UK government suspects ‘lone wolf’ behind MP sexting scandal

LONDON — The Westminster ‘honey trap’ sexting scandal saw at least two dozen people targeted in U.K. politics, and has now cost a senior MP the Tory whip.

But the biggest question remains unanswered. Who did it?

While no options have been ruled out, victims and U.K. officials who spoke to POLITICO are growing increasingly suspicious that a lone wolf — rather than a hostile state — is to blame.

“It’s plausible it could be someone on their own doing it for kicks,” said Ciaran Martin, the former chief executive of the National Cyber Security Centre, part of the U.K. government’s online spy agency GCHQ.

“The information they’ve sought via extortion isn’t what you’d expect from a nation state. But we just don’t know.”

POLITICO revealed last week that MPs, staffers and journalists in Westminster had been targeted with unsolicited WhatsApp messages from two phone numbers alternatively using the names “Charlie” or “Abi.” The exchanges would begin with mild flirting and, in several cases, quickly escalated to the sending of explicit photos. 

Prime Minister Rishi Sunak responded to the scandal Wednesday by warning there are “lots of bad actors, as we’re seeing around the world, who are trying to cause damage to our democratic processes.”

Yet the attack is not currently being viewed inside government as the work of a hostile state, four people with knowledge of the situation told POLITICO.  

Neither the government nor the Metropolitan Police, which is leading an investigation aided by intelligence officials, have commented on who could be responsible.

Martin said: “This doesn’t look like any of the digital espionage or human influence operations we’ve seen from hostile states in the past. That’s not to say a nation state isn’t behind these actions. We just don’t know, from the information that’s been made publicly available, anyway.”

Inconsistent

POLITICO has so far verified 22 people in U.K. politics who received messages from these numbers, and a further three who were contacted by “Charlie” on gay dating app Grindr. A man has contacted police after “Charlie” stole Facebook photos from his account to set up the fake profile.

POLITICO has so far verified 22 people in U.K. politics who received messages from these numbers, and a further three who were contacted by “Charlie” on gay dating app Grindr | Leon Neal/Getty Images

As more detail has emerged, key elements have struck victims and experts as being inconsistent with a hostile state attack.

First, the testimony of William Wragg. The Conservative MP resigned the whip Tuesday after admitting he gave “some” colleagues’ phone numbers to a man he met on Grindr. Yet neither he, nor a Labour staffer who sent explicit photos to “Abi,” have said they were extorted in any other way — such as for intelligence from inside parliament.

Martin said: “It would be a bit odd for a sophisticated state blackmailer to have an MP over a barrel and only demand other MPs’ phone numbers, as seems to have happened here.”

Second, “Charlie’s” pattern of behavior appears to have changed over time. As POLITICO reported Monday, “Charlie” messaged attendees at September’s Lib Dem conference, on Grindr, and October’s Labour conference, on a mixture of Grindr and WhatsApp.

POLITICO has spoken to six people who received messages from “Charlie” at party conferences. In these, “Charlie” was generally seeking gossip about other people, and expressing a desire to have sex with MPs. 

A seventh person at Labour conference received explicit Grindr messages from “Charlie,” inconsistent with the tone of other messages seen by POLITICO. These described a supposed threesome with a politician in extremely graphic detail. POLITICO has been unable to speak directly to the recipient.

POLITICO has spoken to six people who received messages from “Charlie” at party conferences. In these, “Charlie” was generally seeking gossip about other people, and expressing a desire to have sex with MPs | Oli Scarff/Getty Images

The tone of later WhatsApp messages was very different, focusing wholly on the recipients instead of wider gossip.

Victim profiling

Thirdly, the known targets’ appearances all follow a clear profile — yet their positions within the political eco-system do not.

All 25 targets verified by POLITICO are male, and aged generally from their mid 20s to their early 40s. Yet they span all three parties and have no consistency in seniority. (A 26th possible target, Tory MP Andrea Jenkyns, has said she was also targeted, and would be the first woman known to be involved. However she has failed to respond to POLITICO’s requests to view the messages she received.)

Those Westminster figures known to have been previously targeted by hostile state attacks all had knowledge of sensitive information, such as the former head of MI6 Richard Dearlove or the SNP MP Stewart McDonald, who is a member of the Inter-Parliamentary Alliance on China.

Lastly, the attacker used simple WhatsApp messages rather than emails or other communications designed to hack into victims’ phones or accounts — instead using “social engineering” to expand their network of contacts.

Dominik Wojtczak, head of the Cybersecurity Institute at the University of Liverpool, said: “It is really hard to say with a high degree of certainty who may be responsible and what the goal really was” — but that a “’lone wolf’ idea makes sense.”

All 25 targets verified by POLITICO are male, and aged generally from their mid 20s to their early 40s | Christopher Furlong/Getty Images

He added: “The attack clearly lacks any sophistication. Apart from doing some background research about the targets, it follows the same repetitive pattern and reuses the same mobile numbers. 

“One thing that this shows is how easy it is for such targeted attacks to be successful, and hopefully MPs and the general public will learn from this and be more wary in the future.”

Daniel Prince, professor of Cybersecurity at Lancaster University, said the information currently available suggests the approaches “fall below the level of sophistication” that would indicate hostile state activity.

He added: “This lends more credence to the notion that this is more likely to be a lone actor or smaller group, motivated by immediate personal benefit — but full attribution remains challenging and is a perennial issue in these cases.”

But he warned: “Regardless of who is behind this attack, it should be considered a warning as to the potential issues facing the U.K.’s democratic processes and institutions.”

The BBC revealed Thursday that the Met Police were first made aware of suspicious messages targeting men in Westminster in late 2023 — but the alarm was only raised with MPs after POLITICO’s story last week.

A Met Police spokesperson said: “The Met had previously received reports from two victims — the first in October with subsequent reports in November and March — about the unsolicited sending of explicit images to MPs.”

“There was nothing to suggest that those incidents were part of a wider pattern of offending that would have necessitated any sort of warning to Parliamentarians and staff.”

“The scale and coordinated nature of this matter became apparent following the receipt of a number of further allegations prompted by recent media reporting. Our investigation is considering all reports in a coordinated way and is ongoing.”