01 Fraud Signals: Global Intelligence Overview

The Threat Hunter Identity Profiling Service covers 179 countries worldwide, monitoring over 160 million mobile phone numbers exploited by fraudster networks for SMS verification code receiving. It empowers more than 200 clients to strengthen their security capabilities and reduce fraud risks.

Between November 1 and November 30, 2025, the Threat Hunter team captured more than 3.63 million active malicious mobile phone numbers linked to fraudster networks through malicious tools, trading markets, and other illicit services. Of these, over 3.26 million were newly observed, representing 89.81% of the total. The primary illicit channel during this period was SMS verification code receiving platforms. The majority of malicious mobile phone numbers originated from Mainland China and the United States, while the sectors most affected were Social Media sector, E-commerce and Retail sector, Entertainment sector, Financial sector.

Malicious mobile phone numbers refer to numbers exploited by fraudster networks to attack enterprises for illegal profit. They are mainly categorized into two types:

• Traditional SMS verification code receiving numbers: SIM cards are controlled by fraudster networks and inserted into special devices to send and receive SMS verification codes.

• Hijacked SMS verification code receiving numbers: SIM cards are inserted into devices owned by ordinary users, where backdoors allow SMS verification codes to be intercepted and abused by fraudster networks.

02 Fraud Metrics: Volume and Regional Trends

The Threat Hunter team monitors over 20,000 open‑source intelligence channels and 500,000 tools connected to fraudster networks. Our system automatically identifies and tracks the channels most frequently exploited, building an extensive database of high‑risk mobile numbers and fraud-related activities. This includes mobile phone number information used by fraudster networks, attack campaign details, and other intelligence collected from diverse sources.

During the reporting period from November 1 to November 30, 2025, the Threat Hunter team recorded the following key findings:

• Active Malicious Mobile Numbers Identified: 36,356,483

• Newly Observed Malicious Mobile Numbers: 3,268,028

• Geographic Origin of Malicious Numbers: Mainland China, The United States, Turkey

• Sectors with Concentrated Malicious Mobile Numbers: Social Media sector, E-commerce and Retail sector, Entertainment sector, Financial sector

03 Fraud Trends: Malicious Mobile Phone Number Resources

3.1 Supply Trends of Malicious Mobile Phone Numbers in Fraudster Networks

3.1.1 External enforcement measures reduce supply growth

Fraudster networks remain highly active in their use of malicious mobile numbers. However, due to external enforcement measures on SMS verification code receiving platforms, the month‑on‑month growth rate of newly added malicious mobile numbers compared with October dropped by 48.82%.

3.1.2 Mainland China: Slowing growth of hijacked numbers but new channels emerging

Research by the Threat Hunter team shows that external enforcement measures on SMS verification platforms have reduced the growth scale of SMS verification‑hijacked mobile numbers in Mainland China. SMS verification‑hijacked mobile numbers remain the most frequently used type of mobile number by fraudster networks. Some platforms supplying illicit resources for these hijacked mobile numbers remained highly active, and new channels for hijacked numbers are continuously emerging.

3.2 New Sources of Traditional SMS Verification Numbers

3.2.1 The United States as the primary source

Since SMS verification‑hijacked mobile numbers are a unique SMS verification‑receiving method in Mainland China, the following data applies only to traditional SMS verification‑received mobile numbers. During November, traditional SMS verification‑received mobile number resources from The United States, Mainland China, and Turkey were extensively used by fraudster networks.

3.2.2 Landline‑related malicious materials in the United States increase

Analysis of data in the United States reveals that the number of newly added landline‑type malicious mobile numbers increased significantly in November, with a month‑on‑month growth of 23.54% compared with October. Comparing data from June to November shows that although there were clear signs of a temporary shift toward wireless numbers in September and October, landline‑type numbers surged in November, exceeding wireless numbers by 188.44%. This indicates that the previously observed trend of malicious numbers shifting to wireless types was temporary, and landlines remain the primary type of malicious mobile number used by fraudster networks. The Threat Hunter team will continue to track the dynamic evolution of fraudster networks.

3.3 Industry Distribution Analysis of Malicious Mobile Numbers

3.3.1 Underground industries: Social media remains dominant

After analyzing the industry distribution data of malicious mobile numbers used by fraudster networks, the characteristic of significant industry concentration is prominent. The social media sector ranks first with a 27% share; the e‑commerce and retail sector accounts for 17%, ranking second; the entertainment sector and the financial sector each account for 13%, tying for third place.

A notable highlight in November is that the software services sector (including email services, search engines, and similar platforms) entered the top four industry distribution categories of malicious mobile numbers for the first time. Within this sector, email services have become a key target for fraudster networks. Malicious mobile numbers are used for bulk registration of accounts, and when risk control verification is triggered, fraudster networks often bypass the system by receiving verification codes through these malicious numbers, enabling continued account creation and subsequent attack activities. The Threat Hunter team will continue to closely monitor usage trends and potential attack risks in this sector.

• Software services refer to service‑oriented businesses driven by technology as the core, providing non‑physical products such as software R&D, information retrieval, technical support, digital tools, and professional technical solutions for enterprises or individuals. They do not directly produce hardware or sell commodities, and their core value lies in technology output and digital capability empowerment, such as email services and browser search engines.

04 Fraud Risk: Prevention Recommendations

If enterprises allow fraudster networks to register fake accounts using malicious mobile numbers, these networks can exploit them to launch marketing fraud attacks, generate invalid data, disrupt operations, and drain marketing funds. The platform ecosystem deteriorates as fake accounts proliferate, impairing content quality and driving user attrition. Fake accounts are also used for fraud and phishing, posing serious threats to user privacy and property. Enterprises may face fines, lawsuits, or regulatory actions for violating data protection and anti‑fraud regulations.

Malicious resources linked to fraudster networks are constantly updated, making them difficult to identify and increasing the challenge of monitoring and prevention. In response, the Threat Hunter team has launched the Mobile Number Profiling Service to help enterprises identify and pre‑block malicious numbers, shifting from passive defense to active prevention.