Liverpool man stole £140k in phishing scam

Two men from Liverpool and Bury who stole millions of customer data and sold it online were jailed on Monday 14 February at Liverpool Crown Court after pleading guilty to selling personal data in exchange for cryptocurrency. 

Gary Kelly, aged 32 of Caldy Road, Aintree, Liverpool was sentenced to three years and four months imprisonment.

Craig Gorton, age 30 of Bury was sentenced to two years imprisonment suspended for two years and was given a 20-day rehabilitation activity requirement and must complete 100 hours of unpaid work.

Detectives from the Dark Web Operations Team at the North West Regional Organised Crime Unit searched their home addresses back in July and December 2019 after being alerted to their illegal activity online. A number of devices were seized and after being forensically examined, were found to contain stolen customer databases.  

Kelly and Gorton were responsible for running a number of phishing campaigns which involved sending millions of emails to people portraying to be from Apple, Netflix and Spotify. Once the victim provided their personal and financial details, the duo sold their information on a website called ‘Mirashop.’

During the course of the investigation, data related to over 64,000 credit cards and 24,000 Apple IDs was recovered and safeguarded. 

It’s estimated that they earned more than £140,000 in cryptocurrency. 

Detective Inspector Chris McClellan from the North West Regional Organised Crime Unit’s Cyber Crime unit said, “It’s really important that if you believe you may have been a victim of this phishing scam, or any other, that you carry out some simple steps to protect your personal and financial data. 

  • Change your passwords if you have an Apple, Netflix or Spotify accounts
  • Run your email or phone number through Have I Been Pwned: Check if your email has been compromised in a data breach   If it displays as red, it will inform you of where the breach was identified.  Don’t panic! Just change the passwords to the affected sites. 
  • Apply Two Factor Authentication (2FA) where possible.  This simply means adding extra encryption (security) to your accounts. – For further advice on creating secure passwords visit  Cyber Aware – NCSC.GOV.UK
  • If you think you have victim of a scam, inform your bank immediately and report to Reporting fraud and cyber-crime | Action Fraud
  • If you receive a unsolicited email or text and you are not sure whether it is a genuine message – #Take Five, go make a brew and go back to the email or message later.  If you are unsure of it’s provenance, do not click on it.  Think first – do you have this type of account?  If you don’t,  DO NOT CLICK ON IT.  Forward the email to  or suspicious texts forward to 7726.
  • If you do have this type of account, only contact them through these trusted channels – DO NOT CLICK ON ANY LINKS in the email or message.
  • Do not share passwords, bank account details, pins or online account details.”

Image: Karolina Grabowska

Why not follow on Facebook and Twitter? You can also send story ideas to

Share this

Subscribe to our FREE newsletter

Facebook comments

Latest news