A security expert has revealed how criminal gangs are spiking the drinks of unwitting strip club punters to rinse their bank accounts for tens of thousands of pounds.
His comments come after a Soho strip club Vanity had its licence revoked for three months this week after allegations that 10 patrons woke up after being ‘spiked’ to find a total of £250,000 missing from their accounts.
One man even said he had £98,000 taken in a series of fraudulent transactions after his drink was spiked – and others claimed they had no memory of the night and woke to find payments of thousands of pounds had been made from their banks accounts.
But this is not an isolated incident, according to one of the UK’s leading digital fraud experts Professor of security engineering Ross Anderson, who said these scams could end in a ‘murder trial’ after a decade of inaction by banks and the police against fraudsters.
How strip club spikers operate to steal thousands from patrons using ‘pre-play attacks’ after they enter their pin into a hacked chip & pin terminal
Westminster City Council suspended the licence of Vanity strip club (CCTV pictured) in Soho after the Met Police submitted evidence of breaches of its conditions to trade
Vanity Bar and Nightclub (pictured) in Soho, London has had its licence suspended for three months amid a Metropolitan Police probe into allegations that customers were fleeced of some £250,000
Prof Anderson, of the Universities of Cambridge and Edinburgh, told MailOnline that some strip clubs – often with gang connections – are drugging and defrauding customers for tens of thousands of pounds using hacked chip & pin terminals.
Digital security expert Professor Ross Anderson (pictured) said strip club spikings will lead to a ‘murder trial’
‘This has been going on for about ten years now and we’ve tried to get both police and banks to pay more attention, as it’s eventually going to lead to a murder,’ Prof Anderson warned.
‘If you anaesthetise drunken punters and leave them to sleep it off on a sofa in a brothel with full stomachs and no medical monitoring, then eventually one of them will vomit, inhale it and die.’
As many as 43,000 people may have been spiked by drink or drugs in 2021, according to campaigners.
While spiking is more commonly used as a means to sexually exploit victims with ‘date rape’ drugs – they are also used by thieves and fraudsters to subdue their victims.
One alleged victim said he woke up in a brothel after a trip to the Vanity in Soho and discovered that £98,000 had been transferred from his bank accounts.
Another man said he woke up on a street near his home after after he blacked out during a visit to the strip club in the most recent incident on November 26 last year.
He bought a drink but could not remember anything else until he woke up the next day – and found he had transferred more than £19,000 to several unknown bank accounts.
Prof Anderson, Professor of Security Engineering at Cambridge and Edinburgh universities, first saw alleged strip club scams in the UK, after the Spearmint Rhino in Bournemouth was accused of ‘exploiting’ customers in 2013 and 2014 by charging them large sums they could not remember spending.
The professor told MailOnline he believes the ‘modus operandi’ was imported from eastern Europe – mostly Poland and the Baltic states based on reports he has received.
Some 10 men have claimed they have lost £250,000 during visits to Vanity in central London. Pictured: CCTV of a stripper and a patron in Vanity included in Westminster City Council’s report on Vanity
Gil David, a man visiting from Northern Ireland for a friend’s stag do ended up spending £7,500 – a third of his annual salary – in one night at the venue after drinking 30 drinks in 12 hours.
He woke up – barely remembering the night before – after finding the credit card bills in his hotel room for the lavish night, which included tips to the girls totalling £1,800.
But two years later, Mr David received a settlement from Spearmint Rhino after he tried to sue the club.
Other claims were made at the club – which Prof Anderson looked into for a local councillor David Smith, who was dealing with the case after reports from constituents.
These included: a mentally disabled man who lost his £7,000 life savings; a man claiming his drink was spiked and lost over £3,000 in four hours; and a student who lost £2,000 – most of his student loan, the Bournemouth Echo reported at the time.
The local council’s licencing committee allowed the venue to continue operating, returning their licence after a six-month probation period – leaving Cllr Smith incredibly frustrated at his colleagues for not taking strong enough action.
Spearmint Rhino in Bournemouth continued to trade until it was bought out by a new investor in October 2021 and renamed Temptation, the Bournemouth Echo reports. There is no suggestion that the new club or other Spearmint Rhino venues is involved in any criminality mentioned.
Similar cases have been reported in the UK and abroad since 2014, but as far as Prof Anderson is aware, no one has ever been charged by the police for fraud or spiking patrons and no clubs have been permanently shut down after the reports.
Gil David said he stayed at the Bournemouth branch of Spearmint Rhino (pictured) until 5am, racking up a bill that included £1,800 in tips to the girls in 2013
‘Pre-play attacks’: How strip clubs spikers fleece you for £1000s with hacked chip & pin terminals
- Strip club patrons buy a drink with their card on a hacked chip & pin terminal – this could be for 100 times what customer thinks they’re paying
- Card machine harvests authentication codes which is how banks verify a transaction is genuine
- Terminal ‘pre-plays’ multiple transactions of up to several thousands of pounds – which will be cashed at intervals over the night
- Patron is spiked – possibly via the drink they have just bought
- The incognisant customer is kept at the club while money is bled from their account
- Scammers get the customer to use their other cards in the hacked chip & pin terminal
- Customer wakes up with no memory of the previous night, but finds they have lost thousands of pounds
And Prof Anderson has said victims have contacted him after they were rinsed for thousands in similar schemes after heading to Europe mostly Poland and the Baltics but also Spain – and several people in Spain for stag nights.
He said that one way the scam is perpetrated is through a hacked chip & pin terminal in a ‘pre-play attack’.
He said that before chip & pin was introduced, fraudsters could mostly only steal smaller amounts from lots of people by cloning magnetic strips on cards.
But as chip & pin transactions have high limits – or sometimes none at all – they ‘bad guys’, as Prof Anderson calls them, can target fewer victims for larger amounts.
He said: ‘Since chip & pin came along I can now spend £20,000 to buy my wife a Mini,’ something which he did on card last month.
‘The fact is that you can now scam large amounts of money from a small number of people,’ lowering the barrier to entry for potential card fraudsters.
A pre-play attack works by harvesting autorisation codes – how banks verify a card transaction is legitimate – after the customer uses their card and enters their pin to pay for something.
But the the hacked terminal can show a customer is buying a drink for £20, but in reality be charging them £2,000 – and scammers then use the saved authorisation codes to queue up multiple cashouts throughout the night.
Scammers will not put through one massive transaction at once as they have clued onto the fact that banks block single large transactions as a fraud check – calling the customer to ensure it is legitimate before allowing it to go through.
So fraudsters will ‘pre-play’ multiple smaller transactions using the harvest authorisation codes.
But banks also perform ‘velocity checks’ which flag possible fraud if multiple transactions are performed in quick succession from the same card.
To counter this, scammers will queue up the transactions over the course of a few hours, rather than in quick succession. But this makes it easier for customers to make a successful fraud claims to the bank – as they can’t have paid a £2,000 tip to a stripper if they were tucked away in bed at the time the payment took place.
So to stop patrons leaving, someone at the club will spike them with drugs such as chloral hydrate or Rohypnol.
‘If you store up ten transactions and plan to replay them over the next ten hours, then you don’t want the punter to go to the bar next door and break the time series,’ said Prof Anderson.
Before chip & pin was introduced, fraudsters could mostly only steal smaller amounts from lots of people by cloning magnetic strips on cards, says Prof Anderson (stock photo)
Drugging patrons also gives the venue the opportunity to rinse bank accounts connected to the other cards in their wallets, so victims can be taken for everything they are worth – or more if they have an overdraft facility.
And victims will often face barricades to being refunded, firstly because ‘most punters don’t complain as they are too embarrassed,’ Prof Anderson said.
But even if a victim decides to report the scam through the proper channels, to the banks and the police, they still have their work cut out for them if they intend on getting their money refunded.
Regulations state that if a customer hasn’t authorised a payment, the bank should refund the money – so long as the customer hasn’t acted fraudulently, or with intent or ‘gross negligence’, the Financial Ombudsman Service says.
Therefore genuine victims of strip club scammers should be able to tell their bank at the earliest opportunity and have their money refunded.
But Prof Anderson says that banks will almost always initially refuse to reimburse fraud victims. ‘The banks almost always say it wasn’t fraud,’ he says. If banks do not accept the fraud was genuine then they will not repay the customer their stolen money.
He also said that police across the country have not put enough resources into fighting this scam for the last decade as it is a difficult crime to fully investigate and it is easier to focus on other crimes.
‘Police should be investigating these allegations more vigorously, by seizing terminals that may have been tampered with,’ Prof Anderson said.
‘Investigations like this should be led by the police and supported by the banks – and that means when someone reports fraud police should get transaction data from the banks.
‘If the banks get lots of complaints from one establishment they should inform the police and if evidence of fraud is found they should remove them from the Visa and Mastercard payment networks.’
He said banks were enabling fraudulent merchants, effectively allowing them to rip off customers by refusing accept fraud has taken place.
Prof Anderson said the Payment Services Regulator should put more pressure on banks to refund victims of fraud where they haven’t consciously made those transactions either ‘because that terminal was doctored or the victim was administered a sedative’.
He said that police should invite complainants to take drug tests if they believe they have been spiked and defrauded – and if something is found in their system officers should raid the premises.
Prof Anderson suspects the practice is fairly widespread across the country but added that it was impossible to know how prevalent it is because little to no data is kept by banks and police on incidents like this.
He said that not all strip club scams use the pre-play attack, with some using a SIM card like device in a ‘man-in-the-middle attack’ to change details of the payment before it goes out – and sometimes ‘girls watch men enter their pin and use their card when they’re sedated’.
Prof Anderson did have a recommendation for anyone intending to visit one of Britain’s strip clubs.
He said: ‘If you feel the need to visit red-light establishments rather than using your dating app of choice, leave your cards at home and only bring the cash with you are intending to spend.
‘That way the most they can fleece you for is what is in your pants.’
A Met Police spokesperson confirmed there is an ongoing investigation linked to Vanity nightclub.
They said there are currently there are ongoing investigations into three allegations of theft or robbery. The force said there have been no arrests and enquiries continue.
Vanity Bar and Nightclub in Soho has been contacted for comment. Spearmint Rhino has been contacted regarding the historic allegations at the Bournemouth venue.
A government spokesperson said: ‘This government is absolutely committed to cracking down on fraud and economic crime, spending an additional £400 million over the next three years to bolster law enforcement’s response.
‘We will shortly publish our Fraud Strategy, which will establish a unified and co-ordinated response from government, law enforcement and the private sector to better protect the public.’