A sprawling fraud operation, a Dubai-based millionaire – and a £4bn company looking the other way.
When former police officer John Oliver drove into Leamington Spa one Saturday with his partner and friends, their first challenge, as ever, was finding somewhere to park.
This article was written by Simon Lock and originally published by The Bureau Of Investigative Journalism.
He eventually found a spot, but the pay machine did not take cash or card. Instead, it offered a QR code linking to an app. So he downloaded it, entered his card details and paid the £3 fee.
“I gave it no more thought whatsoever,” Oliver recalled, “until some weeks later my credit card was blocked by my bank. And of course I got in touch with them, asking what was going on. And they said, well, we think that someone’s trying to scam you.”
Appearing on his bank statement was a mysterious website called inn2flix.com, which had tried to make an unauthorised £40 transaction. The next month, the same thing happened again.
Oliver is one of hundreds of people in the UK who’ve been targeted by this rapidly growing type of scam. Fake QR codes, intending to trick victims into handing over their card details, have swept through publicly owned parking sites across the country. These so-called “quishing” scams have hit almost one in every three local authorities in the past year, the Bureau of Investigative Journalism (TBIJ) has found.
And the QR code scams are just the beginning. Our investigation can link some of them to a far larger and more sinister operation. The findings are part of the Dirty Payments investigation conducted by TBIJ and 20 international media partners led and coordinated by the network European Investigative Collaborations (EIC), based on confidential documents and data obtained by EIC.
Using internal documents, interviews and digital forensics, TBIJ, with ITV News, the Netherlands’ NRC, Germany’s Der Spiegel and Denmark’s Politiken, can reveal:
- The car park scam that targeted Oliver is part of an international fraud network centring around a business in Dubai
- The operation uses shell companies in the UK and Cyprus to extract cash from targets around the world
- At the heart of the network is a millionaire with a mansion in Ibiza and business links to the UK
- The transactions were facilitated by the multinational payment company Worldline, where there was evidence of an internal cover-up
Presented with our findings, Phil Brickell, Labour MP for Bolton West and member of the all-party parliamentary group on anti-corruption, told us: “We simply can’t accept that British shell companies are being used to rip off British people.
“That has to mean closing down the loopholes which continue to allow fake companies to be set up in our own backyard. And empowering Companies House to actually enforce the rules we already have.”
The scam network
The car park scams across the UK are run by all sorts of fraudsters and opportunists. But in the case of Oliver, we were able to trace the scheme back to a huge operation that stretches from the UAE to the Philippines. And that trail begins with the website that tried to take his money: inn2flix.com.
“It was ostensibly a bit like Netflix,” said Oliver, “where they were promising to provide some films or TV programmes that we could download.” Except he had never visited it before, let alone signed up. Posts to the reviews site TrustPilot describe other users finding unexpected payments from their accounts. Some connected these to a suspicious parking QR code they scanned; others said they had been tricked into entering card details by a social media ad.
Inn2flix.com could have remained just another faceless scam. But it’s named in internal documents and data from the payment services company Worldline obtained as part of this investigation.
In the data, inn2flix.com is listed as part of Aether Group, a corporate group of more than 1,000 websites and 300 different companies that have used Worldline’s services as a “high-risk” client.
Through the internal data we were able to link inn2flix.com to a plethora of other websites. At first glance they all looked quite similar, and digging deeper we found that they were largely created using the same website builder and use identical sets of tools, some of which appear to be custom made.
Many also share the same behind-the-scenes setups, including hosts, IP addresses and registrars. All these characteristics build a digital footprint.
By looking for other sites with the same hidden features, we were able to uncover a total of nearly 3,000 sites linked to the Aether network. They include two that featured in a BBC News report this year after a 70-year-old woman was scammed while parking near a hospital.
Although we don’t know what portion of these sites contribute to UK parking scams, online reviews from sites such as TrustPilot claim that over a dozen websites and companies connected to Aether were involved in this type of scheme.
A screenshot of Inn2flix.comAnd the parking scams are just the tip of the iceberg. We also discovered thousands of suspicious-looking links from a different set of websites whose primary purpose is to lure customers into handing over card details.
Screenshots show pages offering extraordinary discount deals on MacBooks, 4K TVs, iPhones and Bluetooth earphones. Some pose as delivery companies requiring credit card info for packages. The pages are in numerous languages including Japanese, Hebrew, Dutch and French. But their objective is always the same – to steal money from unwitting victims.
Another set of websites focus on online sex chats, where customers buy credits to exchange sexts with women. The set-up is again fake, the profile photos seemingly lifted from elsewhere and the “chats” managed by agents in the Philippines.
Other parts of the network offer a glimpse into the conveyor belt of fake sites Aether has created. Many appear not to have gone live yet, displaying their company address as “Dummy Corp” and operating from “Random Street” in “Fictive Town”.
The Aether-linked websites are owned by hundreds of letterbox companies, mostly based in the UK or Cyprus. The owners and directors of these companies appear to be nominees, scattered across the country with no obvious pattern. When we spoke to two of the directors, both said they had no idea what their business was being used for.
An Aether-linked website showing a dummy business addressBen Cowdock, senior investigations lead at Transparency International UK, said our findings offered “a stark reminder that our corporate transparency laws have dangerous loopholes”.
He added: “The [people] who created and maintained these fraudulent entities should face immediate investigation
“We also need urgent action on so-called ‘nominee directors’ – a practice that has no basis in UK law yet can allow criminals to hide behind proxies.”
Aether told TBIJ: “Aether Group categorically denies any involvement in unlawful or fraudulent activity. The allegations being made are baseless and rely heavily on conjecture, flawed assumptions, and undisclosed sources – not credible evidence.”
The company says it creates websites for clients but does not own the sites. It said it prohibits unlawful behaviour by its clients and does not tolerate any breaches.
It said: “Any claim that Aether Group is the ultimate beneficial owner of a network of shell companies is categorically false.”
The Cyprus-based company that owns inn2flix.com denied being part of any scam.
‘The agency’
From its base of operations in one of Dubai’s skyscrapers, Aether Group – which was called Linkmedia until the end of 2023 – claims to have offices on three continents and clients across the globe. On social media and in interviews, employees have described a strong collegiate atmosphere, lavish parties and swanky offices.
To the outside world, Aether is a consultancy helping clients gain exposure through its expertise in digital advertising and “omnichannel marketing”. However, internal documents and our digital forensics investigation show that Aether forms a central node in a multimillion-pound scam operation, the trading name for a cluster of entities based in the UAE, the Netherlands and the Philippines. The “clients” it boasts of are websites and shell companies apparently set up on Aether’s behalf.
Speaking to NRC and Spiegel reporters in an out-of-town Dubai shopping mall, one former employee opened up about the true nature of the business. They said they started as a customer service agent at what they thought was an online marketing firm. At this time, it was still called Linkmedia.
They said their team leader was clear right away: they were going to work with scam websites. Day in and day out, they emailed and chatted with “customers” who had no idea why they’d suddenly been signed up to a movies, music or fitness subscription.
Victims had clicked on an ad saying they had won a new iPhone, entered their credit card information and been signed up as members, said the ex-employee. This type of scam is called advance fee fraud, and was the network’s modus operandi.
They said their job was to lie to confused punters. “Usually they [had by then had] a membership for a few months. And if someone really insisted or started threatening, we would cancel the last two months.”
Angry victims vented at them daily, but the company looked after its employees. “Each team had a monthly budget to go out for dinner or go bowling or something,” they said.
Some teams went to Ski Dubai, an indoor ski hall in one of the shopping centres. Others went on desert safaris.
The perks made it harder to quit. “Of course we knew it wasn’t right. But the rent on the apartment also had to be paid, and it wasn’t that easy to find a good job in Dubai.”
The man at the top
But who exactly is behind Aether? Throughout our investigation, one figure came up time and time again: a man called Kristian Møller.
Møller told us he categorically denies any suggestion of unlawful or fraudulent conduct and business dealings have always complied with all applicable laws. But internet records and public sources show how his operations evolved from porn sites to eventually founding Linkmedia.
Originally from Denmark, 40-year-old Møller has a limited online presence. He is based in Dubai but owns a multimillion-pound mansion in Ibiza. The property is owned via a holding company in the UK, where Companies House also lists him as owner and director of a now-defunct entity called Burlington Ad Factory (formerly AdBaum Interactive) and co-owner of a third company, AdBaum Advertising.
Using website registration records, we linked AdBaum to numerous porn, prize-draw and customer support sites created as early as 2008. Some were originally registered in Møller’s name.
Several of these websites contain reference to – and share a digital footprint with – another set of scam websites set up around 2011.
Kristian Møller, the man at the heart of the operationThis new iteration of Møller’s empire targeted consumers in Scandinavia and included jukebux.com, owned by Janibank Investment Ltd, a Cyprus-based company that was subject to a 2015 warning by the Cypriot financial regulator saying it was not permitted to operate in the country.
Further analysis by TBIJ found that jukebux.com shared digital infrastructure with similar dubious websites, which in turn overlap with some of the earliest Aether Group scam sites found in the Worldline data, starting around 2015.
The year after regulator’s investor warning, Linkmedia, the forerunner to Aether Group, came into being. Its owner: Kristian Møller.
The enablers
With offices in Dubai, dozens of employees and thousands of websites, Aether’s infrastructure was considerable. But it couldn’t operate alone. For Møller’s scheme to work at scale, it relied on digital transactions. That’s where one of the world’s biggest payment processing firms comes in.
Worldline makes nearly £4bn in annual revenue for providing an inconspicuous, everyday service: facilitating card transactions. If you buy a bottle of water in a supermarket, there’s a good chance it’s Worldline’s logo on the card reader. And for every payment it enables, the company takes a small cut.
It has handled millions of transactions for Aether Group – nearly £50m worth in a single year. And our investigation, which examined data about Worldline’s high-risk clients from 2023, shows how the company continued to facilitate the scams despite internal concerns.
Internal reports show that a Worldline compliance unit ignored the huge risks attached to Aether, and that a company risk team sought to reduce fraud, only to be overruled.
The reports suggest the source of the problem lay with Worldline’s close relationship with another PSP based in the UK, called eMerchantPay, which also specialised in high-risk merchants like Aether Group. From 2014, Aether had an agreement to refer its clients to Worldline – and documents show that the arrangement was incredibly lucrative.
Several internal documents raise red flags about the business carried out between Worldline and eMerchantPay. Minutes from 2020 show that when Worldline was under pressure from payment card giant Visa to lower its so-called fraud ratio – the proportion of transactions or claims that are flagged as fraudulent – the company sought to “ask eMerchantPay to help us with cleaner transactions (eg, load balancing)”. The implication was that Worldline wanted to increase the total number of transactions in order to lower its fraud ratio, rather than attempt to tackle the fraud itself.
In another case the following year, documents show how Worldline decided to onboard more than 130 Aether merchants via eMerchantPay, using a “fast-track onboarding process” in which due diligence would be done afterwards. The compliance unit, despite internal opposition, accepted the proposal.
Most damning of all however, was an internal investigation of eMerchantPay by Worldline in 2023. The resulting report raised a litany of concerns about possible legal breaches and governance failures, including that eMerchantPay was handling funds when it shouldn’t have been, and that Worldline had made no spot-checks on how the funds were handled.
Worse still, a risk team within Worldline found clear evidence of suspicious activity, and the report even went as far as flagging possible indications of money-laundering.
There was also evidence of an internal cover-up. The report outlines how a “1st Line of Defense” risk team had been instructed not to disclose any reference to Aether Group, adding that Worldline “should not have any knowledge of them”, even though Aether Group was involved in on-boarding hundreds of merchants.
In a statement sent after this article was published, eMerchantPay said our reporting “fundamentally misrepresent[s] the facts”. It said it has always complied with all applicable laws.
“We take such matters extremely seriously,” the company said. “We have initiated an internal review to understand the full context of the claims to ensure we respond appropriately.”
Data suggests that, within a year of the report, Worldline had ended its business relationship with eMerchantPay. And in 2023, German financial regulator BaFin announced that it was looking into Worldline as well.
But for many victims, the damage had already been done.
No accountability
Worldline told TBIJ it has improved its risk monitoring since 2023 and ended some business relationships accordingly. It said its fraud ratio is now below the industry average.
But the story isn’t over for those caught in the scams. Complaints about scams tied to Aether Group have continued into 2025. As have reports of car-park QR code fraud across the UK.
“There must be hundreds, thousands of people who have done exactly what I did and [it] cost them lots of money,” reflected Oliver, the driver targeted in Leamington Spa.
John Oliver was targeted by a ‘quishing’ scam in Leamington SpaITV NewsWe’ve found instances of these codes reported in St Ives in Cornwall, Luton airport, Plymouth, and Ardnamurchan in Scotland, all in the past 12 months. They have also cropped up in Canada and the US.
In one instance, a member of the public reported that over £300 had been taken from their account through repeated transactions. Even without Worldline’s assistance, it appears the scams continue unabated.
“I am a retired Metropolitan police officer,” said Oliver. “I consider myself to be quite worldly. And although I know that scammers are very clever, I didn’t think I’d fall for something like this. But I did.”
