Monday, November 10, 2025

Crypto-less Crypto Investment Scams: A California Case

My readers will know by now that I am addicted to PACER - the Public Access to Court Electronic Records.  When I see headlines like this one, I am compelled to dive in and read every publicly released document related to the case.  

USAO Central California

The headline last month was that Shengsheng He, a 39-year-old Chinese native living in La Puente, California (described as being a resident of Los Angeles and Mexico City) had been sentenced to 51 months in prison and ordered to pay restitution in the amount of $26,867,242. The press release quotes Matthew Galeotti from the Attorney General's office:

 "The defendant was part of a group of co-conspirators that preyed on American investors by promising them high returns on supposed digital asset investments when, in fact, they stole nearly $37 million from U.S. victims using Cambodian scam centers.  Foreign scam centers, purporting to offer investments in digital assets have, unfortunately, proliferated."

When talking about Crypto Investment Scams, they certainly have "proliferated." They are currently the number one form of cybercrime financial losses in America, for the third year in a row, according to the FBI's IC3.gov.  When we refer to these "Pig Butchering" scams as Crypto Investment Scams, it is easy to forget that many "crypto" scams still rely on the tried and true method of wire transfers to shell companies. When we first started exploring Romance Scams and their link to Business Email Compromise, the mostly Nigerian scammers referred to these as "Wire-wire jobs." A wire goes from the victim to a shell company, and a second wire goes from the shell company to the ultimate beneficiary of the crime. While West African Organized Crime continues unabated, Chinese Organized Crime has taken the top spot and is learning that many of the methods of their West African predecessors are still quite useful.
(figures from the ic3.gov 2024 report)

In the Shengsheng He case each of the victims believed that they were wiring money to fund their crypto investments.  Although the victims believed they had purchased cryptocurrency with these funds, those purchases cannot be traced on the blockchain because they never existed on the blockchain!  The first wire transfer went to any of the dozens of shell companies that had been set up across America under the direction of Lu Zhang, an illegal immigrant from China. (Zhang pled guilty to "conspiracy to commit money laundering" on 12NOV2024.)  The second wire in the "wire-wire" job would then send those funds to one of two bank accounts at Deltec Bank in the Bahamas in the name "Axis Digital Limited." Deltec Bank's website is titled "Deltec Bank: Ultra-Sophisticated Private Banking" and boasts of their "robust anti-money laundering framework." 

Axis Digital Limited served as an off-shore crypto exchange that seems to have been created for the purpose of taking "wire-wire" proceeds from Crypto Investment Scams and converting the funds to USDT before transferring them on to the Chinese Organized Crime gangs operating the scam centers in Sihanoukville, Cambodia.

The case is being prosecuted in the Central District of California in four parts.

Zhang, Wong, Walker, Zhu - Sea Dragon Trading & the Shell Companies

One of the cases focuses primarily on the network of US-based shell companies created to receive the wire transfers from the victims.  The victims believed they were funding their crypto investments, and would see "deposits" into their imaginary crypto investment accounts that corresponded to the amount of their wire transfers.  Court records show that "at least 284 transactions resulted in more than $80 Million in victim losses." The defendants in this case, with their ages as of December 14, 2023, were named in an initial press release entitled: "Four Individuals Charged with Laundering Millions from Cryptocurrency Investment Scams Known as 'Pig Butchering'" 
  • Lu Zhang - (36, of Alhambra) was sentenced to 24 months + $7,560,014 restitution
  • Joseph Wong - (32, of Rosemead) was sentenced to 51 months + $7,560,014 restitution
  • Justin Walker - (31, of Cypress) was sentenced to 30 months 
  • Hailong Zhu - (40, of Naperville, Illinois) has not been sentenced yet
Sea Dragon Trading, LLC and Sea Dragon Remodel, Inc were two of the companies created by Hailong Zhu, but the list of shell companies below collectively sent $20,083,987 in wires to Deltec Bank in the Bahamas:
• BFC REMODEL, LLC - 408 W Glendon Way, San Gabriel, CA 91776
• BFC SUPPLY, LLC - 408 W Glendon Way, San Gabriel, CA 91776
• CREATIVE HOMEGOODS, LLC - 823 W Huntington Dr. Apt B, Arcadia, CA 91007
• FUYU COMMERCE, LLC - 1140 S El Molino St, Alhambra, CA 91801
• GOOD LUCK TRADING, LLC - 2220 Falling Leaf Ave, Rosemead, CA 91770
• HONG'S TRADING, LLC - 1140 S El Molino St, Alhambra, CA 91801
• KAIS TEA SET SUPPLIES, LLC - 508 Bellows Ct, Diamond Bar, CA 91765
• LEADING CONSTRUCTION, LLC - (multiple - unsure)
• LJS REMODELING, LLC - 1441 Paso Real Ave SPC 254, Rowland Heights, CA 91748
• LJS SUPPLY, LLC - 650 W Duarte Rd Suite 100B, Arcadia, CA 91007
• LQH SUPPLY, LLC - 823 W Huntington Dr, Apt B, Arcadia, CA 91007
• MINGXING REMODEL, LLC - 4661 District Blvd, Vernon, CA 90058
• MINGXING TRADING, LLC - 2220 Falling Leaf Ave, Rosemead, CA 91770
• QAG TRADING, INC. - 8811 Garvey Ave, 202, Rosemead, CA 91770
• QAG TRADING, LLC - 3254 Evelyn Ave, Rosemead, CA 91770
• SEA DRAGON REMODEL, INC - 4661 District Blvd, Vernon, CA 90058
• SEA DRAGON TRADING, LLC - 1140 S El Molino St, Alhambra, CA 91801
• SHANGHAI FOOD & GROCERIES, LLC - 250 W Valley Blvd, Ste M, San Gabriel, CA 91776
• SUNRISE SUPPLY, LLC - 823 W Huntington Dr. Apt B, Arcadia, CA 91007
• XIEYUNZHU TRADING, INC - 1441 71st Street, Apt 1, Brooklyn, NY 11228
• YHM SUPPLY, LLC - 401 S Canyon Blvd Unit C, Monrovia, CA 91016
• YHM TRADING, LLC - 401 S Canyon Blvd Unit C, Monrovia, CA 91016
• YZX LUXURY, LLC - 1036 S Garfield Ave, B, Alhambra, CA 91801
• YZX TRENDING, LLC - 1036 S Garfield Ave, B, Alhambra, CA 91801

Li & Zhang - the Telegram Connection

In a second case, the defendants were: 
  • Daren Li, 41
  • Yicheng Zhang (39, of China) (sentenced to 18 months and $1,047,226 in restitution)
Zhang & Li controlled four additional shell companies: 
• B&C Commerce, LLC - 180 E Valley Blvd Ste 202, San Gabriel, CA 91776 
• Jimei Trading - 785 King St, San Gabriel, CA 91776 
• SMX Beauty, Inc. - 132 E Emerson Ave, Unit C, Monterey Park, CA 91755 
• SMX Travel, Inc. - 132 E Emerson Ave, Unit C, Monterey Park, CA 91755 

The DOJ described Daren Li as "41, a dual citizen of China and St. Kitts and Nevis, and a resident of China, Cambodia, and the UAE." He was arrested 12APR2024 at the airport in Atlanta.  The DOJ press release "Two Foreign Nationals Arrested for Laundering at Least $73M through Shell Companies Tied to Cryptocurrency Investment Scams" says that Li and Zhang (a resident of Temple City, California) "instructed co-conspirators in the laundering network to open bank accounts in the names of various shell companies. Once the victims sent funds to the shell companies, Li and Zhang monitored the lower-level co-conspirators who transferred the proceeds overseas to bank accounts at Deltec Bank in The Bahamas." The funds were then converted to cryptocurrency and sent to wallets, including at least one controlled by Li. 

Zhang's communications revealed "extensive coordination to facilitate the international money laundering, including chats discussing the commission structure for the network, various shell companies used, victim information, and at least one video from a co-conspirator calling a U.S. financial institution." 

Daren Li is described as being "the leader of the syndicate."  Daren used his Telegram id (@KG71777) to communicate with the Cambodia-based members of the conspiracy.  (Daren's email was: darren1575687@gmail.com).  In court documents, the primary USDT address of the conspiracy is referred to as "the TRteo" address (for the first five characters of the address.)  While TRteo is not an uncommon prefix, there are certainly very few such addresses that have received in excess of $39 Million in deposits, much less the higher number mentioned in the press release of $341 Million! In fact, there is only one. 

Chinese Blockchain intelligence company "BlockSec" blogged about that wallet on their QQ page.  Using their tool, MetaSleuth, they were able to successfully identify the full wallet address, TRteottJGH5caJyy9qFuM8EJJGGCpDaxx6.  The wallet became inactive on 29APR2024, but from its initial transaction on 16APR2021, more than $300 Million USD in more than 16,000 deposits  flowed through that address, including transactions to and from HuionePay. 

BlockSec QQ Post

Because Daren Li is described as being in control of this USDT wallet, it is generally considered that he was the leader of this entire enterprise. In July 2022, a meeting was held in Phnom Penh of the top leadership. Daren Li, JingLiang Su, Shengsheng He, and Jose Somarriba were all present.  Daren Li also controlled a Binance account that received at least $4.5 Million in USDT that originated from "Bahamas Account #2." He was also the source of funds to create that "Bahamas Account #2" at Deltec Bank by transferring $999,383 in USDT. 

Jose Somarriba, Axis Digital, and Itemized Victim Losses 

Jose Somarriba (55, of Los Angeles) (sentenced to 36 months and $26,867,242.44 in restitution) is being held responsible for the losses from 174 victims.  Those victims are listed by their initials and the dollar amounts that each had stolen from them.  The average victim lost $154,409.44!  (The median loss was $61,250.) The victims who had the most money stolen were in the amounts: $5,616,000; $2,340,000; and $1,030,279! Nine victims experienced a theft of $500,000 or more. 

(extract from loss amounts for 174 victims) 

Somarriba was a co-founder of Axis Digital, along with Shengsheng He and Jingliang Su.  He was the one who opened the "Bahamas Account #1" at Deltec Bank which received $36.9 million in wire transfers from American bank accounts. He prepared fraudulent KYC forms to present to the banks as well as being primarily responsible for converting Deltec funds to USDT and transferring the funds to Cambodia via a USDT wallet referred to as "TRteo" in the court documents. 

Jingliang Su - the Dubai Connection

The last of the linked cases is the case of Jingliang Su (44, of China and Turkey). Su was sentenced to 51 months in federal prison and to pay $26,867,242.44 in restitution.  

Preferring the name "James," Su resided in Dubai.  He was a director of Axis Digital and was a signatory to "Bahamas Account #1" at Deltec Bank. He is described as being "a citizen of China and St. Kitts and Nevis" and a resident of Cambodia, the UAE, and the People's Republic of China.

Friday, October 31, 2025

Transnational Organized Crime Gang Steals $1 Million from Ontario Couple

Today my LinkedIn feed and Google News filter are showing me several stories that illustrate how we are failing to stop online scammers from stealing from our elderly.  It starts with the headlines.

CTVNews:  Ontario seniors GIVE AWAY MORE THAN $1 MILLION to scammers.
CTVNews: Ontario couple LOSES MORE THAN $1 MILLION DOLLARS to fraud.
Toronto Only: A couple ... LOST MORE THAN $1 MILLION 
Daily Mail:  Elderly couple transfer $1m to online scammers despite warning from bank

The tone of several of these stories is victim shaming, and each leads with the wrong headline. They didn't "Give away" or "Lose" or "Transfer" these funds.  They were STOLEN FROM THEM.  

Illicit Call Centers: "Facebook Pop-Ups" 

One of the ways that we learn about how these scams play out is that we engage with scammers.  I'm not a professional scam baiter or anything close to it, but it is a useful research tool. When I read the story of the Ontario couple, I knew exactly the type of script that was being followed, because I experienced it last month.  Usually when I call an illicit call center on purpose, I am asked very quickly to give remote control of my computer to the scammers. But one day last month, the call followed a very different script than the primary ones to which I am accustomed.  It started with a Facebook advertisement.

In the top right corner of my Facebook homepage, I had two advertisements displayed: 


The goal of these advertisements is to make a less than wary Facebook user believe that they have unread messages that need to be attended to.  I actually wrote a longer piece for LinkedIn about this type of advertisement about six months ago.  See: "Dangerous Facebook Ads and Call Center Scams" on my LinkedIn page.  In this case, the "vendor" who is providing the Facebook Ads portion of this scam is almost certainly operating from Vietnam.  Crime is global.  Who knew?

Clicking the ad, in the incident that I experienced on October 17, 2025, led to exactly the same next steps as the ones I reported on April 24, 2025.  

A fake "Facebook Suspended" page (hosted on web.core.windows[.]net)

Whether you choose "Accept" or "Ignore" on this page, the next thing that happens is that your browser goes "Full Screen" and begins to play an audio warning on loop while displaying this Warning Page: 


Mouse clicking is disabled while an audio warning tells us our Facebook account is going to be deleted if we don't call the indicated number immediately.  I know that I can "Alt-F4" out of this message, but many users would not know how to do so. 

According to our friends at URLScan.io, they have received reports of the "Facebook Suspended" intermediate page in the scam delivery using 933 different URLs, most recently, today.  After a huge spike from November 2024 to January 2025, there has been a constant trickle of these nearly every day since ... often using Microsoft Azure nodes. 


URLScan.io statistics on this page.

Checking the Meta Ad Library, it is easy to see that a new round of these ads launched on October 29, 2025 (two days ago): 


The new ads redirect through a slightly different intermediary page (I have an incoming call from a pretty girl) and then tell me that "Microsoft Care has temporarily disabled your Internet connection" and that I need to call or my "Facebook and Internet accounts will be permanently disabled."

new intermediary page


new BSOD page as of 31OCT2025

Illicit Call Centers: Qualifying and "Recruiting"

When I placed my call to the scammers on October 17th, I have to admit to being a bit inspired by "Scammer Payback" as I had recently written about his work in breaking up a $65 Million Crime Ring.  I wrote about it in my post "Indian Call Center Scammers Partner with Chinese Money Launderers" on this blog. Following Pierogi's lead, I answered the scammers' questions as if I were a retiree.  (Don't let the grey beard fool you, I'm not!) 

The first thing the scammers had me do was to power off my computer. (I was playing an MP3 of their scam audio so they believed I was still on their "lock screen.") 

They asked me "Is this your own computer? or a work computer?"  I answered "Work computer? Heavens no!  I haven't worked in years!" 

Then they asked me "Do you know what an IP address is?"  I answered "No, I've never heard of an IT address, but my grandson works in IT ... is this related to him?" 

They gave me a very poor explanation of what an IP address is and then asked who my Internet carrier was.  I lied and told them a carrier that doesn't even offer services in my area. They "put me on a brief hold" during which I could hear people talking in Hindi to one another.  Then they came back and said "Yes, I see that your IP address is under investigation by (imaginary carrier)!" 

Then they asked me where I banked (I lied again) and whether I had an investment account (I lied again.) After putting me on another hold, they came back and said that my bank account was also under investigation.  After a few minutes, they came back and said (in a very grave voice) that unfortunately, I was under suspicion for distributing "child pornography" (an obsolete and inappropriate term for Child Sexual Abuse Materials). Unfortunately, they had no choice but to turn this matter over to the FBI.  Please hold as they were going to transfer me to the FBI Agent then.

As I denied having any involvement in CSAM materials, the FBI Agent very sternly yelled at me and asked me for my ZIP Code. 

Unfortunately I had a meeting to attend about then, so I disengaged, but I know the rest of that script.  The ZIP Code is so that they can look up the address of the nearest Bitcoin ATM from my house. 

This is the BEGINNING of what happened to "the Ontario Couple" (only of course they were speaking to a Royal Canadian Mounted Police Agent, rather than an FBI Agent.)

We have assisted in several of these cases -- twice involving the elderly relatives of my own students -- who were convinced over the course of many phone calls over many days -- that they needed to withdraw their cash from the bank, and in one case, put the cash in an overnight delivery box and ship it to a CVS store in the Chicago area. 

Why would they do that?  Because the FBI, convinced of their innocence, had asked their permission to use their bank account for a "sting" against a Mexican Drug Cartel. The "FBI Agent" in one case made them take an imaginary oath, similar to the oath one would take when being sworn into military service, that as part of the FBI's Undercover Operation, they were not allowed to speak to anyone about their secret mission.  Doing so would result in them being arrested and charged with Obstruction of Justice.

So when the bank says "Why are you withdrawing this money?" and they reply "Because I've decided to invest in Gold Bars" they are not "ignoring the warning of the bank" they are "following their orders as a sworn undercover agent assisting the FBI in breaking up a drug cartel!"  In the Ontario couple's case, the psychological oppression and manipulation continued for FIVE MONTHS as they had their money slowly stolen by a TransNational Organized Crime group who has perfected the art of manipulation. 

And in that scenario, the Daily Mail and CTV want to broadcast that these fools gave their money away to criminals despite the bank's warning and they want YOU to believe that is what happened.  

Shame on them!

Illicit Call Centers: Crime-As-A-Service (via Facebook)

How do these types of crimes begin?  To understand, it is necessary to start taking apart the illicit call center Crime-as-a-Service model that operates via Facebook Groups.  We've been talking about these for nearly a decade now and they are more active now than ever before. 

Here's an example of a scammer boasting that he offers calls on a "Pay Per Call" model for a variety of fraud types.  Facebook, Blue Screen of Death, Amazon, and PayPal. His point in sharing the Call Duration is to indicate that his calls are "sticky." That is, they are likely to have a long enough conversation to "sink the hook."  Calls from 1308 seconds (21 minutes) to 4765 seconds (79 minutes!) are likely to have been believable enough that there is time to have taken the scam to a financially rewarding level. 


"Sounds" posted their advertisements in groups such as: 
  • all about tech support
  • Genuine Techsupport calls and blocking
  • Tech support calls 
  • PPC Expert for Tech Support 
  • PPC Services for Tech Support
  • Tech Support Genuine Calls Kolkata/Delhi
  • Tech Support Calls Delhi/Noida/Chandigarh

Every piece of the criminal infrastructure needed to run these scams is available in these Crime-as-a-Service Facebook groups.  Whatever your Illicit Call Center needs, they can provide it.

Toll Free Numbers?
Fake invoices sent via PayPal?
Cash Pickup services in USA and Canada?
Zelle accounts to use for money laundering?

And of course as we have already mentioned, the Chinese Money Laundering Organizations are now offering their services inside the Indian Call Center CaaS Facebook groups as well ... (+852 = Hong Kong)


"Kevin" is in the Facebook groups that are more dedicated to the money laundering side of these transnational organized crime operations.  Groups like: 
  • Venmo,varo,paypal,zelle,cash 
  • PayPal, Venmo And Cash App Verification - 11,400 members
  • Paypal | Venmo | Zelle | G-Pay 24/7 Support - 2,100 members
That largest group has been "frozen by Admin" after we reported the popular "BuyAccounts" service that was offering to sell stolen bank accounts and advertiser accounts: 
"Norman Mike" was advertising an Indian telephone number despite attending the University of Johannesburg, living in London, and having an American flag as their cover image. 
https://www.facebook.com/norman.mike.7528/

I'll be sure to post an update on what happens when we suggest to Facebook that Norman Mike may be a fake account!

Illicit Call Centers:  STOP BLAMING THE VICTIM! 

In this Crime-as-a-Service infrastructure, Vietnamese programmers place the Facebook ads; they work with Indian "Lead Generators" who promise to send "Facebook Pay Per Call" telephone calls from potential victims to illicit call centers in India and Pakistan; those call centers use Pakistani-provided Toll Free Numbers to make the connection, and then use Chinese Money Laundering Organizations to pick up their cash. Could we agree that perhaps things are a bit more complicated than our average Ontario pensioner is able to tackle by themselves? 

When the Illicit Call Center's scripts and practices qualify the victim as an elderly high wealth pensioner and they are "recruited by the FBI or RCMP" it is entirely insufficient for the bank to say "Sir, this may be a scam" and then boast to the media how they provided an adequate warning!

Sunday, October 12, 2025

Our APWG eCrimes Paper on Tech Support Scam Facebook Groups

My colleague Raghavendra Cherupalli will be at APWG eCrime next month sharing a paper based on our research into the Facebook Groups where illicit Indian Call Centers share "Crime-as-a-Service" offerings with one another.

In our paper, "Classification of Cybercriminal Posts Using Large Language Models: A Comprehensive Study on Tech Support Scam Marketplaces," Raghavendra will be sharing how he and the team have categorized 380,000 posts from 90 of these groups to determine the nature and most prominent trends in these groups. Since our initial dataset was gathered, my colleagues at DarkTower have gathered nearly a million additional posts from hundreds of similar Facebook groups. (And yes, we've reported these groups to Meta, who has terminated a few dozen, but hundreds more reports were rejected as "not violating community standards.") We can't wait to get Raghavendra to run his analysis on the expanded dataset!

What type of groups and posts are we talking about? Here's a sampling:

"Buy Sell Popup Calls" says the 1700 member group was created "basically for both buyers and sellers to buy and sell the tech support pop up calls." The most recent post in that group, offering Facebook phishing kits, is by a user called "Hex Manual." We reported that post to Facebook, who responded that it does not violate Community Standards. (His post also includes a fake FTC phishing page.)

One of the posters in this group is Manoj Singh. His post advertises his email blasting services, where he sends emails imitating Geek Squad, PayPal, Norton, and Microsoft to cause calls going to the purchaser's illicit call center. 


Manoj is an admin of several groups and has posted his ads to at least 17 additional groups with 143,230 total members (as of 12OCT2025.)

Krati-Krati advertises that he can provide "Blue Screen of Death" calls filtered for people who are 50+ years old and pop-ups on iOS devices filtered for people who are 45+ years old.


Brijesh Mohan offers calls, but also provides Zelle, Google Pay, Apple Pay, Venmo, CashApp, and Canadian Interac accounts that can be used for money laundering quick payments from North American victims.


While these examples, and hundreds of thousands of similar ones, are easily obtainable, Raghavendra and his professors at the University of Tulsa, Tyler Moore, Yi Ting Chua, and Weiping Pei have developed some awesome tech for analyzing these messages in bulk. That is necessary to gain true understanding of these scams!

We'd be thrilled to have you attend his presentation!  With this year's conference in San Diego, it would be a great opportunity to attend an APWG eCrime Research event! Get your tickets and register here ==> https://apwg.org/events/ecrime2025

Friday, October 03, 2025

Scam Compound Operators: Members of The Four Great Families sentenced to death in China

(photo from BBC article "China sentences 11 members of mafia family to death")

On Monday this week, Chinese authorities sentenced to death 16 members of "The Four Families" for the multitude of crimes they committed while operating scam compounds in Northern Myanmar near the Chinese border. This was the culmination of an investigation that has been on-going since July 2023 and that we have been tracking primarily through Chinese Telegram channels that discuss the scam compounds.  Thirty-nine criminals were sentenced in the hearing. Eleven will be immediately executed, while five others have a two year reprieve, during which their sentences might be commuted to life in prison. Eleven more received life sentences, while the rest received sentences of between five and twenty-four years.  But who are The Four Families?  Read on . . .

The Incident at Crouching Tiger Villa - October 20, 2023

In Myanmar this is referred to as the "1020 Incident."  Crouching Tiger Villa, which is also called "Wohu Mountain Villa," was a telecom scam compound that covered 200 acres, and encompassed hotels, shopping malls, and buildings full of high tech equipment.  Ming Xuechang, who was the richest man in the Kokang Autonomous Region, had a private army of 2,000 men to help patrol and protect the area. On October 20th a large group of prisoners, forced to work as cyber scammers, rioted and attempted to escape.  In the ensuing chaos, Ming's troops began to fire into the crowd, killing at least 60 (some say 70.) Rumors indicate that some of those killed were undercover Chinese police officers, but some say this is based on the plot of a Chinese movie with a similar theme.  

As a result, on November 12, 2023, the Criminal Investigation Bureau of the Ministry of Public Security issued a reward notice, offering a cash incentive for four leaders of the Myanmar Kokang group headed by Ming.  Within just a few days, all four had been arrested! 

Ming Guoping, Ming Julan, and Ming Zhenzhen were turned over to the Chinese police


Myanmar hands over 10 crime bosses to the Chinese - January 30, 2024

The Record: Crime bosses behind Myanmar cyber 'fraud dens' handed over to Chinese government

(image from: X.com/johnwSEAP )

On December 10, 2023, China issued arrest warrants for Bai Suocheng and ten other key leaders of the Kokang Autonomous Region's telecom and internet fraud rings.  Working with Myanmar's Ministry of Foreign Affairs, six of the ten were arrested and on January 30, 2024, sent to China to answer for their crimes. 

These are the ten in the China warrant according to The Irrawaddy


Two leaders of the Bai Family were among those sent back to China. The Bai family operated many casinos around Laukkaing, especially "the Silver Palace." They had many construction and logistics firms that served their own needs and those of the other families. Bai's most famous brand was the "Yum! Brands" which operated several other casinos that served as scam compounds as well. 

Bai Suocheng -白所成
Bai Yingcang - 白应苍

The Wei family was led by Wei Chaoren ( 魏朝仁 ), operating chiefly from Kongyang Township.  They were significant players in telecom infrastructure and provided SIM Pools for the use of the families.  The Henry Group was the chief company of Wei Chaoren, as well as The Xiaozhu.

Arrested: 
Wei Huairen - 魏怀仁 

Remaining at large from the Wei family were: 
Wei Rong
Wei Qingsong 

The Liu family also operated from Kongyang and other nearby border towns. The Liu family came to wealth in the mining industry and controlled most of the mining in Kokang.  They were significant players in money laundering. Liu's primary casinos were operated under the name "Fully Light Group." Liu Guoxi has also been linked to organ trafficking. Liu Zhengxiang was the founder of the Fulilai Group back in 1992, which operates a number of casinos in the area. His predecessor, Liu Abao, was known to be a significant drug trafficker.

Arrested: 
Liu Zhengxiang - 刘正祥
Liu Zhengmao - 刘正茂

Remaining at large from the Liu family was: 
Liu Zhengmao 

Ministry of Public Security - May 27, 2024

Ministry of Public Security spokesman Li Guozhong gave a major update on the strategy "Four Specializations and Two Joint Efforts" and their results.  He said that over the past five years, they had worked 1.945 million telecom network fraud cases and that for eight months in a row, they had significant declines in fraud as a result of their efforts.  The operation, which began in July 2023, had specifically targeted the "Four Major Families" ( “四大家族” ) in Kokang and had brought to justice members of the Bai, Wei, Liu, and Ming families. 

In this press conference, Li mentions that Ming Zhenzhen ( 明珍珍  ) had also been taken into custody. 

Myanmar's Cooperation with China's Ministry of Public Security 

September 28, 2024 - The Ministry of Public Security announced that they had made key arrests in Yangon and Mandalay, and that 20 "telecom network fraud crime group leaders and key members" had been arrested and were being handed over to China.  These included Chen Mouwei ( 陈某卫 ) and Yang Mou ( 杨某 ). The press release at that time said that Chen and Yang had "relied on the Four Great Families" of Myanmar's Kokang region, as well as criminal groups "such as Xu Laofa ( 徐老发 )" in order to "control armed forces, set up telecom fraud dens, and carry out telecom network fraud crimes targeting Chinese citizens."  They were also said to be suspected of intentional homicide, intentional injury and other serious violent crimes. 

The Crouching Tiger Villa arrests - December 30, 2024

"Tracking down and investigating the truth! The story of the investigation into the Mingjia criminal group in northern Myanmar.  Chinese people are being 'traded' in northern Myanmar."

On December 30, 2024, China's Supreme People's Procuratorate published the first round of charges under the headline "Exposing the Northern Myanmar Mingjia Criminal Group's Fraud, Murder, and Drug-related Activities" ( 揭露缅北明家犯罪集团诈骗杀人涉毒解密数宗罪 ).  At that time, the Wenzhou Municipal court in Zhejiang Province charged 39 defendants, calling the Mingjia criminal group "one of the four major families in northern Myanmar."

They interviewed many victims, who told stories of the promises made to them by the "snakeheads" (a Chinese term for a human trafficker) and the reality they faced when they arrived.  One victim, Li Mouqian, from Guangdong, was sold to the Ming family and told he could buy his freedom for 300,000 Yuan. At Crouching Tiger Villa, he was expected to make 100 phone calls per day and to land three new victims of cyber scams each day.  If he failed to do so, he was beaten.  When he tried to escape with a colleague, he was beaten with steel pipes and his accomplice in the escape was beaten to death. 

The Ming family at that time was led by Ming Zhenzhen (明珍珍 ), the granddaughter of their founder Ming Xuechang (明学昌). Xuechang had been a part of Myanmar's Shan State legislature, representing the Kokang Self-Administered Zone as a member of the Union Solidarity and Development Party.  He was also in charge of the local police.  He controlled a personal army of at least 2,000 men. During a previous cross-border police action against Ming Xuechang, he shot himself rather than being captured, and died in the hospital leaving his granddaughter in charge. 

Between July 2023 and December 2024, the Chinese Ministry of Public Security managed to repatriate 53,000 telecom and internet fraud suspects from northern Myanmar. 


Tuesday, September 30, 2025

New Smish: New York Department of Revenue

 As I was visiting SmishTank to report the most recent SMish that I had received (an iMessage from a +27 South African telephone number claiming to be from ParkMobile) I noticed there had been many recent submissions from the New York Department of Revenue. SmishTank is operated by Professor Muhammad Lutfor Rahman, a colleague of mine from our time at UAB, and his student Daniel Timko from California State University San Marcos. 

SmishTank.com is a great resource for recent SMish!


Pennsylvania and Connecticut "Department of Revenue" also observed
The Utah State Tax Commission and the State of California Franchise Tax Board also seen

SMish that Hide from Wrong Browsers

If you visit any of the URLs that are reported by these "Tax Refund" phish, you'll find that they fail to load unless you are visiting from a phone. Researchers easily bypass this by using a "User Agent Switcher" which allows a browser, such as Chrome, to claim to be another device with a different browser.  By setting myself to be an "Android KitKat" version of Chrome, the pages render on my Windows PC just fine.  The User Agent Switcher also allows you to enter your own custom User Agents.  Today, this is the one I used ... 

Mozilla/5.0 (Linux; Android 4.4.2; Nexus 4 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1847.114 Mobile Safari/537.36

New York Department of Revenue Mobile Phish (SMish)

After switching my browser agent, I chose to visit "revenue.refundjpt[.]cc/notice" to get samples of the phish. The first thing that stands out is that despite the SMish all claiming to be the "New York Department of Revenue" the phishing website calls itself "Department of Taxation and Finance" and makes no reference to any specific state. 



The "Address" page of the phish starts by asking for a Social Security Number, which makes sense if you are interacting about taxation.  With most "bank" phish, that would be an immediate Red Flag, but people who are interacting about taxes would not be alarmed by this.  In the USA, your SSN is the primary identifier for taxes.  Although the "State" is pre-populated to "New York" the footer still references the California Penal Code. 



The next page tells me they would like to refund me $1120 and asks which Credit Card or Debit Card I would like to send the funds to.  The "Bank Routing" option is unavailable, apparently due to "system maintenance." 



The website is using the Luhn algorithm to confirm that the credit card number is valid.  Type any 16 digits starting with a 4 or a 5, then rotate the final number until it stops saying "invalid card number" in red and accepts the number.  My made up number was 4381 6621 8355 371_ and when I changed the last digit to a "6" it became an acceptable Credit Card number.  (I looked it up later, as this was entirely fictitious, but 438166 would mean my card was a Visa Credit Classic issued by Multicredit, S.A., in Guatemala.  Oops!  It's ok, the Chinese scammers didn't care.) 
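As an added example (not the phishing kit's code and not the author's), here is the Luhn arithmetic the page is performing, run against the author's made-up number from the paragraph above. It shows why exactly one final digit is ever accepted, and that a Luhn pass is only a typo check: it says nothing about whether a card was ever issued.

```python
"""Luhn check-digit arithmetic, as used by the phishing page to screen card
numbers before handing them to the operators.

Added example; the card number is the blog author's made-up one and is not
an issued card.  Luhn only catches transposition/typing errors.
"""


def luhn_sum(digits: str) -> int:
    """Luhn sum of a digit string that already includes its check digit.

    Walking from the right, every second digit is doubled and the digits
    of the product are summed (subtracting 9 is the same thing for 10..18).
    """
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit counted from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total


def luhn_valid(number: str) -> bool:
    """True when the full number (spaces allowed) passes the Luhn check."""
    digits = number.replace(" ", "")
    if not digits.isdigit() or len(digits) < 2:
        return False
    return luhn_sum(digits) % 10 == 0


def luhn_check_digit(payload: str) -> int:
    """The single digit that makes payload + digit Luhn-valid."""
    digits = payload.replace(" ", "")
    # Append a placeholder 0 so the payload lands in the right doubling
    # positions, then choose the digit that rounds the sum up to a multiple of 10.
    return (10 - luhn_sum(digits + "0") % 10) % 10


def digits_accepted_by_rotation(partial: str) -> list[int]:
    """Reproduce the author's experiment: try every final digit 0-9 and
    return the ones the form would accept.  There is always exactly one."""
    return [d for d in range(10) if luhn_valid(partial + str(d))]


if __name__ == "__main__":
    made_up = "4381 6621 8355 371"              # 15 digits, check digit missing
    print(luhn_check_digit(made_up))            # 6
    print(digits_accepted_by_rotation(made_up)) # [6]
    print(luhn_valid("4381 6621 8355 3716"))    # True
    print(luhn_valid("4381 6621 8355 3715"))    # False
```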

After this, the criminals sent a text message to the burner phone that I had provided in the Address block. This is a CRITICAL PART OF THEIR STRATEGY!

The "SERCURTITY" verification (yes, securTity) asks for my 6-digit code.  While they say this is because they want my tax refund to be secure, this code is actually the 2-Factor Authentication that allows them to add MY CREDIT CARD to THEIR PHONE's WALLET!




Unfortunately, Guatemala Multicredit SA must have let them know that my credit card didn't really exist, as it booted me back to the credit card page and asked for a different card. This actually happens even if you enter a VALID card.  Why?  The criminals are not interested in sending you a tax refund. They are interested in loading your debit and credit cards onto their phone in Bangkok (or wherever their "machine room" full of spam-sending phones is located.) If you will give them two cards, they will load two.  If you will give them three cards, they will steal all three.  

How does the Stolen Credit Card get used? 

They then deploy "Shoppers" to begin making purchases using your credit card which is now "Tap to Pay" ready on their phone!  The phone is in Bangkok?  No problem.  They use the software "X-NFC" to "remote tap," transmitting the card loaded on the wallet in Asia to the phone standing at the payment till at the Apple Store in Burbank.


I'm attaching a promotional video that the author shares on his Telegram channel.  In the video, the criminal has two phones "above" his Point of Sale device.  He links the NFC capability of one of the top phones to the bottom phone.  He then taps the top "linked phone" to an iPhone holding a credit card in his wallet.  The image of the card is transferred to the bottom phone, which he can then successfully tap on the Point of Sale device.  


In practice, the "bottom phone" would be somewhere in North America.  The person using that phone would call a collaborator in Asia to say they are ready to make a purchase.  The remote agent then taps one of the phones where your phished credit card is loaded.  That card is now "usable" on the phone in North America, whose holder taps the phone locally to make a payment using the credit card 7500 miles away! 

What Registrars, Hosts, and Domains are part of the current New York campaign?

These iMessage and RCS phish are part of a deployment server where criminals pay a monthly fee to use the phishing sites.  Each criminal can choose how and where they register their domains and how and where they host the phishing websites.  Because they are all renting access to the same catalog of phishing websites, the sites may look identical while having very different hosting and registration models.

In this case, the main set of domains is registered at "Dominet (HK) Limited" while the hosting is more difficult since they are hiding behind Cloudflare's Reverse Proxy service.  The bulk of that group's domains for this campaign were registered on September 27, 2025. 

The New York campaign used the hostname "revenue" with URLs using this pattern: 


Another group of domains, which was first seen on September 26th and includes 28 domains, some of which were registered today, was also registered at Dominet (HK) Limited and also hiding behind Cloudflare uses the pattern: 


And yet another domain pattern, also registered at Dominet (HK) Limited and also hiding behind Cloudflare uses this pattern: 



refundfg[.]cc was actually a State of Florida tax refund scam, which began about 11 days ago.  That campaign differed from this one in that it was hosted openly at TENCENT (AS132203, IP: 170.106.160.91) and shifted to using a different domain pattern: 
revenue.refuAXCV[.]cc
revenue.refuREWJ[.]cc
revenue.refuDZSA[.]cc

Pivoting on that IP address, we can use Zetalytics' ZoneCruncher to look at the passive DNS and find many other domains.  Our TenCent phisher who is doing the New York Tax phish is clearly also doing Pennsylvania, and Minnesota! The Passive DNS also shows us other host and domain patterns for New York. 
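The post's point in this section is that lexically identical domain families can sit on very different registration and hosting, so grouping by name alone is not enough. The following is an added example (not the author's tooling and not ZoneCruncher) that clusters defanged URLs by the longest stem they share with other domains, plus registrar and hosting; the domain records are constructed in the post's hxxps/[.] style to mimic the described pattern and are not the real indicators, and "Registrar-B (placeholder)" stands in for a value the post does not give.

```python
"""Cluster look-alike phishing domains by shared stem plus infrastructure.

Added example.  Records below are constructed (hostname "revenue", a stem
plus a short varying suffix, .cc TLD, defanged) and are NOT the real
campaign indicators.  Registrar/hosting values are whatever WHOIS and
passive DNS would return; Registrar-B is a placeholder.
"""
import re
from collections import defaultdict

MIN_STEM = 3    # fewer than 3 leading characters is not a reusable stem
MIN_SHARED = 1  # a stem must occur in at least one other label

SAMPLE = [  # constructed sample data
    {"url": "hxxps://revenue.refundaa[.]cc/notice", "registrar": "Dominet (HK) Limited", "hosting": "Cloudflare"},
    {"url": "hxxps://revenue.refundbb[.]cc/notice", "registrar": "Dominet (HK) Limited", "hosting": "Cloudflare"},
    {"url": "hxxps://revenue.refundcc[.]cc/notice", "registrar": "Dominet (HK) Limited", "hosting": "Cloudflare"},
    {"url": "hxxps://revenue.payaaa[.]cc/notice", "registrar": "Dominet (HK) Limited", "hosting": "Cloudflare"},
    {"url": "hxxps://revenue.paybbb[.]cc/notice", "registrar": "Dominet (HK) Limited", "hosting": "Cloudflare"},
    {"url": "hxxps://revenue.refuaaaa[.]cc", "registrar": "Registrar-B (placeholder)", "hosting": "Tencent AS132203"},
    {"url": "hxxps://revenue.refubbbb[.]cc", "registrar": "Registrar-B (placeholder)", "hosting": "Tencent AS132203"},
]


def host_from_url(url: str) -> str:
    """Refang hxxps:// and [.] and return the lowercase host part."""
    url = url.replace("hxxp", "http").replace("[.]", ".")
    return re.sub(r"^https?://", "", url).split("/")[0].lower()


def split_host(host: str) -> tuple[str, str, str]:
    """'revenue.refundaa.cc' -> ('revenue', 'refundaa', 'cc')."""
    labels = host.split(".")
    if len(labels) < 3:
        labels = [""] + labels      # bare domain, no hostname label
    return ".".join(labels[:-2]), labels[-2], labels[-1]


def stem_templates(slds: list[str]) -> dict[str, str]:
    """Map each second-level label to 'stem*', where stem is the longest
    prefix (>= MIN_STEM chars, shorter than the label) that at least
    MIN_SHARED other labels also start with.  Unshared labels stay as-is."""
    counts: dict[str, int] = defaultdict(int)
    for s in slds:
        for k in range(MIN_STEM, len(s)):
            counts[s[:k]] += 1
    out = {}
    for s in slds:
        stem = ""
        for k in range(MIN_STEM, len(s)):
            if counts[s[:k]] > MIN_SHARED:
                stem = s[:k]        # keep extending while still shared
        out[s] = stem + "*" if stem else s
    return out


def cluster(records: list[dict]) -> dict[tuple, list[str]]:
    """Group by (host label, stem template, tld, registrar, hosting), so the
    same-looking family on different infrastructure forms separate clusters."""
    hosts = [host_from_url(r["url"]) for r in records]
    parts = [split_host(h) for h in hosts]
    templ = stem_templates([sld for _, sld, _ in parts])
    groups: dict[tuple, list[str]] = defaultdict(list)
    for rec, host, (label, sld, tld) in zip(records, hosts, parts):
        groups[(label, templ[sld], tld, rec["registrar"], rec["hosting"])].append(host)
    return {k: sorted(v) for k, v in groups.items()}
```

On the sample this yields three clusters: refund* and pay* on Dominet/Cloudflare, and refu* on the Tencent-hosted placeholder registrar, mirroring how the post separates the Florida campaign from the New York ones.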



Sunday, September 28, 2025

SMS Pools and what the US Secret Service Really Found Around New York

Last week the United Nations General Assembly kicked off in New York City.  On the first day, a strange US Secret Service press conference revealed that they had seized 300 SIM Servers with 100,000 SIM cards. Various media outlets jumped on the idea that this was some state-sponsored sleeper cell waiting to destroy telecommunication services around New York.  Like me, you may have immediately wondered why some of the photos showed sophisticated racks of servers on shelves while others showed a hodgepodge of devices strewn about the bare floor of an otherwise empty apartment. 

photos extracted from USSS reporting

SIM Pools on Telegram 

Beginning in late 2024, every cell phone in the USA started getting hit hard with annoying messages claiming to be informing us of undelivered packages. In early 2025, this morphed into the famous "Toll Road" phishing messages which started off with messages supposedly about unpaid tolls in Massachusetts Easy Pass and now imitate every toll road system in America. Because the goals of these SMishing messages were to load credit cards onto phones and use them to steal money, DarkTower spent quite a bit of time studying the infrastructure, which is primarily advertised and sold in Telegram channels that we call "Chinese Guarantee Syndicates." I've conducted several briefings about these systems, and have mentioned previously in this blog how they sell SMS-blasting telecom equipment (See: Chinese SMS Spammers Go Mobile).

The devices found around the NYC tri-state area are a slightly different application of SMS-blasting.

The most famous of the Chinese Guarantee Syndicates, Haowang Guarantee, is part of the US-sanctioned Huione Pay, "The Largest Illicit Online Marketplace" according to Elliptic and WIRED. Haowang has shifted their business to Tudou Danbao, but their vendors continue to offer SMS Modem Pools and associated hardware and software as part of their Crime-as-a-Service empire.  Here's an ad for one such vendor (with its translation):



Let's look at the Telegram channel of Annie, a China-based seller of SMS equipment.  (In Chinese, these are called "Cat Pools" -- I'll explain why at the bottom of this article.)  Most of the posts I'll show are from Chinese-language Telegram channels, so I'll include an English translation.

@Annie068a operates a channel dedicated to selling SMS Gateway equipment

Annie offers SMS Modem Pools in a variety of sizes

SMS Modem Pools have a variety of configurations.  The most basic has 8 modem ports with slots for one SIM card each. On the opposite end of the scale is a 64 port modem with capacity for 512 SIM cards. (Many of those found by the USSS seem to be 32-port modems with 256 SIM cards.) When there are more SIM cards than modem ports, message sending rotates between SIM cards. 

What does Annie suggest you might use your SMS Pool for?  Mostly "Marketing."

The concept, as Annie explains, is that you can route messages from anywhere in the world and have them sent from an SMS pool sitting in the United States and being sent from a US-based SIM, thus having a US telephone number displayed in the caller id.

SMS Pools for Fraud and Phishing

Other Telegram channels are more blatant in suggesting the type of "Marketing" that one might do with the ability to send Bulk SMS messages to other countries.  The Telegram channel "Mini Bulk SMS" provides examples, such as imitating the Irish bank AIB to send phishing messages, or imitating BMF in Austria, Binance in Italy, or doing an Apple refund scam in the US. In SouthEast Asia a major use of Bulk SMS is advertising to gamblers. 

An English-speaking Bulk SMS provider, KathyBulkSMS, is also quite blatant about the criminal nature of the messages she suggests.  Her service also has the ability to send using "Short Message Code" caller IDs. She particularly recommends imitating Coinbase if spamming in the US and says that her recent campaign, sending 170,000 such messages via Verizon, AT&T, and T-Mobile, was "very effective."


Kathy gives other examples, such as imitating Binance and National Australia Bank for the Australian market, but her channel has suggestions for many countries, including Netflix and Crypto campaigns for:  🇬🇷Greece 🇵🇹Portugal 🇦🇹Austria 🇮🇪Ireland 🇯🇵Japan 🇸🇰Slovakia 🇰🇷South Korea and 🇪🇸Spain.
 

Cheap SMS Modem Pools and Cheaper SIMs

Not to bust the "Nation-state" theories too hard, but this gear is ridiculously cheap. You can buy most of it used on places like eBay, but the various business-to-business services like "Made In China" have great prices.  Here are a couple examples: a 16-modem 512 SIM-slot 4G SMS Gateway is $1,000.  A 64-modem 512 SIM-slot 4G/3G/2G offering send and receive SMS can range from $2,400 to $4,000 depending on the configuration and software included.


But what about the SIM cards? Don't worry, there are many Facebook groups, and many more Telegram channels that will hook you up. The Telegram user @Zoom557 posts to many Facebook groups using the new criminal-friendly "Anonymous Poster" service. On Telegram he is excited about the new $5 SIM cards offered 

BaronLiu also uses Facebook to push his Telegram SIM card offerings. 
Here are a few of the Facebook groups (all in Chinese) that specialize in SIM card selling. Notice the sizes: 2500 members, 3600 members, 6400 members, and 8700 members. Most of these groups also offer mass account creation and social media spamming services. 


One Telegram vendor of SIM cards was proud to be supplying a variety of US SIM cards.


The same vendor shared the photo below.  This isn't USSS in New York.  This is a deployment in Thailand using a SIM pool to provide Thai-WhatsApp numbers to customers around the world. 



Do eSIMs change the game? Durov has you covered: 

Never one to shy away from offering anonymized criminal services to the masses, Pavel Durov has announced that you can now buy world-wide eSIMs from a special app inside Telegram called @Mobile. After choosing your region and country, you choose the eSIM you want, and then can purchase it paying with Pavel's built-in cryptocurrency, TON, or a credit card if you want to be easily traced by law enforcement.


What about those SMS Cats? 

One of the earliest "famous" SMS-phishers who was doing Toll Road phishing was "Darcula." When Darcula's server was unavailable in the summer of 2024, he recommended people use the server "magic-cat.world" to upgrade their software.  Darcula also used a cat as his Telegram profile image.

Darcula was well-and-truly doxed by the excellent researchers at Mnemonic.io -- Erlend Leiknes and Harrison Sand.  I've spoken to them both and they did a great job tearing apart Darcula's code and mapping out the credit card theft associated with it!  

While Darcula was certainly a major player, "Little Gray Cat" was my favorite SMisher at the beginning of our work.  He loved to show off his "Machine Room" full of iPhones all sending automated (and end-to-end encrypted) Toll Road and Package non-Delivery phish.

It wasn't until recently that I realized the story of why our SMS phishers have so many "Cat-named" things has to do with the slang for the word "modem." The Chinese term for modem is 调制解调器 (tiáo zhì jiě tiáo qì). Because that's quite a mouthful, young techies began to refer to their modem simply as 猫 (māo).  Here are some of the "Cat" terms I've learned in this research:


A "Cat Card" is a SIM card.  This is the term to search on Chinese Telegram to find people selling SIM cards and related services. 

An "SMS Cat" is a device hosting an SMS number either for "marketing/phishing" or for "verification farming." (Verification Farming uses the destination-country SMS number to receive authentication codes. Group-IB's excellent "SMS Pumping" article mentions that "In late 2022, Elon Musk revealed that Twitter was losing around $60 million per year due to SMS pumping fraud. The activity was attributed to 390 telecom operators that allowed bot accounts to exploit Twitter's two-factor authentication (2FA) system, generating fake SMS traffic to inflate their own revenue.")

A "Cat Control Platform" is the software, hosted on Windows or Linux, that connects to the 

A "Cat Number" is a virtual number ... it may be in an SMS Pool, but it might also be a Google Voice number or other virtual number. 

A "Cat Pool" as we've already discussed, is an SMS Modem Pool.