JANUARY 4, 2026
The Smishing Triad has become one of the most widespread and highly organized cybercrime syndicates active in 2024–2025, running high-volume smishing (text message phishing) attacks and fraud against postal, logistics and financial service providers worldwide. It uses more advanced techniques and tools than other commonly known cybercriminals and APTs to carry out these crimes. While the majority of APTs operating in this manner have a traditional espionage motive, the Smishing Triad is more of a hybrid operation whose primary focus is financial gain rather than the state-sponsored agenda the industry has historically associated with such groups. It focuses on making massive amounts of money by scamming consumers, taking advantage of their trust in public service brand names (e.g., the United States Postal Service (USPS), India Post, Egypt Post). Its operations were originally established in the East Asian region (i.e., China to Southeast Asia) but have now expanded globally to encompass the Middle East, North America and virtually every region in between.

The Smishing Triad is considered a transnational cybercriminal group based out of China and Southeast Asia, with affiliates located in the UAE, Egypt and India. Although the group does not receive funding directly from state sponsors, its methods of operation and structure have many similarities to those of APT groups, which indicates a high level of coordination among these groups within the operational space.
The year 2022, with a dramatic increase in its global activity by the mid-2024 period.
The main intention of the Smishing Triad is to profit from large-scale credential harvesting for use in payment fraud and identity theft. Selling such data for profit (in the form of laundering it on darknet marketplaces) is a secondary motivation for the group.
Initial Access and Lures
The Smishing Triad sends text messages that pretend to come from legitimate postal and banking organizations and include links to malicious websites. The messages are usually related to package deliveries, tax refunds, or bank verification. After clicking the link, the victim is sent to a fake website where personal information such as credit card details, Personal Identification Numbers (PINs), and One-Time Passwords (OTPs) is captured.
Infrastructure and Tooling
The Smishing Triad takes part in the underground economy by creating and distributing phishing kits that replicate USPS (United States Postal Service), India Post, Dubai Police, and Egypt Post, to name a few. These kits are networked using Telegram bots and transmit victim information back to the operator in real time.
Malware & Payloads
In addition to using smishing for basic phishing, the Smishing Triad has included APK (Android Package Kit) files disguised as package tracking applications. These APKs contain info-stealers that can gain access to the victim's SMS messages, contacts, and stored credentials, enabling SIM swapping and multi-factor authentication (MFA) bypass attacks.
Persistence & Monetization
The Smishing Triad uses stolen information to create databases and sells access to these databases on Telegram and on the dark web. The group has also been linked to the recruitment of money mules and the laundering of stolen assets through cryptocurrencies in regions including the UAE and Egypt.

By late 2024, the Smishing Triad was evolving to include artificial intelligence-based automation of its phishing tools, using botnets and SMS gateways that enable an organized crime group to send millions of localized scam messages per day. Its methods of operation point to an increase in localized scams built around the language, currency, and institutions of the target country. To illustrate this, in November 2024 the joint efforts of DarkAtlas and Resecurity identified a large number of registered domains that mimic the postal and financial portals of individual countries. The domains included phishing URLs that closely resembled the official Egypt Post and UAE Telecom URLs. The associated findings showed that the scam was part of a larger network of over 70 active domains hosted in Asia and Europe.
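A defender-side check for the lookalike links described above, as an added example that is not part of the original report: it extracts URLs from SMS text and flags any whose host carries a postal brand keyword without being on that brand's official domain. The allowlist, the confusable-character map and the sample messages (on reserved `.example` domains) are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Assumption: brand keyword -> official domains; maintain this per protected brand.
OFFICIAL = {
    "usps": {"usps.com"},
    "indiapost": {"indiapost.gov.in"},
}
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.I)
# Assumption: a small set of character swaps and separators used in lookalike hosts.
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "-": "", ".": ""})


def is_official(host, domains):
    """True if host is an official domain or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in domains)


def flag_sms(text):
    """Return [(url, brand)] for links that use a brand name off its official domain."""
    hits = []
    for raw in URL_RE.findall(text):
        url = raw.rstrip(".,;:!?)")           # drop sentence punctuation after the link
        try:
            parts = urlsplit(url)
        except ValueError:                     # malformed authority, e.g. a broken IPv6 literal
            continue
        host = (parts.hostname or "").rstrip(".").lower()
        # Normalise the whole authority so a brand placed in userinfo is seen too.
        squashed = parts.netloc.lower().translate(CONFUSABLES)
        for brand, domains in OFFICIAL.items():
            if brand in squashed and not is_official(host, domains):
                hits.append((url, brand))
    return hits


# Constructed sample messages, not taken from any real campaign.
SAMPLE_SMS = [
    "USPS: your tracking page is https://www.usps.com/track.",
    "Your parcel is held, pay the fee: https://u5ps-redelivery.example/pay",
    "India Post KYC update http://indiapost.gov.in.kyc-verify.example/",
    "Delivery failed https://usps.com@parcel.example/x",
]

if __name__ == "__main__":
    for sms in SAMPLE_SMS:
        print(flag_sms(sms), "<-", sms)
```

Keyword matching of this kind only covers brands on the allowlist and will miss links hidden behind URL shorteners, so it complements rather than replaces reputation and domain-age checks.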
Moreover, the Smishing Triad's phishing kits include JavaScript-based anti-bot tools to evade automated security scanning. The growing use of this method represents a substantial development in the collaboration of organized crime networks, which build such tools and sell them on the dark web.
The size and sophistication of the operations conducted by the Smishing Triad suggest that we are witnessing a paradigm shift in the way cybercriminals operate. They are capitalizing on the growing overlap between organized fraud and APT-style precision targeting and utilizing both technological vulnerabilities and human psychology to do so.
In Egypt and the UAE, the Smishing Triad's attacks disrupted postal payment services and led to thousands of accounts being taken over within the financial networks of those two countries. In India, the Smishing Triad's campaigns have enabled the group to harvest sensitive KYC and Aadhaar-linked data at a national scale. In the U.S., the spoofed USPS campaigns have eroded citizen trust in official government communications.
The evolution of the Smishing Triad from a regional player in the fraud world to a globally networked syndicate raises concerns about the commoditization of phishing-as-a-service (PhaaS). The Smishing Triad has developed an ecosystem in which it provides 'turnkey' solutions for local criminal affiliates to launch large-scale scams, leveraging a shared infrastructure model.
To reduce the impact of the Smishing Triad's campaigns, organisations and consumers must employ a multi-layered defence approach:
Conclusion
The Smishing Triad illustrates the ongoing evolution of cybercrime syndicates in the mobile sphere, combining scale, automation and social engineering techniques that target developed and emerging markets equally. Their activities provide an example of how 'phishing', the act of sending fraudulent emails, has gone from a single scam to 'phishing' on an industrial scale with global reach.
As law enforcement agencies and cybersecurity teams continue to work together, it is anticipated that the tactics employed by the Triad will continue to evolve, with a focus on AI-assisted targeting, cryptocurrency obfuscation, and the use of affiliate models across different regions. To adequately combat these adaptable criminal organisations, there must be proactive development of threat intelligence, a coordinated response between governments on a global scale, and a strong culture of digital vigilance among all end users.
You can download and review the sheet for all the details!
