
Chinese-Backed Smishing Steals Credentials via OTT


David kimber
April 28, 2026

Large-scale smishing campaigns, directly backed by Chinese-language services, are quietly targeting individuals worldwide. These operations exploit both Over-The-Top (OTT) messaging applications and traditional SMS to steal personal and financial credentials. A new comprehensive report, titled “

These operations have grown well beyond regional limits, making them one of the most organized and active threats in the current cyber threat landscape.

Phishing-as-a-service, commonly known as PhaaS, has changed how cybercriminals carry out fraud. Instead of building tools from scratch, criminals now rent ready-made phishing kits that include templates, backend panels, and even technical support.

Chinese-language PhaaS platforms have quickly become major players in this space, enabling individuals with limited technical skills to run large-scale credential theft campaigns targeting victims across multiple countries at the same time.

Researchers at urlscan.io identified several of the most active Chinese-language PhaaS ecosystems currently in operation.

Their findings, published on April 27, 2026, show that these services use a combination of SMS-based smishing and over-the-top (OTT) messaging platforms, including Apple iMessage and Rich Communication Services (RCS), to reach potential victims.

The use of legitimate messaging channels makes these attacks harder to detect and block, giving attackers a notably higher chance of success with each campaign run.

The scale of these campaigns is striking. Data from organizations including APWG and Microsoft show sharp increases in domain registrations linked to these frameworks, alongside a rise in phishing kit deployments and overall phishing scan volume worldwide.

Firms such as Group-IB, Resecurity, and GSMA have all documented the rapid growth of these ecosystems, noting that they operate on affiliate-based business models similar to those used by legitimate software companies.

The speed at which these platforms are expanding strongly suggests that a large portion of the SMS-based credential theft activity seen globally today traces back, directly or indirectly, to Chinese-language PhaaS operations.

What makes these services particularly effective is their ability to run cross-border campaigns without changing their core infrastructure.

A single backend platform can support dozens of phishing page templates designed to imitate banks, postal services, toll payment systems, and government agencies in different countries at once.

This allows one operator to target victims in the United States, the United Kingdom, Australia, and Japan within the same campaign window.

As financial rewards continue to grow, more threat groups are already building and adapting their own versions of these frameworks, creating a competitive underground market that shows no sign of slowing down.

How SIM Box Infrastructure Scales the Attack

One of the key delivery methods behind these campaigns is the use of SIM box infrastructure to send fraudulent messages at high volume.

A SIM box is a device that holds multiple physical SIM cards and connects to the internet, allowing it to send large numbers of SMS messages that appear to come from regular mobile numbers rather than commercial bulk-sending platforms.

This setup makes the messages far more likely to slip past spam filters and carrier-level detection systems, which typically flag mass sends from known commercial gateways.

Threat actors behind these operations often deploy SIM box networks across multiple countries to distribute the sending load and avoid generating clear detection patterns.

Law enforcement agencies and telecommunications regulators have flagged this infrastructure in several investigations, but the distributed nature of these setups makes them hard to shut down entirely.

When one node is taken offline, operators quickly shift to new SIM card supplies and alternate routing paths to keep campaigns running without major disruption.

Individuals should avoid clicking links in unsolicited SMS or OTT messages, especially those requesting login credentials, payment details, or personal identity information.

Any message that looks official but arrives unexpectedly through a mobile messaging app should be verified through official channels before any action is taken.

Security teams at organizations are also advised to actively monitor for newly registered domains imitating known brands, as early detection of phishing infrastructure can stop a campaign before it reaches a large number of intended targets.
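
As an added illustration of the domain-monitoring advice above (not code from the article or from the urlscan.io report), the following Python triages a feed of newly registered domains against a brand watch-list. The brand names, legitimate domains, feed entries and matching rules are constructed assumptions.

```python
# Constructed watch-list: brand keyword -> domains the brand really owns (assumption).
BRANDS = {
    "examplebank": {"examplebank.com"},
    "examplepost": {"examplepost.com", "examplepost.co.uk"},
}
# Digit-for-letter swaps often seen in lookalike labels.
SWAPS = str.maketrans("0135", "oles")

def edit_distance(a, b):
    """Levenshtein distance, two-row dynamic programming."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(domain):
    """Return (brand, reason) for a suspected lookalike, or None."""
    d = domain.lower().rstrip(".")
    # Domains owned by the brand, and their subdomains, are never flagged.
    for legit in set().union(*BRANDS.values()):
        if d == legit or d.endswith("." + legit):
            return None
    # Split every label except the TLD on hyphens: "examplebank-verify" -> 2 tokens.
    tokens = [t for label in d.split(".")[:-1] for t in label.split("-") if t]
    for brand in BRANDS:
        for tok in tokens:
            norm = tok.translate(SWAPS)
            if brand in tok:
                return (brand, "brand-in-label")
            if brand in norm:
                return (brand, "digit-swap")
            # One edit is a safe threshold only for long brand names like these.
            if edit_distance(norm, brand) <= 1:
                return (brand, "typosquat")
    return None

def triage(feed):
    """Keep only the flagged domains, with the brand and the rule that fired."""
    return [(d, *hit) for d in feed if (hit := classify(d))]

# Constructed sample of a newly-registered-domain feed.
FEED = ["examplebank.com", "login.examplebank.com", "examplebank-verify.top",
        "examp1ebank.cc", "examplepst-fee.xyz",
        "examplebank.com.secure-pay.top", "weather-news.org"]

if __name__ == "__main__":
    for row in triage(FEED):
        print(*row, sep="\t")
```

The last flagged entry shows why the ownership check compares the end of the name: a brand's real domain used as a left-hand subdomain label of an unrelated registration is still flagged.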
