Contents
Introduction: SMS OTP as a Fundamental Attack Vector
Traditional Many-to-Many SMS Code Receiving Platforms: Architecture & Vulnerabilities
Underground Industry's Private Domain SMS OTP Acquisition: The Evolution to Group Code Receiving
Advanced Obfuscation: Deconstructing the Link Code Receiving Paradigm
Scaling & Proliferation of Link Code Receiving
Defense Strategy Recommendations: Mitigating Evolving Mobile Access Fraud
01 Introduction: SMS OTP as a Fundamental Attack Vector
Malicious mobile numbers constitute a foundational resource for the underground industry (UI) in orchestrating cyber-crimes. By acquiring and operationalizing these numbers in bulk, the UI facilitates mass synthetic account registration and verification, enabling a spectrum of illicit activities on online platforms. These activities span marketing fraud, digital ecosystem disruption, and direct financial exploitation. Within this operational framework, the reception of SMS verification codes (herein referred to as "code receiving") is a critical enabler for the UI's malicious endeavors.
The Threat Hunter Team has continuously tracked the evolutionary pattern of UI code-receiving methodologies. Our analysis reveals a progression from traditional many-to-many code-receiving platforms to decentralized many-to-one "group code receiving," culminating in the emerging one-to-one "link code receiving" model. This latest iteration significantly enhances operational privacy compared to conventional methods, presenting a novel and escalating security threat.
This report will provide an in-depth analysis of the link code receiving model's operational mechanics, technical characteristics, and projected development trends. Through real-world case studies, data indicator analysis, and malicious scenario profiling, we aim to expose its potential cyber security implications and furnish targeted countermeasures for enterprise business security teams.
02 Traditional Many-to-Many SMS Code Receiving Platforms: Architecture & Vulnerabilities

The traditional code-receiving platform represents the foundational and still prevalent modus operandi for SMS verification code acquisition within the underground industry (UI). This architecture centralizes number allocation, verification code delivery, and commission distribution. Key roles within this ecosystem include:
The Platform Owner: functioning as the administrator and transaction intermediary, deriving commissions;
The Card Dealer: serving as the malicious mobile number provider, uploading numbers and corresponding SMS OTPs for commission upon successful malicious activity completion;
The User: funding and executing code-receiving-dependent illicit operations.

However, the evolution of the UI code-receiving ecosystem has exposed inherent limitations in privacy and availability within this traditional many-to-many model: unrestricted access to malicious mobile number telemetry by any platform user while a number is not in active use; the ability for users to arbitrarily screen and select malicious mobile numbers, thereby reducing revenue for card dealers; preferential selection of "high-quality," newly provisioned malicious mobile numbers by users for illicit purposes; and resource contention within the shared number pool, leading to number reuse conflicts or invalidations.

Furthermore, accounts linked to these malicious mobile numbers are susceptible to malicious interception by other UI users, introducing risks of data leakage or loss of criminal gains (e.g., synthetic accounts, exfiltrated data).
The centralized nature of code-receiving platforms, requiring user account registration, introduces a significant privacy and security risk for UI participants, who fear implicating themselves in potential law enforcement investigations. These systemic vulnerabilities have driven card dealers and users to seek more efficient and secure code-receiving methodologies. This catalyzed the emergence of decentralized private domain transactions, exemplified by the "group code receiving" model, representing a "one-to-many" approach to UI code-receiving services.
03 Underground Industry's Private Domain SMS OTP Acquisition: The Evolution to Group Code Receiving
The "Group Code Receiving" methodology represents a pivotal shift towards a decentralized, private domain model for SMS verification code acquisition within the underground industry (UI). This "one-to-many" paradigm, where a single card dealer services multiple users, was primarily developed to circumvent the commission overheads and inherent privacy risks associated with traditional, centralized code-receiving platforms. This model facilitates direct, private channel transactions between card dealers and UI users for malicious mobile numbers and their corresponding OTPs, fostering the development of increasingly efficient bespoke tools.
Initially, card dealers utilized conventional social tools and web-based message boards to execute code-receiving services, often by posting SMS content and obfuscated malicious mobile numbers within private groups or ephemeral web pages. This iterative process has culminated in the emergence of sophisticated "code transfer tools" that provide these services via dedicated web-based transcoding. The fundamental appeal of Group Code Receiving stems from its significantly enhanced operational security (OPSEC) and obfuscation capabilities, directly addressing critical vulnerabilities inherent in traditional platforms. Key advantages include:
Actor Anonymity & OPSEC Enhancement: Neither the card dealer nor the malicious user is compelled to expose their identity or sensitive operational metadata during the OTP acquisition process, drastically minimizing their digital footprint and attribution vectors.
Reduced Forensic Traceability via Minimalist Tooling: The underlying service tools are designed with a lean, simple forwarding mechanism. This minimalist architecture inherently constrains the data accessible to investigators, making it exceptionally challenging to trace UI actors via the code-receiving interface itself.
Controlled Access & Resource Exclusivity: Access to these code-receiving services is stringently restricted. Utilization is contingent upon possessing specific, pre-determined code-receiving addresses and the complete target mobile number, enforcing a selective access layer that limits broad exposure and potential compromise of the resource.

Despite these advancements in privacy and usability, the iterative refinement of private domain transactions and transcoding tools eventually exposed inherent drawbacks within the "one-to-many" group code receiving model. This recognition spurred further innovation, leading to the proliferation of a new "one-to-one" model within the UI: the "Link Code Receiving" paradigm.

04 Advanced Obfuscation: Deconstructing the Link Code Receiving Paradigm
The "Link Code Receiving" model represents a significant evolution in the underground industry's (UI) SMS verification code acquisition, characterized by its "one-to-one" exclusive resource allocation. This mechanism enforces a "one number, one project, one link" protocol: UI users are assigned a dedicated malicious mobile number for a specific attack project, receiving OTPs via an exclusive, project-specific URL. Each malicious mobile number is strictly dedicated to a single project, and its corresponding link exclusively displays the relevant verification code. This architecture drastically enhances operational privacy and resource availability for UI actors, effectively mitigating the data leakage and OTP theft vulnerabilities inherent in traditional shared code-receiving platforms and group-based models.

Beyond its fundamental exclusivity, the current iteration of mainstream link code receiving services has undergone significant optimization in terms of usability and concealment:
Paid Resource Access & Screening Prevention: Unlike legacy code-receiving platforms that permitted free screening of malicious mobile numbers, Link Code Receiving necessitates a fee for number acquisition. This monetized access mechanism inherently prevents users from indiscriminately screening for "high-quality" malicious mobile numbers, thereby forcing utilization of provided resources.
Independent Domain Name Obfuscation for Traceability Evasion: Card dealers frequently deploy link code receiving services on domain names independent of traditional code-receiving platforms, or they syndicate these services to distributors who utilize their own distinct domains. This strategic domain diversification significantly reduces the risk of law enforcement agencies conducting centralized, associated tracking of the platform infrastructure.
05 Scaling & Proliferation of Link Code Receiving
As a cutting-edge underground industry (UI) strategy, Link Code Receiving has rapidly proliferated, propelled by its inherent exclusivity and advanced concealment features. Its adoption by black card dealers signifies its emergence as a highly efficient tool within the illicit ecosystem. This rapid expansion is evidenced by significant increases in scale, coverage, and popularity:
Accelerated Platform Proliferation: Continuous Threat Hunter intelligence tracking reveals 17 active traditional code-receiving platform domain names, alongside 7 dedicated link code receiving platforms, and a staggering 111 associated independent link domain names. Approximately 8 new independent distributor domains are identified weekly, indicative of aggressive, rapid expansion.
Massive Card Pool Expansion: Active malicious mobile numbers on a single large-scale link code receiving platform now exceed 700,000, dwarfing the capacity of traditional and group code receiving platforms.
Expanding Geographic Coverage: The geographic reach of malicious mobile numbers leveraged by link code receiving continues to broaden, with the US and Hong Kong currently serving as primary source regions.
06 Defense Strategy Recommendations: Mitigating Evolving Mobile Access Fraud
The relentless iteration of underground industry (UI) resources and methodologies for marketing fraud presents a formidable challenge to detection and prevention. To effectively counter the systemic abuse of compromised mobile numbers, organizations must transition from passive prevention to proactive defense. This mandates real-time understanding of UI attack processes and granular details, underpinned by comprehensive, multi-channel intelligence monitoring of malicious mobile number data across the entire digital landscape.
Threat Hunter provides a robust "Identity Intelligence - Mobile number" solution that leverages a comprehensive intelligence monitoring system.

This system covers critical UI channels and profiles the intrinsic characteristics of malicious mobile numbers. Numbers identified as UI-controlled are precisely tagged with a "modem pool card" risk label and assigned a critical risk level of 9. Threat Hunter strongly advises clients to establish granular, business-scenario-specific risk control rules for targeted defense. Implementing pre-emptive interception and blocking mechanisms for any transaction or user activity associated with "modem pool card"-labeled numbers is paramount to disrupting UI attack chains and preventing marketing fraud at its nascent stage.
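As an added illustration of the scenario-specific risk control rules recommended above (example code written for this page, not Threat Hunter's product or API): a small rule engine that pre-emptively blocks any number carrying the "modem pool card" label or risk level 9, applies hypothetical per-scenario thresholds, and adds a reuse-velocity check for numbers the intelligence feed has not yet labelled. The intelligence feed, phone numbers, scenario thresholds and time window are all constructed assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass

# Constructed intelligence feed. The "modem pool card" label and risk level 9
# follow the report's description; the numbers themselves are made up.
NUMBER_INTEL = {
    "+15550100001": {"label": "modem pool card", "risk": 9},
    "+85255500002": {"label": "modem pool card", "risk": 9},
    "+15550100003": {"label": None, "risk": 2},
}

# Hypothetical per-scenario policy: how much risk each business flow tolerates
# and how often one number may be used in the flow within the window.
SCENARIO_POLICY = {
    "registration": {"block_at": 9, "step_up_at": 6, "max_per_window": 1},
    "login":        {"block_at": 9, "step_up_at": 7, "max_per_window": 5},
    "payment":      {"block_at": 8, "step_up_at": 5, "max_per_window": 3},
}


@dataclass
class Event:
    scenario: str   # business flow requesting an SMS OTP
    number: str     # mobile number in E.164 form
    ts: int         # event time in seconds


class RiskEngine:
    def __init__(self, intel, policy, window=3600):
        self.intel, self.policy, self.window = intel, policy, window
        self.seen = defaultdict(list)  # (scenario, number) -> timestamps

    def decide(self, ev):
        """Return (decision, reason); decide before any OTP is sent."""
        rule = self.policy[ev.scenario]
        info = self.intel.get(ev.number, {"label": None, "risk": 0})
        # Pre-emptive interception of intelligence-labelled numbers.
        if info["label"] == "modem pool card" or info["risk"] >= rule["block_at"]:
            return "block", "intel:modem pool card"
        key = (ev.scenario, ev.number)
        recent = [t for t in self.seen[key] if ev.ts - t < self.window]
        recent.append(ev.ts)
        self.seen[key] = recent
        # Same number reused across many attempts: the bulk-registration
        # pattern of a number the feed has not caught yet.
        if len(recent) > rule["max_per_window"]:
            return "step_up", "velocity:number reuse in window"
        if info["risk"] >= rule["step_up_at"]:
            return "step_up", "intel:elevated risk"
        return "allow", "clean"
```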
Global Underground Industry Intelligence Update
The Rise of Link-Based SMS Code Receiving in Underground Markets
Threat Hunter’s latest report reveals a significant evolution in underground SMS OTP tactics: from centralized platforms to “link code receiving” – a one-to-one, highly covert method enabling large-scale synthetic registrations and fraud.