Team Cybercrime Rotterdam (TCC Rotterdam) recently dismantled a facilitator network behind large scale helpdesk fraud. The operation offers a rare inside look at how modern digital evidence techniques reconstruct a criminal modus operandi—and how Digital Forensics as a Service (DFaaS) accelerates that process.
Facilitators supplied everything the callers needed: phishing portals, victim lead lists, VOIP infrastructure and laundering pathways. When simultaneous raids were executed, investigators seized a sizeable collection of smartphones, laptops and an external drive—multi terabytes of potential evidence. To move from raw data to actionable insight within investigative time lines, the team relied on Hansken, the open DFaaS platform developed by the Netherlands Forensic Institute (NFI).
Applying the “eat your own dogfood” principle, an NFI Hansken engineer embedded with frontline investigators. Operational pain points became feature tweaks while deep platform knowledge accelerated evidence discovery. After forensic imaging and upload in the digital forensic lab, Hansken’s automated parsers exposed millions of artefacts—messages, geolocations, browser remnants—across every device. A single query (e.g., a victim’s IBAN) surfaced hits everywhere; timeline stitching revealed when callers prepared scripts, contacted victims and moved funds; geo pivoting placed seized phones at suspected call centre locations during critical windows.
Three strands weave through our talk:
1. Technical: how DFaaS indexing, deduplication and permissions management condensed weeks of manual work into days while maintaining chain of custody and privacy safeguards.
2. Investigative: concrete examples of artefact correlation, timeline analysis and geo linking that exposed the facilitators’ workflow from lead acquisition to cash out.
3. Developmental: how live feedback shaped Hansken’s search helpers and timeline views, and why embedding developers with investigators should become standard practice.
Attendees will leave with actionable strategies for using digital traces to reconstruct modus operandi in complex helpdesk fraud cases, along with insights on leveraging DFaaS platforms like Hansken as powerful accelerators that keep investigators—rather than technology—at the centre of the investigation.
