Smishing Triad Exploits SMS Phishing to Target USPS, E-ZPass, IRS, and Financial Systems Using 194,000 Malicious Domains Globally
- Rescana
- Oct 26
- 5 min read

Executive Summary
The Smishing Triad represents a sophisticated, China-linked cybercrime syndicate orchestrating one of the largest global phishing operations ever observed, leveraging over 194,000 malicious domains since early 2024. This campaign primarily exploits SMS-based phishing, or smishing, to target mobile users across more than 120 countries, including the United States, Germany, the United Kingdom, France, and numerous others. By impersonating trusted entities such as USPS, E-ZPass, IRS, and major financial institutions, the group deceives victims into divulging sensitive credentials, financial data, and even facilitating malware installation. The infrastructure supporting this operation is highly decentralized, utilizing rapid domain churn, U.S.-based cloud services, and a robust Phishing-as-a-Service (PhaaS) ecosystem to evade detection and maximize reach. The financial impact is staggering, with illicit gains estimated to exceed $1 billion over the past three years. This report provides a comprehensive technical analysis of the Smishing Triad’s tactics, techniques, and procedures (TTPs), observed exploitation in the wild, victimology, and actionable mitigation strategies for organizations seeking to defend against this evolving threat.
Threat Actor Profile
The Smishing Triad is a financially motivated, China-linked cybercrime group operating with a high degree of organization and technical sophistication. Unlike traditional Advanced Persistent Threat (APT) groups focused on espionage, the Smishing Triad is structured as a PhaaS consortium, enabling rapid scaling and global reach. The group’s operations are characterized by the following attributes: a decentralized infrastructure with domain registration and hosting distributed across Hong Kong, China, Singapore, and the United States; a modular ecosystem involving phishing kit developers, data brokers, domain sellers, hosting providers, SMS spammers, and liveness/blocklist scanners; and a focus on monetization through credential theft, account takeover, and stock market manipulation. While not directly mapped to a specific MITRE APT group, the Smishing Triad shares TTPs with other Chinese eCrime collectives and is referenced in open-source threat intelligence repositories such as Malpedia and Silent Push.
Technical Analysis of Malware/TTPs
The Smishing Triad’s attack chain is initiated via SMS messages crafted to impersonate legitimate organizations, including USPS, E-ZPass, IRS, and various banks and government agencies. These messages employ urgent social engineering lures—such as toll violation notices, package delivery issues, unpaid government fees, and brokerage account alerts—to prompt recipients to click embedded links. The links direct victims to phishing sites hosted on rapidly-rotating domains, with an average lifespan of less than one week. These domains are predominantly registered through Dominet (HK) Limited, with Chinese nameservers and U.S.-based hosting, particularly leveraging Cloudflare (AS13335) for content delivery and obfuscation.
The phishing sites are engineered to harvest a wide array of sensitive data, including login credentials, multi-factor authentication codes, and personal identification information. In some cases, the sites deploy additional malware under the guise of CAPTCHA or “ClickFix” solutions, tricking users into executing malicious code on their devices. For compromised brokerage accounts, the Smishing Triad has been observed conducting “ramp and dump” stock manipulation schemes, using stolen access to artificially inflate or deflate stock prices for profit.
The group’s infrastructure is highly automated, with over 194,345 fully qualified domain names (FQDNs) and 136,933 root domains registered to date. Domain churn is a key evasion tactic: 29% of domains are active for two days or less, 71% for one week or less, and 83% for two weeks or less. The campaign utilizes at least 43,494 unique IP addresses, with a significant concentration in U.S. cloud environments. The PhaaS model enables the Smishing Triad to scale operations rapidly, with distinct actors responsible for kit development, SMS delivery, infrastructure management, and data monetization.
Exploitation in the Wild
The Smishing Triad campaign has resulted in widespread exploitation across multiple sectors and geographies. Financial institutions, postal and delivery services, government agencies, and brokerage platforms are among the most frequently impersonated targets. Notably, USPS-themed phishing domains account for over 28,000 FQDNs, while toll and transportation-related lures comprise nearly 90,000 domains. The campaign’s global reach is evidenced by active targeting in North America, Europe, Asia, and beyond, with over 121 countries affected.
Victims are typically lured into providing credentials and financial information, which are then used for direct fraud, account takeover, and, in the case of brokerage accounts, market manipulation. The financial impact is severe, with over $1 billion in losses attributed to the campaign, and brokerage account targeting increased fivefold in the second quarter of 2025. The use of ephemeral infrastructure and anonymized services ensures minimal forensic traceability, complicating law enforcement efforts and prolonging the campaign’s longevity.
Victimology and Targeting
The Smishing Triad targets a broad spectrum of sectors, including banking and financial services, cryptocurrency platforms, e-commerce, healthcare, law enforcement, social media, state and federal government agencies, postal and delivery services, toll and transportation agencies, hospitality, carpooling, gaming, and cloud services. The group’s targeting is opportunistic, focusing on regions with high mobile device penetration and digital infrastructure. The United States is the primary focus, particularly through impersonation of USPS, E-ZPass, and state agencies, but significant activity has also been observed in Germany, the United Kingdom, France, the Netherlands, Italy, Spain, Sweden, Malaysia, Mexico, Argentina, Australia, Canada, Ireland, Israel, Russia, Poland, and Lithuania.
The attack does not discriminate by device type or software version; any user of an SMS-capable mobile device is a potential target. The social engineering nature of the campaign means that technical controls alone are insufficient—user awareness and vigilance are critical components of defense.
Mitigation and Countermeasures
To defend against the Smishing Triad and similar large-scale smishing campaigns, organizations should implement a multi-layered security strategy. Proactive domain monitoring and blocking are essential, particularly for domains registered via Dominet (HK) Limited and those exhibiting rapid churn patterns. Advanced DNS and URL filtering solutions should be deployed to prevent access to known and newly registered malicious domains. Integrating real-time threat intelligence feeds from sources such as Palo Alto Networks Unit 42, Fortra, and The Hacker News supports timely detection of emerging indicators of compromise (IOCs).
User education is paramount: organizations must conduct targeted awareness campaigns to train employees and customers to recognize and report suspicious SMS messages, especially those involving urgent requests for payment, account verification, or delivery confirmation. Collaboration with mobile network operators can facilitate the detection and blocking of smishing messages at the carrier level. For high-risk sectors such as financial services and brokerage platforms, continuous monitoring for anomalous logins and trading activity is recommended.
Technical controls should include the use of CAPTCHAs that do not require client-side code execution, robust incident response procedures tailored to smishing incidents, and regular monitoring for IOCs across network and endpoint environments. Organizations should also encourage users to verify urgent requests through official channels rather than clicking on links received via SMS.
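The following is an added example, written for this advisory and not tooling from Rescana or any vendor named above. It shows how the indicators described in the Technical Analysis and Mitigation sections can be turned into a defender-side triage routine: one function profiles domain lifetime from passive-DNS style first-seen/last-seen records (the churn measurement behind the two-day, one-week and two-week figures), and another scores an inbound SMS against urgency lures, brand-lookalike hostnames, domain age, the Dominet (HK) Limited registrar, Chinese nameservers and Cloudflare (AS13335) hosting. All sample messages, domains, dates and WHOIS-style metadata are constructed, and the `DomainInfo` field names, score weights and thresholds are assumptions chosen for illustration rather than values from the advisory.

```python
"""
Added example (not Rescana's or any vendor's code): rule-based smishing triage
built from the indicators this advisory describes. Sample data is constructed.
"""
import re
from dataclasses import dataclass
from datetime import date, timedelta

# Lure vocabulary drawn from the lures described above (toll violations,
# package delivery, unpaid fees, account alerts); matched on whole words.
LURE_WORDS = {"toll", "unpaid", "violation", "package", "delivery", "suspended",
              "verify", "fee", "overdue", "refund"}
# Host labels that signal brand impersonation when the domain is not the brand's own.
BRAND_LABELS = {"usps", "ezpass", "zpass", "irs"}
# Registrable domains the impersonated brands actually use (real domains, allowlisted).
ALLOWLIST = {"usps.com", "irs.gov"}
CHURN_REGISTRARS = {"Dominet (HK) Limited"}   # registrar named in the advisory
CLOUDFLARE_ASN = 13335                        # AS13335, named in the advisory


@dataclass
class DomainInfo:
    registrar: str
    created: date
    nameserver_tld: str   # assumed field: TLD of the authoritative nameservers
    hosting_asn: int      # assumed field: ASN serving the A record when observed


URL_RE = re.compile(r"https?://([A-Za-z0-9.-]+)")
WORD_RE = re.compile(r"[a-z]+")


def root_domain(host):
    """Last two labels; a production deployment would use the public suffix list."""
    return ".".join(host.lower().split(".")[-2:])


def lifetime_buckets(observations, thresholds=(2, 7, 14)):
    """observations: (domain, first_seen, last_seen). Returns, for each N in
    thresholds, the fraction of domains active for N days or less (inclusive)."""
    lifetimes = [(last - first).days + 1 for _, first, last in observations]
    return {n: sum(1 for d in lifetimes if d <= n) / len(lifetimes) for n in thresholds}


def score_sms(text, domain_db, today):
    """Return (verdict, score, reasons) for one message text."""
    score, reasons = 0, []
    words = set(WORD_RE.findall(text.lower()))
    lures = sorted(words & LURE_WORDS)
    if lures:
        score += min(len(lures), 3)               # cap so wording alone cannot block
        reasons.append(f"urgency lures: {', '.join(lures)}")
    for host in URL_RE.findall(text):
        root = root_domain(host)
        if root in ALLOWLIST:                     # the brand's own domain: no penalty
            continue
        labels = set(re.split(r"[.-]", host.lower()))
        if labels & BRAND_LABELS:
            score += 3
            reasons.append(f"brand lookalike host: {host}")
        info = domain_db.get(root)
        if info is None:
            score += 1
            reasons.append(f"no registration history: {root}")
            continue
        age = (today - info.created).days
        if age <= 14:                             # inside the two-week churn window
            score += 3
            reasons.append(f"domain {age} days old: {root}")
        elif age <= 60:
            score += 1
        if info.registrar in CHURN_REGISTRARS:
            score += 2
            reasons.append(f"high-churn registrar: {info.registrar}")
        if info.nameserver_tld == "cn" and info.hosting_asn == CLOUDFLARE_ASN:
            score += 1
            reasons.append("CN nameservers with AS13335 hosting")
    verdict = "block" if score >= 6 else "review" if score >= 3 else "allow"
    return verdict, score, reasons


# ---- constructed sample data (not real indicators) ----
TODAY = date(2025, 10, 26)
DOMAIN_DB = {
    "usps-redelivery-tracking.top": DomainInfo("Dominet (HK) Limited", date(2025, 10, 23), "cn", 13335),
    "ezpass-tollpay.xyz": DomainInfo("Dominet (HK) Limited", date(2025, 10, 25), "cn", 13335),
}
SAMPLE_SMS = [
    "USPS: Your package could not be delivered due to an incomplete address. Update within 12 hours: https://usps-redelivery-tracking.top/track",
    "E-ZPass: You have an unpaid toll violation of $6.99. Pay now to avoid a late fee: https://ezpass-tollpay.xyz/pay",
    "Your account has been suspended. Verify your identity at https://secure-account-check.com/login",
    "USPS: your package has shipped. Track at https://tools.usps.com/go/TrackConfirmAction",
    "Your dentist appointment is confirmed for Tuesday at 3pm. Reply C to confirm.",
]
# Ten constructed domains with lifetimes of 1, 1, 2, 3, 5, 7, 10, 14, 20 and 40 days.
SEEN_LIFETIMES = [1, 1, 2, 3, 5, 7, 10, 14, 20, 40]
OBSERVATIONS = [(f"dom{i}.example", date(2025, 9, 1), date(2025, 9, 1) + timedelta(days=n - 1))
                for i, n in enumerate(SEEN_LIFETIMES)]

if __name__ == "__main__":
    print("lifetime buckets:", lifetime_buckets(OBSERVATIONS))
    for sms in SAMPLE_SMS:
        verdict, score, reasons = score_sms(sms, DOMAIN_DB, TODAY)
        print(f"{verdict:6} {score:2}  {reasons}")
```

The allowlist check runs before any other domain rule so that a genuine USPS tracking message, which also contains the word "package", stays at "allow"; the lure cap keeps wording alone from reaching the block threshold, so a block requires at least one infrastructure signal (domain age, registrar, lookalike host). In practice `DOMAIN_DB` would be backed by WHOIS/RDAP and passive DNS lookups, and `lifetime_buckets` would be run over the organization's own sinkhole or pDNS data to confirm that blocked domains actually follow the churn profile described above.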
References
For a full list of IOCs and ongoing updates, please contact Rescana Threat Intelligence or subscribe to Unit 42 and Fortra threat feeds.
About Rescana
Rescana is a leader in third-party risk management, providing organizations with a comprehensive platform to assess, monitor, and mitigate cyber risks across their extended supply chain. Our advanced threat intelligence and automation capabilities empower security teams to proactively identify and respond to emerging threats, ensuring resilience in an ever-evolving digital landscape. For more information about our solutions or to discuss this advisory, we are happy to answer questions at ops@rescana.com.