Smishing Triad: How a Global Cybercrime Group is Exploiting Digital Wallets and SMS Scams

Introduction: The Rise of Smishing

Smishing—SMS phishing—has rapidly become one of the most dangerous forms of cybercrime. Exploiting the trust people place in text messages, attackers use smishing to steal sensitive information such as bank details, passwords, and even control of digital wallets. At the heart of this global threat is a sophisticated group dubbed the Smishing Triad.


Who is the Smishing Triad?

Security researchers, including those at cybersecurity firm Silent Push, have traced a major share of global smishing activity back to a loosely connected group of Chinese-speaking threat actors collectively referred to as the Smishing Triad. This group has impersonated organizations in over 121 countries, making it one of the most far-reaching cybercrime collectives in the smishing ecosystem.


Massive Infrastructure: 200,000 Domains and Counting

According to Silent Push, the Smishing Triad has used around 200,000 domains across 187 top-level domains, such as .top, .vip, and .world, to host its scam operations. In just a 20-day period, over 1 million visits were recorded to these malicious websites, underscoring the scale and reach of the group.

These sites are crafted to look like official banking or retail portals, prompting users to input personal details, including one-time passwords (OTPs) and authentication codes.


The Digital Wallet Exploit: A New Form of Card Cloning

One of the group’s most alarming tactics is exploiting digital wallets like Apple Pay and Google Wallet. Once a victim unknowingly inputs their card details and verification codes, criminals add these cards to wallets on devices halfway across the globe.

“They have effectively turned the modern digital wallet into the best card-cloning device we’ve ever invented,” says cybersecurity expert Merrill.

Previously, attackers would allow cards to “age” for 60–90 days to avoid detection. Today, they act within days or even hours, draining funds as quickly as possible.

Google responded by saying it collaborates with issuers to detect fraud and sends real-time alerts when a new card is added. Apple has remained silent on the issue.


Telegram as a Marketplace for Fraud

The cybercriminal underworld thrives on Telegram, where members of the Smishing Triad reportedly share videos and images of digital wallets filled with cloned cards. These channels act as open forums for fraud tactics, showcasing the audacity and transparency of the operation.

This mirrors trends seen in other cybercriminal circles, where platforms like Telegram have replaced the dark web as a hub for selling data and tools.


Fraud at Scale: The Role of Automation and Software Tools

The Smishing Triad is not only organized but also highly automated. According to cybersecurity company Resecurity, the group leverages bulk SMS platforms and its own proprietary software, Lighthouse, to scale attacks.

Lighthouse is used to collect, store, and manage data stolen from victims. A recent version of the software, updated as of March this year, targets major financial entities like:

  • PayPal

  • Visa

  • Mastercard

  • Stripe

Silent Push’s analysis even shows impersonations of Australian banking brands, hinting at an expansion of the group’s global footprint.


The Global Impact and Targeted Brands

With a continuously growing list of impersonated entities and compromised users, the implications for both consumers and businesses are vast. The Smishing Triad’s campaigns now span financial, retail, and tech brands, showing a deliberate attempt to broaden the target surface across industries.


How Businesses and Users Can Protect Themselves

Here are a few best practices that users and businesses can follow:

For Individuals:

  • Never click links from unsolicited SMS messages.

  • Use multi-factor authentication apps instead of SMS-based codes.

  • Regularly monitor bank and wallet activity for unusual behavior.

For Businesses:

  • Implement robust phishing detection systems.

  • Educate employees and customers on recognizing smishing attempts.

  • Monitor brand impersonations online using threat intelligence platforms.
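
As an added illustration of the phishing-detection and brand-monitoring points above (this is example code written for this page, not a tool from Silent Push, Resecurity, or Trenzest), the sketch below triages links in inbound or user-reported SMS text. It flags hosts on the TLDs named earlier in the article and hosts that contain a brand name without belonging to that brand's domain. The official-domain map and the sample messages are constructed assumptions, and the substring match is a triage signal that will produce some false positives.

```python
import re

# Assumption for this example: brand -> domains the brand actually operates.
OFFICIAL = {
    "paypal": {"paypal.com"},
    "visa": {"visa.com"},
    "mastercard": {"mastercard.com"},
    "stripe": {"stripe.com"},
}
# TLDs the article names as used by the group's infrastructure.
WATCHED_TLDS = {"top", "vip", "world"}

# Matches a hostname with an optional scheme and optional path.
URL_RE = re.compile(r"(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})(?:/\S*)?", re.I)

def triage_sms(text):
    """Return [(host, [reasons])] for each suspicious link-like token in text."""
    findings = []
    for match in URL_RE.finditer(text):
        host = match.group(1).lower()
        reasons = []
        if host.rsplit(".", 1)[-1] in WATCHED_TLDS:
            reasons.append("watched-tld")
        squashed = host.replace("-", "")  # catches "pay-pal" style splits
        for brand, domains in OFFICIAL.items():
            # Legitimate only if the host IS the brand domain or a subdomain of it.
            legit = any(host == d or host.endswith("." + d) for d in domains)
            if brand in squashed and not legit:
                reasons.append("brand-lookalike:" + brand)
        if reasons:
            findings.append((host, reasons))
    return findings

# Constructed sample messages (not real captures).
SAMPLES = [
    "PayPal: unusual activity detected. Confirm your card at https://paypal-secure.top/login",
    "Your Visa card was added to a new wallet. Not you? visa.com.account-verify.world/x",
    "Receipt from Stripe: https://dashboard.stripe.com/receipts/123",
]

if __name__ == "__main__":
    for sms in SAMPLES:
        print(triage_sms(sms) or "no findings", "<-", sms)
```

The second sample shows why the check compares the end of the hostname rather than searching for the brand domain anywhere in it: a host that merely begins with `visa.com.` is still registered under an unrelated domain.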


Trenzest’s Take: Why Small Businesses Need to Stay Alert

At Trenzest, we believe that cybersecurity is not just for the big players. Small businesses are increasingly becoming targets due to their often limited security infrastructure.

Our blog regularly shares tips and tools to help startups and entrepreneurs secure their operations in a cost-effective way. In an era where even digital wallets can be hijacked, it’s critical to remain one step ahead.

Whether you’re a solo entrepreneur or running a growing team, adopting a proactive mindset towards cybersecurity will save time, money, and customer trust.


Conclusion: Staying Ahead of the Threat

The Smishing Triad’s operations demonstrate a disturbing evolution in cybercrime—highly scalable, global, and tech-savvy. Their ability to exploit digital wallets, impersonate trusted brands, and operate openly through platforms like Telegram signals the urgent need for stronger defenses at every level.

Stay informed, stay alert. #Trenzest
