This research presents an analysis of sophisticated smishing campaigns orchestrated by Chinese cybercriminal syndicates that have systematically targeted victims worldwide since early 2023. These operations represent a paradigm shift in payment card fraud, combining advanced SMS, RCS, and iMessage-based social engineering with sophisticated phishing infrastructure and real-time multi-factor authentication bypass techniques. The primary innovation lies in their strategic exploitation of digital wallet tokenization systems, particularly Apple Pay and Google Wallet, to circumvent traditional fraud detection mechanisms.
Our investigation reveals an extensive criminal ecosystem that may have compromised between 12.7 million and 115 million payment cards in the United States alone between July 2023 and October 2024, with estimated financial losses reaching into the billions of dollars. The research documents the operational evolution from simple package delivery scams to sophisticated phishing-as-a-service platforms, fake e-commerce operations, and most recently, brokerage account takeover schemes.
The landscape of SMS-based phishing attacks underwent a dramatic transformation in August 2023, marking the emergence of what we now believe is the most sophisticated and financially damaging smishing operation in recorded history. SMS phishing has existed for years, and the COVID-19 pandemic initially created opportunities for package delivery scams targeting services like RoyalMail in the United Kingdom during 2020-2021; those early campaigns, however, were relatively unsophisticated, short-lived, and did not use digital wallet monetization.
The current wave of attacks, predominantly orchestrated by Chinese-speaking threat actors, represents a fundamental evolution in both technical sophistication and strategic approach. The defining characteristic of these operations is their deliberate and systematic exploitation of digital wallet provisioning processes, transforming stolen payment card credentials into tokenized assets within Apple Pay and Google Wallet ecosystems. This approach effectively bypasses traditional fraud detection systems that rely on monitoring direct card usage patterns, creating a new category of financial crime that existing security frameworks struggle to address.
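Because the fraud described above is monetized at the wallet-provisioning step rather than through direct card usage, an issuer-side control has to watch provisioning itself. The following is an added illustration, not code from this report or from any wallet provider: it runs a sliding-window velocity rule over a constructed provisioning log and flags devices that tokenize an unusual number of distinct cards, or cards belonging to more than one cardholder, within a short window. The field names, thresholds, and sample events are assumptions made for the example.

```python
"""Flag wallet-provisioning bursts: many distinct cards (or cards of several
cardholders) tokenised onto one device within a short window. Illustrative
detection logic; the log schema and thresholds are assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of provisioning events (assumed issuer-side fields).
# dev-A tokenises four cards from four cardholders in nine minutes;
# dev-B tokenises two cards of the same cardholder a day apart.
SAMPLE_EVENTS = [
    {"ts": "2024-03-01T09:00:00", "card": "card-0001", "device": "dev-A", "holder": "h1"},
    {"ts": "2024-03-01T09:04:00", "card": "card-0002", "device": "dev-A", "holder": "h2"},
    {"ts": "2024-03-01T09:07:00", "card": "card-0003", "device": "dev-A", "holder": "h3"},
    {"ts": "2024-03-01T09:09:00", "card": "card-0004", "device": "dev-A", "holder": "h4"},
    {"ts": "2024-03-01T10:30:00", "card": "card-0005", "device": "dev-B", "holder": "h5"},
    {"ts": "2024-03-02T10:31:00", "card": "card-0006", "device": "dev-B", "holder": "h5"},
]


def parse_events(events):
    """Convert ISO timestamps to datetime objects and sort chronologically."""
    parsed = [{**e, "ts": datetime.fromisoformat(e["ts"])} for e in events]
    return sorted(parsed, key=lambda e: e["ts"])


def flag_provisioning_bursts(events, max_cards=3, max_holders=1,
                             window=timedelta(hours=1)):
    """Return {device_id: peak counts} for devices that exceed either threshold
    inside any sliding window of length `window`."""
    by_device = defaultdict(list)
    for e in parse_events(events):
        by_device[e["device"]].append(e)

    alerts = {}
    for device, evs in by_device.items():
        peak_cards = peak_holders = 0
        start = 0
        for end, cur in enumerate(evs):
            # Slide the window start forward until it fits within `window`.
            while cur["ts"] - evs[start]["ts"] > window:
                start += 1
            span = evs[start:end + 1]
            peak_cards = max(peak_cards, len({x["card"] for x in span}))
            peak_holders = max(peak_holders, len({x["holder"] for x in span}))
        if peak_cards > max_cards or peak_holders > max_holders:
            alerts[device] = {"peak_cards": peak_cards, "peak_holders": peak_holders}
    return alerts


if __name__ == "__main__":
    for device, stats in flag_provisioning_bursts(SAMPLE_EVENTS).items():
        print(f"ALERT device={device} {stats}")
```

The rule is deliberately independent of transaction data: a card that was tokenized during a smishing session looks like a normal card when it is later used, so the anomaly is only visible at the moment of provisioning. In practice the device identifier would come from the wallet provider's provisioning request and the holder field from the issuer's own records.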
Our investigation, spanning nearly two years of continuous monitoring and analysis, has uncovered a vast criminal infrastructure that operates with the efficiency and scalability of legitimate software-as-a-service businesses and whose implications extend far beyond individual financial losses.