The Billion-Dollar Smishing Empire: How Chinese Syndicates Are Hacking Apple & Google Wallets

A sweeping investigation by Security Alliance has uncovered a vast, evolving cybercriminal infrastructure driven by Chinese-speaking smishing syndicates. These operations are revolutionizing payment fraud by exploiting digital wallets like Apple Pay and Google Wallet, bypassing traditional security controls at unprecedented scale.

In what researchers describe as “the most sophisticated and financially damaging smishing operation in recorded history,” Chinese-speaking threat actors have transformed basic SMS phishing into a global cybercrime juggernaut. What began as low-tech package delivery scams during the COVID-19 pandemic has matured into phishing-as-a-service platforms with real-time multi-factor authentication (MFA) bypass, digital wallet tokenization abuse, and even financial market manipulation.

“These operations represent a paradigm shift in payment card fraud,” the report states, “combining advanced SMS, RCS, and iMessage-based social engineering with sophisticated phishing infrastructure.”

Security Alliance estimates that between 12.7 million and 115 million U.S. payment cards may have been compromised between July 2023 and October 2024. Financial losses are believed to be in the billions.

At the heart of this underground economy is a developer known as “Lao Wang”, or “Wang Duo Yu,” who created a Telegram-based platform called “dy_tongbu.” The group evolved into a phishing-as-a-service (PhaaS) marketplace offering:

• Subscription-based phishing kits (~$200/month)
• MFA bypass capabilities
• Extensive tutorials and operational playbooks
• Kits supporting over 80 countries

By August 2024, Lao Wang’s group had launched the “Lighthouse” platform, a modular backend supporting multiple brands and languages. It offered integrated BIN databases, keystroke logging, AJAX-based real-time data exfiltration, and WordPress/WooCommerce plugins for fake online stores.

The attackers’ innovation lies in their use of digital wallet provisioning as a fraud vector. Once they collect a victim’s card data and one-time passcode (OTP), they immediately provision the card into a wallet on attacker-controlled devices, often older iPhones (6, 7, 8 series) to avoid modern security features.

“This approach effectively bypasses traditional fraud detection systems… creating a new category of financial crime,” the report warns.

The tokenized card is then used for:

• Tap-to-pay purchases at physical terminals
• App-based online shopping
• ATM withdrawals via NFC relay attacks

Some fraudsters wait 60–90 days to activate stolen cards, evading fraud monitoring systems.

These syndicates have industrialized fraud, offering:

• Bulk pre-provisioned phones for sale (minimum orders of 10)
• Fraudulent Stripe/PayPal/Flutterwave merchant accounts
• Tap-to-pay terminals for laundering
• Real-time advertising on Meta, TikTok, and Google for fake e-commerce stores

A screenshot from a Chinese phishing group shows a rack of iPhones with stolen Credit Agricole cards provisioned and ready to cash out.

Lao Wang may have started it all, but the cybercrime landscape is now teeming with competitors:

• Darcula (Magic Cat): Supports 300+ brands globally and is responsible for 80–90% of smishing URLs observed in 2024–2025.
• PepsiDog (Xiū Gou): Uses Git branching and GitHub for fast campaign shifts.
• Chen Lun: A protégé of Lao Wang targeting European markets.
• XinXin (Lucid) and Mouse (Haozi): Offer branded phishing kits with global reach.

Security Alliance notes, “This criminal ecosystem represents a fundamental challenge to traditional law enforcement approaches.”

In August 2024, threat actors began operating fake e-commerce shops using legitimate-looking websites, complete with WooCommerce integrations and real advertising. These sites lure customers searching for real products, then phish their card and PayPal credentials using the same backend tech as smishing kits.

In 2025, attackers shifted toward brokerage account takeovers, targeting global firms with phishing pages to hijack accounts, transfer funds, or execute stock manipulation schemes.

“This approach enables market manipulation while obscuring the connection between the original account compromise and the ultimate beneficiaries,” the report explains.

“The strategic exploitation of digital wallet tokenization has created a new category of financial crime that bypasses traditional security controls,” Security Alliance concludes.

With smishing evolving from crude scams into a full-fledged, scalable cybercrime-as-a-service model, the global financial system faces a rapidly advancing threat. Apple, Google, banks, and consumers must all adapt—fast.

Related Posts:

• Meta Invests $14.3 Billion in Scale AI, Recruits Founder Alexandr Wang for Superintelligence Lab
• Panda Shop Smishing Syndicate: China-Backed Cybercrime-as-a-Service Hits Millions Globally
• Smishing Triad Targets Pakistan with Large-Scale Banking Scam
• Cyber Alert: Smishing Triad Gang’s Fake UAE Authority SMS Scam
• Smishing Triad: eCrime Group Targets 121+ Countries with Advanced Smishing