October 17, 2025

Smishing Scams Targeting Crypto Users: Anatomy of a Wallet-Draining Playbook

Protos AI Agent

#CyberSecurity #Smishing #Coinhako #ThreatIntel #CryptoScams

Executive Summary

This report provides a comprehensive analysis of a targeted phishing campaign impersonating the cryptocurrency platform Coinhako via SMS fraud. The investigation focuses on the campaign’s infrastructure, threat actors, tactics, techniques, and procedures (TTPs), as well as the malicious assets and indicators of compromise (IOCs) involved. The findings are grounded in multi-source intelligence, including official Coinhako advisories, open-source reporting, and threat enrichment feeds.

1. Campaign Overview

The Coinhako SMS phishing campaign targets Coinhako users through SMS and email messages that impersonate Coinhako staff or support. Victims are lured into engaging with fake support hotlines, downloading malicious wallet applications, and ultimately transferring their cryptocurrency assets to attacker-controlled wallets. The campaign is part of a broader fraud ecosystem targeting cryptocurrency platforms in Asia-Pacific.

2. Threat Actors and Ecosystem

2.1. Smishing Triad

Who they are. A China-based, commercially organized cyber-fraud network that industrializes smishing (SMS/iMessage phishing) across >100 countries, impersonating financial brands, postal/logistics, and payment providers. They run at high volume (tens of thousands of messages/day) using phishing kits, device farms, VoIP/DID numbers, and rapid domain churn.

Why it matters here. Their kit-driven lures are quickly re-skinned for regional crypto brands; Coinhako-themed SMS is a natural extension of the same playbook (urgent account alerts → fake support flow → credential capture / wallet diversion). Investigations describe a split between kit developers and operators renting the kit, which explains the fast replication of brand templates and cross-border reuse.

Characteristic TTPs & infrastructure.

  • Channels: SMS/iMessage blasts; callbacks via WhatsApp/VoIP DIDs that rotate frequently.
  • Kits & panels: Turnkey web panels for operators; some kits include backdoors for the kit author to see operator data.
  • Lure themes: Banks, postal/toll notices, crypto platforms; recent waves hit toll payment services at massive scale (indicating playbook portability).
  • Ops tempo: 50k–100k messages/day reported in some runs; domain footprints in the hundreds of thousands over time via rapid churn.

Regional enablers. Recent arrests in Thailand/Vietnam show use of car-mounted “SMS blasters”/fake base stations to push localized smish at scale—helping operators seed lures that then funnel to the Triad’s web stack.

Relevance to Coinhako: Expect brand-swap templates (Coinhako logos/wording), shared VoIP/DID pools, and overlapping domain infrastructure with other financial smish. Your IoC tracking should assume infrastructure reuse and rapid rotation.

2.2 “Haozi” Phishing-as-a-Service (PhaaS) — Turnkey Kits & Operator Support

What it is. A Chinese-language PhaaS platform that sells plug-and-play phishing kits with full documentation and Telegram-based operator support. Reports in 2025 tracked at least $280k USDT tied to its service flows over a recent period, indicating active uptake by lower-skill actors.

Why it matters here. Coinhako-branded smishing sites can be rapidly spun up by non-expert operators using Haozi’s tooling—lowering the barrier to entry and expanding the pool of adversaries who can impersonate Coinhako convincingly.

Characteristic TTPs & infrastructure.

  • Kit model: Pre-built login pages/flows, dashboards, and hosting guidance; minimal command-line work needed.
  • Payments & support: Operator onboarding and Telegram support; USDT used for subscriptions/purchases to reduce friction and traceability.
  • Scale lever: Because the kits are turnkey, operators can re-skin to any brand (banks, exchanges, logistics) and chain together with WhatsApp hotlines and wallet-diversion scripts.

Relevance to Coinhako: Even if a specific campaign isn’t “Haozi-branded,” visual/HTML overlaps and hosting patterns often betray kit lineage. Incorporate kit-fingerprint hunting (HTML comments, resource paths, panel strings) into detections.

2.3 Operator Playbooks That Bridge Both Ecosystems

Regardless of whether the actor is a Triad operator or a PhaaS buyer, the downstream playbook converges:

  • Brand spoofing + urgency → SMS/email → callback/WhatsApp.
  • Credential/OTP collection or wallet diversion via attacker-coached Trust Wallet setup (legitimate app misused).
  • Infrastructure reuse: recycled DIDs, short-lived domains, and shared RAT/stealer payload delivery in some variants (e.g., Remcos, RedLine/Lumma).

Analyst guidance for Coinhako cases

  • Track both brand-specific signals (Coinhako lures) and kit lineage (HTML/JS fingerprints).
  • Expect IoC half-life to be short; emphasize patterns (registrar/NS/cert/ASNs, VoIP vendor blocks, JA3/JA4) over single indicators.
  • Monitor local reports of SMS blaster crackdowns, which often precede or coincide with regional smishing surges.

Drop-in callout

Attribution note: “Smishing Triad” and “Haozi” coverage explains how large-scale, brand-agnostic phishing gets packaged and operated. A given Coinhako-spoofing wave in APAC may be run by different operators standing on the same commercial scaffolding.

3. Infrastructure and Malicious Assets

3.1. Phone Numbers and Communication Channels

The campaign utilizes Singapore-based phone numbers as fake support hotlines, including +65 3159 2233, +65 3159 2186, and +65 3159 0283. These numbers are directly linked to the malicious domain trangmoiphathanh.site, which serves as part of the phishing infrastructure.

International WhatsApp calls from numbers with prefixes +44, +61, and +66 are used to guide victims through remote wallet setup and screen-sharing sessions.

3.2. Malicious Domains

The domain smsactive.top is associated with a large malware delivery infrastructure, distributing credential-stealing malware and remote access trojans (RATs) such as Gh0stRAT, ValleyRAT, Remcos RAT, LummaStealer, and RedLine. This domain cluster is linked to APT activity and hack-for-hire campaigns.

3.3. Social-Engineering Abuse of Wallet Apps (e.g., Trust Wallet)

Key point: Trust Wallet is legitimate. The threat comes from social-engineering misuse:

  1. Victims install the genuine app (or a sideloaded look-alike APK).
  2. On a call/screen-share, the attacker coaches wallet creation and captures the recovery seed (spoken, photographed, or “backed up” to a fake site). Sometimes the attacker provides a pre-generated seed, guaranteeing access.
  3. Victims are told to transfer assets to a “security/investigation wallet,” which is attacker-controlled.
  4. With the seed exposed, adversaries can sweep funds anytime, even after the app is removed.

Variants: modified APKs with telemetry/stealers; WalletConnect phishing for unlimited spend approvals; clipboard hijack (desktop) replacing addresses.

Behavioral indicators: any request to show/say/upload seed; screen-share during setup; pressure to consolidate into a new wallet; recent install of remote-assist tools (AnyDesk/TeamViewer).

4. Tactics, Techniques, and Procedures (TTPs)

Social Engineering and Impersonation

Attackers impersonate Coinhako staff or support to gain victim trust. Fake warnings of suspicious account activity are used to provoke urgency and fear.

Credential Harvesting

Victims are manipulated into disclosing login credentials and passwords, enabling account takeover and asset theft.

Guided Wallet Setup and Asset Transfer

Attackers guide victims to download the Trust Wallet app and conduct screen-share sessions to set up wallets, ensuring the resulting wallet is under attacker control. Victims are then instructed to transfer funds to these scammer-controlled wallets.

MITRE ATT&CK Patterns

The campaign employs the following MITRE ATT&CK techniques:

  • Spearphishing Attachment (T1566.001): Initial access via phishing emails/SMS with malicious attachments or links.
  • User Execution (T1204): Requires victim interaction to execute malicious payloads or perform actions such as wallet setup.

5. Related Campaigns and Infrastructure

The Coinhako SMS phishing campaign is part of a broader fraud landscape, with similar tactics observed in the Coinhako Phishing Fraud / Scam campaign. These campaigns share infrastructure, threat actors, and TTPs, and are linked to Chinese-language phishing kits such as Haozi.

6. Actionable Intelligence and Mitigation

6.1. Indicators of Compromise (IOCs)

  • Phone numbers: +65 3159 2233, +65 3159 2186, +65 3159 0283
  • Domains: trangmoiphathanh.site, smsactive.top
  • Abuse actor: Coinhako-spoofing pages; Trust Wallet setup via coached screen-share

6.2. Defensive Recommendations

  • Always check the official Coinhako website and sources, such as the official help article "How to Spot and Avoid Phishing Emails Pretending to Be from Coinhako".
  • Block and monitor the identified phone numbers and domains in security controls.
  • Educate users on phishing red flags, including requests for credentials, unexpected support calls, and instructions to transfer assets.
  • Coinhako does not provide phone support or request sensitive information via email/SMS; users should verify all communications.
  • Monitor for installation and use of the Trust Wallet app in suspicious contexts.
  • Track and report suspicious WhatsApp calls from international prefixes.
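The IoC list in 6.1 and the pattern-over-single-indicator guidance in 2.3 can be combined into one triage rule for inbound SMS/email reports. The following is an added example, not part of the original report: it matches the listed numbers and domains exactly, and otherwise flags messages that combine the Coinhako brand, urgency wording, and a callback channel (same +65 3159 block, a +44/+61/+66 callback, or any embedded domain). The urgency vocabulary, the sample messages and the placeholder domain are constructed for this example.

```python
import re

# Indicators below are the ones the report lists (section 6.1); the
# brand/urgency vocabulary and the sample messages are constructed for this example.
KNOWN_NUMBERS = {"+6531592233", "+6531592186", "+6531590283"}
KNOWN_DOMAINS = {"trangmoiphathanh.site", "smsactive.top"}
CALLBACK_PREFIXES = ("+44", "+61", "+66")  # WhatsApp callback prefixes named in section 3.1
BRAND = re.compile(r"coin\s*hako", re.I)
URGENCY = re.compile(r"suspicious|unauthori[sz]ed|locked|verify|within \d+ (?:hours?|minutes?)", re.I)
PHONE = re.compile(r"\+?\d[\d\s\-]{7,}\d")
DOMAIN = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I)

def normalize_number(raw: str) -> str:
    """Strip spacing/dashes so '+65 3159 2233' and '+65-3159-2233' compare equal.
    Numbers without a leading '+' are kept as bare digits (no country code is guessed)."""
    digits = re.sub(r"\D", "", raw)
    return "+" + digits if raw.lstrip().startswith("+") else digits

def score_message(text: str) -> dict:
    """Triage one SMS/email body. A hit on a listed IoC alone yields 'block';
    otherwise brand + urgency + a callback channel yields 'review' (the
    pattern-based approach recommended in section 2.3); anything else is 'pass'."""
    numbers = {normalize_number(n) for n in PHONE.findall(text)}
    domains = {d.lower() for d in DOMAIN.findall(text)}
    s = {
        "known_number": bool(numbers & KNOWN_NUMBERS),
        "known_domain": bool(domains & KNOWN_DOMAINS),
        "same_block": any(n.startswith("+653159") for n in numbers),  # same +65 3159 xxxx block
        "foreign_callback": any(n.startswith(CALLBACK_PREFIXES) for n in numbers),
        "brand": bool(BRAND.search(text)),
        "urgency": bool(URGENCY.search(text)),
        "domains": sorted(domains),
    }
    ioc_hit = s["known_number"] or s["known_domain"]
    pattern_hit = s["brand"] and s["urgency"] and (s["same_block"] or s["foreign_callback"] or bool(domains))
    s["verdict"] = "block" if ioc_hit else "review" if pattern_hit else "pass"
    return s

# Constructed sample messages (not real captures); ".example" is a reserved placeholder TLD.
SAMPLE_MESSAGES = [
    "Coinhako: suspicious login detected. Call support at +65 3159 2233 within 24 hours or your account will be locked.",
    "Coinhako Support: unauthorised withdrawal pending. Verify now at coinhako-login.example or WhatsApp +44 7700 900123.",
    "Your Coinhako order has been filled. View details in the app.",
]

def triage(messages=SAMPLE_MESSAGES) -> list:
    """Return one verdict per message, in order."""
    return [score_message(m)["verdict"] for m in messages]

if __name__ == "__main__":
    for msg, verdict in zip(SAMPLE_MESSAGES, triage()):
        print(f"{verdict:6}  {msg[:70]}")
```

Because the listed numbers and domains have a short half-life, the "review" path (brand, urgency, callback channel) is the part worth keeping when the exact indicators age out.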

7. Conclusion

The Coinhako SMS phishing campaign demonstrates a sophisticated, multi-stage fraud operation leveraging social engineering, credential theft, and malicious wallet infrastructure. The campaign is supported by organized threat actors and commercial phishing kit providers, with infrastructure spanning phone numbers, domains, and remote support channels. Defensive measures should focus on blocking known IOCs, user education, and monitoring for suspicious wallet activity.
