NSW South Coast man before court charged over mobile phishing scam

Mobile Phishing on the South Coast: A Forensic Perspective on the Tomakin Arrest

The Australian Federal Police reports that a 36-year-old man from Tomakin on the NSW South Coast appeared before Batemans Bay Local Court following an investigation into an alleged mobile phishing operation. The case offers a useful entry point into examining how law enforcement builds digital evidence packages in contemporary cybercrime prosecutions, and where defence scrutiny is likely to focus.

The Alleged Operation and Its Discovery

According to the AFP, the telecommunications provider reported malicious cyber activity targeting its customers in mid-August 2025. The provider’s report triggered an AFP investigation commencing 20 August. Police allege the accused sent text messages to customers claiming their mobile service faced restriction due to unpaid bills, with these messages containing links to a fraudulent website designed to harvest personal and banking information.

The investigative timeline moved quickly: approximately three weeks after the initial report, on 9 September 2025, AFP officers executed a search warrant at a Tomakin residence and arrested the man. The evidentiary seizures included computers, laptops, mobile devices, and SIM cards. Notably, several mobile devices were allegedly recovered from an in-ground drainage pipe on the property.

Forensic examination of one laptop reportedly uncovered substantial quantities of files containing personally identifiable information belonging to third parties, including usernames, passwords, and credentials for multiple websites and applications. The AFP states that efforts continue to determine the origin of these files and to identify potential victims of fraud or identity theft.

Charges and Legislative Framework

The man faces two Commonwealth offences. The first, under section 478.4(1) of the Criminal Code, alleges producing, supplying, or obtaining data with intent to commit a computer offence, carrying a maximum three-year term. The second, under section 480.4, alleges dishonestly obtaining or dealing in personal financial information, with a maximum penalty of five years’ imprisonment.

These provisions sit within the cybercrime offences inserted into the Criminal Code by the Cybercrime Legislation Amendment Act 2012, which implemented Australia’s obligations under the Council of Europe Convention on Cybercrime. Section 478.4 targets preparatory conduct, criminalising the handling of data where that handling is directed toward facilitating a computer offence. Section 480.4 specifically protects personal financial information, reflecting Parliament’s recognition of the particular harm flowing from compromised banking credentials.

Forensic Recovery and the Drainage Pipe Seizure

The recovery of devices from an in-ground drainage pipe presents immediate forensic considerations. Environmental exposure to water, soil chemistry, and temperature fluctuation can degrade both hardware and stored data. Solid-state storage in modern mobile devices is more resilient than traditional magnetic media, but corrosion of circuit boards, connectors, and power management components remains a significant risk.

From an expert witness perspective, the chain of custody documentation becomes critical here. When were the devices removed from the drainage pipe? What environmental conditions existed between seizure and laboratory examination? Was any attempt made to power on devices before forensic imaging, risking write operations to storage? The AFP’s forensic teams typically follow ACPO guidelines (now superseded by the UK Forensic Science Regulator’s codes, though still influential in Australian practice) prioritising preservation over immediate examination, but defence experts would properly examine whether those protocols were adhered to in this unconventional recovery scenario.

The laptop examination reportedly revealed credential files in substantial quantity. The provenance of these files matters significantly. Were they stored in plain text, encrypted containers, or browser credential stores? What timestamps and filesystem metadata attach to their creation, modification, and access? Can the prosecution exclude the possibility that some or all of this material arrived through automated means, malware infection, or file-sharing activity unrelated to the alleged phishing scheme?

Attribution and the Single-Operator Theory

The AFP’s media release presents the matter as a single-individual operation. Attribution in phishing cases rarely rests on one data point. The defence expert would properly examine the totality of the evidence linking the accused