DEV Community: marwood

The London Rental Scam That Nobody Investigates

marwood — Mon, 11 May 2026 21:15:54 +0000

A friend lost a month's rent to a London rental scam recently. The police told them, politely, that they would not be investigating. That wasn't a failure of their specific case. It was the national policy. It's worth understanding why before you waste your energy in the wrong place.

Here's what happened. They found a room online. Decent photos, fair price for the area, friendly listing. They messaged. The reply came back warm and quick. Voice notes were exchanged. The landlord sent a driving licence and a utility bill, both addressed to the property. They answered questions about bills, the neighbours, the commute. Nothing felt off.

Then, near the end, a small twist. Could my friend pay an extra month upfront? Someone else was about to take the room and willing to pay full whack, but the landlord preferred them. The extra month would lock it in. It was framed as a favour, not a demand. They paid.

A meeting was scheduled to collect keys. The landlord didn't show. There had been a death in the family. Apologies. Another meeting was scheduled. Didn't show again. Then the messages slowed, then stopped.

They called the police. The police took the report and gently said they would not be investigating.

The part most victims don't realise

This scam is not improvised. The polite tone, the plausible ID documents, the extra month justified by a competing tenant, the bereavement, the second silent appointment: this is a script.

The BBC ran an investigation in October 2025 that named multiple London victims who heard the exact same death in the family excuse from the exact same operator. Academic research has analysed the persuasion techniques. Action Fraud has a dedicated rental scam page. The Home Office launched a public campaign in March 2025 because the numbers wouldn't stop climbing.

Action Fraud logged around 5,000 rental scam reports in 2024 and £9 million in losses. Those figures count only the small fraction of victims who report. Roughly three quarters of reported victims were between 18 and 39. London is the biggest hotspot.

If you fell for this, you fell for something built by people who do it professionally, often as part of organised operations the City of London Police confirmed in January 2026 it was actively investigating. That knowledge doesn't recover the money. But it should land before the self-blame does.

Why the police won't help

This is the bit that feels like an injustice. It isn't, exactly. It's a policy decision that's been documented and criticised for years.

Action Fraud is not an investigative body. It's a reporting front door. Your report goes to the National Fraud Intelligence Bureau, which scores cases algorithmically and passes a small fraction to local forces. The Public Accounts Committee found in March 2023 that less than 1% of cases reported to Action Fraud result in a charge. Of the 800,000+ frauds reported in 2020 to 2021, only about 7% were even disseminated for investigation. HMICFRS found one force filing 96% of those disseminated cases with no further action.

The Victims' Commissioner summed it up: a reporting victim has roughly a 1 in 30 chance of investigation and a 1 in 200 chance of any sanction. Detective Superintendent Oliver Little of City of London Police said openly in 2025 that it isn't realistic to respond to fraud by locking people up.

The UK's strategy quietly shifted years ago. Fraud isn't being prosecuted. It's being absorbed by banks and platforms. That sounds bleak, and in some ways it is. But it has one practical consequence that most victims don't know.

You have stronger rights against your bank than against the scammer

Since 7 October 2024, the Payment Systems Regulator's mandatory reimbursement rules require UK banks to refund victims of authorised push payment fraud. That covers most rental scam transfers. Up to £85,000 per claim, paid within 5 business days, claim window of 13 months from the last payment. The bank can only refuse if it can prove gross negligence, which is a high legal bar.

99.8% of cases fall under the cap. This is the actual recovery route.

The order of operations, if it's just happened to you:

Call your bank's fraud line today, or dial 159, a free hotline that routes safely to most UK banks. Lodge an APP fraud reimbursement claim. Cite the PSR rules effective 7 October 2024 if the first agent doesn't know them.
Report to Action Fraud at reportfraud.police.uk or 0300 123 2040. You need a crime reference number for the bank claim. Don't expect anything else from this step.
Apply for CIFAS Protective Registration if you sent ID documents. £30 for two years, flags your identity across most UK banks and lenders for extra checks. Pull free credit reports from Experian, Equifax and TransUnion.
If any of the money went on a credit card, file a Section 75 Consumer Credit Act claim with the card issuer. For debit cards, request a chargeback within 120 days.
If the bank stalls or refuses past 5 business days, demand a final response letter and escalate free to the Financial Ombudsman Service on 0800 023 4567.
Report the listing on whatever platform hosted it, so it gets removed before the next person finds it.

One warning. In the weeks after a scam, victims often get contacted by "asset recovery" specialists offering to get the money back for an upfront fee. That's the second wave. The Ombudsman is free, your bank's fraud team is free, Victim Support on 0808 16 89 111 is free.

The AI part

The reason these scams scaled so fast is partly technical. Cifas's Fraudscape 2025 report named AI-driven identity fraud as the most prevalent fraud type in the UK last year, with fake documents now making up 30% of all reported cases. A Polish security researcher demonstrated in 2025 that ChatGPT's image generation could produce a convincing fake passport in five minutes, good enough to pass many automated checks. The driving licence and utility bill my friend received were almost certainly generated this way. A year ago this would have required Photoshop skills and a few hours. Today it requires a prompt.

That changes the calculus for every renter. The old advice, ask for ID and verify the address, still matters, but it's no longer sufficient on its own. The only reliable check left is meeting the person at the property, ideally with a neighbour or letting agent who can confirm they actually live there. Anything before that point, no matter how plausible the documents look, has to be treated as unverified.

What next?

The UK has effectively decided not to investigate individual frauds. It has, in return, pushed the cost of fraud onto banks. The result is a system where the police feel useless, because they are, and the bank is the actual lever, even though no one tells you that at the point of reporting.

If you've just been scammed, the most useful thing anyone can say is this. Stop trying to make the police care. They can't, and the reform timelines are years out. Go to your bank, today, and use a law that's been on the books for just over a year and that most victims and even some bank staff still don't know exists.

I Built a Production Agent Orchestrator. Then Claude Code's Source Leaked and I Saw the Same Architecture

marwood — Wed, 01 Apr 2026 07:56:30 +0000

On March 31st, someone discovered that version 2.1.88 of Claude Code's npm package shipped with an unobfuscated source map pointing to Anthropic's entire TypeScript codebase. Around 1,900 files. Over half a million lines of code. Everything.

I've spent the better part of a year building a production system that uses Claude as the brain of a voice controlled automation tool. Five specialist agents, an Opus orchestrator, over 1,400 tests across 22 major versions. When I read through what the leak revealed, I wasn't looking for secrets. I wanted to know: did they arrive at the same patterns? Turns out the answer was yes.

The orchestrator and specialists pattern

The most important architectural decision in any agent system is how you split work between a coordinator and its specialists. A high capability model (Opus) handles strategic decisions: what needs to happen, which agent should do it, how to combine results. Lower cost models (Sonnet) handle tactical execution: read these files, run these tests, update this documentation. The orchestrator thinks. The specialists do.

The leaked coordinator code confirms Anthropic built the same thing. Their orchestrator delegates to specialists with focused tool access and scoped responsibilities. The coordinator prompt even echoes guidance I'd written independently: don't be vaguely deferential when delegating, specify exactly what to do. This isn't a coincidence. It's convergent engineering. Orchestrators need to preserve their context window for coordination.

Specialists need to burn through context freely and return only a concise summary. If the specialist pollutes the orchestrator's context, the orchestrator drowns. If the orchestrator tries to do the specialist's job, it runs out of room for strategy.

Subagents don't inherit your configuration

Here's the most important thing I learned the hard way. Custom subagents do not inherit your project configuration. I spent weeks debugging why specialists ignored conventions documented in my main configuration file. The orchestrator followed them perfectly. The specialists acted like they'd never seen them. Because they hadn't. Each specialist gets its own context window. It starts fresh.

The leaked code confirms this is by design. Each specialist prompt needs to be a complete behavioral contract: who it is, what it can do, what files it owns, what format to return results in, and when to stop. If a specialist needs your coding conventions, those conventions go in the specialist prompt itself.

This is the number one mistake in agent systems. People write beautiful CLAUDE.md files and wonder why their spawned agents ignore every rule. Now you know why.

Guardrails that actually work

Early on, I tried to enforce critical rules through prompt wording. Don't modify files outside your scope. Don't add features that weren't requested. I capitalised things. I wrote "MUST" and "NEVER" in important places.

It didn't work. Not reliably. The agent would follow the rules most of the time, then occasionally blow past them without warning. The failure rate was low enough to be dangerous.

The leaked permission engine shows Anthropic solved this the same way I did: with code, not words. Critical restrictions are enforced by a permission engine that checks before every operation, not by prompt instructions the model might or might not follow. Hooks fire deterministically. Deny rules block operations regardless of what the model wants to do.

I call this deterministic guardrails over probabilistic compliance. You cannot rely on the model remembering to do something consistently. A linter that blocks bad imports beats a coding guideline. A verification script that runs automatically beats a prompt that says "remember to run tests." Rules enforced by tools are always followed. Rules enforced by discipline are followed until something goes wrong.

The most critical rules in Claude Code are not in the system prompt. They're in the permission engine.

Graduated autonomy

I assign freedom levels to each specialist based on risk. Low freedom agents that touch critical infrastructure get exact formats, narrow file ownership, and explicit boundaries. My testing agent can read source code and run tests, but cannot edit source files. If it finds a bug, it reports it. It does not fix it. High freedom agents like the orchestrator get goals, constraints, and heuristics.

Anthropic's agent architecture maps to the same spectrum. A doc reviewer gets read access only, a test runner gets read and execute but no edit, a code modifier gets full read and write but no command execution. The leak further confirms that subagents cannot spawn other subagents, preventing scope creep and infinite nesting.

Most people give every agent the same autonomy. That's like giving every employee the same security clearance.

What surprised me

Not everything confirmed what I already knew. Some of it sent me back to rethink my own architecture.

The leaked code references KAIROS, an autonomous daemon mode with "autoDream" memory consolidation that periodically reviews, consolidates, and prunes stored memories to prevent context bloat. I had been handling memory reactively. This proactive approach is something I'm planning to adopt.

The source apparently injects fake tool definitions into system prompts to poison competitor training data. Whatever you think about the ethics, it's fascinating adversarial engineering. If you're building systems that call LLM APIs, responses you receive might contain deliberate noise designed for purposes that have nothing to do with your query.

And then there's "Undercover Mode," which instructs Claude to never reveal it's an AI when contributing to public repositories. This has generated the most controversy, understandably. But from an engineering perspective, it reveals that Anthropic treats agent identity as a configurable property, not a fixed trait.

Interesting architectural choice regardless of whether you agree with how they used it.

The real lesson

Most coverage of this leak has focused on the controversial parts. But for anyone building agent systems, the deeper story is quieter and more useful.

The patterns in Claude Code are not novel. Orchestrator plus specialists. Context isolation. Deterministic enforcement. Graduated autonomy. These are the engineering reality of building systems where AI agents need to coordinate reliably, and anyone working seriously with agent orchestration arrives at them through trial and error.

What's encouraging is that the leak lowers the barrier. Before, you had to discover these patterns through months of mistakes. Now the reference implementation is on GitHub with 30,000 stars. You can read how Anthropic's team solved the same problems you're going to face, and skip the worst of the dead ends.

The patterns aren't the hard part though. Knowing when to apply them, which tradeoffs matter for your system, and how to debug failures that don't show up in any architecture diagram — that's still something you learn by building. The leak gives you a map. You still have to walk the territory.