
Telegram channel for a popular Chinese smishing kit vendor shows 10 mobile phones for sale, each loaded with 4-6 digital wallets from different U.K. financial institutions (Krebs article)
A new report from Silent Push has uncovered the extensive operations of Smishing Triad, a Chinese eCrime group conducting widespread SMS phishing (“smishing”) campaigns. This threat actor has leveraged sophisticated phishing kits and industrial-scale domain infrastructure to target victims across 121 countries, impersonating brands from USPS to HSBC.
The group’s smishing lures are cleverly crafted—posing as package delivery updates, toll road notifications, or urgent banking alerts. Their phishing messages lead to legitimate-looking pages that harvest credentials, banking info, and even 2FA codes.
In March 2025, the group debuted a new phishing kit called “Lighthouse”, aimed at banking institutions across Australia and the broader APAC region.
“The most powerful synchronization backend… supports OTP verification, APP verification, PIN verification, 3DS verification, contacting banks… with a real interface, high bit rate, and stable operation.”
Smishing Triad’s infrastructure is huge:
- 200,000+ unique domains used since 2023
- 50,000 phishing page visits per day
- Over 1 million page views in a single 20-day period
- Domains frequently hosted on Tencent and Alibaba IP blocks
“Silent Push researchers have seen approximately 25,000 domains online during any 8-day period.”
These domains impersonate global giants like Amazon, DHL, FedEx, Visa, HSBC, USPS, and even national post offices in over 40 countries.
The phishing infrastructure is maintained and marketed by a developer known as Wang Duo Yu, who communicates with affiliates via Telegram under the handle @wangduoyu0. His new kit “Lighthouse” has “300+ front desk staff worldwide” supporting fraud and cash-out schemes.
Screenshots of the backend show admin tools that allow:
- Geo-targeted delivery of phishing content
- Real-time updates and OTP harvesting
- Fake payment portals and QR code manipulation
- Device-based rendering to spoof mobile environments
The Lighthouse kit includes phishing templates for dozens of financial institutions, including:
- PayPal, Visa, Mastercard
- Commonwealth Bank of Australia, Westpac, ING Bank
- Citigroup, HSBC, Macquarie Bank
- Stripe, Bank of Sydney, Police Bank, and more.
Phishing pages simulate SMS verification, QR code prompts, PIN entry, and mobile app approvals, tricking victims into believing they’re interacting with real institutions.
Smishing Triad exploits geo-targeting by embedding country and area codes into SMS messages. This enables region-specific scams, such as toll scams in California or postal lures in Spain.
“Smishing Triad… has systematically targeted organizations in at least 121 countries… including postal, logistics, telecommunications, transportation, finance, retail, and public sectors.”
The group’s abuse of iMessage, SMS, and “email-to-SMS” tricks lets them impersonate legitimate services like USPS, Royal Mail, La Poste, and more, often bypassing spam filters.
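From the defender's side, the brand-impersonating domains and "email-to-SMS" delivery described above can be screened for in reported messages. The following is an added example, not code from Silent Push or the original article. The allowlist of official domains, the rule that an email-address sender marks gateway delivery, and all sample messages are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Brands named in the article, mapped to official domains (assumed allowlist; extend per region).
OFFICIAL = {
    "usps": {"usps.com"}, "dhl": {"dhl.com"}, "fedex": {"fedex.com"},
    "amazon": {"amazon.com"}, "hsbc": {"hsbc.com"}, "visa": {"visa.com"},
}
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.I)
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def is_official(host, domains):
    # Exact match or a true subdomain; "usps.com.evil.example" does not pass.
    return any(host == d or host.endswith("." + d) for d in domains)


def triage(sender, body):
    """Return the reasons a message looks like brand-impersonation smishing."""
    reasons = []
    # Assumption: gateway-delivered texts show an email address as the sender.
    if EMAIL_RE.match(sender):
        reasons.append("sender-is-email")
    for url in URL_RE.findall(body):
        host = (urlsplit(url).hostname or "").lower().rstrip(".")
        # Split on dots and hyphens so "visa" does not match inside "visage".
        tokens = set(re.split(r"[.-]", host))
        for brand, domains in OFFICIAL.items():
            if brand in tokens and not is_official(host, domains):
                reasons.append(f"lookalike:{brand}:{host}")
    return reasons


# Constructed sample messages (reserved test domains and fictional numbers).
SAMPLES = [
    ("alerts9921@mail.example",
     "USPS: parcel on hold, update address at https://usps-redelivery.example/track"),
    ("+14155550100", "Your USPS package shipped: https://tools.usps.com/track"),
    ("+447700900123", "HSBC alert: verify now http://hsbc.secure-login.test/otp"),
]

if __name__ == "__main__":
    for sender, body in SAMPLES:
        print(sender, "->", triage(sender, body) or "no findings")
```

Token matching on hostnames only catches lookalikes that spell the brand out; with roughly 25,000 domains live at a time, it works best as a first-pass filter ahead of domain reputation or threat-intelligence feeds.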
Smishing Triad is no ordinary threat actor—it is a global fraud enterprise, using modern developer practices, scalable architecture, and clever psychological lures to compromise victims at industrial scale. With phishing kits being sold to affiliates and new tools like Lighthouse emerging, the group’s influence is expanding fast.