
Smishing Triad

Also known as: Smishing-Triad, Lighthouse Enterprise

Smishing Triad is a Chinese-speaking, China-linked, financially motivated cybercriminal ecosystem and phishing-as-a-service (PhaaS) operation active since at least 2023. Google refers to the group behind its Lighthouse platform as the "Lighthouse Enterprise." The group runs large-scale SMS and other mobile-message phishing campaigns against users worldwide, with victims reported in more than 120 countries. Reported lures include fraudulent toll violation notices, failed package deliveries, unpaid fee alerts, fraud alerts and other brand-impersonation themes designed to harvest credentials, banking details, payment card data, Social Security numbers and other sensitive information.

The operation is tied to phishing kits and sub-ecosystems including Lighthouse, Darcula and Lucid, which reporting describes as parts of one loosely connected China-based smishing ecosystem. Lighthouse is repeatedly described as a Smishing Triad offering, and Google's reporting names its operators the "Lighthouse Enterprise." Darcula is described as operated by Smishing Triad and used for global mass-targeting smishing over SMS, RCS and iMessage. Reporting also notes that CoGUI shares similarities with this ecosystem and that Panda Shop builds on tactics originally associated with Smishing Triad; Panda Shop, however, is described as a separate China-based smishing platform rather than a formal subgroup.

Targets and impersonation themes span toll road agencies, USPS and other postal and delivery services, banks, healthcare organizations, online payment platforms, law enforcement, social media services, cryptocurrency exchanges, investment and brokerage firms, government services, telecom providers and regional service providers. Specific impersonated brands and entities named in reporting include E-ZPass, USPS, UPS, DHL, Google, Gmail, YouTube, Google Play, TikTok, UnionPay, GOV.UK, Egypt Post, Fawry and Careem.
Reporting also notes expansion into Egypt through spoofed domains targeting major Egyptian service providers.

Tactics and tradecraft described in reporting include mass smishing over SMS, Apple iMessage and Android RCS, including the use of compromised Apple iCloud accounts to bypass message filtering; rapid domain churn and large-scale malicious domain registration; phishing templates and site-building tooling; Telegram-based promotion, administration and support; infrastructure rotation and evasion features that reduce exposure to browser warnings and Safe Browsing; and regional tailoring of lures using large datasets. Palo Alto Networks Unit 42 describes the ecosystem as highly decentralized, with specialized roles including phishing-kit developers, data brokers, domain sellers, hosting providers, spammers, liveness scanners and blocklist scanners.

Infrastructure and tooling details include the use of Lighthouse to generate and deploy smishing campaigns at scale, hundreds of counterfeit templates (more than 100 of them Google-themed), and rapid creation of fraudulent websites. Unit 42 traced roughly 194,000 to 195,000 malicious domains registered since January 2024 to Smishing Triad activity, with USPS the most impersonated single service and toll services the largest impersonated category.

Breakglass Intelligence reported the operation still active at scale in 2026 and identified a Javalin/Kotlin-based phishing kit hosted on Alibaba Cloud in Singapore. The kit exfiltrated stolen data server-side to Telegram and relied on wildcard DNS, rapid Let's Encrypt certificate issuance and Host-header-based routing, so that one server behind one IP could serve any number of throwaway hostnames, plus a WebSocket admin panel. That reporting attributes Lighthouse and its core tooling to Wang Duo Yu and states that an obfuscated backdoor in the distributed kit code exfiltrated operators' Telegram bot tokens to infrastructure controlled by Wang Duo Yu, giving that infrastructure access to the victim data stolen by kit deployments.

The group has been linked to significant fraud outcomes.
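The tradecraft above (brand impersonation in bulk-registered domains, wildcard DNS in front of a Host-header-routed kit) is something a defender can look for in hostname telemetry. The following is an added example, not code from Mallory, Unit 42 or Breakglass Intelligence: it scores candidate hostnames (as they would arrive from certificate-transparency or DNS logs) for brand and lure tokens, and infers wildcard DNS from passive-DNS records in which many random-looking labels under one registrable domain resolve to one IP. The brand, lure and TLD lists, the thresholds and all sample records are constructed assumptions.

```python
"""Heuristic triage of smishing infrastructure candidates.

Added example (not Mallory's, Unit 42's or Breakglass Intelligence's code). Brand, lure
and TLD lists, thresholds and every sample record are constructed assumptions.
"""
import math
import re
from collections import Counter, defaultdict

# Assumed impersonation targets: brand token -> registrable domains that legitimately use it.
BRAND_TOKENS = {"usps": {"usps.com"}, "ezpass": {"e-zpass.com"},
                "ups": {"ups.com"}, "dhl": {"dhl.com"}}
# Assumed lure vocabulary from toll/delivery smishing themes.
LURE_WORDS = {"toll", "violation", "unpaid", "fee", "delivery", "redeliver", "parcel", "track"}
# Assumed TLDs that are cheap to register in bulk (illustrative, not a blocklist).
CHEAP_TLDS = {"top", "xyz", "cc", "vip", "icu", "cfd", "shop", "club"}


def registrable(host: str) -> str:
    """Naive eTLD+1 (last two labels). A real tool should consult the Public Suffix
    List so that 'brand.co.uk' is not reduced to 'co.uk'."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def tokens(host: str) -> list[str]:
    """Word tokens of a hostname, split on dots, hyphens, underscores and digits."""
    return [t for t in re.split(r"[.\-_\d]+", host.lower()) if t]


def brand_hits(host: str) -> list[str]:
    """Brands whose token appears in a hostname that is not one of the brand's own domains.
    Exact token matches always count; substring matches only for brands of 4+ characters,
    so a short token like 'ups' does not fire on 'cups' or 'groups'."""
    reg, toks = registrable(host), tokens(host)
    squashed = [re.sub(r"[-_\d]", "", label) for label in host.lower().split(".")]
    return [brand for brand, legit in BRAND_TOKENS.items() if reg not in legit
            and (brand in toks or (len(brand) >= 4 and any(brand in s for s in squashed)))]


def score_domain(host: str) -> tuple[int, list[str]]:
    """Return (score, reasons); higher means more likely a smishing landing domain."""
    score, reasons = 0, []
    reg = registrable(host)
    for brand in brand_hits(host):
        score += 3
        reasons.append(f"brand:{brand}")
    lures = sorted({t for t in tokens(host) if t in LURE_WORDS})
    if lures:
        score += min(len(lures), 2)
        reasons.append("lure:" + ",".join(lures))
    if reg.rsplit(".", 1)[-1] in CHEAP_TLDS:
        score += 1
        reasons.append("tld")
    if host.count("-") >= 2:
        score += 1
        reasons.append("hyphens")
    return score, reasons


def entropy(s: str) -> float:
    """Shannon entropy in bits per character."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def looks_random(label: str) -> bool:
    """Letters and digits mixed, 6+ chars, spread-out character distribution: the kind of
    label a liveness/blocklist scanner or a wildcard probe generates."""
    return (len(label) >= 6 and any(c.isdigit() for c in label)
            and any(c.isalpha() for c in label) and entropy(label) >= 2.5)


def wildcard_candidates(pdns, min_labels: int = 5) -> list[str]:
    """pdns: iterable of (hostname, ip). Flag registrable domains where at least min_labels
    distinct random-looking leftmost labels resolve to one IP, which is how a wildcard
    record in front of a Host-header-routed kit appears in passive DNS."""
    seen = defaultdict(set)  # (registrable domain, ip) -> {random-looking labels}
    for host, ip in pdns:
        host = host.lower().rstrip(".")
        reg = registrable(host)
        if host == reg:
            continue
        leftmost = host[: -len(reg) - 1].split(".")[0]
        if looks_random(leftmost):
            seen[(reg, ip)].add(leftmost)
    return sorted({reg for (reg, _), labels in seen.items() if len(labels) >= min_labels})


def triage(hostnames, pdns, min_score: int = 4) -> dict[str, dict]:
    """Combine both checks; returns flagged registrable domains with their evidence."""
    wild = set(wildcard_candidates(pdns))
    out = {}
    for host in hostnames:
        score, reasons = score_domain(host)
        reg = registrable(host)
        if score >= min_score or reg in wild:
            out[reg] = {"score": score, "reasons": reasons, "wildcard": reg in wild}
    return out


# Constructed sample data: invented hostnames, documentation IP ranges.
CT_SAMPLE = ["usps-toll-fee-pay.top", "ezpass-violation.cc", "tracking.usps.com",
             "cups-store.com", "example.org"]
PDNS_SAMPLE = [(f"{label}.usps-toll-fee-pay.top", "203.0.113.10")
               for label in ("x7q2k9", "a3f8d1zz", "m0p4w2", "q9z1x5", "b7n3v1", "www")]
PDNS_SAMPLE += [("www.usps.com", "198.51.100.5"), ("tools.usps.com", "198.51.100.5"),
                ("informeddelivery.usps.com", "198.51.100.6")]
```

On the constructed sample, triage() flags usps-toll-fee-pay.top (brand, two lure words, cheap TLD, hyphens, wildcard inferred) and ezpass-violation.cc, while tracking.usps.com scores zero because its registrable domain is the brand's own. The passive inference is only a hint; the direct confirmation is an active probe, resolving a freshly invented label under the suspect domain (for example dig +short some-random-label.suspect-domain.top) and seeing whether it answers at all.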
Google stated that Lighthouse-related activity harmed more than 1 million victims globally and alleged theft of between 12.7 million and 115 million U.S. payment cards. Additional reporting ties Smishing Triad activity to carding, merchant fraud, brokerage-account targeting and stock manipulation schemes run through compromised accounts. Chainalysis highlighted an E-ZPass phishing campaign attributed to the group as part of broader industrialized fraud trends. Known aliases and related names in reporting include Smishing-Triad and Lighthouse Enterprise.

MITRE ATT&CK

Tradecraft

10 distinct techniques observed across reporting, grouped by tactic (4 of 15 tactics; 16 technique and sub-technique entries listed below).

TA0042 Resource Development (3 techniques)
  T1583 Acquire Infrastructure
    T1583.001 Domains
    T1583.003 Virtual Private Server
  T1585 Establish Accounts
    T1585.002 Email Accounts
  T1608 Stage Capabilities
    T1608.005 Link Target

TA0001 Initial Access (2 techniques)
  T1199 Trusted Relationship
  T1566 Phishing
    T1566.001 Spearphishing Attachment
    T1566.002 Spearphishing Link
    T1566.003 Spearphishing via Service

TA0005 Defense Evasion (1 technique)
  T1036 Masquerading
    T1036.005 Match Legitimate Resource Name or Location

TA0010 Exfiltration (1 technique)
  T1567 Exfiltration Over Web Service
    T1567.003 Exfiltration to Text Storage Sites
IOCs

Observables

22 indicators attributed to this actor: domains, IPs, hashes and other artifacts pulled from reporting. Indicator values are not shown on this page.

ACTIVITY FEED

Recent activity

20 sources tracked across advisories, community write-ups and news.


Smishing Triad | Mallory