Chinese Hackers Compromised Up To 115 Million Payment Cards In The US

A sophisticated Chinese cybercriminal syndicate has orchestrated one of the most devastating payment card fraud operations in recorded history, potentially compromising between 12.7 million and 115 million payment cards across the United States between July 2023 and October 2024.

The operation represents a fundamental paradigm shift in financial cybercrime, combining advanced SMS phishing techniques with strategic exploitation of digital wallet systems to bypass traditional fraud detection mechanisms.

The criminal enterprise emerged in early 2023 as an evolution of simple package delivery scams that had previously targeted services like Royal Mail during the COVID-19 pandemic.

However, unlike their predecessors, these Chinese-speaking threat actors developed a systematic approach that transforms stolen payment card credentials into tokenized assets within Apple Pay and Google Wallet ecosystems.

This innovative methodology effectively circumvents existing security frameworks that monitor direct card usage patterns, creating an entirely new category of financial crime.

The scale and sophistication of the operation became apparent through comprehensive monitoring of over 32,094 distinct USPS-themed smishing domains deployed during the campaign period.

SecAlliance analysts identified the criminal ecosystem as operating with the efficiency and scalability of legitimate software-as-a-service businesses, with estimated financial losses reaching into the billions of dollars.

The investigation revealed an extensive infrastructure that combines SMS, RCS, and iMessage-based social engineering with real-time multi-factor authentication bypass capabilities.

The research documented the operational evolution from rudimentary scams to sophisticated phishing-as-a-service platforms, fake e-commerce operations, and recent expansion into brokerage account takeover schemes.

The dy_tongbu channel on Telegram where Lao Wang (Source – SecAlliance)

The primary threat actor, operating under the pseudonym “Lao Wang,” established what appears to be the first successful digital wallet-focused smishing platform, subsequently spawning a diverse ecosystem of threat actors including Chen Lun, PepsiDog, Darcula, and others who have contributed unique capabilities while targeting different market segments globally.

Advanced Technical Infrastructure and Digital Wallet Exploitation

The criminal syndicate’s technical infrastructure demonstrates remarkable sophistication through their “Lighthouse” platform, introduced in August 2024 as a significant advancement over earlier “v1” phishing kits.

Examples of common US-based smishing lures (Source – SecAlliance)

The platform incorporates comprehensive defensive capabilities including geofencing mechanisms that restrict access to targeted geographic regions and mobile user-agent enforcement ensuring only mobile devices can interact with phishing pages.

The phishing kit architecture employs sophisticated countermeasures designed to evade detection and analysis.

Part of the index.php file showing surveillance countermeasures such as geo-fencing and user-agent filtering from one of Lao Wang’s original phishing kits ‘v1’ (Source – SecAlliance)

The system blocks IP addresses from known hosting providers, security vendor ranges, and Tor exit nodes while utilizing a distributed architecture that separates front-end phishing interfaces from back-end data collection systems.

This separation provides resilience against takedown attempts and enables rapid scaling across multiple target brands without requiring extensive code modifications.

<?php
// Excerpt from the 'v1' kit's index.php: visitors whose User-Agent does not look
// like a mobile browser are bounced to the real USPS site, so desktop-based
// analysts and crawlers never see the phishing page.
// $allow_pc and $user_agent are set elsewhere in the kit; the two assignments
// below are assumed here so the fragment is self-contained.
$allow_pc = 0;
$user_agent = $_SERVER['HTTP_USER_AGENT'] ?? '';
if ($allow_pc == 0) {
    if (!preg_match('/(phone|pad|pod|iPhone|iPod|ios|iPad|Android|Mobile|BlackBerry|IEMobile)/i', $user_agent)) {
        header('location: https://usps.com/');
        exit;
    }
}
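
Because the kit serves different content depending on the User-Agent, an analyst triaging a suspected smishing domain can detect the cloaking by fetching the page twice. The following is an added example, not code from the SecAlliance report or the kit: it reuses the kit's own regex, probes a URL with a desktop and a mobile User-Agent, and flags the "desktop bounced to usps.com, mobile served a form" pattern. The live fetcher uses urllib; the simulated kit host and its form body are constructed for the offline demo.

```python
import re
import urllib.request
import urllib.error
from dataclasses import dataclass
from typing import Callable

# The User-Agent pattern from the kit's index.php: a desktop UA fails it and is
# redirected to the real usps.com, a mobile UA reaches the phishing page.
KIT_MOBILE_UA_RE = re.compile(
    r"(phone|pad|pod|iPhone|iPod|ios|iPad|Android|Mobile|BlackBerry|IEMobile)", re.I)

DESKTOP_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/120.0"
MOBILE_UA = "Mozilla/5.0 (iPhone; CPU iPhone OS 16_0 like Mac OS X) Mobile/15E148 Safari/604.1"

@dataclass
class Probe:
    status: int      # HTTP status code
    location: str    # Location header, "" when absent
    body: bytes

class _NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, *args, **kwargs):
        return None  # surface the 3xx instead of following it

def urllib_fetch(url: str, user_agent: str, timeout: float = 10) -> Probe:
    """Live fetcher for analyst use; the offline demo below does not call it."""
    opener = urllib.request.build_opener(_NoRedirect)
    req = urllib.request.Request(url, headers={"User-Agent": user_agent})
    try:
        with opener.open(req, timeout=timeout) as r:
            return Probe(r.status, r.headers.get("Location", ""), r.read())
    except urllib.error.HTTPError as e:
        return Probe(e.code, e.headers.get("Location", ""), e.read())

def cloaking_verdict(url: str, fetch: Callable[[str, str], Probe]) -> dict:
    """Fetch once as desktop and once as mobile; flag the kit's UA cloaking."""
    desktop, mobile = fetch(url, DESKTOP_UA), fetch(url, MOBILE_UA)
    desktop_bounced = 300 <= desktop.status < 400 and "usps.com" in desktop.location
    mobile_served = mobile.status == 200 and b"<form" in mobile.body.lower()
    return {"cloaked": desktop_bounced and mobile_served,
            "desktop": (desktop.status, desktop.location),
            "mobile": (mobile.status, len(mobile.body))}

def simulated_kit(url: str, user_agent: str) -> Probe:
    """Constructed stand-in for a 'v1' kit host implementing the index.php check."""
    if not KIT_MOBILE_UA_RE.search(user_agent):
        return Probe(302, "https://usps.com/", b"")
    return Probe(200, "", b"<html><form action='/verify.php'></form></html>")

if __name__ == "__main__":
    print(cloaking_verdict("https://example.invalid/usps/", simulated_kit))
```

A domain that answers 200 with the same body to both probes is not flagged, so the check separates UA cloaking from ordinary mobile-only sites.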

The core innovation lies in the systematic exploitation of digital wallet provisioning processes.

Once payment card credentials are harvested, threat actors immediately provision these cards to digital wallets on attacker-controlled devices, typically older iPhone models including the iPhone 6, 7, and 8 series.

Wallet Exploitation (Source – SecAlliance)

This approach removes any further authentication for individual transactions, because the cardholder’s identity is checked only once, at provisioning, and that one check is defeated with the same multi-factor authentication bypass techniques.

The operators employ sophisticated device management strategies, provisioning 4 to 7 cards per device for US victims and 7 to 10 cards for UK victims, reflecting their deep understanding of regional fraud detection variations and digital wallet provisioning policies.


The post Chinese Hackers Compromised Up To 115 Million Payment Cards In The US appeared first on Cyber Security News.