LONDON — Politicians, officials and journalists working in the U.K. parliament are being targeted with alluring personalized messages and explicit images in what experts believe is a clear attempt to compromise them.
POLITICO has so far identified six men — four staffers, a political journalist and one senior Labour MP — who all received unsolicited WhatsApp messages from two suspicious mobile numbers between October 2023 and February this year.
All the messages were sent by one of two mobile phone numbers, by users calling themselves alternately “Abi” or “Charlie.”
A seventh man, a Tory MP, has reported similarly-worded messages to the police, according to one staffer who saw the messages; POLITICO has been unable to speak directly with the MP concerned.
Many of the messages contain striking similarities, including personalized references to the victims’ appearances at U.K. political events and drinking spots. In several cases explicit photos were also sent — and in at least one case, the victim reciprocated.
A dossier of evidence compiled by POLITICO has been reviewed by four cybersecurity experts who agreed people in key positions in parliament are being targeted with ill intent.
Dominik Wojtczak, head of the Cybersecurity Institute at the University of Liverpool, said he believed the messages were part of a “spear phishing attack” — a highly personalized form of “phishing,” intended to gather compromising information on a victim.
“The purpose is most likely to simply obtain indecent images of the victims and then blackmail them,” Wojtczak said.
‘We had a little flirt’
The suspicious WhatsApp conversations reviewed by POLITICO tend to start the same way.
The sender claims to have met the recipient at a recent political event or venue — such as a Westminster bar, a party conference or on a local by-election campaign.
The sender then typically voices faux-embarrassment at not being remembered by their target.
In three cases, the sender uses near-identical language, claiming they and their target previously “had a little flirt.” In four cases, the sender quickly turns the conversation sexual and in at least three of these, sends explicit images.
Strikingly, the sender or senders of the messages often display extensive knowledge of their targets and their movements within the narrow world of Westminster politics.
Two people were sent references to their work on the Mid Bedfordshire by-election of October 2023. One received a message discussing their work on “the Nandy campaign” (Labour MP Lisa Nandy stood for the party leadership in 2020.) The other was sent a WhatsApp referring to the breakdown of a recent relationship.
A third person was told they had previously met the message-sender in the “Sports” — a nickname for Parliament’s Woolsack bar, formerly the Sports and Social Club. A fourth was told they met the sender at the annual Labour Party conference in Manchester. A fifth was asked if they still worked for their current boss.
The person sending messages from one of the numbers would alternately refer to themselves as a man called Charlie — when contacting two gay men — or a woman, when contacting two straight men. To one of these straight men, the sender said their name was short for “Charlotte.” The sender’s profile picture showed a man and woman together, making both identities plausible.
‘Long time no speak! Still single?’
In the most extreme case POLITICO has seen, a Labour Party staff member was contacted by “Charlotte.” The sender insisted they had met at party conference, telling him: “Long time no speak! How’re you? Still single?”
“Charlotte” said they had discussed the man’s past work with a trade union, and claimed he had convinced her to also join a union. The man initially felt confident this interaction had not taken place, but later concluded it was plausible.
The conversation quickly became sexual after “Charlotte” sent several explicit images, to which the man reciprocated. He asked if she wanted to meet, and she replied she was busy playing netball. “If you’re lucky, I’ll slip you a picture of me in my gym shorts x,” she added.
When the man became suspicious about her identity, he tried several times to call her phone number, but she did not pick up. He then asked for her Instagram account, which she failed to provide.
Despite this, they carried on speaking and the recipient — by this point suspicious — invited “Charlotte” to meet at a pub. She agreed, but did not show up.
The man has not received any threats or demands, but has been left shaken by his experience. He said: “It was very convincing, there was so much specific information and the way they were texting was just so believable for a woman in their 20s.”
He added: “I’ve been pretty shook up, anxious and worried about what could happen, and just embarrassed that I fell for it.
“This sounds so obvious now, but don’t send pictures to someone you don’t know and trust — particularly if you’re in a politically-exposed position, like working for an MP. If the conversation escalates to sexting quickly, that’s definitely a red flag.”
‘Romance scam’
The other sender gave their name as “Abi” and contacted three men, including one who would later also be contacted by “Charlie” on the other number involved. Messages from both numbers followed a broadly similar pattern — including the shared phrase “had a little flirt.”
When POLITICO later phoned the “Charlie” number, a man unconnected to the messages answered and said he had recently started using the number through TextMe, a U.S.-based app that supplies its users with temporary “assigned numbers” allowing them to send text messages. There is no suggestion of wrongdoing by the firm.
The “Abi” number, meanwhile, has already been flagged multiple times as suspicious on the website who-called.co.uk, which gathers user reports of unsolicited numbers. Users variously claimed it was linked to a “romance scam,” “catfishing” and a “bloke pretending to be a girl.”
John Scott-Railton, a senior researcher in phishing at the Citizen Lab at the University of Toronto, told POLITICO neither of the two phone numbers was registered to a mainstream mobile phone network.
He said: “This shows numerous signs of being non-genuine. But the level of sophistication, compartmentation, is not necessarily that high. These were actions that would inevitably result in them getting rumbled — and clearly they have been.”
Wojtczak, of the University of Liverpool, agreed that this “does not look like a sophisticated attack” and that re-using the same phone number for different phishing attempts showed a “laziness” on the attacker’s part.
Daniel Prince, a professor of cybersecurity at Lancaster University, compared the technique to grooming, where an “innocuous interaction is then slowly escalated to build rapport with the intended victim, until the final goal is achieved.”
Given the identities of those receiving the messages, he added, “this would probably be considered some form of honey-trap, or catfishing.”
The rise of instant messaging and social networks makes targeted attacks easier to carry out, he added, with malign actors able to create virtual numbers and buy cheap SIM cards on the high street.
Such activity ranges from fraudulent romantic messages to “classic nation-state espionage,” Prince said. But the speed at which this particular sender or senders moved to exchanging explicit photos suggests it was less sophisticated, he added.
“I wouldn’t be surprised if it was just a criminal gang that had just found a rich group of targets,” he said.
‘Trust your instincts’
The messages are revealed after the U.K. government blamed “Chinese state-affiliated actors” for two “malicious cyber-campaigns” targeting the British political system — one against the Electoral Commission, and the other against a group of MPs and peers.
But there is no suggestion the two matters are linked, and POLITICO has been unable to identify who sent the messages.
Ciaran Martin, the former chief executive of the U.K.’s National Cyber Security Centre, said: “Malicious actors, including nation states, have a history of using digital messaging to try to cultivate relationships with people they think have political influence. Some of this activity is high quality and convincing. Some of it can be spotted a mile away.
“The key message is that anyone working in Westminster can expect stuff like this … trust your own instincts, don’t respond, and report it if you’re concerned.”
Wojtczak said he suspected one person’s social media account had been compromised and then used to gather others’ phone numbers.
The process “starts by collecting all the public information available from the web and social media about a given individual,” he added. “These attacks typically target high-profile figures” due to the effort they require, “though AI can be used to start the process.”
“Using WhatsApp for these attacks can make them more effective,” added Wojtczak. “Such a message can feel more personal than email. It is easier to catch someone off-guard when on a mobile device, and malware protection may not be as good as [when] using an email client.”
The U.K. parliamentary authorities offer MPs and staff a cyber-advisory service, and encourage any victims of suspicious messages to contact either them or the police.
A spokesperson for the House of Commons declined to comment on any specific cybersecurity incidents.