Smishing on a Massive Scale: "Panda Shop" Chinese Carding Syndicate

Summary:
In March 2025, Resecurity identified a new smishing kit called "Panda Shop," closely tied to Smishing Triad operations. The kit, marketed through Telegram bots and channels, supports multiple smishing templates and integrates with platforms like Apple Pay and Google Wallet to steal personal and financial information. Unlike traditional SMS, RCS and iMessage provide cybercriminals with richer capabilities for crafting persuasive phishing content, making these attacks harder to detect. The Panda Shop kit can be easily deployed on virtual servers and comes with detailed instructions and support. Templates target global brands such as AT&T, UPS, USPS, Vodafone, DHL, and even government websites, and allow the harvesting of personally identifiable information (PII), credit card data, and one-time passcodes.

The Panda Shop infrastructure included exposed configuration files referencing Alibaba’s NACOS platform, with the server’s time zone set to Shanghai, confirming the operators’ location in China. The domain was registered via a Chinese company previously accused of violating ICANN regulations, and the same registrar has been linked to hundreds of smishing domains targeting users in India. Analysts believe Panda Shop is likely a rebranded effort from Smishing Triad following earlier exposure. The kit is part of a broader underground marketplace where compromised Gmail and Apple accounts are sold in bulk to facilitate campaigns. These accounts enable actors to bypass telecom limitations by using internet-based messaging systems. Panda Shop’s advanced capabilities include spoofed sites resembling major financial institutions and live OTP collection through interactive sessions, making the fraud harder to detect and more lucrative.

Cybercriminals behind these kits monetize stolen data through carding shops and engage in merchant fraud and money laundering. Admin panels associated with the kits allow operators to track stolen data and manage victim statistics. Financial institutions such as Bank of America, JP Morgan, and Citibank have been among the top targets. Despite the massive scale and financial impact, which results in millions of dollars in annual losses, law enforcement faces significant hurdles. Most arrests have involved low-level operatives like money mules, not the primary actors. NFC-based cash-out tools have made withdrawing stolen funds even easier, minimizing the need for physical intermediaries.

Security Officer Comments:
Resecurity was the first to uncover the Smishing Triad, a network of Chinese cybercriminals that launched large-scale smishing campaigns targeting consumers worldwide. In August 2023, Resecurity identified the group’s activities and exploited a vulnerability in their smishing kit, exposing their infrastructure. Since that time, the group has evolved significantly, adopting more advanced tactics, techniques, and procedures while becoming increasingly stealthy. Rather than being a single group, Smishing Triad operates as a loosely organized criminal ecosystem, offering "Crime-as-a-Service" packages that enable other cybercriminals to use their tools and infrastructure to conduct smishing attacks across different countries.

The group's members operate with impunity in China and have openly expressed disregard for U.S. law enforcement, stating they fear no repercussions. Some actors have reportedly sent up to 2 million smishing messages per day, suggesting a potential reach of over 60 million victims per month.

Suggested Corrections:
To mitigate the threat posed by smishing campaigns like those operated by the Smishing Triad and Panda Shop, organizations should implement SMS and messaging security filters to detect suspicious content and block malicious URLs. Regular user education on identifying phishing attempts across SMS, RCS, and iMessage is critical. Enterprises should enable multi-factor authentication (MFA) for all accounts to reduce the risk of credential abuse and monitor for bulk account takeovers. Security teams should also track and block indicators of compromise (IOCs), such as domains and IPs used in known smishing campaigns, and restrict access to known Telegram bot infrastructure when feasible.
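As an added illustration of the message filtering described above (example code, not from the Resecurity report), a minimal Python scorer that flags a message when it names one of the brands listed in the summary but links elsewhere, when its link matches an IOC blocklist, or when it asks for a one-time code alongside a link. The brand-to-domain map, the IOC placeholder domain, and the sample messages are constructed assumptions.

```python
import re
from urllib.parse import urlparse

# Brands the report names as smishing template targets, mapped to legitimate
# domains (constructed map for this example; extend it for real use).
BRAND_DOMAINS = {
    "usps": {"usps.com"},
    "ups": {"ups.com"},
    "dhl": {"dhl.com"},
    "at&t": {"att.com"},
    "vodafone": {"vodafone.com", "vodafone.co.uk"},
}
# Placeholder IOC blocklist: real entries come from the report or a threat feed.
IOC_DOMAINS = {"smish-ioc-placeholder.invalid"}

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.I)
OTP_RE = re.compile(r"\b(one[- ]time|otp|passcode|verification code|security code)\b", re.I)


def registrable_domain(host: str) -> str:
    # Naive last-two-labels rule; production code should use the public suffix list.
    parts = host.lower().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def score_message(text: str) -> list[str]:
    """Return the smishing indicators found in one SMS/RCS/iMessage body."""
    reasons = []
    low = text.lower()
    brands = [b for b in BRAND_DOMAINS if re.search(rf"\b{re.escape(b)}\b", low)]
    hosts = [urlparse(u.rstrip(".,;)")).hostname for u in URL_RE.findall(text)]
    hosts = [h for h in hosts if h]
    for h in hosts:
        rd = registrable_domain(h)
        if rd in IOC_DOMAINS:
            reasons.append(f"known IOC domain: {rd}")
        for b in brands:
            if rd not in BRAND_DOMAINS[b]:
                reasons.append(f"{b} mentioned but link goes to {rd}")
    if hosts and OTP_RE.search(text):
        reasons.append("asks for a one-time code and includes a link")
    return reasons


# Constructed sample messages (not taken from the report) in the styles it describes.
SAMPLES = [
    "USPS: your package is held at the depot. Confirm address at http://usps-redelivery.example.invalid/track.",
    "Your UPS parcel arrives today. Track it at https://www.ups.com/track?id=1Z999",
    "AT&T: enter the one-time passcode we sent to keep your account active: http://att-secure.example.invalid/otp",
    "Unpaid delivery fee, pay now: http://smish-ioc-placeholder.invalid/pay",
]

if __name__ == "__main__":
    for m in SAMPLES:
        print("FLAG" if score_message(m) else "ok  ", score_message(m))
```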

Link(s):
https://www.resecurity.com/blog/article/smishing-massive-scale-panda-shop-chinese-carding-syndicate