency. If a crypto wallet isn’t connected to the internet, it can’t be hacked.

Another crypto mugging victim, Kush Chaudary, 36, also works for an IT company, as a team manager. Police are concerned that if this can happen to such smart tech executives as Alex and Kush, people with limited crypto knowledge could be easier prey.

Kush was targeted in 2023 after he left a bar in Soho at 2am.

‘I was with two friends and we’d had dinner and then drinks,’ he told the Mail. ‘One of my friends went to a corner shop to buy something, and this tall skinny man approached me and started a conversation. I was checking my phone, deciding whether to go home, when the guy grabbed my phone and put it in his pocket.’

The skinny man denied taking the device but slipped it to an accomplice behind him. When one of Kush’s friends took a picture of the thief, he and the accomplice ran away. Kush and his friend ran after them but were threatened by the thieves with a bottle.

Fortunately, plain clothes police had seen the commotion and they caught the skinny one. The other got away with Kush’s phone.

‘I was shaken but grateful,’ says Kush. ‘After making a statement, I didn’t get home until about 4am and assumed I had just been the victim of a petty theft – they had just stolen my phone and, while a huge inconvenience, it wasn’t the end of the world.’

Joseph Serry-Kamal, 23, was one of the thieves who targeted Kush Chaudary and stole his phone

However, the next morning when he checked his emails on his computer, he saw he had received a notification that his phone’s passcode had been changed at 2.08am. The picture of the skinny man that his friend had taken was timed at 2.07am – the thieves had gained total access to his phone, apps and the crypto wallet on the phone in just one minute.

They transferred £5,000 from his crypto wallet and several thousands more from his bank accounts. Later, they used the Apple Pay function on his phone to spend £4,000 on other phones at an Apple store and on £4,000 of high-end goods at Selfridges that included a Louis Vuitton hat and scarf. The total loss to Kush was around £16,500. But the crooks also took out instant loans for £22,000 in his name.

‘I was complacent and I’m annoyed about that,’ he says. ‘I had a false sense of security about my Apple iPhone. It’s the industry standard so you’re sure it’s totally secure, but I’m afraid that isn’t an assumption you want to make in today’s world. Things like Apple Pay make it easy and convenient for you to buy things, but we have to question ‘How is that convenience balanced by security?’ ‘

In the early days of phone crypto thefts, police found it almost impossible to find the perpetrators. But, because of their growing experience, the increasing availability of crypto-tracing software, and co-operation from big crypto exchanges such as Coinbase and Binance where currencies are bought and sold, officers are enjoying more success.

They are also tipping off other forces about techniques they are using, techniques they do not want highlighting in this article. This exercise is called Operation HoPI, where HoPI stands for ‘harvesting of personal information’.

Recently, in the first crypto case of its kind, the Met smashed a gang targeting Londoners. One of them was the ‘skinny man’ who stole Kush’s phone, and the sidekick to whom he passed it.

They were Joseph Serry-Kamal, 23, and Smon Tecle, 19, both from south London.

Inquiries found links with other robberies that resulted in raids on their homes and those of other conspirators, Jacob Raki, 23, and Herman Solomon, 34, also from south London. Detectives believe the gang was involved in up to 60 phone robberies between December 2022 and November 2023. The evidence led to two hearings and more than two dozen charges relating to conspiracy to rob, theft, handling stolen goods, dangerous driving, fraud, robbery and possessing a knife.

Smon Tecle, 19, was the other conspirator who stole Kush Chaudary’s phone

The gang was jailed for a total of more than eight years – the value of all the crimes was £225,000.

‘We’re very proud of what we achieved as a whole team – not just us, but all of the officers and entry teams who went on raids, and the digital forensics analysts,’ says DS Isabella Grotto, who led the investigation with colleagues DS Corser and DC Darryl Hunt.

Solomon and Tecle had previous convictions for drug possession and fraud. Raki and Serry-Kamal had only driving offences.

One aspect of the case that struck detectives was the involvement of Raki, apparently as the brains of the outfit.

‘He presents well as a young man, very well spoken and really quite smart,’ says DS Grotto.

‘He comes from a loving and supportive family. He’s a really bright young man who has loads of potential and seems to have fallen in with the wrong crowd. He’s still quite young, so hopefully he can turn his life around.’

Detectives tell me they believe phone companies should be doing more to protect customers,

particularly Apple. Almost 93 per cent of all crypto mugging crimes recorded involve Apple iPhones. These have a function called ‘Stolen Device Protection’ which recognises when a phone isn’t in a familiar location, such as home or work, and requires another layer of security – face or touch ID – so thieves can’t gain access even if they know the phone’s passcode.

It creates a delay before passcodes can be changed, giving victims time to block the phone.

However, Stolen Device Protection is inactive unless a user switches it on. Police say its existence has not adequately been brought to the public’s attention. Detectives believe it should be an ‘opt out’ decision. So, too, does UK Finance, which represents all the big banks.

Apple won’t commit to making this extra security a default setting that is always on. It said: ‘We sympathise with people who have had this experience and we take all attacks on our users very seriously, no matter how rare.’

This story, however, has a happy ending. Through a combination of fast police work, specialised software, and good contacts in the crypto sector, Alex and Kush got all their money back.

Alex’s case is still being investigated but his cryptocurrency has been traced and frozen, awaiting return. Kush was reimbursed by his bank for the thefts from his account, and the loans in his name were cancelled. Initially, his cryptocurrency exchange, Coinbase, refused to reimburse him, though it later relented when Kush argued that the security on his phone app was poor.

I asked Coinbase, which has a good record of cooperating with law enforcement, if other customers could expect the same treatment. After all, banks compensate victims of fraud. It did not reply.

Crypto muggers will continue to prey on the vulnerable, hoping tonight’s stolen phones will contain millions. The difference now is that they aren’t guaranteed to get away with their ill-gotten gains.