Smishing Triad global smishing campaign with rapid domain churn
Campaign
Summary
Hide ▲
Show ▼
Smishing Triad is a large-scale, ongoing smishing campaign tied to more than 194,000 malicious domains registered since January 1, 2024 and used to push fraudulent toll and delivery lures at global scale. Reporting also links the broader ecosystem to Lighthouse, a phishing-as-a-service (PhaaS) platform, and says Google filed a lawsuit on 2025-11-12 to dismantle the infrastructure behind the kit. The campaign has affected over 1 million victims across 120 countries, and related scams have been associated with theft of up to 115 million payment cards in the U.S. between July 2023 and October 2024.
Related Happenings
Vo1d botnet campaign targeting unofficial Android-based TV boxes
Campaign
H score88
First: 18.06.2026 20:37
Last: 18.06.2026 20:37
Sources 1
About this happening:
**NetNut** used the **Popa botnet** and deceptive SDKs on **off-brand Android-based smart TVs**, streaming media boxes, and unofficial apps to turn home connections into **residen...
Vo1d botnet campaign targeting unofficial Android-based TV boxes
CampaignAbout this happening: **NetNut** used the **Popa botnet** and deceptive SDKs on **off-brand Android-based smart TVs**, streaming media boxes, and unofficial apps to turn home connections into **residen...
Latest development: 03.07.2026 12:35
Google disabled all Google accounts used by NetNut for malware command-and-control, updated Google Play Protect to warn Android users, and disabled apps containing the compromised SDKs. The FBI’s seizure banner appeared on netnut.com while netnut.io briefly remained accessible, and Google said the coordinated actions caused significant degradation to NetNut’s proxy network and business operations.
GitBait phishing campaign targeting Mexican banks
Campaign
H score20
First: 17.06.2026 17:00
Last: 17.06.2026 17:00
Sources 1
About this happening:
A **long-running GitBait phishing campaign** is stealing **banking credentials** from customers of **Mexican financial institutions**, using **GitHub Pages** and **SheetBest** to...
GitBait phishing campaign targeting Mexican banks
CampaignAbout this happening: A **long-running GitBait phishing campaign** is stealing **banking credentials** from customers of **Mexican financial institutions**, using **GitHub Pages** and **SheetBest** to...
Outsider Enterprise-Outsider-Chinese cybercrime alliance reshapes ransomware ecosystem operations
Threat Actor Meta
H score69
First: 12.06.2026 21:59
Last: 12.06.2026 21:59
Sources 1
About this happening:
The **Outsider Enterprise** is a **Chinese phishing-as-a-service** operation that used **Telegram**, **AI**, and distributed phishing kits to run large-scale brand-impersonation c...
Outsider Enterprise-Outsider-Chinese cybercrime alliance reshapes ransomware ecosystem operations
Threat Actor MetaAbout this happening: The **Outsider Enterprise** is a **Chinese phishing-as-a-service** operation that used **Telegram**, **AI**, and distributed phishing kits to run large-scale brand-impersonation c...
Outsider Telegram-run smishing campaign targeting Americans
Campaign
H score53
First: 12.06.2026 21:59
Last: 12.06.2026 21:59
Sources 1
About this happening:
The **Outsider Enterprise** happening is a **phishing-as-a-service** campaign tied to a **Chinese cybercrime network** that used **AI** and distributed phishing kits to impersonat...
Outsider Telegram-run smishing campaign targeting Americans
CampaignAbout this happening: The **Outsider Enterprise** happening is a **phishing-as-a-service** campaign tied to a **Chinese cybercrime network** that used **AI** and distributed phishing kits to impersonat...
Latest development: 14.06.2026 17:36
The FBI, working with Google and Black Lotus Labs, dismantled Outsider Enterprise, a Chinese phishing-as-a-service operation that used AI and distributed phishing kits to impersonate trusted brands in texts sent through AT&T, T-Mobile and Verizon. The takedown included seizures of administration servers, a Shopify e-commerce storefront, a testing account, around $100,000 USDT and a Telegram bot linked to the service, while Google pursued civil action and coordinated with carriers to block fraudulent messages.
FBI public service announcement on fake FIFA websites
Public Sector Action
H score21
First: 28.05.2026 22:08
Last: 28.05.2026 22:08
Sources 1
About this happening:
The **FBI** and security researchers warn that **FIFA-themed fraud** is already targeting **World Cup 2026** fans ahead of the **June 11 kickoff**. Reported activity includes **mo...
FBI public service announcement on fake FIFA websites
Public Sector ActionAbout this happening: The **FBI** and security researchers warn that **FIFA-themed fraud** is already targeting **World Cup 2026** fans ahead of the **June 11 kickoff**. Reported activity includes **mo...
Timeline
-
12.11.2025 22:59 1 articles · 7mo ago
Google files lawsuit against Lighthouse PhaaS
Legal Policy Action UpdateGoogle filed a lawsuit on 2025-11-12 to dismantle Lighthouse, a phishing-as-a-service platform used in smishing campaigns impersonating USPS and E-ZPass, alleging that the infrastructure affected over 1 million victims across 120 countries and seeking to shut down the website support behind the kit.
Show sources
- Google sues to dismantle Chinese platform behind global toll scams — www.bleepingcomputer.com — 12.11.2025 22:59
-
24.10.2025 21:35 2 articles · 8mo ago
Smishing Triad campaign begins broad smishing activity
Campaign Scope UpdateThe Smishing Triad campaign was active since January 1, 2024, using fraudulent toll violation and package misdelivery notices to pressure mobile users into taking immediate action and submitting sensitive information across a wide range of services worldwide.
Show sources
- Smishing Triad Linked to 194,000 Malicious Domains in Global Phishing Operation — thehackernews.com — 24.10.2025 21:35
- SMS Fraud Losses Set to Decline 11% in 2026 — www.infosecurity-magazine.com — 05.11.2025 12:15
-
24.10.2025 21:35 1 articles · 8mo ago
Unit 42 and Fortra disclose infrastructure scale and brokerage targeting
Technical Analysis UpdateUnit 42 and Fortra reported that the Smishing Triad operation had evolved into a phishing-as-a-service ecosystem with nearly 93,200 of 136,933 root domains registered under Dominet (HK) Limited, 194,345 FQDNs resolving to as many as 43,494 unique IP addresses, and attack infrastructure concentrated on Cloudflare (AS13335) and other U.S. cloud services; Fortra also said phishing kits were increasingly targeting brokerage accounts to steal banking credentials and authentication codes, with attacks on those accounts rising fivefold in Q2 2025 compared with the same period last year.
Show sources
- Smishing Triad Linked to 194,000 Malicious Domains in Global Phishing Operation — thehackernews.com — 24.10.2025 21:35