Chinese Hackers Breach 12M-115M US Payment Cards via Smishing Attacks

Chinese hackers compromised 12.7 to 115 million US payment cards via smishing attacks from July 2023 to October 2024, bypassing bank firewalls by tricking victims into revealing data for tokenization in digital wallets. This operation, coordinated on Telegram, caused billions in losses and exposed vulnerabilities in mobile payment systems.
Written by Sara Donnelly

In a stunning revelation that underscores the evolving sophistication of cyber threats, security researchers have uncovered a massive operation by Chinese-speaking hackers who compromised between 12.7 million and 115 million U.S. payment cards without ever breaching a single bank’s firewall. This campaign, spanning from July 2023 to October 2024, relied on smishing—SMS-based phishing attacks—to trick victims into revealing sensitive information, which was then exploited to tokenize cards for fraudulent use in digital wallets like Apple Pay and Google Wallet.

The hackers built an elaborate underground network on Telegram, coordinating efforts through specialized channels that facilitated the distribution of smishing kits and the sharing of stolen data. According to a detailed report from TechRadar, these syndicates scaled their operations with infrastructure designed to evade detection, including automated platforms that sent millions of deceptive text messages posing as legitimate bank alerts.

Unraveling the Smishing Ecosystem: How Hackers Bypassed Traditional Defenses and Built a Shadow Economy

What makes this breach particularly alarming for industry insiders is the hackers’ exploitation of tokenization processes in mobile payment systems. By obtaining card details through smishing and then provisioning them onto virtual devices, the criminals bypassed multi-factor authentication (MFA) safeguards that banks typically rely on. Insights from GBHackers highlight how these groups, operating primarily in Chinese, orchestrated attacks that led to billions in financial losses, with stolen cards used for high-value transactions before detection.

The operation’s scale is unprecedented, potentially affecting a significant portion of the U.S. population. Researchers estimate that the lower bound of 12.7 million cards represents confirmed compromises, while the upper figure of 115 million accounts for suspected exposures based on the volume of smishing attempts. As detailed in Cyber Security News, the syndicates employed advanced evasion tactics, such as rotating phone numbers and using AI-driven bots to personalize phishing messages, making them harder to filter out.

The Human Element: Victims, Vectors, and the Role of Digital Wallets in Amplifying Risks

Victims often received texts claiming urgent account issues, prompting them to click links that led to fake login pages harvesting credentials. Once in possession of this data, hackers could add cards to digital wallets without triggering bank alerts, as tokenization creates a virtual card number separate from the physical one. A report by Hackread explains how this method allowed fraudsters to conduct transactions seamlessly, often draining accounts before users noticed.

For financial institutions, this exposes critical vulnerabilities in the tokenization ecosystem, where trust between banks, payment processors, and tech giants like Apple and Google is paramount. Industry experts note that while tokenization was designed to enhance security by replacing sensitive data with unique identifiers, it inadvertently created a loophole when combined with social engineering attacks like smishing.
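A defender-side illustration of the provisioning loophole described above, added here and not taken from the article or from any issuer's real controls: a small Python rule set that reviews wallet-provisioning events for the patterns the campaign relied on (a card number typed manually into a wallet on a device the cardholder has never used, a one-time code relayed unusually quickly from such a device, and one device provisioning many distinct cards within a short window). The event fields, the thresholds and the sample events are all assumptions constructed for the example.

```python
"""Heuristic review of digital-wallet provisioning (tokenization) requests.

Added illustrative example, not the article's or any issuer's code. The event
format, thresholds and sample events below are assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional


@dataclass
class ProvisionEvent:
    ts: datetime              # when the wallet asked the issuer to tokenize the card
    card_id: str              # issuer-internal card reference (never the PAN itself)
    device_id: str            # wallet device fingerprint reported to the issuer
    path: str                 # "manual_entry" (PAN typed into wallet) or "issuer_app" (push provisioning)
    otp_delay_s: Optional[int]  # seconds from OTP send to successful verification, None if no OTP
    known_device: bool        # has this cardholder provisioned to this device before?


# Constructed sample log: two ordinary events, one mildly unusual one, and a
# burst that looks like several stolen cards being loaded onto one fresh device.
T0 = datetime(2024, 3, 1, 9, 0, 0)
SAMPLE_EVENTS: List[ProvisionEvent] = [
    ProvisionEvent(T0, "card-A", "dev-1", "issuer_app", None, True),
    ProvisionEvent(T0 + timedelta(hours=1), "card-B", "dev-2", "manual_entry", 95, True),
    ProvisionEvent(T0 + timedelta(hours=2), "card-C", "dev-3", "manual_entry", 40, False),
    ProvisionEvent(T0 + timedelta(hours=3), "card-D", "dev-9", "manual_entry", 20, False),
    ProvisionEvent(T0 + timedelta(hours=3, minutes=2), "card-E", "dev-9", "manual_entry", 18, False),
    ProvisionEvent(T0 + timedelta(hours=3, minutes=5), "card-F", "dev-9", "manual_entry", 25, False),
]

# Thresholds are assumptions for the example; an issuer would tune them from its own data.
WINDOW = timedelta(minutes=30)      # look-back for the per-device card count
MAX_CARDS_PER_DEVICE = 2            # more distinct cards than this per device per window is suspicious
FAST_OTP_S = 30                     # an OTP verified this quickly from an unknown device suggests relay


def score_events(events: List[ProvisionEvent]) -> Dict[int, List[str]]:
    """Return {index_in_time_order: [reasons]} for events that merit manual review.

    Events are sorted by timestamp first, so indices refer to that order.
    """
    events = sorted(events, key=lambda e: e.ts)
    flags: Dict[int, List[str]] = defaultdict(list)
    by_device: Dict[str, List[tuple]] = defaultdict(list)

    # Per-event rules: how the card data reached the wallet and how the OTP behaved.
    for i, e in enumerate(events):
        by_device[e.device_id].append((e.ts, i))
        if e.path == "manual_entry" and not e.known_device:
            flags[i].append("manual PAN entry from a device this cardholder has never used")
        if e.otp_delay_s is not None and e.otp_delay_s <= FAST_OTP_S and not e.known_device:
            flags[i].append("OTP verified unusually fast from an unknown device")

    # Cross-event rule: one device collecting many different cards in a short window.
    for dev, seen in by_device.items():
        for ts, i in seen:
            recent = [j for (t, j) in seen if ts - WINDOW <= t <= ts]
            if len({events[j].card_id for j in recent}) > MAX_CARDS_PER_DEVICE:
                reason = (f"device {dev} provisioned more than {MAX_CARDS_PER_DEVICE} "
                          f"distinct cards within {WINDOW}")
                for j in recent:          # flag every event in the burst, once each
                    if reason not in flags[j]:
                        flags[j].append(reason)
    return dict(flags)


if __name__ == "__main__":
    for idx, reasons in sorted(score_events(SAMPLE_EVENTS).items()):
        ev = sorted(SAMPLE_EVENTS, key=lambda e: e.ts)[idx]
        print(f"{ev.ts:%H:%M} {ev.card_id} on {ev.device_id}: " + "; ".join(reasons))
```

In practice an issuer would run logic like this at the point where it approves or declines a wallet's token request, and would route flagged requests to a verification step the attacker does not already control, such as confirmation inside the bank's own app or a call-back, rather than the SMS one-time code that the smishing page has just captured. The per-device burst rule is the one most specific to this campaign: a single fresh device loading card after card is the footprint of stolen data being tokenized at scale, not of a cardholder setting up a new phone.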

Checking for Exposure: Tools, Precautions, and Broader Implications for Cybersecurity Strategies

To determine if you’re affected, experts recommend monitoring bank statements for unauthorized transactions and using services like Have I Been Pwned or credit monitoring tools from agencies such as Experian. SC Media advises enabling transaction alerts and avoiding responses to unsolicited texts, even if they appear legitimate.

The fallout from this incident could reshape regulatory approaches, with calls for stricter oversight on digital wallet provisioning and enhanced SMS filtering by carriers. As cybercriminals continue to innovate, banks and tech firms must collaborate more closely to fortify defenses against such hybrid threats, ensuring that the convenience of mobile payments doesn’t come at the cost of widespread vulnerability. This breach serves as a wake-up call, reminding insiders that the next frontier in cyber defense lies in countering human-targeted exploits as much as technological ones.
