Date: 2025-08-05

Chinese smishing syndicates may have compromised up to 115 million payment cards in the US between July 2023 and October 2024.

Researchers from SecAlliance estimated that these compromises have resulted in billions of dollars in financial losses.

The SecAlliance report highlighted the sophisticated nature of these campaigns, which involved the strategic exploitation of digital wallet tokenization, particularly Apple Pay and Google Wallet, to circumvent traditional fraud detection mechanisms.

“These operations represent a paradigm shift in payment card fraud, combining advanced SMS, RCS and iMessage based social engineering with sophisticated phishing infrastructure and real-time multi-factor authentication (MFA) bypass techniques,” the researchers noted.

The investigation, which spanned nearly two years, observed that the campaigns are orchestrated by Chinese cybercriminal syndicates, which have systematically targeted victims worldwide since early 2023.

Between 12.7 million and 115 million payment cards have been compromised in these campaigns in the US based on research from independent security researchers and SecAlliance’s own analysis of domain activity patterns.

Major Evolution in Phishing Infrastructure

The report, published on August 5, demonstrates how the campaigns have evolved from simple package delivery scams to sophisticated phishing-as-a-service (PaaS) platforms, fake e-commerce operations, and most recently, brokerage account takeover schemes.

The investigation initially identified a Chinese-speaking developer operating under the name “Lao Wang,” who is believed to have established one of the first popular PaaS operations with an integration to support digital wallet exploitation.

The same individual operates a Telegram channel dubbed “dy-tongbu,” which was established in February 2023.

This channel has evolved into a huge marketplace for phishing services, growing from around 2800 members in August 2023 to over 4400 by early 2025.

The phishing kits available on this platform contain sophisticated defensive capabilities, primarily designed to hinder security researchers’ ability to analyze and categorize these phishing pages, as well as to provide resilience against takedowns.