Real-time Risk Intelligence on Mobile Access Fraud: Bi-Weekly Global Identity Intelligence Briefing (May 16th to 30th 2025)
Over 990,000 malicious mobile numbers activated in just 2 weeks—primarily from the U.S./Canada—via OTP platforms targeting social, video, and e-commerce apps.
Executive Summary
Threat Hunter's Identity Intelligence solution provides global coverage across 200+ countries, currently maintaining an active inventory of 20.87 million high-risk mobile numbers within our dynamic threat repository. This critical intelligence empowers over 200 client enterprises to significantly enhance their security posture and mitigate evolving fraud risks.
During the reporting period of May 16-30, 2025, the Threat Hunter team successfully ingested over 990,000 unique malicious mobile numbers from diverse underground industry (UI) sources, including illicit access tools, compromised mobile number trading markets, and associated dark services. Notably, 480,000 (48.92%) of these represented net-new detections, indicating significant churn and expansion within UI-controlled infrastructure.
Our analysis identifies OTP marketplace platforms as the predominant illicit channel for mobile number acquisition. The primary geographic origin of these malicious mobile numbers remains US/Canada, with social media platforms being the most highly concentrated target industry for attacks leveraging these compromised credentials.
Data Overview: Key Indicators & Intelligence Collection
The Threat Hunter intelligence team rigorously monitors over 20,000 open-source intelligence (OSINT) channels within the underground industry (UI) ecosystem, tracking more than 500,000 UI tools. By deconstructing UI resource acquisition methodologies, we gain real-time visibility into emerging illicit channels.
Our advanced real-time monitoring algorithms continuously crawl and analyze UI-utilized platforms to identify new service offerings. This proactive intelligence gathering has enabled the construction of an expansive database on high-risk mobile numbers and associated attack campaigns, encompassing comprehensive UI mobile number telemetry and project-specific attack details across various risk scenarios.
Key findings from May 16-30, 2025 intelligence operations include:
Total Malicious Mobile Numbers Captured: 996,141 instances.
Unique First-Time Detections: 487,368 instances.
Top Geo-Origins of Malicious Mobile Numbers: US/Canada, Philippines, Hong Kong (China), Indonesia, Vietnam, and others.
Concentrated Attack Industries: Social Media, Communications (Telecom), Short Video Platforms, and Internet Basic Services.
Adversary Landscape Update: Evolving Mobile Access Fraud & Geographic Shifts
Persistent Threat Actor Activity: Stable Influx of Malicious Mobile Numbers
During the current reporting period, we observe a stable trend in the influx of newly identified malicious mobile numbers, indicating sustained activity within the underground industry (UI) ecosystem for acquiring and leveraging these critical fraud resources.

Evolving Acquisition Vectors: OTP Marketplaces and Covert API Integration
The primary source of newly introduced malicious mobile numbers is consistently OTP marketplace platforms, which account for 85.55% of recent additions.
A significant 14.32% of new numbers are now provisioned via API-based receivers. Critically, the underground industry (UI) has adopted a novel "link code receiving" mechanism, characterized by an exclusive "one number, one project, one link" protocol.
In this method, UI users are assigned a dedicated malicious mobile number for a specific attack project, receiving OTP SMS via a unique, project-specific link. Each number is strictly dedicated to a single attack project, and each link exclusively displays the corresponding OTP. This API-based approach offers enhanced privacy compared to traditional methods, constituting a new and challenging security threat.

Geographic Source Trends: US/Canada Dominance and Regulatory Impact
Underground industry (UI) activity remains concentrated and highly active in key regions including US/Canada, Hong Kong, and Indonesia. While US/Canada has historically contributed a high volume of new malicious mobile numbers, our current analysis indicates a downward trend in new number proliferation from this origin.
This observed anomaly is directly attributed to recent targeted regulatory interventions against "Haowang", a prominent payment processing syndicate dominating the black and gray industry.
The ensuing operational disruptions, as threat actors prioritize fund exfiltration and the establishment of new illicit financial conduits, have resulted in a quantifiable reduction in related malicious mobile number transactions and their overall market circulation.

Targeted Industry Exploitation: Focus on Social & Communications Sectors
Analysis of captured data confirms a concentrated shift in UI attack vectors during this cycle. The underground industry is primarily focusing its malicious campaigns on the social media industry, short video entertainment platforms, and the communications sector.

Malicious Mobile Number Abuse: Systemic Risks and Proactive Defense Strategies
Unmitigated malicious mobile number abuse, particularly allowing underground industry (UI) entities to provision synthetic accounts, leads to severe, multi-faceted consequences. Threat actors exploit these fraudulent accounts for widespread marketing fraud, data poisoning, and operational interference, directly depleting marketing budgets and inflicting significant reputational damage. This often results in indirect financial losses, including advertiser withdrawal. Furthermore, the proliferation of synthetic accounts degrades platform ecosystem integrity, compromises content quality, and ultimately drives user churn.
Beyond internal platform damage, UI-registered synthetic accounts are frequently weaponized for external fraud and sophisticated phishing campaigns, posing a critical threat to user asset security and privacy. Platforms failing to address this vulnerability face escalating regulatory fines, litigation, and mandatory rectification for non-compliance with data protection and anti-fraud regulations.
The dynamic and adaptive nature of UI-sourced resources and methodologies presents a formidable challenge to traditional detection paradigms.
To counter the pervasive misuse of malicious mobile numbers by the UI, organizations must transition from passive prevention to proactive defense. This requires real-time understanding of UI attack processes and granular details, underpinned by comprehensive, multi-channel intelligence monitoring of malicious mobile number data across the entire digital landscape.
Threat Hunter's Identity Intelligence solution provides this crucial capability. Leveraging a comprehensive intelligence monitoring framework, we actively cover UI channels and profile the intrinsic characteristics of malicious mobile numbers. Numbers identified as originating from UI operations are precisely tagged with a "modem pool card" risk label and assigned a risk level of 9.
Threat Hunter strongly recommends that clients establish highly granular risk control rules tailored to their specific business scenarios. Implementing pre-emptive interception and blocking mechanisms for any transaction or user activity associated with "modem pool card"-labeled numbers is advised to disrupt UI attack chains before malicious actions can be executed.
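A sketch of the scenario-specific rules recommended above, as an added example that is not Threat Hunter's code or API. The record shape, the scenario names and their actions are assumptions, and the sample numbers are constructed.

```python
import re
from typing import NamedTuple, Optional

UI_LABEL = "modem pool card"   # risk label named in the briefing
UI_RISK_LEVEL = 9              # risk level the briefing assigns to that label

# Constructed intelligence records keyed by normalized number; the
# {"label", "risk_level"} shape is an assumption, not a vendor schema.
SAMPLE_INTEL = {
    "+12025550143": {"label": UI_LABEL, "risk_level": 9},
    "+14165550119": {"label": UI_LABEL, "risk_level": 9},
}

# Hypothetical per-scenario actions for a number carrying the UI label.
SCENARIO_POLICY = {
    "registration": "block",            # stop synthetic account creation
    "promo_claim": "block",             # protect marketing budget
    "login": "step_up",                 # challenge instead of locking out
    "password_reset": "manual_review",
}

class Decision(NamedTuple):
    action: str
    reason: str

def normalize_number(raw: str, default_cc: str = "1") -> Optional[str]:
    """Reduce user-entered formats to one +digits key so formatting cannot dodge the lookup."""
    text = raw.strip()
    digits = re.sub(r"\D", "", text)
    if text.startswith("+"):
        pass                                      # already international
    elif digits.startswith("00"):
        digits = digits[2:]                       # 00 international prefix
    else:
        digits = default_cc + digits.lstrip("0")  # national format (simplified)
    return "+" + digits if 8 <= len(digits) <= 15 else None

def evaluate(raw_number: str, scenario: str, intel=SAMPLE_INTEL) -> Decision:
    number = normalize_number(raw_number)
    if number is None:
        return Decision("reject", "unparseable number")
    record = intel.get(number)
    if record is None:
        return Decision("allow", "no intelligence hit")
    if record["label"] == UI_LABEL and record["risk_level"] >= UI_RISK_LEVEL:
        # Scenarios without an explicit rule fail closed.
        action = SCENARIO_POLICY.get(scenario, "block")
        return Decision(action, f"{UI_LABEL} / level {record['risk_level']}")
    return Decision("allow", "hit below blocking threshold")
```

Normalizing before the lookup matters because the same number can reach a registration form in several formats; matching on the raw string would let a labeled number through.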

