Hacked - Inside the Smishing Triad

Episode Date: December 15, 2025

A deep dive into Lighthouse, a phishing-as-a-service platform linked to millions of scam texts worldwide, and the sprawling “smishing triad” ecosystem built around it. With security researcher Ford Merrill, we unpack how modern scam operations work at industrial scale — from fake e-commerce sites and mass SMS campaigns to the wallet-provisioning techniques that let criminals turn stolen credit cards into tap-to-pay phones.

Transcript
Starting point is 00:00:00 All it takes is once. And that's what these actors are counting on. It's a numbers game. For the last two years or so, Ford Merrill has been investigating a sprawling criminal enterprise. It is so sprawling, Scott, as to be kind of hard to find a way into explaining. So to start, I want to talk about tap to pay on mobile phones. Okay. I'm assuming you use tap to pay on your phone, Scott.
Starting point is 00:00:29 I do. NFC is great. I love having your credit card linked to a phone. I forget my wallet all the time because I am old and forgetful. Me too, but I always have my phone because I'm addicted to it. It's very useful. Tap to pay is interesting. When you tap your phone on a payment terminal, the device isn't sending your real credit card information. Instead, it's basically like proving to your bank that this specific phone is authorized to act as your card. The phone and the terminal do a little handshake over NFC. And then your phone sends two pieces of information. First is a token. The token looks just like a normal credit card number, 16 digits, but it's not your real number. It's a device account number created when you first
Starting point is 00:01:10 add your card to Apple Pay or Google Wallet. It only works on that device. The merchant never sees the real number. They just see that token. And if someone steals just the token, it's useless on any other phone. The token is bound to the device and validated using keys stored inside of the phone's secure hardware. This was the whole pitch when they brought this stuff out, was your credit card number will be protected in these NFC transactions. It'll be more secure, even online payments using something like Apple Pay or Google Pay. It will be more secure because we are not using your credit card number.
Starting point is 00:01:46 If there's a compromise to their payment database, it won't affect you. Exactly. Because the second thing your phone sends is this little piece of cryptographic data. That's created inside of your phone's secure hardware. And that little cryptogram is like it's unique to the actual transaction. It's time limited and it's mathematically tied to the device's secret keys. Those secret keys are issued to the device during this process we're going to be talking about a lot this episode, called wallet provisioning.
Starting point is 00:02:17 That's when you add the card to your phone. And they're stored in hardware that the operating system can't even really access. So the phone sends the info to the terminal when you tap it to pay, and that sends these two little bits of information through the normal payment rails, like the processor of the card network, and finally it all gets to your bank. The bank checks whether the token belongs to the cardholder and whether the cryptographic code matches what the device should have produced based on those secret keys. If all of this lines up, the bank says cool and it approves the transaction.
Starting point is 00:02:53 This all happens super fast. And during this process, no credit card number, as you mentioned, Scott, is ever exposed and that one-time code can't be reused. That's tap to pay. Tap to pay. Now, as I understand it, and as you said, in basically every way that matters, this is a lot more secure than a traditional credit card. Even if someone skims all the info from that transaction, they can't really do anything with it. They don't have the phone. The code was time sensitive.
Starting point is 00:03:22 Therefore it's all more secure. That's not really the case with the normal credit card number. They need all these extra layers of fraud detection and prevention in case you were to lose it. If the number gets used on like a different continent, 30 minutes after you last used it where you live, a bunch of alarms go off. The insecurity of the classic credit card is so bad that they use probabilistic modeling and behavior modeling to try and make them moderately secure. But there's nothing going on there that's actually making them secure. They added three extra digits, what,
Starting point is 00:03:55 20 years ago to the back of the card? That really locked it down. Yeah, really, but you can't use the card without those three digits, so every payment database has those three digits in it as well. So it's not really a thing. Fraud systems with tap to pay still watch for weird device and spending patterns,
Starting point is 00:04:10 but the cryptography of all that does way more of the heavy lifting than it does for like MagStripe or just like the plain card number payment. Tap to pay can afford to be a little more loose. So we get to our subject this episode and maybe as an exercise, we're going to imagine exactly what you would have to do to compromise mobile wallet tap to pay at any kind of scale. First, you would need a system for stealing the credit card info, like the original number in the first place. There's a whole world of solutions for how to steal credit card numbers. Traditionally, like a very common one has been smishing, like spam text messages that trick people into going to a fake site, filling in their credit card info.
Starting point is 00:04:58 If you really want to get nasty with it, you could spoof an e-commerce site that people might willingly go to on their own. And then, I don't know, maybe promote your fake version of a real e-commerce site on, just to pick a random example, Facebook. You can listen to our episode about what percentage of Facebook's revenue is the kind of scam ads I'm describing right now. Not to mention some physical tactics like skimmers. Yep. They have massive issues with skimmers at like gas stations and ATMs that are in public. You know, the classic old school way of stealing credit card information.
Starting point is 00:05:33 That mobile tap to pay protects against with all that cryptography. Then this is where you'd have to get really innovative. Because as we mentioned, traditional credit cards have a robust security layer for fraud detection, but tap to pay is less so. But getting someone's credit card number that you've stolen added to your mobile wallet on a phone you're controlling, without their consent, would require custom-built automated software that works in concert with the spoofed e-commerce site. So when they give the real credit card info, auto-add that credit card to a phone wallet you control. You might, for example, do this by displaying the credit card number on a fake credit card on one screen,
Starting point is 00:06:18 and then having a phone with its camera open over here, scan that fake credit card to upload the information basically instantaneously. At which point, two-factor authentication is going to occur. The fake e-commerce site that they're staring at that they think they've uploaded their real credit card information to might tell them a lie, like your bank requires a code to approve this transaction. They get the two-factor authentication code to add their credit card to a new wallet, maybe it auto fills on the fake e-commerce site, and boom, they have then unknowingly verified someone else's phone to be able to spend money on their credit card.
Starting point is 00:07:01 It's quite ingenious. It's elaborate. Yes, elaborate. The idea of setting up all of this physical infrastructure, having a virtual card simulator, because chances are, like I know when I add cards to my phone, it wants the card to match the style of card it is. So I wonder if they don't have fraud preventions in there to be like, well, this doesn't actually look right. You know, the numbers and stuff check out, but the card doesn't match the
Starting point is 00:07:30 aesthetic that we would expect. You know, there's probably catches like that that they've had to deal with. So when they read your card in, they're going to have to look up and find out what kind of card it is and immediately render something out that then a phone scans in and adds to a wallet. It's clever. It's very clever. This wallet provisioning process is an innovation that kind of like traditional smishing and credit card fraud never really cracked. And I'm letting this all sound as complicated as it is to give a sense of the scale of the enterprise that our subject this episode, Ford Merrill, has been researching. And I have to kind of give them a bit of a compliment. They have been so innovative
Starting point is 00:08:13 and so creative over the years and months that we've been tracking them, that they've continued to adapt and pivot. It's called the smishing triad, and a main player within that, a phishing-as-a-service developer, called Lighthouse. To me, Lighthouse looks a lot like a vertically integrated business, specifically like enterprise-grade software, because that whole software stack that I described from thousands of fake e-commerce
Starting point is 00:08:43 site templates through to this never been done before wallet provisioning process, all of it. That stack, they license it out to people. Wallet provisioning is one of a handful of features inside of Lighthouse that have never really been done at scale in these kits. Lighthouse is innovating in weird new ways that as we discuss this episode are just getting weirder. This is the second recent story in which a giant Google lawsuit plays a role. They issued a lawsuit against 25 unnamed John Does. They highlighted more than 1 million victims across 120 countries, between 12 and 115 million U.S. payment cards compromised, 200,000 fraudulent websites linked to activity of Lighthouse with about 25,000 phishing domains, and an estimated $1 billion U.S. dollars in fraud losses tied to Lighthouse enterprises. In Google's own words, the lawsuit described Lighthouse as a phishing for dummies kit,
Starting point is 00:09:43 powering a, quote, relentless smishing operation. The population of the USA is, you know, roughly 340, 345 million. So when you start talking about upwards of 150 million credit card details, it's insane. Yeah, you're talking about a third of the country. And if you assume a third of the country is children, who don't have credit cards, you're actually talking about like half of the country. That's wild.
Starting point is 00:10:11 Yeah. It's enterprise-grade software is what it is. And we talk about this in the interview. I love, you know, we've talked about this a few times in multiple episodes, just how cybercrime is becoming its own enterprise and its own market niche. 100%. And this is one of those things where you've got a business that's now spending in research and development, developing new products and services
Starting point is 00:10:35 to bring to their market. The real question that I have, though, do you think they bill like a monthly flat? Or do you think it's a percentage of take? Sure. Is it a commission or is it? Yeah. Like, we take 15 or 20% of like all revenue generated,
Starting point is 00:10:52 or is it something like just give us $12,000 a month? I'm sure they'll take your money if you want some tools for smishing people. Yeah. Ready to jump in? We are, but I think there's one last thing we have to do. I think this is our last episode that comes out before the holiday season. You are correct. So I think we just got to wish a big, happy holidays to all of the fans and listeners of the show.
Starting point is 00:11:16 We thank you so much for your time and the attention. And we hope we keep you company when you do all the fun things in life that we all listen to podcasts when we do. And we love to see the comments of people washing their dishes and mowing their grass. Lots of commuting. I think aside from that, there's been some requests for a Hotline Hacked. So stay tuned. That's going to come out sooner than you might think. It will. Thank you so much for spending this year with us. It means a lot to us. We really appreciate it. We're excited for one last one this year. This is a wild one. I got on the horn with Ford Merrill,
Starting point is 00:11:51 senior director of research and innovation at SEC Alliance, part of CSIS security group, to talk about Lighthouse and the smishing triad here on Hacked. Good to get to talk to you. This is a wild story. We have enterprise-grade software, an organized crime operation. I have to think even with all of your experience in this, the years of research, you must still get struck by this feeling of like, wow, this is pretty out there. Yeah, I mean, when we started looking into this, when I started looking at it around August 2023, we really had a huge revelation and we were shocked that this was the first group we had
Starting point is 00:12:45 ever seen using digital wallets for fraud, like Apple Wallet and Google Pay. But at every turn, there have been sort of innovations that also just kind of leave us a little bit flabbergasted or just impressed at the ingenuity and creativity of these threat actors. I want to start super high level. You've been researching this organized crime syndicate built around these phishing scams for years now, long before any of us in the public had a name like Lighthouse to kind of point towards. Super high level. What is Lighthouse and where did it come from?
Starting point is 00:13:22 Take me through this thing. Yeah. Well, maybe you even zoom out before, above Lighthouse, at a higher level, right? What we've been looking at is sort of Chinese smishing, and what that is is like all these package delivery or re-delivery messages people have been getting, all the toll road scams that have been prevalent in North America. They've also done things like government impersonation, tax refund scams, and various other lures. But it starts with a text message or an iMessage or an RCS that you receive telling you to click this link to have a package re-delivered or pay a small toll fine, something along those lines.
Starting point is 00:14:02 And subsequently, the victim will lose their personal information, their credit card information, and the most important and interesting sort of innovation from them was the ability to do real-time two-factor or multi-factor authentication bypass. So they'll also recover the victim's text message or SMS-based OTP code, and that will be used for the types of fraud that require multifactor authentication bypass. And so Lighthouse is a Phishing-as-a-Service developer effectively that makes software to enable people to do this. Google in their complaint, I guess that we'll talk about in a bit, called it sort of phishing for dummies. You pay a couple hundred dollars a month.
Starting point is 00:14:49 You get the software to run these smishing and phishing sites. They're all templated and skinnable, so you can just pick whichever country and whichever organization you want to impersonate, whether it be United States Postal Service or, you know, DHS or FedEx or whatever it is. And then you point a domain at the thing and start spamming out. And that's all you have to do. I mean, you alluded to this, but the thing that struck me about this is just how industrial it feels. There's this enterprise quality to it.
Starting point is 00:15:18 I think Google says, Lighthouse, they hit about a million people, 120 countries, up to 115 million credit card numbers. You know, profits in the billions. I guess my question is like, again,
Starting point is 00:15:32 super high level. Like, where does a cybercrime operation end, and, not legal, but basically just a software-as-a-service industry project begin? And is that boundary, that binary even real at this point? Well, I mean, I'm not sure I really have a great answer for that other than just to say, I mean, definitely we've been sort of shocked by the scale of these operations and sort of totally agree. They're industrialized.
Starting point is 00:16:00 They're automated. They operate like a business. This whole ecosystem sort of evolved just like it would in a capitalist society in the sense that certain actors in this ecosystem specialize in various specific things. So the Phishing-as-a-Service developers, all they do is make the software that you run on the website. There are people that do nothing but specialize in spam operations for text messages, iMessages, so on and so forth. There are people that specialize in the money laundering side of things. Just so many different aspects that, yes, this is organized crime. It is sufficiently advanced at this point. And where it really starts and when it transitions to become, like, you know, at that
Starting point is 00:16:49 level where you now determine it is organized, I'm not sure kind of the inflection point, but it's there and it has been for some time. I want to dig into the tech, but just one last little thing, just for you personally. Like, what was the thing or moment that pulled you into all of this? Like, what did you see that made you realize this wasn't just spam text messaging as we're used to it? Kind of take me through that personal story for you. At my day job, I've been involved in a lot of work around anti-phishing. I developed an anti-phishing platform where we basically track all the phishing sites in the world and we do mitigations and takedowns and stuff like that for customers. But we were tracking in 2023 just
Starting point is 00:17:33 this massive spike in package delivery fraud. All of a sudden we were just seeing tens of thousands of domains targeting the United States Postal Service. And we were like, you know, this is the largest single campaign we've ever observed, right? And we started looking into it and we ultimately kind of got lucky because some of the threat actors left some of their phishing kit source code behind. That was Wang Duo Yu, or also known as Lao Wang, who would later go on to create Lighthouse. And so we had this very early version of his phishing kit. We were able to identify him, identify his Telegram channel, and start to kind of look into, peek behind the curtain into this whole ecosystem. And from there, it just kind of snowballed. I mean, we saw that they were
Starting point is 00:18:26 involved in the digital wallet fraud, that part of what these phishing kits enabled was the bypass of two factor and then subsequently taking the victim's card and putting it into a wallet. And that for me was the point. I was like, okay, this is something really big. And I started putting together a presentation deck about it and started talking to some of our customers about it. And over the years, it just continued to snowball and grow and grow. I want to know more about the digital wallet, that wallet provisioning.
Starting point is 00:18:56 I think most of us think of like, okay, what is phishing? Someone sends a text. They trick you into giving them your credit card and they go buy sneakers with it or whatever. When did you first realize that there's like, there is a meaningful innovation here, this wallet provisioning layer? Explain that kind of whole concept to us. I mean, kind of from the start, like when you click on this link to begin with, the actors already do some pretty important controls to make sure you're not like a security industry scraper or something like that. So it's going to be geofenced to the IP geolocation. So if they're targeting United States Postal Service, you'll need to come from an American IP. But even more than that, they also require you to be on a mobile user agent. So you have to be
Starting point is 00:19:39 on a phone to get the real phishing page. And then once you do, it'll be an incredibly authentic-looking version of the site. They'll ask you for the personal information, you know, in this case to make sure your delivery can be scheduled or something. They'll ask you for a small payment of like 30 cents. And this payment is actually never going to be charged to your card at the time. It's just a reason for you to input the card information. And then subsequently, once you put your name and card number and expiration and CVV, you're going to start spinning. And presumably you think that you're waiting for like the card to be processed or something like that. But on the back end, the threat actors have like a visual representation of your card, literally like an unbranded, um, imagine like a black
Starting point is 00:20:28 credit card that has no branding or anything. It just has your name and your phone number on it. And what they do with it is they have a phone ready to go on the back end with like Apple Wallet or Google Wallet open, ready to add a card. And when you add a new card to your wallet, the first thing the device does is say, okay, can I use the camera? Show me the card. And so they would scan the picture of this card that they've automatically generated in the kit off the screen with the camera. And the phone doesn't know it's just like a computer screen version of the card. And this rapidly provisions the card number into their phone so they don't need to type the numbers in, which is important because you, the victim, are waiting and spinning. And then immediately Apple
Starting point is 00:21:11 will prompt them or Google will prompt them and say, okay, if you want to add this card, you need to complete a two-factor step. Select, do you want email or phone? And they'll pick phone. And then you, the victim, will get advanced to the MFA bypass page where now they'll ask you, okay, we just sent you a two-factor code. Please input it here. And you will also have just received that message with the code on the same device, most likely. This is part of the reason that they require you to be on a mobile user agent. They want you to be on the phone when you visit the site because you're most likely to be on the same device that will receive it.
Starting point is 00:21:48 And then on top of that, if you've ever used the feature on like an iPhone or a Google phone where it can automatically populate the two-factor code you just received from the message in the background to whatever form you're on. Victims also use that, right? So they're on that page, on the phishing page that's asking for your code. As soon as you receive it, your iPhone will tell you, hey, auto fill from messages, and you just click that button, it inputs the code. And, you know, that's it. They're able to complete the provisioning of your card in their digital wallet and you've effectively told your financial institution that you trust that device to spend that card anywhere and no MFA will ever be needed again.
Starting point is 00:22:31 So that was kind of the genius. Unreal. Yeah. Of the digital wallet angle. So they do all of this while you're waiting. You input the two-factor authentication. Yep. You have basically verified their device as being your device and they can go spend money on
Starting point is 00:22:46 that device. Do you have a sense of, and I appreciate that the scale of this is so significant that there isn't any one answer, but now that they have a device loaded up with your card, what happens immediately after that? Where does that device go? What do they do to try and juice as much money out of this as humanly possible? So yeah, we know a lot about how this works. So in the beginning, when we first started seeing this, what was really interesting is actually they would wait almost two to three months before they did anything. And part of this, we believe, is they were worried about sort of the risk control signals that it would give to a bank if suddenly a
Starting point is 00:23:25 random device added a card and then just started spending right away. So in the very early days, they would add these cards and they would wait a long time to spend them. But nowadays, you'll be lucky if they wait like a couple of days, you know, one to two days, maybe three days or seven. But then they have a lot of different ways to launder the money and get the money out of the card because if you can imagine when you have a card in a digital wallet and you're just a legitimate user, I mean, there's a lot of ways you can use it. You can tap to pay for things. You can buy things online in apps. You can also tap to withdraw from ATMs in some countries and with some banks. So there's a lot of immediate options available. And one of the things that you
Starting point is 00:24:11 might think of doing is just go to the store and tap to pay for something. And that did work a lot in the early days. But as time goes on, the banks get better and better about their risk controls and all this kind of stuff. So imagine if you're a threat actor sitting in China and you have a lot of American victims cards on your device, if you go to the store and just try to buy something traditionally, probably the geo-controls are going to block you because you're not in the right country. But even if that purchase did go through, you're on camera, right? And eventually that transaction will be reported for fraud. There will be a chargeback of some sort. And that merchant now has you on camera, which is probably not a good look.
Starting point is 00:24:50 So one of the first things they started to do was look to what we call merchant account laundering. And the way this works in the online version of it is you will create, or the threat actor will create, a fraudulent account with something like Stripe or PayPal or Zettle or one of these online sort of credit card acceptance or payment provider solutions. And then with their fraudulent Stripe account, they will generate a fraudulent invoice for something like, let's say, a short-term room rental on Airbnb, $500 or whatever. And then they will go to that invoice with the device that they have, with the victim's card loaded, and they'll use the pay-with-Apple-Pay function to pay themselves the Stripe invoice,
Starting point is 00:25:34 and then that'll go to their merchant account. That is an interesting angle, but it's not without its challenges, because merchants are used to credit card fraud, so they withhold money for a long time, and it's not the ideal way to launder, but it is a way. The other thing we've seen is that some of the threat actors will obtain physical point-of-sale card terminals. So just like if you run a business and you need to accept credit cards in person or tap-to-pay in person, you just get like a Square device or some other kind of like physical terminal. They would obtain and collect a lot of terminals.
Starting point is 00:26:09 And then they would have, you know, 100 phones with five cards loaded on each one. So they got like 500 credit cards. and they would generate fake invoices on like a little point of sale terminal machine, and they would just have to pay with the victim's cards over and over again. And this was another form of merchant laundering, physical merchant laundering. But the most interesting ones, and probably the ones that have driven the most losses and been most impactful, are physical goods purchases through the use generally of mules. And then the other one is gift card purchase.
Starting point is 00:26:44 And why those are so dangerous is because once those physical goods or those gift cards have left the building, somebody is guaranteed to take the loss. It's either the merchant that sold the product, the bank that issued the card, or the victim who had the card with the bank. But somebody is going to lose their money. And you can't really put it back in the bottle. So those are sort of like some of the key ways they do it. Before I jump into like the mule thing and the NFC relay, I mean, do you have any questions or should we talk a little bit more about that? Maybe something's not clear. Yeah, my next question was going to be to explain the mules to me because as I was reading through this, there's something that hits very emotionally different for that mule layer than the other ways that they're laundering this money. These are real people who think they're doing like a temporary job. And I guess I'm curious, help people understand how that whole process works. Do you have any insight into how the people behind this see those mules? Tell me about them. Yeah, so our visibility into this sort of mule process is a little bit limited because we
Starting point is 00:27:53 don't actually go through the process of like trying to become a mule ourselves and get involved in it. We just observe and see kind of from the discussions and the advertisements that they have. But we generally believe that they advertise on various platforms, TikTok, Facebook, you know, AdSense, other kind of social media, probably on like WeChat and other forms. And they're just basically looking for people who want to make extra money by doing sort of, you know, small tasks or whatever. And what they'll ultimately be signing up to do is buying things in physical stores, mainly gift cards, but also sometimes luxury physical goods or other products
Starting point is 00:28:42 that are easily resellable. And the way that they'll do this is they will be instructed to have a certain type of phone. Usually it'll be a Samsung Galaxy phone. It's necessary to support the NFC relay story. And they will be given like an APK or an Android app to download. And when they open this app, it will basically just provide them credit cards to use that work for tap to pay. So the way this kind of works fully is they will usually be in close coordination with their mule handler or the operator. And that person will be operating, I like to say, behind the curtain, right? They might be in China.
Starting point is 00:29:25 They might be in Southeast Asia. They might be somewhere else. But effectively, they're sitting somewhere else with stolen cards that have already been uploaded onto digital wallets. So they have a lot of iPhones or Androids or whatever with these cards on them. And they will have another device, an Android device that is running, generally I think it's going to be rooted, and it's running the server version of this NFC relay software. And when they touch those two devices together, the wallet device with the card on it and their Samsung running this custom software, it will relay that NFC card to the mule that has the client side version
Starting point is 00:30:04 of that software running on their Android phone in the field. And so now the mule can basically just walk up to the point of sale terminal and tap to pay for whatever it is, using the card from behind the curtain from like 10,000 miles away. And it works just like a real tap-to-pay transaction because actually effectively, it is a real tap-to-pay transaction. It's a perfect relay. And yeah, that's basically what they do. They just take stolen cards. They add them to wallets all day long. They hire mules to go out into the physical places to buy the things that they want and the mules go up there and just buy gift cards or so on from like automated kiosk or
Starting point is 00:30:45 self-checkout kiosks, and they will generally then scratch the codes off of the gift cards, take pictures of them, and then send them back to their mule handler, who will cut them in on some of the money. Unreal. Think about the last time you heard a breach story on this show. It always starts the same way. Someone somewhere saw something too late. An alert buried, a signal missed, an SOC that just couldn't keep up. Arctic Wolf set out to solve that problem by rebuilding security operations from the ground up for a world where attackers are already using AI. They created the Aurora superintelligence platform, a fully agentic system powered by the swarm of experts. Instead of single-purpose bots or lucky-guess LLMs, this swarm is full of deterministic agents that handle
Starting point is 00:31:35 whole entire workflows. Humans stay in the loop and on the loop to validate the critical decisions and keep everything trustworthy. And all of this is just running off their secure operations graph, a constantly updating intelligence engine fueled by more than nine trillion telemetry events every week and over a decade of real-world incident response. The system reasons on real signals and real context, not synthetic training data. And the result is the new Aurora Agent SOC. It's the first SOC that is agent led by design. You get agents that coordinate, agents that investigate, agents that respond at machine speed, and hundreds more that automate the repetitive work that normally buries human analysts. Arctic Wolf didn't try and bolt AI on
Starting point is 00:32:14 into an old model. They rebuilt the model entirely. What makes it even more effective is how it works with Arctic Wolf's concierge experience. The team brings customer-specific context directly into the platform so every AI-driven decision reflects your environment instead of generic assumptions. The automation frees your concierge security team to focus on higher value strategy and proactive risk reductions while the agents handle the grind. If you want to see what trustworthy, production-ready AI and security operations actually looks
Starting point is 00:32:44 like, go to arcticwolf.com slash hacked. Ever feel like cyber threats are evolving faster than anyone can keep up? Last year, 2025 was nothing short of a record-breaking year for major breaches, from sophisticated ransomware operators to AI-enabled attacks that turned defenses on their head. Organizations around the world saw headlines they never expected and cybersecurity teams were tested like never before, but here's the thing. These incidents aren't just news headlines. They're learning opportunities.
Starting point is 00:33:14 And that's why Arctic Wolf is hosting a live webinar on February 5th, diving into the most impactful breaches of 2025. Their field CTO and security leaders are going to unpack not just what happened, but why these attacks succeeded. And most importantly, what businesses can do to fortify their defenses before it's too late. You're going to walk away with real insights into how threat actors are evolving, how defenders are responding, and what strategies can help you stay ahead of the next big breach. It's not fearmongering. It's practical, actionable intelligence from experts in the trenches. Register now at arcticwolf.com slash hacked.
Starting point is 00:33:48 So much of this seems as though I can imagine it being automated. There's stages to this process that I have more questions about that seem like you could have this running in the background on a computer somewhere. That seems like it would require a ton of human labor. Like you are just coordinating with a small army of people running around doing these transactions, running these fake cards. I also saw a number. It was Lighthouse boasting
Starting point is 00:34:15 like 300 plus front desk staff worldwide. I'm not sure what that means. What does the scale of this operation mean to you? Like, what should we visually be picturing? Is there, are there call centers full of people running this? Is this decentralized?
Starting point is 00:34:32 Like, what does this workforce look like? Well, um, we, we don't know exactly in terms of visually what it looks like. But, um,
Starting point is 00:34:42 Some of the things we do know. We know the spam centers or the spam operations. You know, we've seen racks of iPhones and Androids, like 100 to 200 phones deep on like a rack that will have, let's say, 20 phones wide and five phones deep. And one operator is sort of just visually managing like 100 phones at a time. And those are all being automated to blast out like iMessages or RCS. And maybe at some point one of the phones will get like banned by Apple or something and he'll need to pull it out of the rack, reset it, you know, set up a new
Starting point is 00:35:17 iCloud account on it, put it back into the automation and keep it going. So that's, you know, imagine there's many actors like that on the spamming side. On the phishing side, I mean, and just in this ecosystem as a whole, I mean, just individual channels for just, for instance, Lao Wang, who sold Lighthouse, his Telegram channel had something like 21,000 impressions or views and almost like five or six thousand people in it by the time the first one was shut down by Telegram. And we believe, you know, we track 10 major phishing-as-a-service actors just like Lao Wang, and so if he has 6,000 in his channel, we know some that have 10 and 12,000 in their channel. I mean, it's tens of thousands of Chinese-speaking individuals that are in these
Starting point is 00:36:10 groups. And so, yeah, we believe there's easily tens of thousands of people involved in every aspect of this fraud. And some of them are going to be smaller operators that they just buy access to the software. They pay a spammer to send their messages and maybe they target, you know, the U.S. or Canada or whatever their little geographic region is. And they may do it for their own gain. And collectively, when you start to add up all these small actors, it's a tremendous amount. And then we've also seen evidence to support that there are some groups that are truly organized crime in the sense that they're just openly
Starting point is 00:36:48 advertising that we do it all from spamming to mule operations to point of sale laundering to, you know, phishing platforms to giving you data to target your phish. Like everything is. So it's pretty big. Yeah. When I was first reading about it, I mentioned this earlier, but it kind of drew a parallel with like software as a service. But the more you look at it, the more, it's like, yes, there's software as a service and enterprise-grade software when there already exists a marketplace.
Starting point is 00:37:19 There's this much larger marketplace of people that are trying to spin up these types of operations. Someone can say, oh, I'm going to target this part of the world with this type of messaging. Oh, I'm going to target this group with these types of lures. How does that, how does that fester? Like, where does that come from? Is this all just growing on Discord channels on the internet? Like, is there a top-down way of thinking about this? Like, how did this grow in the first place?
Starting point is 00:37:47 Well, I mean, when there's money to be made, people are interested in making more. I think, you know, Lao Wang, who authored Lighthouse and then subsequently or also Darcula, were kind of some of the OGs when it comes to Chinese smishing operators. And they developed probably some of the first really sophisticated kits that could do these real-time SMS OTP bypasses and be used for digital wallets. And so we're not exactly sure who really invented this sort of recipe with the digital wallet
Starting point is 00:38:23 cash out angle in the real-time OTP bypass. But it was probably one of them or somebody that they were close to or inspired by. And then, you know, once they started having a little bit of success doing this, I think one of the things they quickly ran into or realized at least at that time before a lot of it was automated was, well, I mean, one person can only sort of put so many cards in wallets at a time, right? Like if you send out a blast of spam and you have a thousand victims rolling in and, you know, let's say 50 of them are putting their cards in at the same time and then you need to provision those wallets.
Starting point is 00:38:59 Like one person can't do all that. So there's a lot of loss that, you know, phish, basically phish catch that you're losing by not being able to have enough hands on the problem. And so they were like, hey, this is free money that we can't monetize. We could sell this software as a service and sort of like advertise it
Starting point is 00:39:22 so that other people can get in on this action and we can happen to profit from that activity too. And what was really interesting is in the early days, we believe almost all of these kits were backdoored. So their customers would pay them a fee every month to use the software and the service, but they could then come behind and just scoop up all the card information and the victim information anyway. Now, granted, they couldn't tokenize it once the victim's no longer on the hook and they don't have the MFA anymore, right? But they could still use that card data for like card-not-present fraud or follow-up vishing or social engineering, things like that.
Starting point is 00:40:02 And so it was just really interesting. They were like double dipping by selling the software to their customers and stealing. And why would their customers assume privacy when they're purchasing privacy infringing software in a sense? Correct. You mentioned them a couple of times, Lao Wang, like the author of Lighthouse. What do we know about them?
Starting point is 00:40:21 Tell me about them. Well, what we know is kind of limited in terms of real term personal attribution, but we know they've been around since February 2023. He originally provided sort of tuition, not just the software as a service, which he certainly did, but he also offered people an ability to be under his apprenticeship and learn how to create and modify these kits. And we believe he was, he apprenticed somebody who he called the Young Lady, which we believe later went on to become an actor that was known as Chen Loon. And she created what he called one of the most advanced kits, his students,
Starting point is 00:41:02 had ever made, and it was a GOV.UK tax-based phishing kit at the time. But he was sort of, like I said, a visionary and OG. He had around 17 brands that he targeted with his original kit that we call version one. But his most prolific victim was the United States Postal Service and the American people through the use of United States Postal Service package delivery lures, by far his most popular kit. The other thing that he specialized in and still does specialize in to this day is fake shops. So he supports a workflow that instead of sort of getting a message and needing to log in and do something and lose your data, he will allow you to set up a fake shop, an e-commerce site
Starting point is 00:41:53 selling anything you want. It could be, you know, toilet paper, dish detergent, or electronics, and it looks just like a real e-commerce site. And when the victim goes to check out for this product that they think they're buying, they literally just lose their personal information, they lose their card information, and then they lose their OTP again because they think they're doing that for the payment validation. And these are a lot more sinister in some ways
Starting point is 00:42:18 because they have a lot more staying power because no messages are sent out. Not a lot of people report them. They also don't require you to receive a message and click on something to be victimized. You can just be searching for something you want to buy online and see this e-commerce shop that looks to have a good deal. And they advertise these sites on AdSense, like on Google AdSense, on Meta platforms, on TikTok. I'm sure you've seen the news that Facebook had like $18 billion in revenue from scam advertisements. Things like that are driving people towards these fake shops where they then self-victimize. So that was another big part. He was kind
Starting point is 00:42:58 of a pioneer in that fake shops space as well. And he went on in August of 2024, he would later, he would launch the kit that would be known as Lighthouse and for a number of reasons. He wanted to modernize the code base. He wanted to make it more modular, basically just improve functionality across the board. And when Lighthouse originally launched, he only targeted 17 brands with the old kit. Within a month, he targeted 29 brands and a month later, he started targeting 63 countries and each of those countries would often have multiple brands.
Starting point is 00:43:38 So just kind of like the new kit skyrocketed his ability to scale the brands for his customers. And yeah, we believe he was very successful for, you know, since early 2023. And finally, Google released this civil action, this lawsuit against Does 1 through 25 related to Lighthouse and he's subsequently shut most of his Telegram stuff down, gone dark. It looks like a lot of his infrastructure got knocked offline. And so he's probably licking his wounds and rebuilding, would be my guess. Yeah, since you brought it up, this is the second story in as many months about Google being involved in a lawsuit with alleged cyber criminals.
Starting point is 00:44:20 We reported on their lawsuit against a group installing malware on these cheap consumer electronics. This lawsuit, it kind of frames Lighthouse under RICO, basically saying, like, this is an organized criminal enterprise. You alluded to this a second ago in terms of him kind of going off and licking his wounds, but like from a researcher's perspective, why does Google do these lawsuits? And what role does legal action play in disrupting stuff like this? Like, is this just whack-a-mole or do these lawsuits have an impact? Well, I mean, first off, the disclaimer, obviously I don't work for Google. I'm not a lawyer, so it's hard for me to kind of do anything but speculate. But I can do a little bit of informed speculation anyway because of my knowledge on sort of this subject.
Starting point is 00:45:06 I think this action or this type of action, taking civil action against a cyber criminal actor, is really interesting. Obviously, we also saw it in the past with Microsoft using it to obtain default judgments and then go after like C2s of known malware or botnets that were causing a lot of problems for Windows users and things like that. And I think one of the more interesting parts of it or ingenious parts of doing it in a civil way is that in a criminal case, you really have a high barrier for proof that, you know, you need a lot of proof and it all has to be proper chain of custody and everything. There's really a high bar to prove somebody is guilty. And then you have the jurisdictional problem where if these actors are sitting somewhere, you can't really reach them or you don't have jurisdiction over them, that becomes hard to do a criminal thing.
Starting point is 00:45:59 And then, like you said, with whack-a-mole, well, if you do get a criminal action against somebody and you arrest some folks, I mean, there's plenty more people that are going to pop up. And so you're going to have to rinse and repeat that more expensive process over again. Whereas with the civil action, you can file a suit against these folks in a jurisdiction that's relevant for you, and almost 100% chance they're never going to come to defend themselves. So you will win by default, obtaining a default judgment. And then you can take that thing to hosting providers, domain registries, domain registrars,
Starting point is 00:46:34 all that sort of stuff, and say, hey, we obtained a judgment. These actors are on your platform doing bad things, and we would like you to take them down. And most legal departments are going to say, hey, to avoid any extra liability or any chance that we get caught up in this thing, it's, you know, they have a court order. We need to take this stuff down. So I think at least in terms of disruption, even though it might be temporary, it does cause pain and impose costs for these threat actors. And to some extent, it starts to limit their horizons, right? If they know that they can no longer use a hosting provider that used to be friendly, then they'll need to look for another one. And as these things continue to come and they get
Starting point is 00:47:25 shut down from place after place and get run from provider to provider, eventually they'll be left with sort of no other option other than the bulletproof hosters, the bottom of the barrel stuff that has zero reputation. And those become easier to block and automatically list stuff as suspicious from. So I do think it has a positive impact and it is a good approach. There are tradeoffs with it, right? Tencent. I mean, on that note, it seems like a pretty large percentage of these, like the domains linked to this were coming from Tencent and Alibaba networks.
Starting point is 00:48:02 Those are two of, I believe, the first and largest listed companies in China. If big tech companies in China ever did cooperate with, say, U.S. takedowns lawsuits like this, how much of this ecosystem actually would collapse and how much of it is, again, just to use that metaphor, is just whack-a-mole that's going to pop back up somewhere else. Well, as far as I know, Alibaba and Tencent at least do respond to some complaints and do take some action on them, although they tend, I don't want to say malicious compliance, but they tend to do it in a way that's sort of, if you could drag your feet as much as possible and require as much information and make the process as painful as possible for a reporter to
Starting point is 00:48:44 actually get something done. It seems to be the way they handle these complaints. At least that's been what I've heard from folks who actually try to get these taken down. And we also submit data to clearing houses that try to get these things taken down. So we've had some of that experience as well. Yeah, I mean, a vast majority is hosted, or so many of them are hosted at Alibaba and Tencent, that's for sure. And oftentimes, I mean, so many of them are also protected behind Cloudflare free accounts, right? So there's, you know, there's a bit of a tech enabler as well with Cloudflare. But that being said, you know, if Cloudflare was to stop offering protection for these proactively, and they can make a good argument that, hey, you know,
Starting point is 00:49:36 potentially it's not always possible for us to identify these things proactively. And I do know that they are responsive to abuse requests. They have an API for that kind of stuff. So I don't want to, you know, I'm not trying to throw them under the bus here. But, you know, I think if Alibaba and Tencent did something about this, it would make a meaningful impact. Again, you know, the actors probably would just shift somewhere else to another hosting provider and just continue to do that until they've been chased to the bottom of the barrel. I'm curious to go back to the groups themselves a little bit.
Starting point is 00:50:19 And this feeling I got in reading through this story of like growing ambitions, you know, this starts out and it feels kind of familiar. It's the, you know, the postal service lure. It's familiar stuff. And there seems to be this escalation of like you've got card theft, kind of moving into like even bank logins. There was stuff about brokerage accounts. Yes. There's a real sense of like we are climbing the ladder that is the Western international financial system. What should we take from that? Are they just truly ambitious? Are they learning? Like what's what's going on there? I think it's a combination. I mean, they're ambitious for sure. They want money, right? They are financially motivated. And they've been to their credit. And I have to kind of give them a bit of a compliment. They have been so innovative.
Starting point is 00:51:11 and so creative over the years and months that we've been tracking them that they've continued to adapt and pivot when they started with NFC relay. I mean, first off, they invented digital wallet fraud. I mean, it's crazy enough, right? And real-time OTP and SMS bypass to be able to facilitate. That's crazy enough. But then they basically invented NFC relay, the ability to relay an NFC payment, a tap-to-pay payment around the world.
Starting point is 00:51:40 and that's like mind-blowing levels of nobody thought that was possible until they invented it. And then they learned how to scale it and use it. And then even on top of that, now they've got technology that allows them to do NFC relay multicasting. So a single user behind the curtain with one device that's operating as a relay server and cards that he touches to that device can now support not just one mule operating in the field, but it can support 20 or 30 or 50 or however many mules simultaneously. And because it's so clever how they've created it, because tap to pay is a one-time token transaction where you can't replay the token,
Starting point is 00:52:20 if one of those 50 actors that's receiving that card taps to pay for something, all the other actors temporarily lose the card on their app, and then as soon as that transaction is completed, all the other actors receive the card again, so it's ready to go. And so, you know, things like this, I mean, first they hit you with NFC relay,
Starting point is 00:52:39 and then they come with multicasting, and it's not even a couple months after they just invented this tech. And then to your point about banking and brokerages, as the banks have gotten better at protecting against digital wallet provisioning, so in other words, the process of them adding your card to their device, that has gotten harder for them because the banks do receive some interesting controls and data from Apple and from Google that give them some ideas about risk levels of that device and all sorts of stuff, and they're starting to get better at preventing these malicious wallet provisionings.
Starting point is 00:53:14 So the actors have also built in a system that will automatically tell them which cards they should automatically reject and which cards they should bubble up to the top and prioritize because those will be the ones with weaker controls, like smaller credit unions or smaller banks instead of the megabanks. And then as provisioning continues to get harder and harder and they scrape the bottom of the barrel, they start using these tools that are perfect for real-time phishing and MFA bypass to do things like account takeovers where they'll take over the victim's PayPal account or more interestingly lately and more saddening lately is brokerage account takeovers. So the way this works is you'll get a text message that like, hey, your Charles Schwab account
Starting point is 00:54:01 has had some suspicious activity, you need to log in and do something about it. And it will be a phishing site that looks exactly like Charles Schwab, they'll take your login information, you'll give them your two-factor or your multi-factor, and they will log in and now they own your brokerage account. Now, you might have a million dollars in there or whatever investments you have in there, and they can't take the money out in terms of wiring it out of the account because the controls are too good for that. But what they can do is effectively liquidate all your positions and buy Chinese penny stocks or Chinese IPO stocks that they already own in their own personal accounts or their own
Starting point is 00:54:42 criminal accounts offshore, and as you are buying those penny stocks, they're selling against your order flow. So it's like a twist on a classic pump and dump, where they used to have to convince you to buy a penny stock. Now they just take your account, they control it, and they buy whatever they want. Yeah, wow. The penny stock one, that's nuts. I hadn't caught that. That's crazy. Yeah. And it's very, I mean, it's really sad and it's really damaging. We know some people that have lost their entire life savings. They're retired. They're on pension or whatever, right? And they lose everything. And when you lose $400, I mean, you know, there's this kind of saying, like, if you owe the bank $400, it's your problem. If you owe the
Starting point is 00:55:30 bank $4 million, it's the bank's problem. But if you lose your entire brokerage account, it's unlikely, depending on where you are and how much it was worth. I mean, it's much less likely that you'll be reimbursed. So those are really saddening, but, you know, again, like I said, they're financially motivated, and so at every turn, they've sort of increased their ability to do this, to scale it, to steal greater amounts. We believe that, well, we know that some of them are also involved in pig-butchering type of scams. You name it. They're involved.
Starting point is 00:56:08 I'm curious. An innovation feels like such a weird word for this because of the kind of harms we're talking about. But like I'm curious to understand where this innovation is coming from. I feel like here when we talk about people developing really complicated software, the two stories are either like the wunderkind in a basement that hacks it together themselves or increasingly often like the person who gets ungodly gobs of like venture capital money. And then poaches talent and points it at a problem like a machine gun. And I'm curious, what does this look more like?
Starting point is 00:56:43 Is it the individual author creating all of this? Is it more of the investor business model? Is it a crowdsourced software project where it's wisdom of the crowd and people working together to come up with NFC relays and wallet layers? Like, where is that innovation coming from? I think wisdom is, wisdom of the crowd is probably the closest one to the truth. At least just from what I observe. We believe a lot of these developers are students
Starting point is 00:57:12 or people who have recently graduated, you know, maybe in 20s, 30s kind of age. They have computer science degrees and backgrounds. They are developers. Some of them, we believe, did, you know, had a real day job when they started working on this stuff and ultimately went on to kind of do this as a side hustle that became their main hustle.
Starting point is 00:57:33 But in a lot of these channels, there is, you know, that you'll see, there are so many people offering their own services willing to work, pitching ideas, or, hey, does anybody have something that could work with this card or whatever? And so there seems to be a collaborative nature to, hey, I want to get some money, you want to get some money. How can we figure out to do this? And then also, at least in the Chinese fraud ecosystem, as we've seen it, there has not really been much shame around copying other people's work. So if one phishing actor came with a new feature, for instance, in early 2025, we saw this massive
Starting point is 00:58:17 rotation in the U.S. and North America to toll road scams, whereas before that, everything was pretty much United States Postal Service package delivery scams. But people had gotten so tired of it, so fatigued. I mean, how many of these package messages did you get every day? And you kind of knew it was a scam at that point. So people weren't falling for it. So one of the actors decided to try a playbook that had worked in another part of the world in Australia and New Zealand. These toll road scams had been very popular in Australia and New Zealand from 2023 onwards.
Starting point is 00:58:51 And so they decided, hey, why don't we try these in the U.S.? And they apparently had massive success. And within just two or three days of one actor adding, basically U.S. toll roads to their kit, almost all the other major phishing-as-a-service actors also supported toll roads.
Starting point is 00:59:08 And so I think part of that innovation is kind of like when one person figures out something that works, that's the new baseline, and then everybody's looking for the new thing that will improve that, right? So they went from manually
Starting point is 00:59:24 inputting card details to provision these wallets to automating it. And we've seen some of the actors use like LLMs and AI to help a customer create like a very convincing brand impersonation. So imagine if you have a particular brand you want to impersonate and the kit doesn't yet support it. There are features within the kit that are like AI enabled or AI powered that allow like a user who has no technical skill to say, okay, I want to impersonate this website and it'll go out and like make a capture, scrape it all down, put things in the right format.
Starting point is 01:00:00 for like creating a skin for the phishing site. And then that becomes a new template. So they've really been smart about how they kind of automate things, about how they approach development and treat all of this like a real business. This is maybe an unfair question, maybe more just putting you on the spot. But I am curious with everything that you know about this, if you could redesign any part of the financial ecosystem,
Starting point is 01:00:27 like how card issuers work and mobile wallets, and telco messaging systems, if you could redesign some part of the financial system to try and shut down a big chunk of this fraud overnight, like where would you intervene? What's that bottleneck? Yeah, this is always a tough one because everybody wants a silver bullet
Starting point is 01:00:44 and there is no silver bullet. There's a lot of things that need to come together. But I think one thing that would have a massive impact in general is if we would move away from SMS for second factor because A, it's clearly one of the easiest forms of MFA to bypass, even if we don't talk about SIM swapping. But of course, SIM swapping does exist. SMS is unencrypted. It's, you know, an aging protocol, very old at this point.
Starting point is 01:01:20 It was really just a hack to begin with. And one of the biggest sort of things that I see against SMS, at least as a second factor, is that a lot of times when the victim receives that two-factor code from their issuing authority, there's not a lot of context about what it's for. It's just, at best, it's like, hey, this is Chase and here's your code. Don't give it to anyone. And, you know, at least with app-based authorizations, like let's say bank app-based authorizations, you will get some information that's like, hey, somebody is trying to add your card to an Apple wallet device
Starting point is 01:01:59 Are you sure you want to allow this? And that becomes a lot harder for these threat actors to overcome, because even if the victim fell for the phish and they put all their information and their card information in and the actor says, okay, now you need to open your banking app and approve. When they see what it's for, I bet you a high percentage of people actually bail out at that point. So I think there's something to be said for getting rid of it or getting onto stronger forms of multi-factor authentication, either app-based. Generator-based is obviously a little better than text, but still it's kind of weak because it's just a time-based code and there's no context there. You just have to provide your code for something. Things like FIDO and passkeys and so on. Also really interesting.
Starting point is 01:02:45 We're not aware that these actors are able to bypass passkeys because of sort of the nature of them. Of course, I have some misgivings about some of the other things that passkeys enable, which is a lot of centralized lock-in to big players. But the other thing, I mean, I know you asked for a single thing. The other thing that is happening and we are getting much better at is we're so good at filtering spam messages from email. And we have been for many, many years now. But we're terrible at it when it comes to text messaging. But that is changing, right? Android released an awesome feature related to like scam detection and possible scam detection for messages.
Starting point is 01:03:26 They also do things like call screening. iOS 26 now apparently has a lot of anti-scam or sort of anti-spam message features as well as call screening. Unfortunately, it's not available anywhere except the U.S. as far as I'm aware. Maybe that's changed, but we don't have access to it where I live in Europe. So if we can prevent people from seeing these messages and clicking on them and going to them, that's a big, you know, impact as well. I'm curious where this goes next. Like they have truly embraced the move fast and break things philosophy, they are iterating and coming up with new like templates and lures and ways of doing this. What's that next adaptation? Where does this go, say, in 2026?
Starting point is 01:04:10 I think it's, yeah, I think it's really going to be towards more account takeover type activity. Whether that's brokerages, I'm not sure. Maybe the brokerages will probably, due to the amount of money involved, probably pretty quickly kind of shut that down, I would assume. Could be wrong about that. But other forms of account takeover that allow them to monetize and do things useful, whether that might be stealing like Amazon accounts or PayPal accounts or Stripe accounts, these kind of things that often have some sort of a payment, like a payment channel associated with them or a card associated with them and allow you to buy things or transfer money.
Starting point is 01:04:52 I think that's an area that so far, we know that certain threat actors go after those type of things, but the digital wallets was such a low-hanging fruit that it just seemed like everything gravitated there for a long time because of all the advantages. But yeah, I would think probably more targeted spear phishing, more account takeover, more kind of social engineering-backed stuff. We know that they also have the capability to bypass KYC controls. There's a lot of stuff in the ecosystem about providing fake documents, fake passports, fake social security numbers, ID cards. And we believe that they're also starting to leverage like generative AI for videos to bypass these type of controls that when you open, for instance, a crypto account
Starting point is 01:05:40 and you need to have your phone's camera pointed at your face with a selfie and holding a passport next to it and move it in and out and all these kind of things. We believe they're also able to bypass those kind of controls. So yeah, it's hard to say exactly because I could have never predicted NFC relay or some of the other things that they've rotated to. But whatever it is, I have a feeling it will be effective for sure. To wrap up, because you've been super generous with your time, you've spent years researching and unraveling and like trying to paint a picture of this. What is it about this topic that kind of keeps you curious and engaged? Like what is the thread that you feel like you haven't pulled all the way on?
Starting point is 01:06:27 I mean, unfortunately, it has been, my feeling has been since I started looking into this that I wanted some closure before I was done. Right. And I say unfortunately because I can see now that that is probably never going to happen. But I really initially thought like, wow, we've learned a lot about this. We understand how it works. If we just talk to the right people, like we can make a difference and solve this problem. And the reality is, while we've had, I've had, and a number of other people that are really close to this,
Starting point is 01:07:00 have had good impact here, at the end of the day, like, it's a never-ending battle, right? This tale is as old as time, you know, that if you can convince somebody to give you your password, or you can social engineer somebody into defeating the controls, then no matter how sophisticated the controls get, it never matters, right? Like, you can always just convince a human to defeat the controls for you. So in that sense, I don't think this will ever really be resolved. But my hope was that through our research and what we shared, we could really like shut it down to a significant extent. So that's kind of what keeps me going. And the other thing is,
Starting point is 01:07:42 as long as people have an interest in this and as long as people are losing money to this and want to talk about how it works, I'm happy to share that, right? Because I think there needs to be more visibility, more understanding of what's going on. And when I talk to people about how it works, no matter if they're technical or not technical, they always love to hear the story and learn how it works because we've all seen these messages. And we all kind of, I guess, subconsciously wondered, like, what's that about or how are they even making money from this? And when you show somebody that and their eyes kind of light up and that light bulb goes off in their brain and they're like, oh, that's how it works.
Starting point is 01:08:22 You know, then they can go and tell their family and be like, hey, I understand how that works. You need to be really careful about this. Or let's look at our OPSEC or let's look at how we address, how we handle security. Because it is a very, you know, it's not only a personal responsibility. It's also a societal and sort of government regulatory responsibility. It's a responsibility of these companies. But it's a responsibility of all of us to sort of lift the level, the security level, let's say.
Starting point is 01:08:51 So I guess that's really what keeps me going, the hope that we can really make a difference in this kind of thing and the fact that people are interested in learning more about it and understanding more about it. Just as an aside, I think that people, I think that we all have this feeling that we are on a daily basis, even in something as innocuous as a text message.
Starting point is 01:09:16 You know, the bad, like Facebook ad scam, ad that you try to avoid clicking on, the link to the e-commerce site that seems right, like it seems like it's the real thing. We all have this feeling that, like, in order to exist online, you sort of have to consent to just being lied to, with the potential for very real harm, all of the time. There's this feeling of, like, when I wade into this world, I'm wading into a space where people are going to lie to me to try and steal from me all of the time. And that feeling, even if people aren't technical, doesn't go unnoticed.
Starting point is 01:09:53 People, it sort of builds up on you like a residue, that there's someone always trying to tell me a lie. So even for non-technical folks, I get why this would be a really compelling story. Yeah. And, you know, to your point, I mean, it's unrealistic for anybody to have their guard at like, you know, the highest level at all times. Right. So even if you don't fall for 99 out of 100 text messages, the one time that you're busy or stressed or you've had something to drink or it's just early in the morning and you just woke up or you're tired, all it takes is once. And that's what these actors are counting on. It's a numbers game.
Starting point is 01:10:33 We know from the numbers that only one to three out of every 1,000 victims that receives these messages actually goes through with clicking the link and losing their information and getting their card information provisioned. So that's less than 1% of everybody that receives it, but it's clearly enough for them to make money at scale. Ford, thank you so much for your time. It was really good to get to talk to you. I appreciate it. Yeah, absolutely. Thanks so much for the time.