Chinese cybercriminals breached the security of as many as 115 million payment cards in the United States.
A sophisticated Chinese cybercriminal syndicate has orchestrated one of the most devastating payment card fraud operations on record, potentially compromising between 12.7 million and 115 million payment cards across the United States between July 2023 and October 2024. The operation marks a fundamental shift in financial cybercrime: it merges advanced SMS phishing (smishing) techniques with strategic exploitation of digital wallet systems to bypass traditional fraud detection mechanisms.

Emerging in early 2023, the criminal enterprise evolved from simple package delivery scams that previously targeted services such as Royal Mail during the COVID-19 pandemic. Unlike their predecessors, these Chinese-speaking threat actors developed a systematic approach that transforms stolen payment card credentials into tokenised cards within the Apple Pay and Google Wallet ecosystems. Because existing security frameworks monitor direct card usage patterns rather than wallet tokens, this methodology effectively circumvents them and creates an entirely new category of financial crime. The scale and sophistication of the operation became evident through comprehensive monitoring of more than 32,094 distinct USPS-themed smishing domains deployed during the campaign period.
SecAlliance analysts found the criminal ecosystem operating with the efficiency and scalability of a legitimate software-as-a-service business, with estimated financial losses reaching into the billions of dollars. The investigation revealed an extensive infrastructure that combines SMS, RCS, and iMessage-based social engineering with real-time multi-factor authentication bypass capabilities. The research documented an operational evolution from rudimentary scams to phishing-as-a-service platforms, fake e-commerce operations, and a recent expansion into brokerage account takeover schemes.

The primary threat actor, operating under the pseudonym “Lao Wang,” established what appears to be the first successful digital wallet-focused smishing platform. It subsequently spawned a diverse ecosystem of threat actors, including Chen Lun, PepsiDog, and Darcula, each contributing unique capabilities while targeting different market segments globally.

The syndicate’s technical infrastructure demonstrates remarkable sophistication through its “Lighthouse” platform, introduced in August 2024 as a significant advancement over the earlier “v1” phishing kits. Lighthouse incorporates comprehensive defensive capabilities, including geofencing that restricts access to the targeted geographic regions and mobile user-agent enforcement, so that only mobile devices (the ones receiving the SMS, RCS, or iMessage lure) can interact with the phishing pages, while desktop-based analysts and crawlers are turned away.
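The USPS-themed delivery lures described above are the kind of traffic a messaging-abuse or fraud team has to triage in bulk. As an added example (not code from the SecAlliance report or from any kit it describes), the Python below scores constructed sample messages for the pattern the campaign relies on: a carrier brand mention, a link whose registrable domain is not the carrier's, and delivery-fee or address-problem lure wording. The sample messages, the lure word list, and the simplistic registrable-domain helper are all assumptions made for illustration.

```python
import re
from urllib.parse import urlparse

# Constructed sample messages for illustration; not real campaign data.
SAMPLE_MESSAGES = [
    "USPS: your package is on hold due to an incomplete address. Update at https://usps-delivery-check.top/track",
    "Your order has shipped. Track it at https://tools.usps.com/go/TrackConfirmAction",
    "Hi, are we still on for lunch tomorrow?",
    "Final notice: redelivery fee required. Confirm payment here: https://usps.com.postal-fee.cc/pay",
]

LEGIT_DOMAINS = {"usps.com"}          # the carrier's real registrable domain
LURE_WORDS = ("package", "delivery", "redelivery", "on hold", "incomplete address", "fee", "confirm")
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)

def registrable_domain(host: str) -> str:
    # Simplistic: keep the last two labels. Adequate for the samples here;
    # a production check would consult the Public Suffix List.
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()

def score_message(msg: str) -> dict:
    """Return a heuristic score, verdict and the reasons behind it."""
    reasons, score = [], 0
    urls = URL_RE.findall(msg)
    body = URL_RE.sub("", msg).lower()        # message text without the links
    brand_in_body = "usps" in body
    for url in urls:
        host = (urlparse(url).hostname or "").lower()
        if registrable_domain(host) in LEGIT_DOMAINS:
            continue                          # genuine carrier link, nothing to flag
        if "usps" in host:                    # brand name stuffed into a lookalike host
            score += 2
            reasons.append(f"lookalike host carries the brand name: {host}")
        if brand_in_body:                     # brand in the text, link goes elsewhere
            score += 3
            reasons.append(f"USPS mentioned but link goes off-brand: {host}")
        elif "usps" not in host:
            score += 1
            reasons.append(f"link to unrelated host: {host}")
    lures = [w for w in LURE_WORDS if w in body]
    if lures:
        score += min(len(lures), 2)           # cap so wording alone never convicts
        reasons.append("delivery lure wording: " + ", ".join(lures))
    verdict = "smishing" if score >= 4 else ("suspicious" if score >= 2 else "benign")
    return {"score": score, "verdict": verdict, "reasons": reasons}

def triage(messages):
    """Score a batch of messages and return (message, verdict) pairs."""
    return [(m, score_message(m)["verdict"]) for m in messages]
```

The fourth sample shows why the registrable-domain comparison matters: `usps.com.postal-fee.cc` starts with the real brand domain but resolves under an unrelated registration.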