Sunday, October 12, 2025

Our APWG eCrimes Paper on Tech Support Scam Facebook Groups

My colleague Raghavendra Cherupalli will be at APWG eCrime next month sharing a paper based on our research into the Facebook Groups where illicit Indian Call Centers share "Crime-as-a-Service" offerings with one another.

In our paper, "Classification of Cybercriminal Posts Using Large Language Models: A Comprehensive Study on Tech Support Scam Marketplaces," Raghavendra will be sharing how he and the team have categorized 380,000 posts from 90 of these groups to determine the nature of, and the most prominent trends in, these groups. Since our initial dataset was gathered, my colleagues at DarkTower have gathered nearly a million additional posts from hundreds of similar Facebook groups. (And yes, we've reported these groups to Meta, who has terminated a few dozen, but hundreds more reports were rejected as "not violating community standards.") We can't wait to get Raghavendra to run his analysis on the expanded dataset!

What type of groups and posts are we talking about? Here's a sampling:

"Buy Sell Popup Calls" says the 1700 member group was created "basically for both buyers and sellers to buy and sell the tech support pop up calls." The most recent post in that group, offering Facebook phishing kits, is by a user called "Hex Manual." We reported that post to Facebook, who responded that it does not violate Community Standards. (His post also includes a fake FTC phishing page.)

One of the posters in this group is Manoj Singh. His post advertises his email blasting services, where he sends emails imitating Geek Squad, PayPal, Norton, and Microsoft to cause calls going to the purchaser's illicit call center. 


Manoj is an admin of several groups and has posted his ads to at least 17 additional groups with 143,230 total members (as of 12OCT2025.)

Krati-Krati advertises that he can provide "Blue Screen of Death" calls filtered for people who are 50+ years old, and pop-ups on iOS devices filtered for people who are 45+ years old.


Brijesh Mohan offers calls, but also provides Zelle, Google Pay, Apple Pay, Venmo, CashApp, and Canadian Interac accounts that can be used to launder quick payments from North American victims.


While these examples, and hundreds of thousands of similar ones, are easily obtainable, Raghavendra and his professors at the University of Tulsa, Tyler Moore, Yi Ting Chua, and Weiping Pei have developed some awesome tech for analyzing these messages in bulk. That is necessary to gain true understanding of these scams!

We'd be thrilled to have you attend his presentation!  With this year's conference in San Diego, it would be a great opportunity to attend an APWG eCrime Research event! Get your tickets and register here ==> https://apwg.org/events/ecrime2025



Friday, October 03, 2025

Scam Compound Operators: Members of The Four Great Families sentenced to death in China

(photo from BBC article "China sentences 11 members of mafia family to death")

On Monday this week, Chinese authorities sentenced to death 16 members of "The Four Families" for the multitude of crimes they committed while operating scam compounds in Northern Myanmar near the Chinese border. This was the culmination of an investigation that has been on-going since July 2023 and that we have been tracking primarily through Chinese Telegram channels that discuss the scam compounds.  Thirty-nine criminals were sentenced in the hearing. Eleven will be immediately executed, while five others have a two-year reprieve, during which their sentences might be commuted to life in prison. Eleven more received life sentences, while the rest received sentences of between five and twenty-four years.  But who are The Four Families?  Read on . . .

The Incident at Crouching Tiger Villa - October 20, 2023

In Myanmar this is referred to as the "1020 Incident."  Crouching Tiger Villa, which is also called "Wohu Mountain Villa" was a telecom scam compound that covered 200 acres, and encompassed hotels, shopping malls, and buildings full of high tech equipment.  Ming Xuechang, who was the richest man in the Kokang Autonomous Region had a private army of 2,000 men to help patrol and protect the area. On October 20th a large group of prisoners, forced to work as cyber scammers, rioted and attempted to escape.  In the ensuing chaos, Ming's troops began to fire into the crowd, killing at least 60 (some say 70.) Rumors indicate that some of those killed were undercover Chinese police officers, but some say this is based on the plot of a Chinese movie with a similar theme.  

As a result, on November 12, 2023, the Criminal Investigation Bureau of the Ministry of Public Security issued a reward notice, offering a cash incentive for four leaders of the Myanmar Kokang group headed by Ming.  Within just a few days, all four had been arrested! 

Ming Guoping, Ming Julan, and Ming Zhenzhen were turned over to the Chinese police


Myanmar hands over 10 crime bosses to the Chinese - January 30, 2024

The Record: Crime bosses behind Myanmar cyber 'fraud dens' handed over to Chinese government

(image from: X.com/johnwSEAP )

On December 10, 2023, China issued arrest warrants for Bai Suocheng and ten other key leaders of the Kokang Autonomous Region's telecom and internet fraud rings.  Working with Myanmar's Ministry of Foreign Affairs, six of the ten were arrested and on January 30, 2024, sent to China to answer for their crimes. 

These are the ten in the China Warrant according to the Irawaddy


Two leaders of the Bai Family were among those sent back to China. The Bai family operated many casinos around Laukkaing, especially "the Silver Palace." They had many construction and logistics firms that served their own needs and those of the other families. Bai's most famous brand was the "Yum! Brands" which operated several other casinos that served as scam compounds as well. 

Bai Suocheng -白所成
Bai Yingcang - 白应苍

The Wei family was led by Wei Chaoren ( 魏朝仁 ), operating chiefly from Kongyang Township.  They were significant players in telecom infrastructure and provided SIM Pools for the use of the families.  The Henry Group was the chief company of Wei Chaoren, as well as The Xiaozhu.

Arrested: 
Wei Huairen - 魏怀仁 

Remaining at large from the Wei family were: 
Wei Rong
Wei Qingsong 

The Liu family also operated from Kongyang and other nearby border towns. The Liu family came to wealth in the mining industry and controlled most of the mining in Kokang.  They were significant players in money laundering. Liu's primary casinos were operated under the name "Fully Light Group." Liu Guoxi has also been linked to organ trafficking. Liu Zhengxiang was the founder of the Fulilai Group back in 1992, which operates a number of casinos in the area. His predecessor, Liu Abao, was known to be a significant drug trafficker.

Arrested: 
Liu Zhengxiang - 刘正祥
Liu Zhengmao - 刘正茂

Remaining at large from the Liu family was: 
Liu Zhengmao 

Ministry of Public Security - May 27, 2024

Ministry of Public Security spokesman Li Guozhong gave a major update on the strategy "Four Specializations and Two Joint Efforts" and their results.  He said that over the past five years, they had worked 1.945 million telecom network fraud cases and that for eight months in a row, they had significant declines in fraud as a result of their efforts.  The operation, which began in July 2023, had specifically targeted the "Four Major Families" ( “四大家族” ) in Kokang and had brought to justice members of the Bai, Wei, Liu, and Ming families. 

In this press conference, Li mentions that Ming Zhenzhen ( 明珍珍  ) had also been taken into custody. 

Myanmar's Cooperation with China's Ministry of Public Security 



September 28, 2024 - The Ministry of Public Security announced that they had made key arrests in Yangon and Mandalay, and that 20 "telecom network fraud crime group leaders and key members" had been arrested and were being handed over to China.  These included Chen Mouwei ( 陈某卫 ) and Yang Mou ( 杨某 ). The press release at that time said that Chen and Yang had "relied on the Four Great Families" of Myanmar's Kokang region, as well as criminal groups "such as Xu Laofa ( 徐老发 )" in order to "control armed forces, set up telecom fraud dens, and carry out telecom network fraud crimes targeting Chinese citizens."  They were also said to be suspected of intentional homicide, intentional injury and other serious violent crimes. 

The Crouching Tiger Villa arrests - December 30, 2024

"Tracking down and investigating the truth! The story of the investigation into the Mingjia criminal group in northern Myanmar. Chinese people are being 'traded' in northern Myanmar."

On December 30, 2024, China's Supreme People's Procuratorate published the first round of charges under the headline "Exposing the Northern Myanmar Mingjia Criminal Group's Fraud, Murder, and Drug-related Activities" ( 揭露缅北明家犯罪集团诈骗杀人涉毒解密数宗罪 ).  At that time, the Wenzhou Municipal court in Zhejiang Province charged 39 defendants, calling the Mingjia criminal group "one of the four major families in northern Myanmar."

They interviewed many victims, who told stories of the promises made to them by the "snakeheads" (a Chinese term for a human trafficker) and the reality they faced when they arrived.  One victim, Li Mouqian, from Guangdong, was sold to the Ming family and told he could buy his freedom for 300,000 Yuan. At Crouching Tiger Villa, he was expected to make 100 phone calls per day and to land three new victims of cyber scams each day.  If he failed to do so, he was beaten.  When he tried to escape with a colleague, he was beaten with steel pipes and his accomplice in the escape was beaten to death. 

The Ming family at that time was led by Ming Zhenzhen (明珍珍 ), the granddaughter of their founder Ming Xuechang (明学昌). Xuechang had been a part of Myanmar's Shan State legislature, representing the Kokang Self-Administered Zone as a member of the Union Solidarity and Development Party.  He was also in charge of the local police.  He controlled a personal army of at least 2,000 men. During a previous cross-border police action against Ming Xuechang, he shot himself rather than being captured, and died in the hospital leaving his granddaughter in charge. 

Between July 2023 and December 2024, the Chinese Ministry of Public Security managed to repatriate 53,000 telecom and internet fraud suspects from northern Myanmar. 


Tuesday, September 30, 2025

New Smish: New York Department of Revenue

As I was visiting SmishTank to report the most recent SMish that I had received (an iMessage from a +27 South African telephone number claiming to be from ParkMobile) I noticed there had been many recent submissions claiming to be from the "New York Department of Revenue." SmishTank is operated by Professor Muhammad Lutfor Rahman, a colleague of mine from our time at UAB, and his student Daniel Timko from California State University San Marcos. 

SmishTank.com is a great resource for recent SMish!


Pennsylvania and Connecticut "Department of Revenue" also observed
The Utah State Tax Commission and the State of California Franchise Tax Board also seen

SMish that Hide from Wrong Browsers

If you visit any of the URLs that are reported by these "Tax Refund" phish, you'll find that the server returns nothing useful unless the request appears to come from a phone; the kit is gating on the browser's User-Agent header. Researchers easily bypass this by using a "User Agent Switcher" extension, which allows a browser, such as Chrome, to claim to be another device with a different browser.  By setting myself to be an "Android KitKat" version of Chrome, the pages render on my Windows PC just fine.  The User Agent Switcher also allows you to enter your own custom User Agents.  Today, this is the one I used ... 

Mozilla/5.0 (Linux; Android 4.4.2; Nexus 4 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1847.114 Mobile Safari/537.36
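The mobile-only gate described above, reconstructed as an added example (this is not code from the original post or from the phishing kit; the kit's server-side check is not visible, so the token list and the 404-for-desktops behaviour are assumptions that mirror what was observed). The second half builds a request that presents the KitKat User-Agent from the post, which is what the browser extension does for you.

```python
import re
import urllib.request

# The KitKat-era Chrome string quoted in the post.
KITKAT_UA = ("Mozilla/5.0 (Linux; Android 4.4.2; Nexus 4 Build/KOT49H) "
             "AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1847.114 "
             "Mobile Safari/537.36")

# A desktop Chrome string (constructed) of the kind the kit turns away.
DESKTOP_UA = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
              "(KHTML, like Gecko) Chrome/129.0.0.0 Safari/537.36")

# Assumption: the gate keys on the usual phone tokens. "Mobi" also covers
# "Mobile". iPadOS 13+ Safari reports itself as a Mac and would be turned away.
_PHONE_TOKENS = re.compile(r"Android|iPhone|iPad|Mobi", re.I)


def looks_like_phone(user_agent: str) -> bool:
    """True if this User-Agent would pass a mobile-only gate."""
    return bool(_PHONE_TOKENS.search(user_agent or ""))


def gate_response(user_agent: str) -> int:
    """Mimic the kit: serve the phish (200) to phones, deny (404) everyone else.
    The exact denial the real kit sends is not stated in the post; 404 is assumed."""
    return 200 if looks_like_phone(user_agent) else 404


def build_request(url: str, user_agent: str = KITKAT_UA) -> urllib.request.Request:
    """Build a request that presents the chosen User-Agent and a US locale."""
    return urllib.request.Request(
        url,
        headers={"User-Agent": user_agent, "Accept-Language": "en-US,en;q=0.9"},
    )


def fetch_as_phone(url: str, user_agent: str = KITKAT_UA, timeout: float = 15.0) -> bytes:
    """Fetch a live phishing URL while claiming to be a phone.
    Only run this from an isolated analysis VM, never from a workstation."""
    with urllib.request.urlopen(build_request(url, user_agent), timeout=timeout) as resp:
        return resp.read()
```

The User-Agent is only one of the filters these kits can apply; some also geofence on source IP or check Accept-Language, so when a page still refuses to render after switching the User-Agent, try a US-based egress before concluding the domain is dead.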

New York Department of Revenue Mobile Phish (SMish)

After switching my browser agent, I chose to visit "revenue.refundjpt[.]cc/notice" to get samples of the phish. The first thing that stands out is that despite the SMish all claiming to be the "New York Department of Revenue" the phishing website calls itself "Department of Taxation and Finance" and makes no reference to any specific state. 



The "Address" page of the phish starts by asking for a Social Security Number, which makes sense if you are interacting about taxation.  With most "bank" phish, that would be an immediate Red Flag, but people who are interacting about taxes would not be alarmed by this.  In the USA, your SSN is the primary identifier for taxes.  Although the "State" is pre-populated to "New York" the footer still references the California Penal Code. 



The next page tells me they would like to refund me $1120 and asks which Credit Card or Debit Card I would like to send the funds to.  The "Bank Routing" option is unavailable, apparently due to "system maintenance." 



The website is using the Luhn algorithm to confirm that the credit card number is well-formed (it is only a checksum; it says nothing about whether the card exists).  Type any 16 digits starting with a 4 or a 5, then rotate the final number until it stops saying "invalid card number" in red and accepts the number.  My made up number was 4381 6621 8355 371_ and when I changed the last digit to a "6" it became an acceptable Credit Card number.  (I looked it up later, as this was entirely fictitious, but 438166 would mean my card was a Visa Credit Classic issued by Multicredit, S.A., in Guatemala.  Oops!  It's ok, the Chinese scammers didn't care.) 
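The Luhn check the form runs, and the "rotate the last digit" trick done programmatically, as an added example (not code from the original post or from the phishing kit). It also classifies the card network from the leading digits, which is how the kit can insist on a 4 or 5 prefix. Every card number here is fictitious: the one from the post, and the well-known American Express test number 378282246310005.

```python
def luhn_valid(number: str) -> bool:
    """True if the digit string passes the Luhn (mod 10) checksum."""
    digits = [int(c) for c in number if c.isdigit()]
    if len(digits) < 2:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:           # 10..18 -> 1..9 (same as summing the two digits)
                d -= 9
        total += d
    return total % 10 == 0


def luhn_check_digit(partial: str) -> int:
    """The single digit that makes partial + digit Luhn-valid.
    This is what the author found by hand: 438166218355371 + '6'."""
    digits = [int(c) for c in partial if c.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 0:          # these land in doubled positions once a check digit is appended
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return (10 - total % 10) % 10


def rotate_last_digit(partial: str) -> int:
    """Brute-force version of the same thing, mirroring the form's behaviour:
    try 0..9 as the final digit and return the first one the form would accept."""
    for d in range(10):
        if luhn_valid(partial + str(d)):
            return d
    raise ValueError("no digit satisfies Luhn; input must be all digits")


def network_from_prefix(number: str) -> str:
    """Card network implied by the leading digits (public IIN ranges)."""
    n = "".join(c for c in number if c.isdigit())
    if len(n) < 4:
        return "unknown"
    two, four = int(n[:2]), int(n[:4])
    if n[0] == "4":
        return "Visa"
    if two in (34, 37):
        return "American Express"
    if 51 <= two <= 55 or 2221 <= four <= 2720:
        return "Mastercard"
    if n.startswith("6011") or two == 65:
        return "Discover"
    return "unknown"
```

Passing Luhn is the cheapest possible filter, so the kit uses it only to keep junk out of the next step. Whether a card is real is decided later, by the issuer, when the criminals try to provision it into a wallet; that is why a fictitious number bounces you back to the card page, and why, as the post goes on to explain, a valid one does too.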

After this, the criminals sent a text message to the burner phone that I had provided in the Address block. This is a CRITICAL PART OF THEIR STRATEGY!

The "SERCURTITY" verification (yes, securTity) asks for my 6-digit code.  While they say this is because they want my tax refund to be secure, this code is actually the 2-Factor Authentication that allows them to add MY CREDIT CARD to THEIR PHONE's WALLET!




Unfortunately, Guatemala Multicredit SA must have let them know that my credit card didn't really exist, as it booted me back to the credit card page and asked for a different card. This actually happens even if you enter a VALID card.  Why?  The criminals are not interested in sending you a tax refund. They are interested in loading your debit and credit cards onto their phone in Bangkok (or wherever their "machine room" full of spam-sending phones is located.) If you will give them two cards, they will load two.  If you will give them three cards, they will steal all three.  

How does the Stolen Credit Card get used? 

They then deploy "Shoppers" to begin making purchases using your credit card, which is now "Tap to Pay" ready on their phone!  The phone is in Bangkok?  No problem.  They use the software "X-NFC" to "remote tap," relaying the card loaded in the wallet in Asia to the phone standing at the payment terminal at the Apple Store in Burbank.


I'm attaching a promotional video that the author shares on his Telegram channel.  In the video, the criminal has two phones "above" his Point of Sale device.  He links the NFC capability of one of the top phones to the bottom phone.  He then taps the top "linked phone" to an iPhone holding a credit card in his wallet.  The image of the card is transferred to the bottom phone, which he can then successfully tap on the Point of Sale device.  


In practice, the "bottom phone" would be somewhere in North America.  The person using that phone would call a collaborator in Asia to say they are ready to make a purchase.  The remote agent then taps one of the phones where your Phished credit card is loaded.  That card is now "usable" on the phone in North America, who taps the phone locally to make a payment using the credit card 7500 miles away! 

What Registrars, Hosts, and Domains are part of the current New York campaign?

These iMessage and RCS phish are part of a deployment server where criminals pay a monthly fee to use the phishing sites.  Each criminal can choose how and where they register their domains and how and where they host the phishing websites.  Because they are all renting access to the same catalog of phishing websites, the sites may look identical while having very different hosting and registration models.

In this case, the main set of domains is registered at "Dominet (HK) Limited" while the hosting is more difficult since they are hiding behind Cloudflare's Reverse Proxy service.  The bulk of that group's domains for this campaign were registered on September 27, 2025. 

The New York campaign used the hostname "revenue" with URLs using this pattern: 

hxxps://revenue.refundyt[.]cc/notice
hxxps://revenue.refundql[.]cc/notice
hxxps://revenue.refundmj[.]cc/notice
hxxps://revenue.refundrm[.]cc/notice
hxxps://revenue.refundet[.]cc/notice
hxxps://revenue.refundjc[.]cc/notice
hxxps://revenue.refundxu[.]cc/notice
hxxps://revenue.refundxe[.]cc/notice
hxxps://revenue.refundvs[.]cc/notice
hxxps://revenue.refunduw[.]cc/notice
hxxps://revenue.refundte[.]cc/notice
hxxps://revenue.refundsz[.]cc/notice

Another group of domains, which was first seen on September 26th and includes 28 domains, some of which were registered today, was also registered at Dominet (HK) Limited and also hiding behind Cloudflare uses the pattern: 

hxxps://revenue.paybds[.]cc/notice
hxxps://revenue.paydjr[.]cc/notice
hxxps://revenue.paydqo[.]cc/notice
hxxps://revenue.payeoc[.]cc/notice
hxxps://revenue.payfgm[.]cc/notice
hxxps://revenue.payfkv[.]cc/notice
hxxps://revenue.paygaa[.]cc/notice
hxxps://revenue.payhqe[.]cc/notice
hxxps://revenue.payidx[.]cc/notice
hxxps://revenue.payjjt[.]cc/notice
hxxps://revenue.payjok[.]cc/notice
hxxps://revenue.paykah[.]cc/notice
hxxps://revenue.paykdr[.]cc/notice
hxxps://revenue.paylsn[.]cc/notice
hxxps://revenue.paymnk[.]cc/notice
hxxps://revenue.paymtj[.]cc/notice
hxxps://revenue.paynds[.]cc/notice
hxxps://revenue.payono[.]cc/notice
hxxps://revenue.payque[.]cc/notice
hxxps://revenue.payquh[.]cc/notice
hxxps://revenue.payryc[.]cc/notice
hxxps://revenue.paysbv[.]cc/notice
hxxps://revenue.paytia[.]cc/notice
hxxps://revenue.payvem[.]cc/notice
hxxps://revenue.payvik[.]cc/notice
hxxps://revenue.paywar[.]cc/notice
hxxps://revenue.payyks[.]cc/notice
hxxps://revenue.payzlr[.]cc/notice

A third set of domains, also registered at Dominet (HK) Limited and also hiding behind Cloudflare, uses yet another naming pattern. 


refundfg[.]cc was actually a State of Florida tax refund scam, which began about 11 days ago.  That campaign differed from this one in that it was hosted openly at TENCENT (AS132203, IP: 170.106.160.91) and shifted to using a different domain pattern: 
revenue.refuAXCV[.]cc
revenue.refuREWJ[.]cc
revenue.refuDZSA[.]cc

Pivoting on that IP address, we can use Zetalytics' ZoneCruncher to look at the passive DNS and find many other domains.  Our Tencent-hosted phisher who is doing the New York Tax phish is clearly also doing Pennsylvania and Minnesota!  The passive DNS also shows us other host and domain patterns for New York.
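The hostname patterns listed above and the IP pivot described here, turned into something you can run over your own data, as an added example (not code from the original post, and not ZoneCruncher's API). It refangs the defanged URLs, classifies hostnames against the three naming schemes seen in this campaign, and pivots on a resolved IP. The passive-DNS records in SAMPLE_PDNS are constructed for the example; the labels are mine, and only the Tencent IP and the hostnames quoted in the post come from the text.

```python
import re
from collections import Counter
from typing import Dict, List, Optional, Sequence, Tuple

_DEFANG_SCHEME = re.compile(r"^hxxps?://", re.I)


def refang(indicator: str) -> str:
    """'hxxps://revenue.refundyt[.]cc/notice' -> 'revenue.refundyt.cc'."""
    s = _DEFANG_SCHEME.sub("", indicator.strip())
    s = s.replace("[.]", ".").replace("(.)", ".").replace("[:]", ":")
    return s.split("/", 1)[0].split(":", 1)[0].lower()


# Order matters: 'refund' + 2-3 letters would also match 'refu' + 4-5 letters,
# so the more specific scheme is tried first. Labels are assumptions used only
# to tell the observed naming schemes apart.
CAMPAIGN_PATTERNS: Sequence[Tuple[str, "re.Pattern[str]"]] = (
    ("refund-xx",  re.compile(r"^revenue\.refund[a-z]{2,3}\.cc$")),   # refundyt, refundjpt
    ("pay-xxx",    re.compile(r"^revenue\.pay[a-z]{3}\.cc$")),        # paybds, paydjr ...
    ("refu-xxxx",  re.compile(r"^revenue\.refu[a-z]{4}\.cc$")),       # refuAXCV (Florida)
)


def classify(hostname: str) -> Optional[str]:
    """Label of the first naming scheme the hostname matches, else None."""
    h = hostname.strip().lower().rstrip(".")
    for label, pattern in CAMPAIGN_PATTERNS:
        if pattern.match(h):
            return label
    return None


def hosts_from_report(text: str) -> List[str]:
    """Pull every defanged hxxp(s) URL out of free text and refang it."""
    return [refang(m) for m in re.findall(r"hxxps?://\S+", text, re.I)]


# Constructed passive-DNS style records: (hostname, resolved IP, first seen).
# The Cloudflare-looking addresses and dates are made up for the example.
SAMPLE_PDNS = [
    ("revenue.refundfg.cc",       "170.106.160.91", "2025-09-19"),  # Tencent, from the post
    ("revenue.refuaxcv.cc",       "170.106.160.91", "2025-09-24"),
    ("revenue.refundyt.cc",       "104.21.0.10",    "2025-09-27"),  # constructed, Cloudflare-fronted
    ("revenue.paybds.cc",         "104.21.0.11",    "2025-09-26"),
    ("dor.pa-refund-example.cc",  "170.106.160.91", "2025-09-25"),  # constructed, off-pattern
    ("www.tax.ny.gov",            "203.0.113.5",    "2020-01-01"),  # legitimate, must not match
]


def pivot_by_ip(records: Sequence[Tuple[str, str, str]], ip: str) -> List[str]:
    """Every hostname that has resolved to the given IP, sorted."""
    return sorted({host for host, addr, _ in records if addr == ip})


def campaign_summary(records: Sequence[Tuple[str, str, str]]) -> Dict[str, int]:
    """Count matched hostnames per naming scheme; unmatched hosts are ignored."""
    return dict(Counter(lbl for host, _, _ in records if (lbl := classify(host))))
```

Note what the pivot returns that the pattern match does not: dor.pa-refund-example.cc shares the Tencent IP but matches none of the three schemes. That is the point of pivoting on infrastructure rather than on names alone, and it is how the Pennsylvania and Minnesota lures show up from the same host.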