National Cyber Warfare Foundation (NCWF)

SMS Pools and what the US Secret Service Really Found Around New York
0 user ratings		2025-09-29 08:53:53
milo
Blue Team (CND)

 Last week the United Nations General Assembly kicked off in New York City.  On the first day, a strange US Secret Service press conference revealed that they had seized 300 SIM Servers with 100,000 SIM cards. Various media outlets jumped on the idea that this was some state-sponsored sleeper cell waiting to destroy telecommunication services around New York.  Like me, you may have immediately wondered why some of the photos showed sophisticated racks of servers on shelves while others showed a hodge podge of devices strewn about the bare floor of an otherwise empty apartment. 












photos extracted from USSS reporting

SIM Pools on Telegram 


Beginning in late 2024, every cell phone in the USA started getting hit hard with annoying messages claiming to be informing us of undelivered packages. In early 2025, this morphed into the famous "Toll Road" phishing messages which started off with messages supposedly about unpaid tolls in Massachusetts Easy Pass and now imitate every toll road system in America. Because the goals of these SMishing messages were to load credit cards onto phones and use them to steal money, DarkTower spent quite a bit of time studying the infrastructure, which is primarily advertised and sold in Telegram channels that we call "Chinese Guarantee Syndicates." I've conducted several briefings about these systems, and have mentioned previously in this blog how they sell SMS-blasting telecom equipment (See: Chinese SMS Spammers Go Mobile ).


The devices found around the NYC tri-state area are a slightly different application of SMS-blasting.


The most famous of the Chinese Guarantee Syndicates, Haowang Guarantee, is part of the US-sanctioned Huione Pay, "The Largest Illicit Online Marketplace" according to Elliptic and WIRED. Haowang has shifted their business to Tudou Danbao, but their vendors continue to offer SMS Modem Pools and associated hardware and software as part of their Crime-as-a-Service empire.  Here's an ad for one such vendor (with its translation):






Let's look at the Telegram channel of Annie, a China-based seller of SMS equipment.  (In Chinese, these are called "Cat Pools" -- I'll explain why at the bottom of this article.)  Most of the posts I'll show are from Chinese-language Telegram channels, so I'll include an English translation.












@Annie068a operates a channel dedicated to selling SMS Gateway equipment











Annie offers SMS Modem Pools in a variety of sizes

SMS Modem Pools have a variety of configurations.  The most basic has 8 modem ports with slots for one SIM card each. On the opposite end of the scale, is a 64 port modem with capacity for 512 SIM cards. (Many of those found by the USSS seem to be 32-port modems with 256 SIM cards.) When there are more SIM cards than modem ports message sending rotates between SIM cards. 



What does Annie suggest you might use your SMS Pool for?  Mostly "Marketing."




The concept, as Annie explains, is that you can route messages from anywhere in the world and have them sent from an SMS pool sitting in the United States and being sent from a US-based SIM, thus having a US telephone number displayed in the caller id.



SMS Pools for Fraud and Phishing


Other Telegram channels are more blatant with suggesting the type of "Marketing" that one might do with the ability to send Bulk SMS messages to other countries.  The Telegram channel "Mini Bulk SMS" provides examples, such as imitating the Irish bank AIB to send phishing emails, or imitating BMF in Austria, Binance in Italy, or doing an Apple refund scam in the US. In SouthEast Asia a major use of Bulk SMS is advertising to gamblers. 



An English-speaking Bulk SMS provider, KathyBulkSMS, also is quite blatant about the criminal nature of the messages she suggests.  Her service also has the ability to send using "Short Message Code" caller IDs. She particularly recommends imitating Coinbase if spamming in the US and says that her recent campaign, sending 170,000 such messages via Verizon, AT&T, and T-Mobile, was "very effective."





Kathy gives other examples, such as imitating Binance and National Australia Bank for the Australian market, but her channel has suggestions for many countries, including Netflix and Crypto campaigns for:  🇬🇷Greece 🇵🇹Portugal 🇦🇹Austria 🇮🇪Ireland 🇯🇵Japan 🇸🇰Slovakia 🇰🇷South Korea and 🇪🇸Spain.
 




Cheap SMS Modem Pools and Cheaper SIMs


Not to bust the "Nation-state" theories too hard, but this gear is ridiculously cheap. You can buy most of it used on places like eBay, but the various business-to-business services like "Made In China" have great prices.  Here are a couple examples: a 16-modem 512 SIM-slot 4G SMS Gateway is $1,000.  A 64-modem 512 SIM-slot 4G/3G/2G offering send and receive SMS can range from $2,400 to $4,000 depending on the configuration and software included.





But what about the SIM cards? Don't worry, there are many Facebook groups, and many more Telegram channels that will hook you up. The Telegram user @Zoom557 posts to many Facebook groups using the new criminal-friendly "Anonymous Poster" service. On Telegram he is excited about the new $5 SIM cards offered 





BaronLiu also uses Facebook to push his Telegram SIM card offerings. 




Here are a few of the Facebook groups (all in Chinese) that specialize in SIM card selling. Notice the sizes: 2500 members, 3600 members, 6400 members, and 8700 members. Most of these groups also offer mass account creation and social media spamming services. 





One Telegram vendor of SIM cards was proud to be supplying a variety of US SIM cards.





The same vendor shared the photo below.  This isn't USSS in New York.  This is a deployment in Thailand using a SIM pool to provide Thai-WhatsApp numbers to customers around the world. 














Do eSIMs change the game? Durov has you covered: 


Never one to shy away from offering anonymized criminal services to the masses, Pavel Durov has announced that you can now buy world-wide eSIMs from a special app inside Telegram called @Mobile. After choosing your region and country, you choose the eSim you want, and then can purchase it paying with Pavel's built-in cryptocurrency, TON, or a credit card if you want to be easily traced by law enforcement.





What about those SMS Cats? 


One of the earliest "famous" SMS-phishers who was doing Toll Road phishing was "Darcula." When Darcula's server was unavailable in the summer of 2024, he recommended people use the server "magic-cat.world" to upgrade their software.  Darcula also used a cat as his Telegram profile image.







Darcula was well-and-truly doxed by the excellent researchers at Mnemonic.io -- Erlend Leiknes and Harrison Sand.  I've spoken to them both and they did a great job tearing apart Darcula's code and mapping out the credit card theft associated with it!  



While Darcula was certainly a major player, "Little Gray Cat" was my favorite SMisher at the beginning of our work.  He loved to show off his "Machine Room" full of iPhones all sending automated (and end-to-end encrypted) Toll Road and Package non-Delivery phish.




It wasn't until recently I realized the story of why our SMS phishers have so many "Cat-named" things has to do with the slang for the word "modem." The Chinese term for modem is 调制解调器 (tiáo zhì jiě tiáo qì). Because that's quite a mouthful, young techies began to refer to their modem simply as 猫 (māo).  Here are some of the "Cat" terms I've learned in this research:




A "Cat Card" is a SIM card.  This is the term to search on Chinese Telegram to find people selling SIM cards and related services. 



An "SMS Cat" is device hosting an SMS number either for "marketing/phishing" or for "verification farming." (Verification Farming uses the destination-country SMS number to receive authentication codes. Group-IB's excellent "SMS Pumping" article mentions that "In late 2022, Elon Musk revealed that Twitter was losing around $60 million per year due to SMS pumping fraud. The activity was attributed to 390 telecom operators that allowed bot accounts to exploit Twitter’s two-factor authentication (2FA) system, generating fake SMS traffic to inflate their own revenue.")


A "Cat Control Platform" is the software, hosted on Windows or Linux, that connects to the 



A "Cat Number" is a virtual number ... it may be in an SMS Pool, but it might also be a Google Voice number or other virtual number. 


A "Cat Pool" as we've already discussed, is an SMS Modem Pool.


The post SMS Pools and what the US Secret Service Really Found Around New York appeared first on Security Boulevard.



Gary Warner

Source: Security Boulevard
Source Link: https://securityboulevard.com/2025/09/sms-pools-and-what-the-us-secret-service-really-found-around-new-york/

Comments
new comment
Nobody has commented yet. Will you be the first?
  
Forum
Blue Team (CND)


Copyright 2012 through 2025 - National Cyber Warfare Foundation - All rights reserved worldwide.