Find notable cyber news and cases, enriched with sources, timelines, and signals.

Smishing Triad expanding SMS phishing campaign

Campaign
First reported
Last updated
Happening score
H score 30
1 unique sources, 1 articles

Summary

Hide ▲

The Smishing Triad is expanding a SMS phishing and fraud campaign that uses impersonation domains to steal data from individuals and organizations. The operation now mimics Fawry, Egypt Post, Careem, UnionPay and TikTok, broadening its lure set across consumer, payment and service brands. It also relies on Telegram promotion and customizable smishing kits that can be deployed quickly to virtual servers, increasing scale and speed.

Related Happenings

India's Ministry of Electronics and Information Technology acting under Section 69A of the IT Act Restricted access to Telegram nationwide and ordered message-editing disabled

Public Sector Action
H score71 First: 17.06.2026 16:12 Last: 17.06.2026 16:12 Sources 1

About this happening: India's **Ministry of Electronics and Information Technology** ordered a **nationwide Telegram restriction** under **Section 69A** through **June 22**, adding a separate requireme...

Outsider Enterprise-Outsider-Chinese cybercrime alliance reshapes ransomware ecosystem operations

Threat Actor Meta
H score69 First: 12.06.2026 21:59 Last: 12.06.2026 21:59 Sources 1

About this happening: The **Outsider Enterprise** is a **Chinese phishing-as-a-service** operation that used **Telegram**, **AI**, and distributed phishing kits to run large-scale brand-impersonation c...

Outsider Telegram-run smishing campaign targeting Americans

Campaign
H score53 First: 12.06.2026 21:59 Last: 12.06.2026 21:59 Sources 1

About this happening: The **Outsider Enterprise** happening is a **phishing-as-a-service** campaign tied to a **Chinese cybercrime network** that used **AI** and distributed phishing kits to impersonat...

Latest development: 14.06.2026 17:36

The FBI, working with Google and Black Lotus Labs, dismantled Outsider Enterprise, a Chinese phishing-as-a-service operation that used AI and distributed phishing kits to impersonate trusted brands in texts sent through AT&T, T-Mobile and Verizon. The takedown included seizures of administration servers, a Shopify e-commerce storefront, a testing account, around $100,000 USDT and a Telegram bot linked to the service, while Google pursued civil action and coordinated with carriers to block fraudulent messages.

AI-assisted Truman Show investment fraud campaign

Campaign
H score33 First: 09.01.2026 13:00 Last: 09.01.2026 13:00 Sources 1

About this happening: The **Truman Show** operation is an **AI-assisted investment fraud campaign** that uses **fake personas** and **attacker-controlled infrastructure** to lure victims into crypto sc...

TrickyWonders Wonderland distribution campaign targeting Uzbekistan users

Campaign
H score32 First: 22.12.2025 08:11 Last: 22.12.2025 08:11 Sources 1

About this happening: The **TrickyWonders** campaign is distributing **Wonderland** through fake **Google Play** pages, **Facebook** ads, dating-app lures, and **Telegram**, expanding risk to **users i...

Timeline

  1. 25.11.2025 18:00 2 articles · 7mo ago

    Smishing Triad expands fraudulent domains and Telegram smishing kits

    Initial Disclosure

    Dark Atlas identified a growing cluster of fraudulent domains impersonating Fawry, Egypt Post and Careem, and linked the broader Smishing Triad operation to additional pages spoofing UnionPay, TikTok and other services on shared hosting in AS132203 associated with Tencent’s facilities. The campaign relies on Telegram promotion and customizable phishing-as-a-service kits that can be rapidly deployed to virtual servers and automatically unpacked with templates for DHL, Evri, UPS, AT&T, Movistar, Vodafone, USPS, GOV.UK and Egypt Post. The same advisory also associates Darcula and Darcula 3.0 with large-scale spoofed domains, anti-detection features, a card-cloning tool and AI-driven automation.

    Show sources