
In a disturbing evolution of cybercrime, threat intelligence firm Resecurity has unveiled the inner workings of a China-based cybercriminal syndicate operating under the name “Panda Shop”—a sophisticated smishing operation offering Crime-as-a-Service (CaaS) tools and infrastructure to fraudsters worldwide.
Building on tactics originally used by the Smishing Triad, the “Panda Shop” network now fuels carding, merchant fraud, and mass-scale personal data theft through internet-based messaging platforms like Apple iMessage and Android RCS, reaching hundreds of millions of potential victims.
“On March 22, 2025, Resecurity identified a new smishing kit known as ‘Panda Shop,’ based on the same principles used by the Smishing Triad,” the report states.
The Panda Shop operation offers a customizable smishing kit, complete with Telegram bots, interactive manuals, and a suite of pre-built phishing templates impersonating brands like:
- USPS
- UPS
- DHL
- Vodafone
- Bank of America
- UK government portals
- And more
Unlike traditional SMS phishing, which depends on mobile carriers, these campaigns are delivered over internet-based messaging systems. According to Resecurity: “Cybercriminals prefer modern messaging platforms because they provide a richer set of tools for creating convincing attacks, better engagement features, and more sophisticated methods of deception.”
By leveraging compromised Apple and Gmail accounts, the group bypasses SMS carrier detection and enhances delivery via encrypted messaging services. Their infrastructure includes a smishing kit installable on virtual servers, with credentials distributed via Telegram customer support.
Resecurity found that the smishing campaigns tied to Panda Shop funnel stolen credentials into underground carding shops, often through administrative panels used to track victims and intercept OTPs.
“Resecurity identified multiple actors leveraging the Panda Shop smishing kit for Google Wallet and Apple Pay, harvesting traditional credit card and PII data.”
This network fuels NFC-enabled fraud, where tools like Z-NFC and UFO NFC are used to mimic legitimate transactions, bypassing POS and ATM security. The stolen funds are then laundered through merchant fraud schemes and money mule networks.
The investigation exposed telltale signs of Chinese origin:
- The web server hosting the kit stored credentials referencing NACOS, a Chinese service platform by Alibaba
- The server’s timezone was set to Shanghai
- The domain was registered by Beijing Lanhai Jiye Technology, previously cited by ICANN for abuse
One actor boasted about the ability to send 2 million smishing messages per day, which, Resecurity notes, “could easily target up to 60,000,000 victims per month.”
“Residing in China, they enjoy complete freedom of action… These cybercriminals have everything needed to scale and avoid law enforcement,” the report states.
Although U.S. law enforcement, including DHS HSI’s Project Red Hook, has targeted smishing operations, the core perpetrators behind Panda Shop remain out of jurisdiction due to geopolitical barriers. Most of those arrested, Resecurity notes, are “money mules” who facilitate withdrawals or merchant fraud—not the actual operators.
The Panda Shop operation underscores the rapid industrialization of fraud-as-a-service ecosystems in China. With mass reach, automation, and near-impunity, these networks threaten consumers and enterprises alike.
“This activity generates millions in losses annually,” warns Resecurity. “It is driven by the number of victims and the automation of illegal transactions.”