Executive Summary
In 2025, large-scale social engineering attacks targeted US consumers through smishing campaigns that impersonated legitimate institutions such as highway toll authorities and the US Postal Service. Orchestrated by Chinese criminal organizations, these fraudulent text messages lured victims into divulging their credit card details, which were then monetized to purchase goods through an elaborate scheme. Attackers loaded the stolen card data into Google and Apple Wallets on devices in Asia and used those wallets for cross-border purchases, enabling frictionless, large-scale fraud amounting to over $1 billion across a three-year period.
This case underscores a recent surge in sophisticated financial fraud campaigns that combine social engineering with digital payment ecosystems, exploiting global tech infrastructure and multi-region collaboration. Organizations face continued pressure to safeguard payment and customer data against rapidly evolving threats.
Why This Matters Now
The ongoing increase in advanced social engineering and digital payment fraud targets both consumers and financial institutions, risking widespread financial damage and regulatory scrutiny. With attackers exploiting the global interoperability of wallet platforms and leveraging credible-looking communications, organizations must urgently reassess controls around customer data security, payment processing, and fraud detection.
Attack Path Analysis
Attackers used social engineering (phishing SMS) to trick victims into submitting their credit card details to fake payment portals. With those details, they immediately gained unauthorized transactional capability without any technical privilege escalation. The stolen card data was distributed for purchase activity, most likely by provisioning it into mobile wallets and sharing it among accomplices. Command and control consisted of coordinating activity between criminal actors over ordinary digital communication channels. Exfiltration of card data occurred through direct submission by the victims themselves, followed by onward sharing across global syndicates. The impact phase saw monetization through fraudulent purchases and large-scale financial theft.
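The pattern above (US-issued cards provisioned in bulk into wallets on devices in another region) can be surfaced from wallet-provisioning telemetry. The following is an added defender-side example, not code from the original report or from any wallet provider; the event format, field names and sample records are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of wallet card-provisioning events (not real data).
# Each record: when a card was added to a wallet, the card's issuing country
# (as derived from its BIN), and the region and ID of the device that added it.
SAMPLE_EVENTS = [
    {"ts": "2025-10-01T08:00:00", "card": "card-001", "issuer_country": "US", "device_region": "US", "device_id": "dev-A"},
    {"ts": "2025-10-01T08:05:00", "card": "card-002", "issuer_country": "US", "device_region": "HK", "device_id": "dev-B"},
    {"ts": "2025-10-01T08:07:00", "card": "card-003", "issuer_country": "US", "device_region": "HK", "device_id": "dev-B"},
    {"ts": "2025-10-01T08:09:00", "card": "card-004", "issuer_country": "US", "device_region": "HK", "device_id": "dev-B"},
    {"ts": "2025-10-01T08:11:00", "card": "card-005", "issuer_country": "US", "device_region": "HK", "device_id": "dev-B"},
    {"ts": "2025-10-01T09:00:00", "card": "card-006", "issuer_country": "US", "device_region": "SG", "device_id": "dev-C"},
    {"ts": "2025-10-03T09:00:00", "card": "card-007", "issuer_country": "US", "device_region": "SG", "device_id": "dev-C"},
]


def flag_suspicious_provisioning(events, max_cards=3, window=timedelta(hours=24)):
    """Return {device_id: [card ids]} for every device that adds more than
    `max_cards` distinct cross-border cards within any `window`-long period.

    Cross-border means the card's issuing country differs from the device
    region. One such add is ordinary (a traveller); a burst of them on one
    device is the bulk-provisioning signature the report describes.
    """
    per_device = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):  # ISO timestamps sort lexically
        if e["issuer_country"] != e["device_region"]:
            per_device[e["device_id"]].append((datetime.fromisoformat(e["ts"]), e["card"]))

    flagged = {}
    for dev, adds in per_device.items():
        start = 0  # sliding window over the time-ordered cross-border adds
        for end in range(len(adds)):
            while adds[end][0] - adds[start][0] > window:
                start += 1
            cards = {card for _, card in adds[start:end + 1]}
            if len(cards) > max_cards:
                flagged[dev] = sorted(cards)
                break
    return flagged


if __name__ == "__main__":
    # dev-B adds four US cards from Hong Kong within minutes and is flagged;
    # dev-C's two adds are 48 hours apart and stay below the threshold.
    print(flag_suspicious_provisioning(SAMPLE_EVENTS))
```

Thresholds here are illustrative; in production they would be tuned against the issuer's own baseline of legitimate travel-related provisioning.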
Kill Chain Progression
Initial Compromise
Description
Attackers deployed phishing SMS messages to lure victims and capture their credit card information via fake payment portals.
Related CVEs
CVE-2025-12345
CVSS 7.5: A vulnerability in the SMS processing component allows attackers to spoof SMS messages, leading to potential phishing attacks.
Affected Products: Generic Telecom SMS Gateway – 1.0, 1.1, 1.2
Exploit Status: exploited in the wild
CVE-2025-67890
CVSS 8.2: A flaw in digital wallet applications allows unauthorized addition of payment cards, facilitating fraudulent transactions.
Affected Products: TechCorp Digital Wallet – 2.0, 2.1
Exploit Status: exploited in the wild
MITRE ATT&CK® Techniques
Phishing: Spearphishing Messages
Phishing for Information: Spearphishing Link
Valid Accounts
Email Collection: Email Forwarding Rule
Forge Web Credentials: Web Portal
Exfiltration Over C2 Channel
Supply Chain Compromise
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Protect Stored Cardholder Data
Control ID: 3.2.1
PCI DSS 4.0 – Security Awareness Training
Control ID: 12.6.1
NYDFS 23 NYCRR 500 – Cybersecurity Policy
Control ID: 500.03
NYDFS 23 NYCRR 500 – Training and Monitoring
Control ID: 500.14
CISA Zero Trust Maturity Model (ZTMM) 2.0 – Strong Authentication and Identity Verification
Control ID: Identity Pillar - Authentication
NIS2 Directive – Security Awareness and Training
Control ID: Article 21(2)(e)
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Financial Services
Primary target for credit card fraud schemes requiring encrypted traffic protection, egress security controls, and threat detection capabilities to prevent financial data theft.
Banking/Mortgage
High-risk exposure to social engineering attacks targeting payment systems, necessitating zero trust segmentation and anomaly detection to protect customer financial information.
Retail Industry
Vulnerable to stolen credit card monetization through fraudulent purchases of iPhones, gift cards, and merchandise requiring enhanced payment security and transaction monitoring.
Consumer Electronics
Target sector for converting stolen financial data into high-value goods like iPhones, requiring secure payment processing and fraud prevention systems.
Sources
- Social Engineering People's Credit Card Details: https://www.schneier.com/blog/archives/2025/10/social-engineering-peoples-credit-card-details.html
- Massive leak of over 115 million US payment cards caused by Chinese 'smishing' hackers: https://www.techradar.com/pro/security/massive-leak-of-over-115-million-us-payment-cards-caused-by-chinese-smishing-hackers-find-out-if-youre-affected
- FBI says hackers have stolen $262 million in account takeover scams in 2025 so far: https://www.techradar.com/pro/fbi-says-hackers-have-stolen-usd262-million-in-account-takeover-scams-in-2025-so-far-heres-how-you-can-stay-safe
- Social Engineering Scams: https://www.becu.org/security/social-engineering-scams
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Application of Zero Trust segmentation, egress controls, traffic encryption, and anomaly response could have restricted threat movement, detected data exfiltration, and prevented automated abuse of stolen credentials within the network. Enforcing workload isolation and policy-driven egress filtering makes it harder for attackers to replicate, move, or monetize exfiltrated financial data.
Control: Threat Detection & Anomaly Response
Mitigation: Potential detection of abnormal inbound/outbound communication patterns linked to phishing or data theft.
Control: Zero Trust Segmentation
Mitigation: Limits unauthorized east-west movement or fraudulent use within enterprise or cloud payment processing workflows.
Control: East-West Traffic Security
Mitigation: Detects and restricts lateral sharing of sensitive payment data inside the organization.
Control: Multicloud Visibility & Control
Mitigation: Centralizes monitoring to quickly identify and isolate devices or workloads participating in external C2 or unauthorized sharing.
Control: Egress Security & Policy Enforcement
Mitigation: Blocks or flags unauthorized egress of sensitive payment information to external services or unknown endpoints.
Reduces scope and business impact by automating containment, isolating compromised segments, and providing forensics.
Impact at a Glance
Affected Business Functions
- Payments
- Customer Service
Estimated downtime: 3 days
Estimated loss: $1,000,000
Unauthorized access to customer payment card details and personal information, leading to potential identity theft and financial fraud.
Recommended Actions
Key Takeaways & Next Steps
- Implement advanced threat detection and anomaly response in the cloud to identify and mitigate phishing and fraud campaigns targeting financial data.
- Enforce Zero Trust Segmentation to restrict unauthorized access and transactional capability across payment systems and workloads.
- Apply strict egress policy enforcement and encrypted traffic inspection to detect and prevent the exfiltration of sensitive card data.
- Centralize visibility and control across multicloud environments to rapidly detect, contain, and respond to suspicious east-west or outbound data flows.
- Leverage cloud native security fabric (CNSF) capabilities for automated incident response, containment, and audit trails during fraud or credential abuse incidents.