Smishing Triad Threat Actor

A large-scale smishing campaign has been linked to over 194,000 malicious domains since January 1, 2024, targeting a wide range of services worldwide. The campaign leverages deceptive SMS messages to trick users into divulging sensitive information, often posing as toll violations or misdelivered packages.

Despite the domains being registered through a Hong Kong-based registrar and using Chinese nameservers, the attack infrastructure primarily operates from U.S.-hosted cloud services, reflecting a globally distributed setup.

The Smishing Triad: China-Linked Threat Actors

The campaign is attributed to a China-linked group known as the Smishing Triad, notorious for flooding mobile devices with fraudulent notices. Over the past three years, these campaigns have proven highly profitable, generating more than $1 billion for the threat actors.

Recent findings highlight a significant evolution in their tactics. Phishing kits are increasingly targeting brokerage accounts to steal banking credentials and authentication codes. Attacks on these accounts rose fivefold in Q2 2025 compared to the same period in 2024. Once compromised, attackers manipulate stock prices using 'ramp and dump' schemes, leaving minimal paper trails.

Phishing-as-a-Service: A Well-Oiled Criminal Ecosystem

The Smishing Triad has transformed from a simple phishing kit provider into a highly active Phishing-as-a-Service (PhaaS) community, comprising multiple specialized actors:

  • Phishing kit developers – create the tools.
  • Data brokers – supply target phone numbers.
  • Domain sellers – register disposable domains for hosting phishing sites.
  • Hosting providers – maintain servers.
  • Spammers – distribute fraudulent messages at scale.
  • Liveness scanners – verify active phone numbers.
  • Blocklist scanners – check domains against blocklists for rotation.

This ecosystem allows for rapid deployment and constant adaptation, making detection and disruption challenging.

Domain Registration and Churn Strategy

Analysis reveals that nearly 93,200 of 136,933 root domains (68.06%) are registered under Dominet (HK) Limited. The majority of these use the .com top-level domain, although there has been a rise in .gov domain registrations in recent months.

The campaign relies heavily on rapid domain turnover:

  • 29.19% of domains were active for two days or less
  • 71.3% were active for under a week
  • 82.6% were active for two weeks or less
  • Less than 6% survived beyond three months

This churn, combined with 194,345 FQDNs resolving to 43,494 unique IPs (mostly in the U.S. on Cloudflare), allows the threat actors to continuously evade detection.
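The lifetime buckets quoted above can be reproduced against a defender's own passive-DNS observations to spot the same churn pattern. The following is an added example, not code or data from the report: the records are constructed placeholder names with made-up first-seen/last-seen dates, and the bucket thresholds are assumed to match the article's figures (2 days, under a week, 14 days, 90 days).

```python
from datetime import date
from typing import Dict, List, Tuple

# Constructed sample records (fqdn, first_seen, last_seen), as a defender might
# pull from a passive-DNS feed. Placeholder names, not indicators from the report.
SAMPLE_OBSERVATIONS: List[Tuple[str, date, date]] = [
    ("toll-pay-notice.example", date(2025, 3, 1), date(2025, 3, 2)),
    ("redelivery-parcel.example", date(2025, 3, 1), date(2025, 3, 5)),
    ("pay-toll-fee.example", date(2025, 3, 3), date(2025, 3, 14)),
    ("parcel-hold.example", date(2025, 1, 10), date(2025, 3, 20)),
    ("long-lived-site.example", date(2024, 10, 1), date(2025, 3, 20)),
]

# Cumulative lifetime thresholds mirroring the churn figures in the article.
THRESHOLDS: List[Tuple[str, int]] = [
    ("<=2 days", 2),
    ("<1 week", 6),
    ("<=2 weeks", 14),
    ("<=3 months", 90),
]


def lifetime_days(first_seen: date, last_seen: date) -> int:
    """Observed lifetime in whole days, counting the first day as day 1."""
    if last_seen < first_seen:
        raise ValueError("last_seen precedes first_seen")
    return (last_seen - first_seen).days + 1


def churn_profile(observations: List[Tuple[str, date, date]]) -> Dict[str, float]:
    """Fraction of domains alive for at most each threshold (cumulative, as in the article)."""
    lifetimes = [lifetime_days(f, l) for _, f, l in observations]
    total = len(lifetimes)
    profile = {label: sum(d <= limit for d in lifetimes) / total
               for label, limit in THRESHOLDS}
    profile[">3 months"] = sum(d > 90 for d in lifetimes) / total
    return profile


def short_lived(observations: List[Tuple[str, date, date]], max_days: int = 14) -> List[str]:
    """FQDNs seen for at most max_days: candidates for extra scrutiny when they
    turn up in SMS links, since most campaign domains fall in this range."""
    return [fqdn for fqdn, f, l in observations if lifetime_days(f, l) <= max_days]


if __name__ == "__main__":
    for label, frac in churn_profile(SAMPLE_OBSERVATIONS).items():
        print(f"{label:>11}: {frac:.0%}")
    print("short-lived:", short_lived(SAMPLE_OBSERVATIONS))
```

Feed it a real passive-DNS export and compare the resulting distribution with the article's percentages; a heavy skew toward the two-week buckets is the signature this report describes.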

Infrastructure Insights and Global Reach

Key findings from the campaign's infrastructure analysis include:

  • U.S. Postal Service is the most impersonated service, with 28,045 FQDNs.
  • Toll service lures dominate, with roughly 90,000 phishing FQDNs.
  • Domains generating the highest traffic are hosted primarily in the U.S., followed by China and Singapore.

Victims are targeted across multiple sectors, including banks, cryptocurrency exchanges, delivery services, police forces, state-owned enterprises, toll services, carpooling apps, hospitality services, social media, and e-commerce platforms in countries like Russia, Poland, and Lithuania.

Government impersonation campaigns often redirect users to landing pages claiming unpaid tolls or service charges, sometimes leveraging ClickFix lures to trick users into executing malicious code disguised as CAPTCHA verifications.

Decentralized Threat with Global Impact

The Smishing Triad campaign demonstrates global reach and decentralization. Attackers register and cycle through thousands of domains daily, mimicking diverse services to maximize impact. Smishing campaigns targeting U.S. toll services represent just one facet of a vast, highly adaptive, and profitable criminal enterprise that continues to evolve at scale.