A prevalent Chinese cybercrime group, dubbed Smishing Triad, has launched an extensive global cyberattack, targeting users in over 120 countries through sophisticated phishing campaigns.
Security analysts at Silent Push have uncovered evidence of the group’s systematic SMS phishing, or “smishing,” operations, which have infiltrated industries including banking, logistics, telecommunications, and government sectors.
These campaigns primarily aim to acquire sensitive banking credentials from unsuspecting victims by tricking them into visiting fraudulent sites.
The Smishing Triad leverages a rotating infrastructure of approximately 25,000 phishing domains active within eight-day periods. Over a million page visits were logged in less than three weeks, indicating significant user targeting and engagement.
Advanced Tools and Techniques
Most recently, in March 2025, the group released a new phishing toolkit referred to as “Lighthouse,” unveiled through a Telegram channel by the developer identified as Wang Duo Yu.

The toolkit showcases advanced features designed to target banks and financial organizations, particularly in Australia and the broader Asia-Pacific region. Major Western financial institutions are also in its crosshairs.
Key capabilities of the Lighthouse phishing kit include one-click setup for customized verifications, real-time synchronization between front-end interfaces and back-end databases, and mechanisms to bypass multiple layers of security, including OTP (one-time password), PIN, and 3DS verifications.
The kit is sold to other malicious groups through Telegram, further amplifying its reach and operational scope.
The infrastructure supporting these campaigns is anchored in Chinese hosting providers Tencent and Alibaba, which host over 50% of the phishing domains.
These domains are frequently rotated to evade detection, demonstrating an evolving and resilient campaign.
Global Scope of Operations
The Smishing Triad campaigns have covered nearly two-thirds of the globe, impacting users in diverse regions including North and South America, Europe, Asia-Pacific, and the Middle East.
The group employs SMS-based lures that impersonate credible organizations, such as national postal services, toll collection systems, and financial institutions, to steal user data.
Victims are duped into believing they need to verify packages, pay tolls, or confirm banking credentials.
Notable brands and entities targeted include USPS, HSBC, PayPal, Mastercard, and several national banks in Australia, such as ANZ, Commonwealth Bank, and Westpac.
According to the report, smishing messages often direct recipients to phishing pages where personal information and banking credentials are harvested.
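For defenders, the traits described above (brand-impersonating lures, domains rotated within eight-day periods, hosting concentrated at Tencent and Alibaba) can be combined into a simple triage of domains seen in SMS links. The following is an added example, not code from the report or from Silent Push; the record fields, keyword and allow-list entries, the two-signal threshold and the sample data are all assumptions made for illustration.

```python
import re
from datetime import date

# Assumed keyword list, built from brands named in the report.
BRANDS = ("usps", "hsbc", "paypal", "mastercard", "anz", "commbank", "westpac")
PROVIDERS = ("tencent", "alibaba")   # hosting providers named in the report
ROTATION_DAYS = 8                    # rotation window cited in the report
# Assumed allow-list of official domains; extend for your own environment.
OFFICIAL = ("usps.com", "hsbc.com", "paypal.com", "mastercard.com",
            "anz.com.au", "commbank.com.au", "westpac.com.au")

def signals(rec):
    """Return the heuristic signals one domain observation triggers."""
    domain = rec["domain"].lower().rstrip(".")
    # Official domains and their subdomains are never scored.
    if any(domain == o or domain.endswith("." + o) for o in OFFICIAL):
        return []
    found = []
    tokens = re.split(r"[.\-]", domain)
    if any(t.startswith(b) for t in tokens for b in BRANDS):
        found.append("brand-token")        # brand name used outside its own domain
    if (rec["last_seen"] - rec["first_seen"]).days <= ROTATION_DAYS:
        found.append("short-lived")        # lifetime fits the rotation window
    if rec["hosting"].lower() in PROVIDERS:
        found.append("named-provider")     # weak alone: these are large legitimate hosts
    return found

def triage(records, threshold=2):
    """Map each domain with at least `threshold` signals to its signal list."""
    hits = {}
    for rec in records:
        found = signals(rec)
        if len(found) >= threshold:
            hits[rec["domain"]] = found
    return hits

# Constructed sample observations (for example from passive DNS); not real indicators.
SAMPLE = [
    {"domain": "usps-parcel-verify.example", "hosting": "Tencent",
     "first_seen": date(2025, 3, 2), "last_seen": date(2025, 3, 7)},
    {"domain": "tolls-pay.example", "hosting": "Alibaba",
     "first_seen": date(2025, 3, 1), "last_seen": date(2025, 3, 6)},
    {"domain": "www.paypal.com", "hosting": "other",
     "first_seen": date(2020, 1, 1), "last_seen": date(2025, 3, 1)},
    {"domain": "hsbc-fanclub.example", "hosting": "other",
     "first_seen": date(2024, 1, 1), "last_seen": date(2025, 3, 1)},
    {"domain": "westpac-secure.example", "hosting": "other",
     "first_seen": date(2025, 3, 10), "last_seen": date(2025, 3, 12)},
]

if __name__ == "__main__":
    for name, why in triage(SAMPLE).items():
        print(name, why)
```

No single signal is conclusive, which is why the triage requires two; flagged domains are candidates for analyst review, not automatic blocking.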
Silent Push researchers have attributed the creation of the Lighthouse kit and prior phishing kits to Wang Duo Yu, a developer communicating in Mandarin via Telegram.

Evidence points to the kits being developed in China, with scripts and tools containing distinct Chinese text.
Their phishing domains display weak server configurations, sometimes inadvertently leaking logs of stolen card data.
The scale of these operations is bolstered by Smishing Triad’s reported global workforce of over 300 individuals, supporting various facets of these campaigns, from development to fraud execution.
While initial targets were Australia-based, the campaigns have rapidly expanded to include additional regions and industries.
Security experts encourage organizations and users to remain vigilant, particularly against phishing messages claiming to be from trusted entities.
Silent Push continues to track and analyze the group’s infrastructure, sharing indicators of future attacks with the cybersecurity community to facilitate takedowns.
This case underscores the growing sophistication of phishing operations and their potential to exploit global digital infrastructure.
Effective mitigation requires international cooperation amongst stakeholders to disrupt such pervasive cybercrime networks.