Stratos Ally

Inside the $1B Smishing Triad: How 194,000 Fake Domains Fueled a Global Scam


StratosAlly


A new wave of text-message scams has gone viral, but not the TikTok kind. Palo Alto Networks’ Unit 42 has uncovered a massive, ongoing smishing operation that has spun up more than 194,000 malicious URLs across about 136,000 root domains since January 2024, with estimated losses of more than US $1 billion from luring victims into fake toll-fee and delivery-notice traps.

The culprit? A syndicate dubbed the “Smishing Triad,” tied to Chinese-registered nameservers. Think of it as a cybercrime startup running a full-blown Phishing-as-a-Service (PhaaS) empire. The group registers thousands of throwaway domains through a Hong Kong-based registrar using Chinese nameservers, but fronts them with U.S. cloud infrastructure, primarily Cloudflare, which masks the true hosting and slows takedowns.

Unit 42’s analysis shows the scale of the chaos: 68 percent of the domains were tied to the registrar Dominet (HK) Limited, and most were live for under a week, rotating out before blocklists catch up. The scammers mostly impersonate the U.S. Postal Service (28,000+ fake domains) and toll services (roughly 90,000), sending texts that scream “urgent payment” or “missed delivery” to bait users into handing over card details, banking credentials or MFA codes.

Researchers say the Triad has evolved from selling phishing kits to running an industrial-grade ecosystem. Behind the scenes are kit developers, data brokers, spammers and hosting providers: basically a cyber-factory churning out scams faster than they can be taken down.

The campaign extends globally (120+ countries/regions), and in Q2 2025 alone, brokerage-account attacks tied to this infrastructure jumped five-fold compared to Q2 2024. Some hacked accounts were even used for “ramp-and-dump” stock manipulation, turning stolen logins into market-moving cash. 

Security experts warn that the campaign’s short-lived domains and decentralized structure make takedowns a game of whack-a-mole. The best defense? Don’t trust “urgent” texts. Verify messages through the official app, or by typing the organization’s address yourself rather than tapping the link, and remember: if your phone pings in panic, pause before you tap.
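The campaign traits described above (brand lookalike domains, urgency lures, domains that live for days rather than years) can be turned into a simple triage rule for incoming texts. The script below is an added example, not Unit 42 tooling or anything from the report; the sample messages, the domain-registration dates and the toll-operator allowlist are constructed for illustration (only usps.com is a real legitimate domain), and in practice the registration dates would come from WHOIS/RDAP lookups.

```python
"""Heuristic triage for toll-fee / delivery-notice smishing texts.

Added example, not Unit 42 code. Sample SMS, the domain-age table and the
toll allowlist are constructed; only usps.com is a real legitimate domain.
"""
import re
from datetime import date
from urllib.parse import urlsplit

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)

# Urgency / lure phrases typical of the toll-fee and delivery-notice lures.
LURE_PHRASES = (
    "urgent", "final notice", "missed delivery", "unpaid toll",
    "suspended", "redeliver", "pay now", "within 24 hours",
)

# Brand token -> registrable domains that legitimately carry it.
# usps.com is real; the toll entry is a constructed placeholder.
LEGIT_DOMAINS = {
    "usps": {"usps.com"},
    "toll": {"example-tollauthority.gov"},  # constructed, not a real operator
}

YOUNG_DOMAIN_DAYS = 7  # most Triad domains were live for under a week


def registrable_domain(host):
    """Last two labels of a hostname (ignores public-suffix rules like co.uk)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def lookalike_brand(domain):
    """Brand token the domain impersonates, or None if it is a legitimate domain
    or carries no watched token."""
    for token, legit in LEGIT_DOMAINS.items():
        if token in domain and domain not in legit:
            return token
    return None


def triage_sms(text, today, registered=None):
    """Score one SMS. `registered` maps registrable domain -> registration date
    (supplied by the caller; a real deployment would query WHOIS/RDAP)."""
    registered = registered or {}
    reasons, score = [], 0
    lower = text.lower()

    hits = [p for p in LURE_PHRASES if p in lower]
    if hits:
        score += min(len(hits), 2)  # cap so wording alone cannot convict
        reasons.append("lure phrases: " + ", ".join(hits))

    domains = []
    for url in URL_RE.findall(text):
        host = urlsplit(url).hostname
        if not host:
            continue
        domain = registrable_domain(host)
        domains.append(domain)
        brand = lookalike_brand(domain)
        if brand:
            score += 3  # strongest signal: brand token on a non-brand domain
            reasons.append(f"{domain} impersonates {brand}")
        reg = registered.get(domain)
        if reg is not None and (today - reg).days < YOUNG_DOMAIN_DAYS:
            score += 2
            reasons.append(f"{domain} registered {(today - reg).days} day(s) ago")

    return {"score": score, "suspicious": score >= 3,
            "domains": domains, "reasons": reasons}


# Constructed samples: two lures in the campaign's style and one benign notice.
SAMPLE_SMS = [
    "USPS: Your package could not be delivered. Redeliver now: "
    "https://usps-redelivery-fee.example/pay",
    "FINAL NOTICE: unpaid toll balance. Pay now within 24 hours to avoid "
    "suspension https://toll-pay-notice.example/",
    "USPS: Your package has been delivered. Track at "
    "https://tools.usps.com/go/TrackConfirmAction",
]
TODAY = date(2025, 10, 14)
REGISTERED = {  # constructed registration dates
    "usps-redelivery-fee.example": date(2025, 10, 12),
    "toll-pay-notice.example": date(2025, 10, 13),
    "usps.com": date(1990, 1, 1),  # stand-in for a long-established domain
}


def triage_samples():
    """Run the triage over the constructed samples."""
    return [triage_sms(s, TODAY, REGISTERED) for s in SAMPLE_SMS]


if __name__ == "__main__":
    for sms, result in zip(SAMPLE_SMS, triage_samples()):
        print(result["score"], result["suspicious"], result["reasons"])
```

The brand-lookalike check carries the most weight because it is the trait that does not change when the gang rotates wording or TLDs; the lure-phrase score is capped so a legitimate "your delivery was missed" notice on a real domain is not flagged on wording alone. A production version would replace the two-label domain split with a public-suffix list and feed domain age from RDAP.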

