Arrests made after huge HMRC scam campaign hit 100,000 accounts
The Romanian nationals are accused of having used stolen data to make fraudulent claims


Romanian police have arrested 13 people believed to have been behind a phishing campaign on HM Revenue and Customs (HMRC) that cost millions in bogus tax refunds.
The men and women, aged between 23 and 53, are suspected of having stolen data then used to submit millions of pounds worth of fraudulent PAYE claims, as well as VAT repayments and child benefit payments.
The arrests were carried out by criminal investigators from HMRC, together with more than 100 Romanian police officers, in the Romanian counties of Ilfov, Giurgiu, and Calarasi.
30% off Keeper Security's Business Starter and Business plans
Keeper Security is trusted and valued by thousands of businesses and millions of employees. Why not join them and protect your most important assets while taking advantage of this special offer?
“These arrests show we work across borders with our international partners to combat tax crime in all its forms. We have a number of live criminal investigations, and we are grateful to our Romanian partners for their support," said Simon Grunwell, operational lead in HMRC’s Fraud Investigation Service.
“We have already acted to protect customers after identifying attempts to access a very small minority of tax accounts, and we continue to work with other law enforcement agencies both in the UK and overseas to bring those responsible to justice.”
Two other men, aged 27 and 36, were arrested in Bucharest in November on suspicion of cyber crime and fraud offences, with investigations still ongoing.
Last month, HMRC revealed that scammers had apparently netted £47 million by compromising around 100,000 taxpayer accounts. The tax office revealed a 38-year-old man has been arrested in Preston, apparently in connection with that attack.
Sign up today and you will receive a free copy of our Future Focus 2025 report - the leading guidance on AI, cybersecurity and other IT challenges as per 700+ senior executives
“This was organized crime phishing for identity data outwith of HMRC systems, so stuff that banks and others will also unfortunately experience, and then trying to use that data to create PAYE accounts to pay themselves a repayment and/or access an existing account,” said HMRC chief executive, John-Paul Marks.
What happened with the HMRC campaign?
The attack, which took place last year, was only revealed in June - drawing criticism from treasury select committee chair Dame Meg Hillier, who told HMRC that its failure to report details of the breach was ‘unacceptable’.
HMRC said it wrote to those affected in June and that it had locked down affected accounts and deleted login credentials - including Government Gateway user ID and passwords - to prevent future unauthorized access.
The tax office also revealed it removed any incorrect information from tax records.
"Tax scams are one of the biggest risks to citizens in the UK as criminals are adopting tactics to make them highly convincing, often using a mix of emails, post and SMS to send out fraudulent comms," said William Wright, CEO of Closed Door Security.
"The correspondence often looks genuine and it takes a very savvy consumer to question its authenticity, especially as criminals often hijack on key tax dates, such as the self-assessment deadline in January."
Make sure to follow ITPro on Google News to keep tabs on all our latest news, analysis, and reviews.
MORE FROM ITPRO
Emma Woollacott is a freelance journalist writing for publications including the BBC, Private Eye, Forbes, Raconteur and specialist technology titles.
-
Public sector cyber leaders are tired of clunky, outdated tools
News Cybersecurity practitioners in the public sector need more powerful tools to contend with a growing array of threats
-
Security researchers have just identified what could be the first ‘AI-powered’ ransomware strain
News Using OpenAI's gpt-oss:20b model, ‘PromptLock’ generates malicious Lua scripts via the Ollama API.
-
AI means cyber teams are rethinking their approach to insider threats
News Nearly two-thirds of European cybersecurity professionals see insider threats as their biggest security risk – and AI is making things worse.
-
74% of companies admit insecure code caused a security breach
News A large number of data breaches are linked to insecure code, prompting calls for better training
-
Data I/O shuts down systems in wake of ransomware attack
News Regulatory filings by Data I/O suggest the costs of dealing with the attack could be significant
-
Cyber pros say the buck stops with the board when it comes to security failings
News Fines, sanctions, and even prosecution are all on the table when it comes to cyber failings, practitioners believe
-
Microsoft quietly launched an AI agent that can detect and reverse engineer malware
News Researchers say the tool is already achieving the “gold standard” in malware classification
-
Employee distraction is now your biggest cybersecurity risk
News Workplace distraction is the top reason organizations fall victim to cyber attacks, according to new research.
-
Apple just released an emergency patch for a zero-day exploited in the wild – here’s why you need to update now
News Apple is warning millions of users of iPhones, iPads and Macs to update their software to protect against an out-of-bounds write vulnerability
-
Cyber teams are struggling to keep up with a torrent of security alerts
News Fragmented identity security processes are creating blind spots, and the proliferation of tools doesn't help