Chinese Criminals Made More Than $1 Billion From Those Annoying Texts

Messages seeking payment for unpaid tolls or postage fees prompt victims to hand over credit-card information
Your highway toll payment is now past due, one text warns. You have U.S. Postal Service fees to pay, another threatens. You owe the New York City Department of Finance for unpaid traffic violations.
The texts are ploys to get unsuspecting victims to fork over their credit-card details. The gangs behind the scams take advantage of this information to buy iPhones, gift cards, clothing and cosmetics.
Criminal organizations operating out of China, which investigators blame for the toll and postage messages, have used them to make more than $1 billion over the last three years, according to the Department of Homeland Security.
Behind the con, investigators say, is a black market connecting foreign criminal networks to server farms that blast scam texts to victims. The scammers use phishing websites to collect credit-card information. They then find gig workers in the U.S. who will max out the stolen cards for a small fee.
Making the fraud possible: an ingenious trick allowing criminals to install stolen card numbers in Google and Apple Wallets in Asia, then share the cards with the people in the U.S. making purchases half a world away.
The deluge of phishing texts is getting worse. Americans reported an all-time high of 330,000 toll-scam messages in a single day last month, says Proofpoint, a company that filters mobile spam messages. The average monthly volume of toll-scam messages is about 3½ times what it was in January 2024.
Setting up SIM farms
Criminal gangs are able to flood people with text messages using so-called SIM farms, rooms jammed with boxes of networking devices. The servers are stuffed with the little white cards that mobile customers put in their new phones to begin making calls or sending texts.
“One person in a room with a SIM farm can send out the number of text messages that 1,000 phone numbers could send out,” said Adam Parks, an assistant special agent in charge at Homeland Security Investigations, the investigative arm of DHS.
Criminal gangs overseas typically operate the farms remotely, but hire gig workers in the U.S. to set them up. The gangs recruit the workers via the WeChat messaging app, Parks said. Workers needing help have instruction manuals and live technical support.
At least 200 SIM boxes are operating in at least 38 farms across the U.S., in cities such as Houston, Los Angeles, Phoenix and Miami, said Ben Coon, chief intelligence officer with the cybersecurity company Unit 221b, who has investigated the messaging fraud.
Coon has discovered SIM farms in shared office spaces, crack houses and an auto-repair shop.
Fake E-ZPass bill leads to a phishing site
Consumers receiving a scam toll text are asked to visit a website where they can pay their bill, after providing their name and credit-card or bank information.
Most people know to ignore the messages, but the fraction who do click are taken to a phishing site.
Texts seeking payment for an outstanding balance on E-ZPass tolls are ploys that criminal gangs in China have used to obtain sensitive credit-card information from unsuspecting Americans.
Some gangs set up sites using software found in criminal channels on the Telegram messaging app, investigators say. Through the sites, the scammers can watch every keystroke the victims type, and enter the same information into wallets on their own smartphones.
“It’s the easiest system I’ve ever seen for making phishing sites,” said Gary Warner, director of threat intelligence with the cybersecurity firm DarkTower.
The phishing sites ask their victims to submit a one-time password from their financial institution. But the point of this password isn’t to pay toll fees. The criminals use it, along with the other stolen information, as a final step to install the victims’ cards into mobile phone wallets located in Asia.
Pennies for every $100 gift card
The criminals find people in the U.S. willing to make purchases through Telegram channels. On any given day scammers employ 400 to 500 of the mules. The workers are paid around 12 cents for every $100 gift card they buy, Parks said.
The scammers use remote tap-to-pay software to create “a virtual bridge between the phone in China and a phone in the United States,” Parks said.
The trick allows the gig buyers to tap their phones at a store’s checkout to make a purchase, as if they were using their own credit card.
“Having these cards put into digital wallets is so powerful because multi-factor authentication is never needed again,” said Ford Merrill, a researcher at the threat intelligence firm SecAlliance. “You’ve effectively told your bank that you trust this device.”
Sometimes the gig workers buy products like iPhones, clothing and cosmetics directly. But to further cover their tracks, they often get gift cards that are later used to buy goods, which they then ship to China.
“Once it’s shipped to China, it’s sold in China, and all that money goes to Chinese organized crime groups,” Parks said.
An undated video that Warner, the cybercrime investigator, viewed earlier this year shows a man walk up to a point-of-sale system and then use a single Android phone to drain funds from more than a dozen different card accounts.
In another case, a Chinese national named Heng Yin pleaded guilty in August to wire fraud and identity theft charges in a federal court in Kentucky, and is scheduled to be sentenced next month.
Yin purchased 70 gift cards worth $4,825 using 107 different credit-card numbers loaded onto his phone’s Tap-to-Pay method at a Meijer grocery store in the Lexington, Ky., region, according to his plea agreement. To conceal all the gift cards, Yin covered the cards with larger items at self-checkout.
Write to Robert McMillan at robert.mcmillan@wsj.com

