
Escalation in Mobile Number Abuse: Bi-weekly Global Identity Intelligence Briefing (July 16th to 31st, 2025)

Threat Hunter’s latest cycle reveals a sharp escalation in mobile number fraud, with 1.6M+ active malicious numbers — 1M+ newly added. Underground OTP channels rebounded, fueling attacks on infrastructure, social, and e-commerce platforms. As fraud operations grow more coordinated and evasive, our report calls for intelligence-driven, preemptive defense to outpace evolving threats.

01 Threat Hunter Identity Intelligence: Fortifying Global Anti-Fraud Capabilities


The Threat Hunter Identity Intelligence solution spans 178 countries, actively monitoring over 100 million illicit mobile phone numbers linked to underground fraud activities. Our platform empowers more than 200 clients to enhance their business security posture, significantly reducing exposure to fraud.


Between July 16 and July 31, 2025, the Threat Hunter team identified over 1.61 million active illicit mobile phone numbers through underground tools, malicious number trading platforms, and related fraudulent services. Of these, more than 1 million were newly observed, accounting for 62.41% of the total. The dominant attack vector during this period was SMS verification platforms, with the majority of malicious numbers originating from the United States and Canada. E-commerce remains the industry most targeted by these attacks.



02 Dynamic Threat Landscape: Indicators & Anomalies (July 16 – July 31, 2025)


The Threat Hunter team continuously monitors over 20,000 open-source intelligence channels and 500,000 underground industry tools. By analyzing resource acquisition methods used by underground actors, our system proactively identifies emerging attack channels. Leveraging advanced real-time monitoring algorithms, we track malicious infrastructure across the internet, autonomously identifying high-frequency fraud vectors. This intelligence feeds into a continuously enriched database of high-risk mobile numbers and associated attack activities. The repository includes detailed insights into underground mobile number usage, targeted attack campaigns, and operational methodologies—enabling clients to respond with precision and confidence.


During the reporting period of July 16 to July 31, 2025, the Threat Hunter Team observed the following critical indicators:

  • Active Malicious Mobile Numbers Identified: 1,615,324

  • Newly Observed Malicious Mobile Numbers: 1,008,221 (representing 62.4% of active numbers)

  • Geographic Origin of Malicious Numbers: Predominantly US/Canada, followed by Indonesia, the Philippines, Malaysia, and Japan

  • Most Targeted Sectors: E-commerce industry, internet infrastructure services, and short-form video social platforms



03 Malicious Activity Trends: Dissecting Underground Industry Modus Operandi


3.1 Recovery of OTP Channels Drives Surge in Malicious Number Onboarding

Underground actors continue to actively leverage illicit mobile phone numbers for attack operations. During this reporting period, newly observed malicious mobile numbers increased by 19.87% month-over-month. The upward trend reflects the recovery of OTP receiving platforms from prior infrastructure anomalies observed in the previous cycle. However, compared to earlier periods, these adversary-operated channels now exhibit significantly heightened risk control measures, indicating a shift in operational resilience and defensive adaptation within the underground ecosystem.



3.2 OTP Receiving Platforms: Primary Channel for Malicious Number Provisioning

During this reporting period, OTP receiving platforms remained the dominant conduit for malicious mobile number onboarding. Notably, the “Link Code Receiving” channel—an essential source of fraudulent SIM provisioning—has resumed normal supply operations following prior disruptions. This recovery reinforces the central role of OTP platforms in sustaining underground activities and highlights their operational resilience within the broader illicit ecosystem.


3.3 Geographic Hotspots: US/Canada Remain Primary Source of Malicious Numbers

During this reporting period, the United States and Canada continued to serve as dominant hubs for underground activity, consistently contributing a high volume of newly observed malicious mobile numbers. Malaysia and the Philippines also remained active regions, while Indonesia exhibited a notable surge in high-risk mobile number activity. Following volatility in previous cycles, underground OTP channels have significantly intensified their risk control measures. Leveraging advanced technical capabilities and extensive counter-fraud expertise, the Threat Hunter team successfully bypassed these enhanced defenses, maintaining continuous surveillance over adversary-held malicious resources.


3.4 Sector-Specific Targeting: Social Media and E-commerce Remain High-Value Targets

Analysis of captured intelligence during this reporting period reveals concentrated underground activity targeting the e-commerce industry, internet infrastructure service providers, and short-form video social platforms. These sectors continue to be high-value targets for adversaries due to their extensive user bases and exploitable digital ecosystems.


04 Malicious Mobile Number Abuse: Strategic Risk and Proactive Defense Recommendations


Allowing the underground industry to exploit malicious mobile numbers for fake account registration can trigger a cascade of severe consequences across multiple dimensions. These illicit accounts are frequently weaponized for marketing fraud, generating invalid data that disrupts normal business operations and directly depletes marketing budgets. The resulting damage includes:


  • Reputational Harm: Platform credibility suffers, leading to advertiser withdrawal and indirect financial losses.

  • Ecosystem Degradation: The proliferation of fake accounts undermines content quality and user experience, accelerating legitimate user churn.

  • User Security Threats: Fraud and phishing attacks launched via these accounts pose serious risks to user assets and personal data.

  • Regulatory Exposure: Non-compliance with data protection and anti-fraud regulations may result in fines, lawsuits, and mandated corrective actions.


Compounding the issue is the underground industry's continuous evolution of tactics and resources, which significantly increases the difficulty of detection and mitigation. To effectively counter this threat, vendors must shift from passive prevention to active defense—grounded in intelligence-driven insights.


Threat Hunter’s Phone Number Identity Intelligence Service offers a robust solution to this challenge. Powered by a comprehensive multi-channel monitoring system, it provides deep visibility into underground industry operations and the behavioral characteristics of malicious mobile numbers. Our system has successfully identified numbers actively used by threat actors, tagging them with the “SIM Pool Card” risk label and assigning a high-risk rating of “Risk 9.”


We strongly advise clients to develop precision-targeted risk control rules tailored to their specific business scenarios. By integrating intelligence markers—such as the “SIM Pool Card” designation—into existing fraud detection frameworks, platforms can intercept malicious numbers at the point of entry. This proactive strategy neutralizes threats before they materialize, safeguarding platform integrity, user trust, and operational resilience.
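The following sketch shows one way to apply such a rule at registration. It is an added example, not Threat Hunter's code or API: the feed layout, the `to_e164` and `signup_decision` names, the step-up threshold and the "Unverified VoIP" label are assumptions, and the sample numbers are constructed.

```python
import re

# Constructed sample feed: E.164 number -> (label, risk rating).
# The record layout is an assumption; "SIM Pool Card" and rating 9 mirror the briefing.
SAMPLE_FEED = {
    "+14155550101": ("SIM Pool Card", 9),
    "+6281255501234": ("SIM Pool Card", 9),
    "+16045550177": ("Unverified VoIP", 5),  # hypothetical lower-risk label
}
BLOCK_LABELS = {"SIM Pool Card"}
BLOCK_RISK = 9     # rating the briefing assigns to SIM pool numbers
STEP_UP_RISK = 5   # assumed threshold for extra verification


def to_e164(raw, country_code):
    """Normalize user input so formatting variants cannot dodge the lookup.

    Simplified: handles '+', '00' and national formats with a trunk '0'.
    A production system would use a full numbering-plan library.
    """
    s = raw.strip()
    digits = re.sub(r"\D", "", s)
    if s.startswith("+"):
        pass                                        # already international
    elif digits.startswith("00"):
        digits = digits[2:]                         # international dialing prefix
    else:
        digits = country_code + digits.lstrip("0")  # national format
    if not 8 <= len(digits) <= 15:
        raise ValueError("not a plausible phone number")
    return "+" + digits


def signup_decision(raw, country_code, feed=SAMPLE_FEED):
    """Return 'block', 'step_up', 'allow' or 'reject_invalid' for a signup."""
    try:
        number = to_e164(raw, country_code)
    except ValueError:
        return "reject_invalid"
    label, risk = feed.get(number, (None, 0))
    if label in BLOCK_LABELS or risk >= BLOCK_RISK:
        return "block"      # intercept at the point of entry
    if risk >= STEP_UP_RISK:
        return "step_up"    # e.g. require additional verification
    return "allow"
```

Normalizing before the lookup matters because the same flagged number can be submitted in national, `00`-prefixed or `+`-prefixed form.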


