
Underground Networks Intensify SMS Hijacking: Bi-weekly Global Identity Intelligence Briefing (Sep 1st to 30th 2025)

Over 4.5 million malicious mobile numbers surfaced in September, with 71.87% newly observed. SMS hijacking via low-end devices drives the surge, exposing vulnerabilities across e-commerce and internet infrastructure services. The report highlights shifting abuse patterns including batch-based SIM provisioning, and offers actionable intelligence to strengthen mobile fraud defenses.

01 Fraud Signals: Global Intelligence Overview


The Threat Hunter Identity Intelligence solution spans 179 countries, actively monitoring over 100 million illicit mobile phone numbers linked to underground fraud activities. Our platform empowers more than 200 clients to enhance their business security posture, significantly reducing exposure to fraud.


Between September 1 and September 30, 2025, the Threat Hunter team identified over 4.55 million active malicious mobile phone numbers through underground tools, malicious number trading platforms, and related fraudulent services. Of these, more than 3.27 million were newly observed, accounting for 71.87% of the total. The primary abuse channel during this period was SMS verification platforms, with the majority of malicious numbers originating from the United States and Mainland China. The most targeted industries were E-commerce and Internet Infrastructure Services.


02 Fraud Metrics: Volume and Regional Trends


The Threat Hunter team monitors over 20,000 open-source intelligence channels and 500,000 underground tools across the fraud ecosystem. By analyzing how fraud actors acquire resources, we can promptly detect the malicious channels they use. Through the deployment of advanced real-time monitoring algorithms, we continuously track the abuse infrastructure leveraged by underground networks across the internet. Our system automatically identifies and follows the channels frequently used by fraud actors, and has built a comprehensive database of high-risk mobile numbers and fraud-related activities. This database includes intelligence collected from multiple sources, such as mobile numbers used in fraud operations and attack campaigns.


During the reporting period from September 1 to September 30, 2025, the Threat Hunter Team recorded the following key findings:

  • Active Malicious Mobile Numbers Identified: 4,559,957

  • Newly Observed Malicious Mobile Numbers: 3,277,575

  • Geographic Origin of Malicious Numbers: Mainland China, The United States, Indonesia, The Philippines, Malaysia, and Thailand

  • Most Targeted Sectors: E-commerce, Internet Infrastructure Services, and Life Services


03 Fraud Tactics: Abuse Channels and Patterns


3.1 The supply trend of malicious mobile phone numbers in fraudster networks

3.1.1 Fraudster networks are highly active, and hijacked SIM cards have increased significantly.

The attack methods employed by fraudster networks using malicious mobile numbers remain active. Due to the significant growth in SMS verification-hijacked numbers via low-end devices, the month-on-month growth rate of newly added malicious mobile numbers stands at 14.68%.


3.1.2 Mainland China: Significant Growth in SMS Verification-Hijacked Numbers via Low-End Devices

The attack methods employed by fraudster networks using malicious mobile numbers remain active. Traditional malicious mobile numbers continue to show a stagnant trend due to external crackdowns, while "Verification SMS hijacked numbers via low-end devices" showed significant growth in September 2025. Platforms supplying malicious resources for these hijacked numbers also demonstrate a high level of activity.


Verification SMS hijacking via low-end devices works as follows: physical SIM cards are held by ordinary users, but the devices these users rely on have been infected with viruses or fitted with backdoors by fraudster networks or device manufacturers. This leads to the theft of SMS receiving permissions, which in turn results in the hijacking of verification SMS messages. Such devices are mostly low-end products like phones for the elderly and children's smartwatches. Their core characteristic is that the SIM cards themselves are held by legitimate users, yet the devices are illegally controlled by fraudster networks.


3.1.3 Fraudster networks show growing interest in Wireless Services

In-depth research on the U.S. region reveals that newly added Wireless Service-type numbers have increased, with growth 2.73% higher than that of Land Line-type numbers. This may indicate a shift in the malicious activities of fraudster networks, and Threat Hunter will continue to monitor the dynamic changes of these networks.


3.2 Origins of Malicious Mobile Numbers

3.2.1 The US as the Primary Origin of Malicious Mobile Numbers

During this reporting period, the United States, Indonesia, and the Philippines emerged as key regions of underground activity. Meanwhile, the supply of illegal SIM cards by fraudster networks is characterized by batch-based distribution and large-scale activation. Trend chart analysis shows that certain fraudster networks ramped up the stockpiling of illegal SIM cards in Vietnam and Indonesia on September 5th. Going forward, Threat Hunter will continue to monitor fraudster activities in these regions.


3.3 Fraudster Networks: Cross-Sector Attack Projects

3.3.1 Sector-Specific Targeting: Attacks Concentrated in E-Commerce Channels

Analysis of the captured data reveals that during this cycle, fraudster networks focused their attacks on the E-commerce Industry, the Internet Infrastructure Services Industry, and the Short-video Social Networking Industry.


04 Fraud Risk: Defense Strategies and Recommendations


The unchecked use of malicious mobile numbers to register fake accounts continues to pose escalating risks. These accounts are routinely weaponized for fraudulent marketing campaigns, distorting operational data and draining promotional budgets. Beyond direct financial loss, the ripple effects are substantial:


  • Brand Integrity at Risk: A surge in fake activity erodes platform trust, potentially triggering advertiser pullback and reputational fallout.

  • Content Ecosystem Disruption: Overrun by inauthentic accounts, platforms face declining content quality and deteriorating user engagement.

  • User Safety Compromised: Fraudulent accounts often serve as launchpads for scams and phishing attempts, threatening user privacy and financial assets.

  • Compliance Pressure: Mishandling of such abuse may breach data protection and anti-fraud regulations, exposing platforms to legal and regulatory consequences.


What makes this threat especially challenging is its adaptive nature. The tools and tactics used by underground actors evolve rapidly, making detection and response increasingly complex. A shift in strategy is essential: moving from reactive filtering to proactive defense. This involves mapping the lifecycle of malicious number abuse and integrating real-time threat intelligence into risk control frameworks.

Threat Hunter’s Phone Number Intelligence Service plays a key role in this transition. By continuously monitoring underground channels, it identifies high-risk numbers and flags them with the label “SIM Pool Card”, rated at Risk Level 9. These identifiers offer actionable signals for preemptive blocking. To stay ahead, it is recommended to establish precise risk control rules based on specific business scenarios. If a number labeled as “SIM Pool Card” enters the system, interception should occur before any malicious activity begins, effectively preventing fraudulent operations.
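One way to wire such a label into a scenario-specific rule that runs before the account action, as an added example (not Threat Hunter's code or API). The feed structure, sample numbers, scenario names, thresholds and the batch heuristic are assumptions; only the “SIM Pool Card” label and Risk Level 9 come from the briefing.

```python
import re
from collections import Counter

# Constructed feed: number -> (label, risk level). The "SIM Pool Card" label
# and level 9 come from the briefing; the feed shape and numbers are assumed.
INTEL_FEED = {"+12025550143": ("SIM Pool Card", 9)}

# Hypothetical per-scenario thresholds: (block_at, challenge_at).
POLICY = {"promo_signup": (7, 4), "login": (10, 7)}


def normalize(raw, default_cc="1"):
    """Reduce user-typed formats to one +<digits> key so a lookup cannot be
    missed because of spacing, punctuation or a 00 international prefix."""
    digits = re.sub(r"\D", "", raw)
    if raw.strip().startswith("+"):
        return "+" + digits
    if digits.startswith("00"):
        return "+" + digits[2:]
    if len(digits) == 10:  # assumed national format for default_cc
        return "+" + default_cc + digits
    return "+" + digits


def decide(raw_number, scenario, feed=INTEL_FEED):
    """Return (action, label); call this before the account action runs."""
    label, level = feed.get(normalize(raw_number), (None, 0))
    block_at, challenge_at = POLICY[scenario]
    if level >= block_at:
        return "block", label
    if level >= challenge_at:
        return "challenge", label  # e.g. require a non-SMS factor
    return "allow", label


def batch_blocks(raw_numbers, suffix_len=2, min_count=3):
    """Heuristic (an assumption, not from the briefing): report number
    prefixes shared by at least min_count distinct numbers in one window of
    sign-ups, as a possible sign of batch-provisioned SIMs."""
    unique = {normalize(n) for n in raw_numbers}
    prefixes = Counter(n[:-suffix_len] for n in unique)
    return sorted(p for p, c in prefixes.items() if c >= min_count)
```
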

