Smishing Triad global smishing campaign with rapid domain churn

Campaign
H score: 33
3 unique sources, 3 articles

Summary

Smishing Triad is a large-scale, ongoing smishing campaign tied to more than 194,000 malicious domains registered since January 1, 2024 and used to push fraudulent toll and delivery lures at global scale. Reporting also links the broader ecosystem to Lighthouse, a phishing-as-a-service (PhaaS) platform, and says Google filed a lawsuit on 2025-11-12 to dismantle the infrastructure behind the kit. The campaign has affected over 1 million victims across 120 countries, and related scams have been associated with theft of up to 115 million payment cards in the U.S. between July 2023 and October 2024.

Related Happenings

Lucifer DaaS’s evolution into a commission-based drainer service platform

Threat Actor Meta
First: 21.05.2026 17:00 Last: 21.05.2026 17:00 Sources 1

About this happening: **Lucifer DaaS** has evolved into a **structured underground drainer platform**, shifting wallet theft from isolated phishing pages to a commission-based service model that scales...

Triad Nexus expands fraud ecosystem and shifts into emerging markets after 2025 US sanctions

Threat Actor Meta
First: 14.04.2026 15:00 Last: 14.04.2026 15:00 Sources 1

About this happening: **Triad Nexus** expanded its fraud ecosystem after **US Treasury sanctions in 2025**, increasing operational scale and shifting into **emerging markets**. The network’s use of **U...

Triad Nexus investment scam and brand impersonation campaign targeting emerging markets

Campaign
First: 14.04.2026 15:00 Last: 14.04.2026 15:00 Sources 1

About this happening: The **Triad Nexus** campaign is continuing to run **large-scale investment scams** and **brand impersonation**, expanding into **emerging markets** and driving higher fraud losses...

DPRK-linked cryptoasset theft campaign continuing into 2026

Campaign
First: 03.04.2026 11:35 Last: 03.04.2026 11:35 Sources 1

About this happening: The **DPRK-linked cryptoasset theft campaign** is continuing into **2026**, keeping **crypto and Web3** targets at risk of repeated theft and laundering activity. The operation us...

Tycoon 2FA-Storm-1747 ecosystem shift changes threat-actor operations

Threat Actor Meta
First: 05.03.2026 08:51 Last: 05.03.2026 08:51 Sources 1

About this happening: **Tycoon2FA** has evolved from a **subscription-based PhaaS** into a more resilient phishing service that now supports **device-code phishing** against **Microsoft 365** accounts....

Latest development: 17.05.2026 17:43

eSentire says Tycoon2FA now uses device-code phishing to target Microsoft 365 accounts, with invoice-themed lure emails carrying Trustifi click-tracking URLs that redirect through Trustifi, Cloudflare Workers, obfuscated JavaScript layers, and a fake Microsoft CAPTCHA page before sending victims to microsoft.com/devicelogin. The kit also adds anti-analysis defenses, including detection of Selenium, Puppeteer, Playwright, and Burp Suite, plus blocks for security vendors, VPNs, sandboxes, AI crawlers, and cloud providers.

Timeline

  1. 12.11.2025 22:59 · 1 article

    Google files lawsuit against Lighthouse PhaaS

    Legal Policy Action Update

    Google filed a lawsuit on 2025-11-12 to dismantle Lighthouse, a phishing-as-a-service platform used in smishing campaigns impersonating USPS and E-ZPass, alleging that the infrastructure affected over 1 million victims across 120 countries and seeking to shut down the website support behind the kit.
  2. 24.10.2025 21:35 · 2 articles

    Smishing Triad campaign begins broad smishing activity

    Campaign Scope Update

    The Smishing Triad campaign has been active since January 1, 2024, using fraudulent toll violation and package misdelivery notices to pressure mobile users into taking immediate action and submitting sensitive information across a wide range of services worldwide.
  3. 24.10.2025 21:35 · 1 article

    Unit 42 and Fortra disclose infrastructure scale and brokerage targeting

    Technical Analysis Update

    Unit 42 and Fortra reported that the Smishing Triad operation had evolved into a phishing-as-a-service ecosystem, with nearly 93,200 of 136,933 root domains registered under Dominet (HK) Limited and 194,345 FQDNs resolving to as many as 43,494 unique IP addresses. The attack infrastructure was concentrated on Cloudflare (AS13335) and other U.S. cloud services. Fortra also said phishing kits were increasingly targeting brokerage accounts to steal banking credentials and authentication codes, with attacks on those accounts rising fivefold in Q2 2025 compared with the same period last year.