Smishing Triad: The Scam Group Stealing the World’s Riches

Credit to Author: Matt Burgess | Date: Mon, 14 Apr 2025 10:00:00 +0000

The scam text messages follow a similar pattern: You need to pay an outstanding toll road fee, or a parcel can’t be properly delivered, they say. “The USPS package arrived at the warehouse but could not be delivered due to incomplete address information,” reads one typical message.

A link in the message points to a realistic website where you are asked to enter more details and make a small payment—while behind the scenes, cybercriminals hoover up your information and credit card digits in real time.

These messages originate from one prolific collection of loosely linked cybercriminals: “smishing” syndicates.

This article is part of WIRED's Guide to the Most Dangerous Hackers You've Never Heard Of.

Over the past three years, these Chinese-speaking fraudsters have developed and operated the world’s foremost smishing operation, spamming millions of people with text messages and likely stealing millions of dollars in the process. The term “smishing” is a mashup of SMS and phishing emails, which try to trick people into handing over personal details. Text messages, though, add a layer of urgency and may catch people off-guard as they go about their busy day.

Now, these groups are quickly adapting their methods and expanding their scamming, security experts say.

“They operate very similar to a [legitimate] business in a lot of ways,” says Grant Smith, the founder of offensive cybersecurity firm Phantom Security who last year hacked one Chinese-language group and uncovered how its internal phishing kits function.

“The vast majority of the kits I see nowadays are surprisingly well put together,” Smith says. “They are constantly developing these, constantly updating them, making them look better, making them more secure.”

Multiple Chinese-speaking smishing groups and individual actors are involved in the ongoing development of new techniques and running the large-scale fraud. Often, groups will even sell the kits they develop to less sophisticated cybercriminals to easily operate.

Ford Merrill, a security researcher at SecAlliance, part of the CSIS Security Group, has been tracking the syndicates for two years and says there are now seven “major” Chinese “phishing-as-a-service” actors. “They have been enabling global SMS-based phishing campaigns at a massive scale since early 2023 onwards,” he tells WIRED.

Criminals will create websites impersonating companies or brands—such as postal services, tax authorities, telecoms, utilities companies, and increasingly payment providers—and then send texts (either SMS, encrypted iMessage, or RCS) that entice people to enter their personal information and bank cards on the fraudulent websites. This process requires the fraudsters to register thousands of domains and use Apple iCloud accounts.

One of the most prominent of the smishing actors is often referred to as the Smishing Triad—although security researchers group Chinese-speaking threat actors and affiliates in different ways—which has impersonated organizations and brands in at least 121 countries, according to recent research by security company Silent Push.

Around 200,000 domains have been used by the group in recent years, the research says, with around 187 top-level domains—such as .top, .world, and .vip—being used. Across one recent 20-day period, there were more than 1 million page visits to scam websites used by the Smishing Triad, according to Silent Push.

Besides collecting names, emails, addresses, and bank card details, the websites also prompt people to enter one-time passwords or authentication codes that allow the criminals to add bank cards to Apple Pay or Google Wallet, allowing them to use the cards while on the other side of the world.

“They have effectively turned the modern digital wallet, like Apple Pay or Google Wallet, into the best card-cloning device we’ve ever invented,” Merrill says.

In Telegram groups linked to the cybercriminal organizations, some members share photos and videos of bank cards being added to digital wallets on iPhones and Androids. For instance, in one video, scammers allegedly show off dozens of virtual cards that they have added to phones they are using.

Merrill says the criminals may not make payments using the cards they’ve added to digital wallets straightaway, but it probably won’t take long.

“When we first started seeing this, they would wait between 60 and 90 days before actually stealing money from the cards,” he explains, adding that at first the criminals would let the cards “age” on a device in an attempt to look legitimate. “Nowadays you would be lucky if they wait seven days or even a couple days. Once they hit the card, they hit it hard and fast.”

“Security is core to the Google Wallet experience, and we work closely with card issuers to prevent fraud,” says Google communications manager Olivia O'Brien. “For example, banks notify customers when their card has been added to a new Wallet, and we provide signals to help issuers detect fraudulent behavior so they can decide whether to approve added cards.”

Apple did not respond to WIRED’s request for comment.

The giant scam ecosystem is powered in part by commercial underground scamming services. Findings from security firm Resecurity, which has tracked the Smishing Triad for more than two years, say the group has been using “bulk” SMS and message-sending services as it has expanded the number of messages it sends.

Meanwhile, as multiple security researchers have noted, the Smishing Triad group also uses its own software, called Lighthouse, to collect, manage, and store people's personal information and card details. A video of the Lighthouse software originally shared on Telegram and republished by Silent Push shows how the system collects card details.

The latest version of the software, which was updated in March this year, “targets dozens of financial brands” including PayPal, Mastercard, Visa, and Stripe, Silent Push says. In addition, the research says, Australian banking brands appear to be impersonated, indicating a potential further expansion of targets.

The smishing groups are constantly improving their own scamming software. Smith, the researcher who hacked a smishing gang, says he has seen groups operating their own development pipelines for their software and systems.

“Recently they were using some custom-made software that they had to basically replicate Jira and have tickets open for any issues with the platform and any customer complaints,” Smith says. “They would assign them to team members.”

Chinese smishing groups do not appear to be slowing down. The cybercriminals are behind huge waves of toll road text scams sweeping across the United States this year, says Shawn Loveland, the chief operating officer at Resecurity. “They’re increasing in their scale and their volume of attacks,” he says.

Loveland says there may be multiple ways to limit the effectiveness of smishing operations. Domain registrars could get better at detecting fraudulent websites, for example, and improved spam filtering on messages would help potential victims. Plus, law enforcement could target the platforms and systems they use to create accounts and send messages.
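As an added illustration of the message-side filtering Loveland mentions (example code written for this page, not from any researcher or vendor named in it), the scorer below rates SMS bodies on the traits the article describes: a toll-fee or undeliverable-parcel lure, a link on one of the top-level domains Silent Push associates with the Smishing Triad (.top, .world, .vip), an impersonated brand, and urgency wording. The sample messages, the brand list and the scoring weights are constructed assumptions, and the .top/.world/.vip check is a heuristic, not proof that a domain is malicious.

```python
import re
from urllib.parse import urlparse

# Constructed sample messages modelled on the lures quoted in the article.
SAMPLE_MESSAGES = [
    "The USPS package arrived at the warehouse but could not be delivered due to "
    "incomplete address information. Update at https://usps-redelivery.top/track",
    "Reminder: your outstanding toll road fee must be paid within 24 hours to avoid "
    "a penalty: https://tollpay.vip/pay",
    "Hey, running late, see you at 7",
    "Your order has shipped. Track it at https://www.example.com/track",
]

# Lure themes the article describes: unpaid toll fees and undeliverable parcels.
LURE_PATTERNS = [
    re.compile(r"\btoll\b.*\b(fee|balance|unpaid|outstanding)\b", re.I),
    re.compile(r"\b(package|parcel)\b.*\b(could not be delivered|undeliverable|"
               r"incomplete address)\b", re.I),
]
# TLDs the article names as heavily used by the group (heuristic signal only).
SUSPECT_TLDS = {"top", "world", "vip"}
# Brands the article says are impersonated; assumption: illustrative, not exhaustive.
BRANDS = re.compile(r"\b(usps|paypal|mastercard|visa|stripe)\b", re.I)
URGENCY = re.compile(r"\b(within \d+ hours|today|immediately|avoid (a )?penalty)\b", re.I)
URL_RE = re.compile(r"https?://\S+", re.I)


def score_message(text):
    """Return (score, reasons) for one SMS body; higher means more smishing-like."""
    score, reasons = 0, []
    for url in URL_RE.findall(text):
        host = urlparse(url).hostname or ""
        tld = host.rsplit(".", 1)[-1].lower()
        if tld in SUSPECT_TLDS:
            score += 2          # link on a TLD the article associates with the campaign
            reasons.append(f"url on .{tld}")
        else:
            score += 1          # any link is a weak signal on its own
            reasons.append("url present")
    if any(p.search(text) for p in LURE_PATTERNS):
        score += 2
        reasons.append("toll/parcel lure")
    if BRANDS.search(text):
        score += 1
        reasons.append("impersonated brand")
    if URGENCY.search(text):
        score += 1
        reasons.append("urgency")
    return score, reasons


def is_smishing(text, threshold=4):
    """Flag a message when enough of the article's traits co-occur (threshold is an assumption)."""
    return score_message(text)[0] >= threshold


if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        print(is_smishing(msg), score_message(msg), msg[:50])
```

A real filter would combine this with sender reputation and URL lookups; the point here is that the lure text, the link's TLD and the brand mention are each weak alone but strong together.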

Making it harder for smishing groups to successfully operate could reduce profits and have a cooling effect on the surging criminal ecosystem, Loveland says.

“Criminals have a supply chain, and you don't have to go after all the components in the supply chain,” he says. “You can go after choke points in the supply chain.”
