01 Fraud Signals: Global Intelligence Overview

The Threat Hunter Identity Intelligence solution spans 179 countries, actively monitoring over 160 million illicit mobile phone numbers linked to underground fraud activities. Our platform empowers more than 200 clients to enhance their business security posture, significantly reducing exposure to fraud.

      Between October 1 and October 31, 2025, The Threat Hunter team identified over 7.85 million active malicious mobile phone numbers associated with fraudster networks through underground malicious tools, malicious number trading markets, and other related illicit services. Of these, more than 6.38 million were newly observed, accounting for 81.27% of the total. The primary abuse channel in fraudster networks during this period was SMS verification code receiving platforms; the majority of malicious numbers used by fraudster networks originated from the United States and Mainland China. The industries most targeted by malicious mobile phone number attacks from fraudster networks were the e-commerce sector, internet infrastructure services sector, and social entertainment sector.

02 Fraud Metrics: Volume and Regional Trends

     The Threat Hunter team monitors over 20,000 open-source intelligence channels and 500,000 underground fraud tool sacross the black market ecosystem. By analyzing how fraud actors acquire resources, we can promptly detect the various malicious channels they use. Through the deployment of advanced real-time monitoring algorithms, we continuously track the abuse infrastructure leveraged by underground networks across the internet. Our system automatically identifies and follows the channels frequently used by fraud actors, and has built a comprehensive database of high-risk mobile numbers and related activities. This database includes intelligence collected from multiple sources, such as mobile numbers used in fraud operations and details of associated attack campaigns.

During the reporting period from October 1 to October 31, 2025, the Threat Hunter Team recorded the following key findings:

• Active Malicious Mobile Numbers Identified:  7,850,972

• Newly Observed Malicious Mobile Numbers: 6,385,516

• Geographic Origin of Malicious Numbers: Mainland China, the United States, Indonesia and Turkey

• Most Targeted Sectors: E-commerce, internet infrastructure services, and social media sector

03 Fraud Tactics: Abuse Channels and Patterns

3.1 The supply trend of malicious mobile phone numbers in fraudster networks

3.1.1 Fraudster networks are highly active, and the materials for counterfeit cards have increased significantly.

      The attack activities carried out by fraudster networks using malicious mobile numbers remain active. Driven by the intensified practices of fraudster networks — such as hijacking verification code SMS messages and abusing numbers via low-end devices — the month-on-month growth rate of newly added malicious mobile numbers compared with the previous month (September) reaches 94.82%.

3.1.2 Mainland China: Significant Growth in SMS Hijacked Numbers via Low-End Devices; Persistent Stagnation in Traditional Malicious Mobile Numbers

      Research by The Threat Hunter team shows that affected by external crackdowns and the shutdown of a well-known leading SMS verification code receiving platform, the living space for traditional malicious mobile numbers has been significantly compressed, with their supply remaining sluggish. In contrast, verification code SMS hijacked numbers via low-end devices — featuring the core characteristic of "legitimate users holding physical SIM cards" — have shown a substantial growth trend in scenarios such as registration and traffic diversion. This growth momentum was particularly prominent in October, and the platforms supplying illicit resources for these numbers have maintained a high level of activity. Due to the high concealment of such numbers and their behaviors being highly similar to legitimate users, enterprises’ risk control difficulties have been significantly increased.

       Currently, fraudster networks have gradually abandoned traditional SMS verification code receiving numbers across multiple industries and turned to such hijacked numbers as the primary tool. For detailed explanations and prevention guidelines regarding verification code SMS hijacked numbers via low-end devices, you can read "2025 SMS Hijacking Trend Report: 'Illegally Using' Legitimate Users' Mobile Numbers to Receive Verification Codes Becomes the Mainstream of fraudster networks Attacks" on The Threat Hunter’s WeChat official account.

Leading SMS verification code platforms have done a runner, leaving cybercriminals truly "suffering unspeakably"

3.1.3 The reserve of malicious materials used by fraudster networks to undermine wireless communication services in the United States has continued to increase.

     In-depth analysis of relevant data in the United States reveals that the number of newly added wireless communication service-type numbers increased significantly in October, with a month-on-month growth of 19% compared with the data in September, and the new additions of wireless communication service-type numbers in October were 16.35% higher than those of landline-type numbers. This change may indicate an increasingly obvious trend of fraudster networks shifting the focus of its malicious activity channels to the wireless communication field, and The Threat Hunter team will continue to track the dynamic evolution of fraudster networks.

3.2 Origins of Newly Added Malicious Mobile Numbers

3.2.1 The US as the Primary Origin of Malicious Mobile Numbers

     During this reporting period, countries such as the United States, Indonesia, and Turkey emerged as key regions of concentrated fraudster networks activity. Meanwhile, the supply of illegal SIM card materials by fraudster networks shows distinct characteristics of batch-based and large-scale SIM card activation. From the perspective of the newly added trend chart, some fraudster networks increased the stockpiling volume of illegal SIM card materials in Turkey between October 1st and October 11th. Going forward, The Threat Hunter team will continue to monitor fraudster networks activities in this region.

3.3 Fraudster Networks: Cross-Sector Attack Projects

3.3.1 Sector-Specific Targeting: Attacks Concentrated in E-Commerce Sector

An analysis of the capture status of the aforementioned data shows that during this cycle, fraudster networks concentrated its attacks on the e-commerce industry, the internet infrastructure services industry, and the social media industry.

04 Fraud Risk: Defense Strategies and Recommendations

The unchecked use of malicious mobile numbers to register fake accounts continues to pose escalating risks. These accounts are routinely weaponized for fraudulent marketing campaigns, distorting operational data and draining promotional budgets. Beyond direct financial loss, the ripple effects are substantial:

• Brand Integrity at Risk: A surge in fake activity erodes platform trust, potentially triggering advertiser pullback and reputational fallout.

• Content Ecosystem Disruption: Overrun by inauthentic accounts, platforms face declining content quality and deteriorating user engagement.

• User Safety Compromised: Fraudulent accounts often serve as launchpads for scams and phishing attempts, threatening user privacy and financial assets.

• Compliance Pressure: Mishandling of such abuse may breach data protection and anti-fraud regulations, exposing platforms to legal and regulatory consequences.

What makes this threat especially challenging is its adaptive nature. The tools and tactics used by frauster networks evolve rapidly, making detection and response increasingly complex. A shift in strategy is essential — moving from reactive filtering to proactive defense. This involves mapping the lifecycle of malicious number abuse and integrating real-time threat intelligence into risk control frameworks. Threat Hunter’s Phone Number Intelligence Service plays a key role in this transition. By continuously monitoring underground channels, it identifies high-risk numbers and flags them with the label “SIM Pool Card”, rated at Risk Level 9. These identifiers offer actionable signals for preemptive blocking. To stay ahead, It is recommended to establish precise risk control rules based on specific business scenarios. If a number labeled as “SIM Pool Card” enters the system, interception should occur before any malicious activity begins, effectively preventing fraudulent operations.