Researchers from Palo Alto Networks’ Unit 42 have uncovered a massive, fast-evolving smishing campaign tied to a threat group known as the Smishing Triad. The campaign impersonates postal, banking, and government services worldwide, with evidence of over 194,000 malicious domains registered since early 2024.
In what began as a series of toll violation and package misdelivery scams, Unit 42’s latest investigation has exposed a sprawling, phishing-as-a-service (PhaaS) ecosystem operating across multiple critical sectors.
“We are attributing an ongoing smishing (phishing via text message) campaign of fraudulent toll violation and package misdelivery notices to a group widely known as the Smishing Triad,” Unit 42 stated in its report.
The campaign, which has targeted U.S. residents since April 2024, now shows clear signs of global expansion. The researchers warn that the Smishing Triad “is evolving their tactics by expanding their reach globally, improving the social engineering tactics used in smishing for delivery.”
The attackers are impersonating services across a wide range of industries — banking, cryptocurrency, healthcare, e-commerce, social media, and even law enforcement — with realistic phishing pages designed to steal sensitive data such as national IDs, payment information, and login credentials.
One of the key findings is the scale and sophistication of the Triad’s infrastructure. The campaign is “highly decentralized, lacking a single point of control, and uses a large number of domains and a diverse set of hosting infrastructure.”

According to Unit 42, this strategy allows the attackers to evade detection through sheer volume: “Churning through thousands of domains weekly makes detection more difficult.”
Between January and September 2025, researchers identified 194,345 fully qualified domain names (FQDNs) spanning 136,933 root domains, the majority of which were registered through a Hong Kong-based registrar, Dominet (HK) Limited. Interestingly, while domain registrations and nameservers are located in China, the hosting infrastructure is concentrated in the U.S., particularly within popular cloud service providers.
The Smishing Triad’s campaigns are notable not only for their global scale but also for their localized deception. Victims receive SMS messages that appear to come from familiar organizations — from U.S. state tax agencies and postal services to European toll systems and Middle Eastern police departments.
These messages are highly tailored to the victims to compel immediate action. “By employing targeted personal information and incorporating technical or legal jargon they can appear more legitimate,” the report notes.
In total, Unit 42 identified smishing pages impersonating dozens of entities, including:
- USPS and state toll authorities (the most impersonated U.S. brands, with nearly 90,000 domains)
- German investment banks and savings institutions
- Police departments in the United Arab Emirates
- Mail and delivery services in France, Israel, Australia, and Canada
- Cryptocurrency exchanges and online payment platforms in Russia and Poland
- Gaming-related marketplaces and social media brands
A striking detail in the report highlights how domain names are crafted for deception. Examples such as irs.gov-addpayment[.]info combine typosquatting with subdomain structures: the trusted name appears at the start of the hostname, while the domain that was actually registered (here gov-addpayment[.]info) is controlled by the attacker, so a user who reads only the first part of the address believes they are visiting an official website.
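As an added illustration, not code from the Unit 42 report, the following defender-side heuristic flags hostnames in which a trusted domain's letters are embedded in front of an attacker-controlled apex domain, as in the example above. The brand list, the abbreviated public-suffix list and the sample SMS bodies are constructed assumptions.

```python
import re

# Constructed brand list (the report names the IRS and USPS among impersonated U.S. brands).
TRUSTED_DOMAINS = ("irs.gov", "usps.com")
# Minimal public-suffix approximation; assumption: a real deployment uses the Public Suffix List.
PUBLIC_SUFFIXES = {"com", "net", "org", "info", "gov", "top", "co.uk"}
URL_RE = re.compile(r"(?:hxxps?|https?)://[^\s<>\"']+", re.IGNORECASE)

def normalize_host(url: str) -> str:
    """Lowercase hostname from a possibly defanged URL: drops scheme, path, port and [.] defanging."""
    s = url.strip().lower().replace("[.]", ".")
    s = re.sub(r"^[a-z]+://", "", s)
    return s.split("/")[0].split(":")[0].rstrip(".")

def split_suffix(host: str):
    """Return (labels before the public suffix, public suffix); multi-part suffixes are tried first."""
    labels = host.split(".")
    for n in (2, 1):
        if len(labels) > n and ".".join(labels[-n:]) in PUBLIC_SUFFIXES:
            return labels[:-n], ".".join(labels[-n:])
    return labels[:-1], labels[-1]

def lookalike_brand(host: str):
    """Trusted domain whose letters appear in the hostname while the apex domain is someone else's.
    Dots and hyphens are ignored, so irs.gov-addpayment.info and irs-gov.info both match irs.gov."""
    front, suffix = split_suffix(host)
    apex = f"{front[-1]}.{suffix}" if front else host  # registrable domain, e.g. gov-addpayment.info
    if apex in TRUSTED_DOMAINS:
        return None  # a genuine subdomain of the brand, e.g. tools.usps.com
    flat = "".join(front).replace("-", "")
    for brand in TRUSTED_DOMAINS:
        if brand.replace(".", "") in flat:
            return brand
    return None

def scan_messages(messages):
    """Return [(host, imitated_brand)] for every URL in the SMS bodies that imitates a trusted domain."""
    hosts = [normalize_host(u) for text in messages for u in URL_RE.findall(text)]
    return [(h, lookalike_brand(h)) for h in hosts if lookalike_brand(h)]

# Constructed sample SMS bodies (not from the report); the first mirrors the page's domain pattern.
SAMPLE_SMS = [
    "IRS: an unpaid balance is on file. Settle today at https://irs.gov-addpayment[.]info/pay",
    "USPS: package held, confirm your address at hxxps://usps.com-redelivery[.]top/track",
    "Your package is out for delivery: https://tools.usps.com/go/TrackConfirmAction",
]

if __name__ == "__main__":
    for host, brand in scan_messages(SAMPLE_SMS):
        print(f"{host} -> imitates {brand}")
```

Substring matching is a deliberately loose heuristic; in a production filter it would sit alongside registrar, age and reputation checks rather than replace them.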
Unit 42’s analysis also reveals how the Smishing Triad has built a thriving PhaaS ecosystem on Telegram. Over the past six months, their Telegram channel has evolved “from a dedicated phishing kit marketplace into a highly active community that gathers diverse threat actors.”
In this underground supply chain, threat actors operate in specialized roles:
- Data brokers sell stolen phone numbers.
- Domain sellers and hosting providers supply disposable infrastructure.
- Phishing kit developers maintain backend dashboards for credential harvesting.
- SMS and RCS spammers deliver phishing messages at scale.
- Blocklist scanners and liveness checkers ensure domains and targets remain active and unflagged.
“Threat actors specialize in different stages of the smishing supply chain, enabling them to launch attacks more efficiently and scalably,” Unit 42 explained.
This division of labor allows the group to continuously rotate domains, distribute kits, and evade detection, mirroring the operational maturity of commercial software-as-a-service businesses — but for phishing.
Although many of the Smishing Triad’s domain registrations trace back to Asia, their network traffic and hosting infrastructure are dominated by U.S.-based IP ranges. More than 50% of DNS query volume came from domains hosted in the United States, particularly within AS13335, an autonomous system associated with Cloudflare.
This hybrid setup — Chinese domain registration with U.S. hosting — gives the attackers resilience and plausible deniability, while allowing them to exploit reputable cloud providers’ bandwidth and uptime guarantees.