Chinese Cybercrime Group Pulls Off Record-Breaking Payment Card Fraud Using Digital Wallets
A highly organized Chinese cybercriminal syndicate has carried out one of the largest payment card fraud operations in history, potentially compromising between 12.7 million and 115 million cards in the United States between July 2023 and October 2024.
According to researchers at SecAlliance, the campaign marks “a fundamental paradigm shift in financial cybercrime,” blending advanced text message phishing (smishing) with clever use of Apple Pay and Google Wallet to sidestep normal fraud detection.
The group, led by a threat actor known as “Lao Wang,” evolved from simple pandemic-era delivery scams into a full-scale, industrialized crime operation. Instead of just stealing card numbers, the criminals immediately load them into digital wallets on old iPhones, allowing them to bypass security checks.
“Once payment card credentials are harvested, threat actors immediately provision these cards to digital wallets on attacker-controlled devices,” the report explained.
Over 32,000 fake USPS-themed websites were used to trick victims into handing over their information. The operation works much like a legitimate tech business, with SecAlliance noting it “operates with the efficiency and scalability of software-as-a-service companies.” Losses are believed to be in the billions of dollars.
The group’s custom-built “Lighthouse” phishing platform, introduced in August 2024, uses geofencing to block visitors outside target regions, ensures only mobile devices can access the fake sites, and hides from known security tools. “The system blocks IP addresses from known hosting providers, security vendor ranges, and Tor exit nodes,” SecAlliance said.
Once a stolen card is added to a wallet, fraudsters face fewer security hurdles for purchases. They even tailor their tactics by region — provisioning 4 to 7 cards per device in the US, but up to 10 in the UK, taking advantage of differences in fraud prevention rules.
Other criminals in the network, including Chen Lun, PepsiDog, and Darcula, have added their own tools and scams, expanding into areas like brokerage account takeovers.