A major smishing campaign, linked to a China-based group called the Smishing Triad, has used an immense infrastructure of over 194,000 malicious domains since the start of 2024 to target users globally. The group is notorious for flooding mobile devices with fraudulent text messages, often impersonating toll violation or package delivery notices, to pressure users into immediately clicking a link and handing over personal data. While the domains are registered through a Hong Kong-based registrar and use Chinese nameservers, the operational infrastructure is primarily hosted on popular U.S. cloud services. The tactic has proven extremely profitable for the Smishing Triad, with reports suggesting the group has earned more than $1 billion over the last three years.
The Smishing Triad has recently broadened its focus, according to Fortra, with associated phishing kits increasingly used to target brokerage accounts to steal banking credentials and authentication codes. Attacks aimed at these financial accounts saw a dramatic fivefold increase in the second quarter of 2025 compared to the previous year. Once an account is compromised, the attackers manipulate stock market prices using “ramp and dump” schemes, a method that leaves almost no financial paper trail. The threat collective has evolved from simply selling phishing kits to becoming a “highly active community,” operating a comprehensive phishing-as-a-service (PhaaS) ecosystem that recruits various specialized actors, including kit developers, data brokers, domain sellers, and large-scale spammers.
The sheer scale of the operation is evident in the domain registration data, with nearly 93,200 of the root domains registered through Dominet (HK) Limited. A significant majority of the malicious domains use the “.com” top-level domain, although “gov” domain registrations have been increasing recently. The short lifespan of the phishing sites is a core element of the group’s evasion strategy: nearly 71.3% of the identified domains were active for less than a week, and less than 6% remained active beyond three months. This rapid domain churn ensures a continuous stream of new infrastructure that has not yet been blocklisted, so security defenses are constantly bypassed. Furthermore, the 194,345 fully qualified domain names (FQDNs) used in the campaign resolve to over 43,494 unique IP addresses, most of which are located in the U.S. and hosted on Cloudflare.
An analysis of the lures shows that the U.S. Postal Service (USPS) is the single most impersonated service, accounting for 28,045 FQDNs. The largest category of impersonated services overall, however, is toll services, with approximately 90,000 dedicated phishing FQDNs. Though the infrastructure generating the largest volume of traffic is located in the U.S., followed by China and Singapore, the campaigns have a truly global reach. They have mimicked a vast array of services in countries such as Russia, Poland, and Lithuania, targeting banks, cryptocurrency exchanges, police forces, and carpooling applications.
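The two figures the report leans on, the lifespan distribution of the phishing domains and the breakdown of lures by impersonated service, are the kind of analysis a defender can reproduce over their own DNS or SMS-gateway telemetry. The following Python is an added example written for this page, not code from Fortra or from any report; the domain names, first-seen and last-seen dates, and keyword lists are constructed placeholders, and the 7-day and 90-day thresholds simply mirror the "less than a week" and "beyond three months" cut-offs quoted above.

```python
from collections import Counter
from datetime import date

# Constructed sample sightings (not data from the report): one record per domain
# with the first and last day it was observed resolving. Names are placeholders.
SIGHTINGS = [
    ("toll-pay-notice.example", date(2025, 3, 1), date(2025, 3, 3)),
    ("usps-redelivery-fee.example", date(2025, 3, 2), date(2025, 3, 2)),
    ("parcel-hold-update.example", date(2025, 3, 4), date(2025, 3, 9)),
    ("brokerage-verify-login.example", date(2025, 1, 10), date(2025, 5, 20)),
    ("ezpass-balance-due.example", date(2025, 2, 1), date(2025, 2, 20)),
]

# Constructed "as of" date for the young-domain check below.
AS_OF = date(2025, 3, 5)

# Constructed keyword lists mapping a hostname to the service it imitates.
LURE_KEYWORDS = {
    "toll": ("toll", "ezpass"),
    "package_delivery": ("usps", "parcel", "redelivery"),
    "brokerage": ("brokerage",),
}


def lifespan_days(first_seen, last_seen):
    """Inclusive day count: a domain seen on a single day has lifespan 1."""
    return (last_seen - first_seen).days + 1


def bucket(days):
    """Map a lifespan onto the report's cut-offs: under a week, up to three
    months (taken as 90 days), or longer."""
    if days < 7:
        return "under_1_week"
    if days <= 90:
        return "1_week_to_3_months"
    return "over_3_months"


def churn_profile(sightings):
    """Percentage of domains in each lifespan bucket, rounded to one decimal."""
    counts = Counter(bucket(lifespan_days(f, l)) for _, f, l in sightings)
    total = len(sightings)
    return {
        k: round(100 * counts[k] / total, 1)
        for k in ("under_1_week", "1_week_to_3_months", "over_3_months")
    }


def young_domains(sightings, as_of, max_age_days=7):
    """Domains first seen fewer than max_age_days before as_of and still
    active on as_of. Given the churn pattern, a link to such a domain is a
    strong candidate for blocking or manual review."""
    return sorted(
        d for d, f, l in sightings
        if (as_of - f).days < max_age_days and l >= as_of
    )


def lure_category(domain):
    """Classify a hostname by the service it impersonates; 'other' if no
    keyword matches."""
    host = domain.lower()
    for category, words in LURE_KEYWORDS.items():
        if any(w in host for w in words):
            return category
    return "other"


def category_counts(sightings):
    """Number of domains per impersonated-service category."""
    return dict(Counter(lure_category(d) for d, _, _ in sightings))


if __name__ == "__main__":
    print("lifespan distribution (%):", churn_profile(SIGHTINGS))
    print("young, still-active domains as of", AS_OF, ":",
          young_domains(SIGHTINGS, AS_OF))
    print("lures by category:", category_counts(SIGHTINGS))
```

On the constructed sample, three of the five domains live less than a week, matching the report's qualitative picture, and `young_domains` surfaces the one domain that is both newly registered and still resolving; in practice the same function would run over a passive-DNS or registrar feed, with the resulting list fed to an SMS filter or URL blocklist.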
In campaigns impersonating government services, victims are typically redirected to landing pages that demand payment for unpaid tolls or other charges. In some sophisticated instances, the attackers use ClickFix lures to trick users into running malicious code under the guise of completing a CAPTCHA security check. This smishing operation is not a set of isolated events but rather a massive, highly decentralized campaign with a global footprint, constantly impersonating services across numerous sectors and registering and rapidly discarding thousands of domains daily to remain elusive.