A syndicate that deliberately stayed below detection threshold — and 13 victims later, someone finally connected the dots
Thirteen victims. Five regions. Three weeks. One convicted offender who is still part of an active transnational group with international arrest warrants outstanding.
If you work in security ops, retail risk, or dispatch infrastructure, that case geometry should look familiar: it's a distributed low-frequency attack pattern across multiple sites, specifically engineered to stay below the incident threshold that triggers formal investigation at any single node. The offender, Vasile Bombonel, was sentenced at Wollongong Local Court on 25 fraud charges — targeting shoppers aged 55 to 90 near supermarkets, ATM vestibules, and car parks across regional New South Wales. ABC News reports that his associates remain at large. The retailers where those 13 incidents occurred now have an open liability question sitting in their risk registers — and most of them don't know it yet.
Why the syndicate model is specifically a data architecture problem
Organised distraction fraud groups don't cluster activity at a single location. They distribute across sites and regions, keeping per-site incident counts low — sometimes one or two events — while the aggregate pattern across the network is clear. For any individual retailer, a single incident looks like noise. For anyone with cross-site visibility, it's a signal.
This is the core problem: most retail security operations don't have cross-site data infrastructure. Observations stay in individual stores. Staff log a formal incident if something is completed and confirmed; they don't log the suspicious approach that didn't go anywhere, or the older customer who seemed disoriented near the ATM for thirty seconds before an associate appeared and then both walked off. Those micro-observations are where the pattern first becomes visible. They almost never make it into a system.
Retail crime intelligence channels run by peak bodies and state police in New South Wales exist precisely to aggregate this kind of cross-site signal. Participating in those channels — and logging that participation — is a documented reasonable precautionary step. Not participating when the tooling exists is increasingly hard to defend, especially after a conviction on 25 charges establishes that the behavioural pattern was consistent and predictable.
The duty-of-care foreseeability test and what it means for your site
Australian tort law doesn't require retailers to prevent every crime on their premises. It requires them to take reasonable steps against foreseeable risks. When a syndicate operates the same distraction playbook across supermarket ATMs in five regions over three weeks, and a court later convicts on 25 charges, "foreseeable" becomes very easy to establish retroactively.
There's also an insurance layer that operators often miss. General and public liability policies frequently carry sub-limits or explicit exclusions for transitional zones — ATM vestibules, car park exits, entry forecourts. Those are exactly the spaces distraction fraud groups use as operating ground. If an incident occurs in one of those zones and the operator can't demonstrate that reasonable precautionary measures were documented, the insurer has grounds to dispute the claim or apportion liability differently than expected.
Pro tip: Pull your current public liability policy and check whether your ATM vestibule, car park, and store entry forecourt are explicitly covered or whether they fall under a sub-limit or exclusion. If the answer is unclear, ask your broker to confirm in writing before the next policy renewal.
What "documented reasonable precaution" looks like in practice
From both a liability and an insurance standpoint, documentation is as operationally important as the controls themselves. A retailer who has a written policy identifying ATM and car park zones as elevated fraud risk for older customers, and a logged record of staff briefings naming distraction fraud as a specific threat type, is in a materially different position than one who has no record of the risk being acknowledged.
The controls themselves don't need to be expensive. They need to be consistent and logged:
- Zone-specific risk flagging in the site security plan, explicitly naming transitional zones
- Staff briefing records that reference distraction fraud as a named threat category
- CCTV coverage documentation confirming that transitional zones are included, not just the trading floor
- Near-miss and observation logs that capture suspicious approach behaviour below the threshold of a formal incident report
That last item is the one most operators don't have. Completed incidents get reported. Suspicious-but-inconclusive observations disappear. For a syndicate running a distributed low-frequency pattern, the observations that didn't result in confirmed fraud are often the earliest evidence that a foreseeable risk was present — and the most valuable data point if a claim or legal dispute arises later.
The documentation gap is solvable at the ops layer
Closing the observation logging gap doesn't require a large infrastructure investment. It requires a process that makes it as easy for a staff member to log "customer appeared disoriented near ATM, unknown male approached and both left together — no incident confirmed" as it is to log a completed theft.
XGuard's real-time marketplace and dispatch platform gives operators a structured layer for exactly this kind of observation capture — logging near-misses, flagged behaviours, and suspicious approach patterns that would otherwise go unrecorded, and surfacing them in an audit trail that holds up when insurers or courts ask what a site knew and when it knew it.
Bombonel's 13 victims were each targeted in a physical space a retailer was responsible for managing. The conviction is on record. The pattern was there to see. The liability question for those sites is still open. If you're building or running security ops infrastructure, the question is whether your logging architecture would have caught it — or whether your system is also producing clean-looking per-site incident counts while a distributed pattern runs underneath.
If you're an operator, founder, or technical lead working in retail security or dispatch infrastructure, XGuard is worth a look for what a real-time observation and audit layer can add to your stack.
Source: ABC News Australia — 2026-05-26
Originally published at marketplace.xguard.app. This version was adapted for this platform's audience; the canonical original lives at the link above.
