Chinese Smishing Syndicates May Have Compromised Up to 115 Million U.S. Payment Cards
Security researchers have uncovered a highly advanced network of Chinese-speaking cybercriminal syndicates orchestrating smishing attacks that exploit digital wallet tokenization, potentially compromising up to 115 million payment cards in the United States alone.
These operations, which have evolved rapidly since August 2023, rely on phishing-as-a-service (PaaS) platforms to harvest card data and relay the issuer's one-time passcode (OTP) in real time, defeating the verification step that is supposed to protect wallet enrollment, and then load the stolen cards as payment tokens in ecosystems such as Apple Pay and Google Wallet.
Smishing Operations Target Digital Wallets
Unlike traditional card-not-present (CNP) fraud, this method evades legacy fraud controls: the stolen card is provisioned as a token on an attacker-controlled device, so the subsequent contactless payments, online transactions and even NFC relay attacks used to monetize it worldwide look like ordinary wallet use rather than the anomalous card-usage patterns that trigger alerts.
The syndicates, led by actors such as “Lao Wang” (alias Wang Duo Yu), have built resilient phishing kits with geofencing, mobile user-agent enforcement and IP blocking, so that security vendors' scanners, desktop browsers and Tor exit nodes never see the phishing content.
Initial lures delivered via SMS, iMessage or RCS impersonate services such as USPS or toll-payment operators and guide victims through multi-stage forms that capture personally identifiable information (PII), card details (enriched with issuer data from integrated Bank Identification Number (BIN) databases) and, in real time, the OTP the issuer sends to authorize wallet provisioning.
By August 2024, Lao Wang’s “Lighthouse” platform introduced modular frontends, role-based access control (RBAC), and AJAX-based keystroke capture, supporting over 80 countries and expanding from 17 to hundreds of targeted brands.
According to the report, this SaaS-like infrastructure includes WordPress and WooCommerce integrations for fake e-commerce sites, where victims input credentials during seemingly legitimate checkouts, further enhanced by PayPal account takeover modules.
Evolving Monetization Tactics
Monetization strategies demonstrate deep technical acumen: operators typically provision 4-7 stolen cards per device for U.S. victims and 7-10 for U.K. targets, favoring older iPhone models with weaker security features.
Fraudulent activity includes high-velocity transactions after a 2-10 day dormancy period, physical POS laundering through malicious merchant accounts on platforms such as Stripe or Flutterwave, and wholesale sales of pre-loaded devices shipped via air freight.
The ecosystem has spawned competitors like Chen Lun, PepsiDog, Darcula (handling 80-90% of observed smishing URLs), XinXin, Panda Shop, and Mouse, each specializing in regional targets and employing Git-based versioning for rapid brand switching.
Recent expansions into brokerage phishing for account takeovers enable wire transfer exfiltration or pump-and-dump schemes using compromised accounts to manipulate penny stocks.
Impact assessments, drawing on domain analysis of 32,094 USPS-themed sites between July 2023 and October 2024, estimate 12.7 to 115 million compromised cards, applying per-domain averages of 387 to 3,485 compromised cards taken from independent studies.
This unprecedented scale imposes massive costs on financial institutions for card reissuance, investigations, and remediation, exacerbated by the syndicates’ shift to fake e-shops advertised on Meta, TikTok, and Google, undermining traditional user awareness training.
To counter these threats, experts recommend overhauling digital wallet provisioning with app-based authentication, device binding to banking apps, real-time provisioning alerts, and customer controls like provisioning freezes.
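As an added illustration of what these controls look like on the issuer side (this is example code, not code from the report, from any issuer, or from Apple or Google), the following Python gate evaluates token-provisioning requests against a bound-device registry, a customer provisioning freeze, and per-device velocity. The event schema, the registry, the thresholds and the sample events are all constructed assumptions; a real issuer would see the full PAN and the token requestor's device attestation rather than the placeholders used here.

```python
"""Issuer-side gate for digital-wallet token provisioning.

Added example (not any issuer's or wallet provider's code). Implements the
controls the article recommends: deny when the customer has frozen
provisioning, step up to in-app approval when a card is entered manually on
a device the banking app has not bound, and deny when one device is
collecting tokens for several unrelated customers or too many cards.
Schema, thresholds and sample data are assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class ProvisioningEvent:
    ts: datetime
    customer_id: str
    card_last4: str   # stand-in for the PAN the issuer actually sees
    device_id: str    # device identifier presented by the wallet (token requestor)
    path: str         # "in_app" = pushed from the issuer's app; "manual" = PAN + OTP entry
    country: str


# Constructed issuer state: devices each customer registered through the banking
# app, and customers who enabled a provisioning freeze.
BOUND_DEVICES = {"cust-001": {"dev-A"}, "cust-002": {"dev-B"}, "cust-003": set()}
FROZEN = {"cust-003"}

# Assumed thresholds. The article reports 4-7 cards per attacker device for U.S.
# victims, so a low per-device cap within a 24h window catches the pattern early.
MAX_CARDS_PER_DEVICE = 3
WINDOW = timedelta(hours=24)


def decide(reasons):
    """Map triggered rules to an issuer decision."""
    hard_deny = {"customer_freeze", "device_velocity", "device_shared_across_customers"}
    if hard_deny & set(reasons):
        return "deny"
    if "manual_path_on_unbound_device" in reasons:
        return "step_up"          # require approval inside the authenticated banking app
    return "allow"


def evaluate(events):
    """Evaluate requests in time order, each using only the events before it.

    Returns a list of (event, decision, reasons). Denied attempts stay in the
    device history so an attacker's retries still count toward velocity.
    """
    history = defaultdict(list)   # device_id -> earlier events on that device
    results = []
    for ev in sorted(events, key=lambda e: e.ts):
        reasons = []
        if ev.customer_id in FROZEN:
            reasons.append("customer_freeze")
        if ev.path == "manual" and ev.device_id not in BOUND_DEVICES.get(ev.customer_id, set()):
            reasons.append("manual_path_on_unbound_device")
        recent = [h for h in history[ev.device_id] if ev.ts - h.ts <= WINDOW]
        cards = {(h.customer_id, h.card_last4) for h in recent} | {(ev.customer_id, ev.card_last4)}
        if len(cards) > MAX_CARDS_PER_DEVICE:
            reasons.append("device_velocity")
        customers = {h.customer_id for h in recent} | {ev.customer_id}
        if len(customers) > 1:
            # One phone holding cards of unrelated customers is the signature of a
            # pre-loaded fraud device; a shared family phone rarely exceeds two.
            reasons.append("device_shared_across_customers")
        results.append((ev, decide(reasons), reasons))
        history[ev.device_id].append(ev)
    return results


def alerts(results):
    """Real-time customer notifications for every request that was not allowed."""
    return [f"{ev.customer_id}: card ending {ev.card_last4} provisioning {decision} "
            f"on {ev.device_id} ({', '.join(reasons)})"
            for ev, decision, reasons in results if decision != "allow"]


# Constructed sample traffic: one legitimate in-app add, an attacker phone
# loading four phished victims' cards within an hour, a frozen customer, and a
# legitimate customer on a new, not yet bound, phone.
T0 = datetime(2024, 10, 1, 9, 0)
SAMPLE_EVENTS = [
    ProvisioningEvent(T0, "cust-001", "4242", "dev-A", "in_app", "US"),
    ProvisioningEvent(T0 + timedelta(minutes=10), "cust-010", "1111", "dev-X", "manual", "US"),
    ProvisioningEvent(T0 + timedelta(minutes=25), "cust-011", "2222", "dev-X", "manual", "US"),
    ProvisioningEvent(T0 + timedelta(minutes=40), "cust-012", "3333", "dev-X", "manual", "US"),
    ProvisioningEvent(T0 + timedelta(minutes=55), "cust-013", "4444", "dev-X", "manual", "US"),
    ProvisioningEvent(T0 + timedelta(hours=2), "cust-003", "5555", "dev-Y", "manual", "US"),
    ProvisioningEvent(T0 + timedelta(hours=3), "cust-002", "6666", "dev-C", "manual", "US"),
]

if __name__ == "__main__":
    for line in alerts(evaluate(SAMPLE_EVENTS)):
        print(line)
```

The first manual request on the attacker's phone is only stepped up, because at that point it is indistinguishable from a customer with a new handset; the second request, for a different customer's card on the same device, is what turns the device into a deny. That is the practical value of the device-binding recommendation: it forces the attacker's first card onto the in-app path they cannot complete, and it makes every later card on that device visibly anomalous.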
Cross-industry collaboration among banks, tech giants like Apple and Google, and telecom providers is crucial for threat intelligence sharing and pattern detection.
Without these reforms, the adaptability of these syndicates, evident in their progression from basic scams to global PaaS empires, poses an existential risk to digital payment security and demands immediate coordinated action to mitigate ongoing and future losses.