Cybercriminals are ramping up their game, and your text messages aren’t safe anymore. A massive smishing campaign has emerged, targeting a staggering 169 entities across 88 countries worldwide. The culprits? A Chinese-speaking hacking collective known as the XinXin group, or Black Technology. They’re behind Lucid, a sophisticated phishing-as-a-service platform that’s turning heads in the cybersecurity world. Not in a good way.
The numbers are alarming. Smishing accounted for 39% of all mobile phishing threats globally in 2024. Three out of four organizations reported being hit by these attacks last year. Growth? Try 150% yearly between 2019 and 2022. That’s not growth, that’s an explosion.
Smishing isn’t just growing—it’s detonating across the digital landscape, swallowing nearly 40% of mobile threats in its path.
These aren’t your garden-variety scam texts. They’re convincing impersonations of postal services, courier companies, and government agencies. Royal Mail in the UK. Poste Italiane. New Zealand Post. USPS. FedEx. They’re all being mimicked with frightening accuracy. The scammers particularly love delivery services – CJ Logistics impersonations made up 45.4% of attacks in some regions. Clever. Everyone’s expecting a package these days.
Their methods are slick. Using iMessage and RCS for Android, they bypass traditional SMS detection. They’ve got device farms and mobile emulators sending thousands of messages. They rotate domains to avoid getting caught. They even use deepfake audio to seem more legitimate. One particularly dangerous tactic involves tricking users into disabling security features in their message settings, which makes malicious links from unknown senders clickable. Seriously, who even stands a chance?
The impact hits hard, especially in Europe, where 80% of smishing campaigns target EU citizens. Recent research shows cybercriminals are increasingly utilizing sophisticated Chinese phishing kits for their operations. Australia reported a mind-boggling 300 million fraudulent SMS messages tied to smishing arrests in 2024. In the US, tax-related smishing scams cost victims an average of $8,199 each in 2024. Nearly half of UK adults got fake delivery texts during last year’s holiday season. Ouch.
Behind it all is LARVA-242, the codename for Lucid’s developer. This isn’t amateur hour. It’s organized crime with subscription services, automation tools, and real-time monitoring of victim interactions. They’re harvesting credit card details and personal information with industrial efficiency.
What’s most disturbing? The complexity. The planning. The scale. These aren’t random hackers in basements. They’re businesses. Profitable ones. And your text messages are their goldmine.