It was late on December 30, 2022, when police in Paris made the first arrest of a person driving an SMS blaster around a European city. The woman failed a drug test, but the police were more concerned about the object in the back of her car (pictured). To untrained eyes, the device looked like a bomb, so they called for explosives experts to neutralize it. The police later realized the device had been used to send scam SMS messages that appeared to come from Ameli, the online platform for France’s health insurance system. Anyone clicking the link in the messages would have been taken to a phishing website designed to capture the personal data of the unwary. The driver, a woman named Zoé, said she had been paid EUR100 (USD115) per day by her boyfriend to slowly drive the SMS blaster around the suburbs of Paris. Zoé controlled the SMS blaster as she was driving via an app installed on her mobile phone. Her boyfriend, Mohammed, was the co-founder of a business that said it offered ‘local SMS marketing’ services. When found by the police, Mohammed also claimed to be just following the instructions given to him by somebody else, although those instructions had been relayed via Telegram.
Along with Abdoulaye, the other co-founder of the ‘local SMS marketing’ business, Mohammed had obtained the SMS blaster from Kevin Yin, a Chinese national that represented a company which also sells high-tech weapons including attack drones and missile systems. US police provided intelligence about Yin, and an international arrest warrant was issued, with French magistrates emphasizing the need to detain Yin because of the worrying proliferation of privacy-infringing devices in the wake of the conflict in Ukraine. Yin was eventually arrested in Geneva, Switzerland, as he waited to board a flight to Toronto, Canada. The Swiss authorities were concerned at the time about the potential supply of IMSI-catchers to Wagner, the Russian mercenary army that fought in Ukraine and which is also known to have used IMSI-catchers in their African operations. A search of Yin’s luggage uncovered nine bank cards, four USB sticks, three mobile phones, two Chinese passports and a Peruvian driving license.
Yin’s real name proved to be Nongzhong Yin, and he was extradited from Switzerland to France, where he remains in detention. Investigating his affairs uncovered other SMS blasters that were used for scams in both Paris and Lyon. 14 people in total, including Zoé, Mohammed, Abdoulaye, and Nongzhong Yin, will be tried for the part they each played in enabling frauds that are estimated to have caused EUR20mn (USD23mn) in damage to the victims. Six of these defendants are expected to engage in plea bargaining to reduce their sentences; this process will occur in Paris and begins in November. The other eight defendants will be tried in Paris from February 6 to 27, 2026.
Some people said I exaggerated the risk of international criminal gangs using radio communications devices to commit fraud when Commsrisk became the first English-language publication to cover Zoé’s arrest and the subsequent scale of the Ameli scam. There is a sharp contrast to coverage of the same risks this year. 2025 has seen an explosion in the number of English-language journalists who now consider these radio devices to be threat, although most of them write garbage because they have done no meaningful research and do not understand what they are writing about. Do they really care about informing the public? I doubt it. If they did care, then they would first care about getting their facts straight.
The threat to all Europeans should have been evident as soon as the first car was stopped in Paris. There are 26 other European Union countries that promise unfettered movement over their shared borders. Does it not seem strange that multiple SMS blasters were used to commit crime inside France, but there has not been a single SMS blaster identified in any of the other EU countries? A vehicle could drive from Paris to Berlin in less than 12 hours; Madrid could be reached in a little over 13 hours. SMS blasters have been found elsewhere in Europe — in Norway, Switzerland and the UK — but none of those countries are EU members. Either the spread of transnational crime is entirely unpredictable or some European police forces are still asleep to the risk posed by SMS blasters.
Recently I have seen the worst journalists pushing nonsense like the following.
- SMS blasters will stop being a threat when 2G and 3G mobile networks have been switched off. This is plain wrong. An SMS blaster connects directly to a victim’s phone. The status of genuine mobile networks in the vicinity is irrelevant. What matters is whether the phone is capable of connecting to the SMS blaster, or whether it has been configured to prevent a downgrade in connection. A downgrade is typically prompted by an SMS blaster to bypass the security inherent to later generations of communication. Even if every network within a country uses 4G or 5G that does not mean there are no vulnerable phone users. Mobile phones will continue to have the ability to connect to 2G to provide connectivity when roaming. Furthermore, inbound roamers from countries that still use older generations of networks will remain vulnerable. Note that the SMS blasters discovered in Japan this year were configured to scam Chinese tourists.
- Increased sophistication at locating SMS blasters will stop crime. Crime should be fought at all levels but it is naive to think transnational criminal gangs will go out of business if the authorities spend more time catching and punishing goons at the lowest levels of the crime pyramid. The scams in France follow the same franchising/outsourcing pattern as seen elsewhere. The drivers and other stooges who operate SMS blasters are expendable. Criminal bosses located in other countries make so much money from scams that they can afford to endure the cost of replacing the minions who are imprisoned and the equipment that was confiscated. If the criminal bosses are not tackled then the crime will continue. The authorities need to move up the pyramid, not just from the Zoés and the Mohammeds to the Nongzhong Yins, but to keep moving up to the bosses who gave instructions to men like Nongzhong Yin.
- Nobody can be sure where SMS blasters come from. They come from China. The existence of supply chains that lead back to China is such a common factor in the stories that have been reported worldwide that it is foolish to pretend otherwise.
The wheels of justice can turn slowly, as demonstrated by the three years that will elapse between the police search of Zoé’s car and the eventual trial of her fellow defendants. Perhaps the authorities in countries across Europe have calculated that they can afford to delay another three years before they begin to devise a credible cross-border action plan to tackle the root of SMS blaster crime. And how much will the aggregate losses to crime be in the interim? EUR20mn may not seem like much, but crime that is not discovered goes on for longer.
It is only this year that a wider cross-section of the population in multiple countries have realized the scale of SMS blaster crime worldwide, and only because this website has been systematically charting its spread. I like to play my part in making the world a better place, but there is something wrong with a world that depends on Commsrisk to unveil patterns in transnational crime committed at large scale. Perhaps the punishments that will be meted out by the French authorities will stir their sleepy peers into taking SMS blaster crime more seriously. If not, then I expect that charting the continuing spread of SMS blasters worldwide will reveal more about the incompetence of officialdom than it teaches us about criminal practices that are already well established.
News about the trial dates for the 14 defendants has mostly been reported by France’s provincial newspapers. The story per Ouest-France can be read here.
