TL;DR: The US is experiencing a surge in scam text messages that federal investigators say has evolved into a coordinated, billion-dollar criminal enterprise with deep ties to China. What began as a nuisance of misleading messages has now grown into a global cyber operation, exploiting vulnerabilities in mobile networks, digital payment systems, and human behavior.
Security officials describe sprawling criminal ecosystems behind these fraudulent messages – networks that use industrial-scale text-sending systems, sophisticated phishing websites, and a supply chain of temporary US-based workers to withdraw stolen money and move goods across borders. The Department of Homeland Security estimates that toll payment and postal fee scams alone have generated more than $1 billion for criminal organizations over the past three years.
The text messages impersonate familiar institutions: highway agencies warning about overdue tolls, delivery carriers demanding payment for undelivered packages, or city finance departments claiming unpaid violations. The goal is to lure targets to realistic-looking websites, where victims hand over credit card details or banking information. That financial data then becomes the raw material for a carefully engineered digital pipeline that converts stolen card information into cash and goods.
One technique complicating investigations involves linking stolen card data to mobile wallets in Asia. Criminals load victims' cards into Google or Apple digital wallets and then share those credentials with on-the-ground buyers in the US. Because the information resides in a trusted payment app, the hired gig workers can use the cards at retail stores as if they owned them.
Federal investigators say this method is how the scam maintains both speed and scale. US-based workers collect modest fees per transaction, earning roughly 12 cents for every $100 spent on gift cards or merchandise – a figure that quickly adds up when replicated hundreds of times a day.
The wave of fraudulent texts is distributed through SIM farms, industrial setups filled with hundreds of networking devices, each holding dozens of SIM cards. These operations effectively multiply the messaging capacity of a single person by thousands. "One person in a room with a SIM farm can send out the number of text messages that 1,000 phone numbers could send out," Adam Parks, assistant special agent in charge at Homeland Security Investigations, told The Wall Street Journal.
Ben Coon, chief intelligence officer at the cybersecurity company Unit 221b, says there are at least 38 such SIM farms operating in US cities including Houston, Los Angeles, Phoenix, and Miami. Many run out of rented offices or makeshift setups, with some discovered in vacant buildings or small shops. Gig workers are paid to configure the devices following instructions delivered via Chinese messaging apps such as WeChat.
Cybersecurity firm Proofpoint, which monitors mobile spam, recorded a single-day record of 330,000 toll-related scam texts last month. The volume of these texts has increased to roughly three and a half times the level seen at the start of 2024.
Victims who click on the deceptive links are often directed to phishing pages that closely mimic legitimate payment sites. Investigators say these sites are frequently generated using software shared on criminal channels hosted on Telegram. The design tools allow scammers to clone corporate websites' look and feel with minimal technical skill.
Experts warn that the cloned sites not only collect names and card details but also one-time passwords from financial institutions. These temporary codes, intended to authorize small payments, are used by scammers to finalize the installation of victims' cards in foreign mobile wallets, bypassing multi-factor authentication and granting long-term access.
"It's the easiest system I've ever seen for making phishing sites," said Gary Warner, director of threat intelligence at DarkTower, whose team has tracked the infrastructure of the fraud.
Once the cards are ready for use, the criminal network needs a way to convert them into profit. Hidden marketplaces on Telegram and similar apps allow organizers to recruit hundreds of US residents daily to make purchases on their behalf. Some buy electronics, cosmetics, or iPhones directly, while others purchase gift cards, which can later be spent or sold anonymously. Physical goods are often shipped to China, creating a clean break from US law enforcement and a revenue stream for Chinese organized crime groups.
An illustrative case occurred in Kentucky, where Chinese national Heng Yin pleaded guilty in August to wire fraud and identity theft after using 107 stolen credit card numbers to buy 70 gift cards worth nearly $5,000. Investigators said Yin concealed the cards under larger grocery purchases at self-checkout lines, enabling him to drain multiple accounts through a single Android phone.
Image credit: Bleeping Computer
The spam text you ignored might be part of a billion-dollar crime wave
