Chinese Groups Stole 115 Million US Cards in 16-Month Smishing Campaign
A new report from cybersecurity firm SecAlliance has revealed a highly organized criminal operation run by Chinese syndicates that may have compromised as many as 115 million payment cards in the United States. According to the research, these attacks, which occurred between July 2023 and October 2024, have resulted in billions of dollars in losses.
The report, published on August 5, highlights a fundamental change in how these groups operate: they turn stolen card details into payment tokens in mobile wallets such as Apple Pay and Google Wallet. This marks a shift from basic scams, in which text messages impersonate delivery companies or toll services, to a large-scale, professional criminal enterprise.
Researchers explain that a key figure, operating under the name “Lao Wang,” created one of the first phishing-as-a-service platforms, effectively a marketplace run through a Telegram channel called ‘dy-tongbu.’ The channel grew quickly from around 2,800 members to over 4,400, and its focus shifted from simple text-message lures to fake e-commerce websites advertised on platforms such as Meta, TikTok, and Google.
According to the company’s report, the syndicate’s operations have since expanded to selling devices pre-loaded with multiple stolen cards and, most recently, to attacks on brokerage accounts, extending the theft into the wider financial sector.
The core of the scam is ‘smishing,’ phishing by text message. The attackers send a text containing a link to a fake, mobile-friendly website, where victims are tricked into entering personal information and then their payment card details.
Researchers monitored over 32,000 fake websites to gauge the scale of the operation. They also mapped a network of other criminal operators and phishing kits, including those known as Chen Lun, PepsiDog (also known as Xiū Gou), and Darcula.
The crucial step is that the attackers then defeat the multi-factor authentication the card issuer performs when a card is added to a wallet, usually a one-time code sent to the cardholder. Getting past this check lets them provision the stolen card into a digital wallet they control, such as Apple Pay or Google Wallet.
“The defining characteristic of these operations is their deliberate and systematic exploitation of digital wallet provisioning processes, transforming stolen payment card credentials into tokenized assets within Apple Pay and Google Wallet ecosystems. This approach effectively bypasses traditional fraud detection systems that rely on monitoring direct card usage patterns, creating a new category of financial crime that existing security frameworks struggle to address.”
SecAlliance
To stay under fraud-detection thresholds, the operators cap the number of cards loaded per device: 4 to 7 cards per device for US victims and 7 to 10 for UK victims. Kept within these limits, the tokenized cards can be used for contactless payments and online purchases without triggering the alerts that traditional fraud detection systems would normally raise.
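Because the fraud happens at the provisioning step rather than in card usage, the issuer-side signal to watch is how many different cardholders’ cards end up tokenized on the same device. The following is an added example, not code from SecAlliance or from the report: it parses constructed provisioning events and flags any device that collects tokens from three or more distinct cardholders within a rolling window. The event fields, the 30-day window and the threshold of three holders are assumptions for illustration; the threshold is deliberately set below the 4-to-7-card loads the report describes so that it fires before the operators’ own cap is reached.

```python
"""Flag devices that accumulate wallet tokens for many different cardholders.

Added example, not the report's code. The event format is an assumption:
real issuers receive provisioning data from the token service provider in
their own schema, but the fields used here (time, device, cardholder, card,
country, OTP outcome) are the ones this check needs.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events, one per token provisioning request seen by the
# issuer. dev-A1 shows the pattern described in the report: several cards
# belonging to unrelated cardholders loaded onto one device in a few days.
# dev-B7 is a legitimate user adding two of their own cards; dev-C3 is a
# single UK cardholder with one card.
SAMPLE_EVENTS = """\
2024-03-01T10:02:11Z dev-A1 ch-1001 4421 US otp_ok
2024-03-01T10:09:40Z dev-A1 ch-2090 7730 US otp_ok
2024-03-01T11:15:02Z dev-A1 ch-3311 0192 US otp_ok
2024-03-02T09:41:55Z dev-A1 ch-4402 5534 US otp_ok
2024-03-02T13:20:18Z dev-A1 ch-5127 8810 US otp_ok
2024-03-03T08:00:00Z dev-B7 ch-6001 3301 US otp_ok
2024-03-04T17:30:00Z dev-B7 ch-6001 9917 US otp_ok
2024-03-05T12:12:12Z dev-C3 ch-7010 1122 GB otp_ok
"""


def parse_events(text):
    """Parse whitespace-separated event lines into dicts (assumed format)."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, device, holder, last4, country, otp = line.split()
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "device": device,
            "holder": holder,
            "last4": last4,
            "country": country,
            "otp": otp,
        })
    return events


def analyze(events, window=timedelta(days=30), holder_threshold=3):
    """Per device: distinct cards, peak distinct cardholders in any window, flag.

    A device is flagged when, at some point, tokens for at least
    holder_threshold different cardholders were provisioned to it within the
    trailing window. Only successful provisionings (otp_ok) count, because
    those are the tokens the fraudsters can actually spend with.
    """
    by_device = defaultdict(list)
    for ev in events:
        if ev["otp"] == "otp_ok":
            by_device[ev["device"]].append(ev)

    report = {}
    for device, evs in by_device.items():
        evs.sort(key=lambda e: e["ts"])
        peak = 0
        for i, ev in enumerate(evs):
            start = ev["ts"] - window
            # Sliding window ending at this event: distinct holders so far.
            holders = {e["holder"] for e in evs[: i + 1] if e["ts"] >= start}
            peak = max(peak, len(holders))
        report[device] = {
            "cards": len({(e["holder"], e["last4"]) for e in evs}),
            "peak_holders": peak,
            "flag": peak >= holder_threshold,
        }
    return report


def flagged_devices(report):
    """Sorted list of device ids whose provisioning pattern looks like abuse."""
    return sorted(d for d, r in report.items() if r["flag"])


if __name__ == "__main__":
    result = analyze(parse_events(SAMPLE_EVENTS))
    for device, row in sorted(result.items()):
        print(device, row)
    print("flagged:", flagged_devices(result))
```

The check is intentionally simple: a per-device count of distinct cardholders is something an issuer can compute from provisioning records it already receives, and unlike transaction monitoring it fires before the first fraudulent tap. In practice the window and threshold would be tuned against legitimate household sharing, and the same aggregation can be keyed on the phone number or wallet account instead of the device fingerprint.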
The report states that this approach raises payment card fraud to a level that makes it harder than ever for banks to spot the theft. The full report is available for download on SecAlliance’s website and is worth reading, as it contains much more detail on these scams.