Chinese smishing syndicates may have compromised up to 115 million payment cards in the US between July 2023 and October 2024.

Researchers from SecAlliance estimated that these compromises have resulted in billions of dollars in financial losses.

The SecAlliance report highlighted the sophisticated nature of these campaigns, which involved the strategic exploitation of digital wallet tokenization, particularly Apple Pay and Google Wallet, to circumvent traditional fraud detection mechanisms.

“These operations represent a paradigm shift in payment card fraud, combining advanced SMS, RCS and iMessage based social engineering with sophisticated phishing infrastructure and real-time multi-factor authentication (MFA) bypass techniques,” the researchers noted.

The investigation, which spanned nearly two years, observed that the campaigns are orchestrated by Chinese cybercriminal syndicates, which have systematically targeted victims worldwide since early 2023.

Between 12.7 million and 115 million payment cards in the US have been compromised in these campaigns, based on research from independent security researchers and SecAlliance’s own analysis of domain activity patterns.


Major Evolution in Phishing Infrastructure

The report, published on August 5, demonstrates how the campaigns have evolved from simple package delivery scams to sophisticated phishing-as-a-service (PaaS) platforms, fake e-commerce operations and, most recently, brokerage account takeover schemes.

The investigation initially identified a Chinese-speaking developer operating under the name “Lao Wang,” who is believed to have established one of the first popular PaaS operations with an integration to support digital wallet exploitation.

A Telegram channel dubbed “dy-tongbu”, established in February 2023, is operated by the same individual.

This channel has evolved into a huge marketplace for phishing services, growing from around 2800 members in August 2023 to over 4400 by early 2025.

The phishing kits available on this platform contain sophisticated defensive capabilities, primarily designed to hinder security researchers’ ability to analyze and categorize the phishing pages, and to make the pages resilient against takedowns.


These measures include geofencing to restrict access to the targeted geographic regions, IP blocking of known hosting providers and Tor exit nodes, and mobile user-agent enforcement to ensure that only mobile devices can interact with the phishing pages.

This approach also ensures that victims are phished on the same mobile devices that will ultimately receive one-time password (OTP) messages to circumvent MFA.
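The access gating just described is also what gives a defender a handle on these pages: a kit that only answers in-region phones on residential IPs looks different to a desktop crawler than to a victim’s handset. The following is an added example, not code from the SecAlliance report or from the kits it describes. It requests the same URL under several client profiles and reports which gating behaviours appear. The `simulated_kit_fetch` function is a constructed stand-in that imitates the gating described in the article so the example runs offline; a real scanner would swap in an HTTP client and its own egress profiles. The profile names and the URL are assumptions.

```python
"""Added example: detecting mobile/IP/geo gating on a suspected smishing page.

Not part of the SecAlliance report. The fetch function is a constructed
simulation of a gated kit; replace it with a real HTTP client to use this
against URLs extracted from reported messages.
"""
from dataclasses import dataclass

# Client profiles a scanner might rotate through (constructed values).
# Only the UA string, IP class and apparent country matter to the check.
PROFILES = {
    "desktop_residential": {"user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/124.0",
                            "ip_class": "residential", "country": "US"},
    "mobile_residential": {"user_agent": "Mozilla/5.0 (iPhone; CPU iPhone OS 17_0 like Mac OS X) Mobile/15E148",
                           "ip_class": "residential", "country": "US"},
    "mobile_hosting": {"user_agent": "Mozilla/5.0 (iPhone; CPU iPhone OS 17_0 like Mac OS X) Mobile/15E148",
                       "ip_class": "hosting", "country": "US"},
    "mobile_tor": {"user_agent": "Mozilla/5.0 (iPhone; CPU iPhone OS 17_0 like Mac OS X) Mobile/15E148",
                   "ip_class": "tor", "country": "US"},
    "mobile_residential_foreign": {"user_agent": "Mozilla/5.0 (Linux; Android 14) Mobile Chrome/124.0",
                                   "ip_class": "residential", "country": "DE"},
}


@dataclass(frozen=True)
class Response:
    status: int
    has_form: bool  # True when the body carries a data-entry form


def simulated_kit_fetch(url: str, profile: dict) -> Response:
    """Constructed stand-in for an HTTP request to a gated phishing page.

    Mirrors the article's description: non-mobile user agents, hosting and Tor
    IPs, and out-of-region clients get an error or decoy page; only in-region
    phones on residential IPs receive the data-entry form.
    """
    if "Mobile" not in profile["user_agent"]:
        return Response(404, False)
    if profile["ip_class"] in ("hosting", "tor"):
        return Response(403, False)
    if profile["country"] != "US":
        return Response(200, False)  # benign decoy page
    return Response(200, True)


def assess_gating(url: str, fetch=simulated_kit_fetch) -> dict:
    """Fetch `url` under every profile and report which gating behaviours appear.

    A page is only flagged when the in-region mobile residential profile gets
    the form and some other profile does not; a page that serves everyone the
    same content produces no finding.
    """
    results = {name: fetch(url, prof) for name, prof in PROFILES.items()}
    served = {name for name, r in results.items() if r.status == 200 and r.has_form}
    baseline = "mobile_residential" in served
    findings = {
        "ua_gating": baseline and "desktop_residential" not in served,
        "ip_gating": baseline and ("mobile_hosting" not in served or "mobile_tor" not in served),
        "geo_gating": baseline and "mobile_residential_foreign" not in served,
        "served_to": sorted(served),
    }
    findings["suspicious"] = findings["ua_gating"] or findings["ip_gating"] or findings["geo_gating"]
    return findings


if __name__ == "__main__":
    # Constructed URL; nothing is fetched because the simulated fetcher is used.
    print(assess_gating("https://example.invalid/track"))
```

Running this from a single vantage point is not enough: the whole point of the check is that the same URL is observed from a residential mobile egress and from a datacenter or Tor egress in the same pass, so that a 403 or decoy page is attributed to gating rather than to the page being down.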

MySQL is used as a database to store victim data and configuration parameters.

The success of Lao Wang’s smishing platform led to numerous other Chinese-speaking actors developing their own digital-wallet-focused smishing platforms, the researchers observed.

How the Smishing Attacks Work

The attacks begin with SMS, iMessage or RCS messages being sent to victims. These employ social engineering lures related to package deliveries, toll road payments, tax refunds, vehicle registrations or other urgent matters that require immediate attention.

The links in these messages direct victims to mobile-optimized phishing pages. These pages request that the targets input personally identifiable information, including full names, physical addresses, email addresses and phone numbers, under the pretense of being required for service verification or delivery coordination.

The next step involves payment card information collection, typically justified by small fees for package redelivery, toll payments or processing charges.

Finally, the phishing pages capture OTP codes from the victim, typically initiated when threat actors attempt to provision the stolen card information to digital wallets on attacker-controlled devices.

Shift to Digital Wallet Compromise

The researchers said that these operations’ focus on the exploitation of digital wallet tokenization systems represents a “fundamental shift” in payment card fraud methodology.

Traditional ‘card not present’ fraud relies on direct use of stolen card numbers on platforms that contain fraud detection systems.

With digital wallet tokenization, once payment card credentials are harvested, threat actors immediately provision these cards to digital wallets on attacker-controlled devices.

This approach eliminates additional authentication requirements for individual transactions, as the initial provisioning process validates the card holder’s identity through the MFA bypass.

“The monetization opportunities created by this approach are extensive. Contactless payments at physical point-of-sale terminals enable purchases via legitimate retail channels. Online purchases through applications that support digital wallet payments provide access to further goods and services. In some locations, tap-to-pay ATM withdrawals provide direct cash access without requiring physical card possession,” the researchers explained.

Threat actors have been observed creating malicious merchant accounts with legitimate payment processors, including Stripe, PayPal, HitPay and Flutterwave.

Syndicates Moving Beyond Smishing

The criminal ecosystem has evolved to include the sale of pre-positioned devices loaded with multiple stolen cards.

The SecAlliance researchers said this development indicates the existence of downstream criminal networks that specialize in monetizing provisioned cards on devices.

Another significant evolution in these criminal operations occurred in August 2024, with the emergence of fake e-commerce websites. Unlike traditional smishing campaigns that rely on unsolicited messages to drive traffic, these fake shopping operations target users who are actively seeking products and services through apparently legitimate channels.

Threat actors employ a sophisticated advertising strategy for these fake shops, including purchasing advertising space on platforms including Meta, TikTok and Google.

The most recent evolution observed involved the targeting of major global brokerage firms, with these phishing pages designed to facilitate account takeovers in the financial sector rather than card theft.