Mobile Number Fraud Surveillance: Bi-Weekly Global Identity Intelligence Briefing (July 1st to 15th 2025)

Between July 1 and 15, 2025, Threat Hunter identified 1.46M+ active malicious mobile numbers. Fraudsters exploited OTP platforms to infiltrate social, e-commerce, and video ecosystems, draining user incentives and compromising data integrity. Our report urges a shift to proactive risk control to protect against evolving mobile abuse threats.

01 Threat Hunter Identity Intelligence: Fortifying Global Anti-Fraud Capabilities


The Threat Hunter Identity Intelligence solution provides a comprehensive intelligence framework spanning 178 countries, actively monitoring over 100 million illicit mobile phone numbers associated with global underground activities. Our platform empowers over 200 clients with enhanced security capabilities, significantly mitigating fraud exposure and enabling robust risk management.



02 Dynamic Threat Landscape: Key Indicators & Anomalies (July 1st – July 15, 2025)


Our intelligence-driven approach leverages real-time monitoring of over 20,000 open-source intelligence channels and 500,000 underground industry tools. This extensive reach allows for proactive detection and analysis of emerging malicious channels. Through advanced algorithmic deployment, our system autonomously identifies and tracks high-frequency channels, continuously enriching a robust database of high-risk mobile numbers and associated attack vectors. This repository includes granular data on underground mobile number utilization, project-specific attack methodologies, and more.

During the reporting period of July 1st to July 15th, 2025, the Threat Hunter Team observed the following critical indicators:

  • Active Malicious Mobile Numbers Identified: 1,467,756

  • Newly Observed Malicious Mobile Numbers: 841,091 (representing 57.3% of active numbers)

  • Primary Malicious Channels: OTP receiving platforms

  • Geographic Origin of Malicious Numbers: Predominantly US/Canada, followed by the Philippines, Malaysia, Japan, and Indonesia.

  • Most Targeted Sectors: E-commerce Industry, short-form video social platforms, and internet infrastructure services.



03 Malicious Activity Trends: Dissecting Underground Industry Modus Operandi


3.1 Adversary Infrastructure Volatility Impacts Malicious Number Influx

While the underground industry's reliance on malicious mobile numbers remains pervasive, we observed a 39.2% month-on-month decrease in newly added malicious mobile phone numbers. This apparent decline is not indicative of reduced activity but rather a consequence of frequent fluctuations within the core data centers supporting illicit OTP receiving channels. Recent instability, including changes to domain names and server infrastructure, has temporarily disrupted the downstream underground industry's ability to reliably receive OTPs. This operational friction has impacted the overall volume of active fraudulent SIMs, consequently reducing the rate of new malicious number onboarding. However, as these OTP platform channels recover, we anticipate a renewed upward trend in malicious number additions, underscoring the adaptive nature of these adversaries.



3.2 OTP Platforms Remain Primary Provision Channel for Malicious Activities

During this analysis cycle, OTP receiving platforms continue to be the dominant malicious channel for illicit SIM card provisioning. Specifically, the "Link Code Receiving" channel, a significant provider of fraudulent SIMs, experienced a 28.36% proportional decrease in its contribution. This reduction directly correlates with the aforementioned infrastructure instability (as detailed in Section 3.1), which temporarily curtailed the availability of active fraudulent SIMs from this source.



3.3 Geographic Hotspots: US/Canada Lead Malicious Number Origin

Our data consistently identifies the US/Canada region as a persistent hotspot for concentrated underground industry activity, maintaining a disproportionately high volume of newly added malicious mobile phone numbers. Other active regions include the Philippines and the United Kingdom, indicating a global, yet geographically focused, distribution of illicit SIM card operations.



3.4 Targeted Sectors: Social Media and E-commerce Under Siege

Analysis of captured data reveals that the underground industry has strategically concentrated its attack efforts on specific sectors during this period. The social media industry is a primary target, alongside the e-commerce industry and internet infrastructure service providers. This focus suggests a high return on investment for fraudsters exploiting vulnerabilities within these interconnected digital ecosystems.



04 Mitigating Malicious Mobile Number Abuse: From Passive to Proactive Defense


The unchecked proliferation of malicious mobile numbers for fraudulent account registration poses severe, multi-faceted consequences for digital platforms. Unmitigated, this leads to:


  • Financial Erosion: Exploitation of new user incentives, direct consumption of marketing funds, and the generation of invalid data that skews business metrics.

  • Reputational Damage: A corrosive impact on brand trust, potentially leading to advertiser withdrawal and significant indirect losses.

  • Ecosystem Degradation: Proliferation of fake accounts degrades content quality, fosters a toxic environment, and ultimately drives legitimate user churn.

  • User Security Compromise: Maliciously registered accounts are frequently leveraged for sophisticated fraud and phishing attacks, directly threatening user property and privacy.

  • Regulatory Exposure: Non-compliance with data protection and anti-fraud regulations can result in substantial fines, legal action, and mandatory rectification.


The challenge is compounded by the underground industry's relentless iteration and obfuscation of their resources, making traditional detection increasingly difficult. To counter this, organizations must transition from passive prevention to active defense.


Threat Hunter's Identity Intelligence (Mobile Numbers) solution provides the critical advantage for this paradigm shift. Leveraging a comprehensive, multi-channel intelligence monitoring system, we meticulously track underground industry channels to identify and characterize malicious mobile numbers. Our system precisely flags these numbers with a "SIM Pool Card" risk label and assigns a Risk Level of 9, indicating active use by the underground industry with 99.9% accuracy.


We strongly recommend that clients establish precision-tuned risk control rules tailored to their specific business scenarios. By proactively intercepting any number labeled as a "SIM Pool Card" at the point of entry into your business processes, you can pre-emptively neutralize malicious activities before they impact your platform, transforming your defense from reactive to truly anticipatory.
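An entry-point rule of the kind recommended above, as an added example that is not Threat Hunter's code or API. The record layout, the scenario names, the per-scenario actions and the sample numbers are assumptions; only the "SIM Pool Card" label and Risk Level 9 come from this briefing.

```python
import re

# Constructed intelligence records keyed by E.164 number (555-01xx fiction range).
# Label and level follow the briefing; the record layout is an assumption.
SAMPLE_INTEL = {
    "+12025550143": {"label": "SIM Pool Card", "risk_level": 9},
    "+12025550187": {"label": "SIM Pool Card", "risk_level": 9},
}

# Hypothetical per-scenario actions for a flagged number.
POLICY = {"registration": "block", "promo_claim": "block", "login": "step_up"}


def normalize(raw, default_cc="1"):
    """Reduce user-entered formats to E.164 so one number maps to one key."""
    s = re.sub(r"[^\d+]", "", raw)
    if s.startswith("00"):            # international prefix written as 00
        s = "+" + s[2:]
    elif not s.startswith("+"):       # national format: assume default country
        s = "+" + default_cc + s.lstrip("0")
    if not re.fullmatch(r"\+[1-9]\d{7,14}", s):
        raise ValueError("not a plausible E.164 number")
    return s


def decide(raw_number, scenario, lookup=SAMPLE_INTEL.get):
    """Return (action, reason) for a number presented at an entry point."""
    try:
        number = normalize(raw_number)
    except ValueError:
        return ("reject_input", "unparseable number")
    try:
        record = lookup(number)
    except Exception:
        # Feed outage: require extra verification instead of silently allowing.
        return ("step_up", "intelligence lookup unavailable")
    if record and record.get("label") == "SIM Pool Card":
        # Unknown scenarios default to the strictest action.
        return (POLICY.get(scenario, "block"),
                f"flagged, risk level {record['risk_level']}")
    return ("allow", "no intelligence hit")


if __name__ == "__main__":
    for raw, scenario in [("(202) 555-0143", "registration"),
                          ("001 202 555 0187", "login"),
                          ("+1 202 555 0100", "registration")]:
        print(raw, scenario, decide(raw, scenario))
```

Normalizing before the lookup matters because the same flagged number can be submitted in several formats; without it, a format change is enough to miss the match.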


