SMS blaster gangs are becoming like London buses: you wait an age for the next one, then two arrive at once. The difference is that most police forces claim this crime is unknown to them, whilst authorities in East Asia are racking up arrests at an accelerating rate. Last week, Commsrisk broke the story of AIS and the Thai police taking down an SMS blaster gang ahead of any other English-language publication. This week we share news of a similar scam that impersonated mobile operator Maxis in neighboring Malaysia. The increasing use of radio devices by scammers was also highlighted this week when Thai police seized 642 unlicensed simboxes from a gang that used to them to create social media accounts. We also pause to examine how news stories like these spread from country to country, and to comment upon the importance of knowing what is in somebody’s heart.
- Malaysian Police Arrest Four SMS Blaster Smishers
- 642 Simboxes Seized in Thailand
- How Information Flows
- Justice for Joseph
- Other News
Malaysian Police Arrest Four SMS Blaster Smishers
A press conference and Facebook post from Jabatan Siasatan Jenayah Komersil (JSJK), the commercial crime investigative division of the Royal Malaysia Police, revealed on Tuesday the details of an SMS blaster smishing gang that was arrested on 19 November. Four men were taken into custody, accused of being supervisors, operators and drivers of two cars that carried SMS blasters around the Klang Valley conurbation. This region is home to 8.8 million Malaysians and includes Kuala Lumpur, Putrajaya and adjoining towns. Police estimated that the range of the SMS blasters they seized is between 500m and 1km, and that around 32,000 victims could have been messaged each day that the scam was live. Investigations so far indicate that this scam may be responsible for around MYR117,000 (USD26,300) stolen from victim’s accounts.

Like the Thai case revealed last week, victims of the Klang Valley gang received SMS messages stating they had earned ‘points’ from their comms provider, and were presented with a hyperlink to redeem them. The link took them to a phishing website which asked victims to enter their banking details and the one-time password (OTP) which the criminals would have used to transact on the victim’s account. However, the reported range of the radio devices used in this scam is less than that of the SMS blaster that was confiscated in Thailand. The device seized in Thailand was said to have sent almost a million SMS messages in just three days, presumably aided by its having a superior range of 3km.
Police stated that the men who drove and operated the SMS blasters received a daily salary of MYR300 (USD67.50) from their criminal bosses. Seizures included two sports utility vehicles that were used to transport the SMS blasters around Klang Valley, nine mobile phones and various other equipment. Look below for embedded video footage of some of the seized equipment, as recorded by Peng Kaixin of China Press.
Maxis was named as a mobile operator which had been impersonated by the fraudsters. The national comms regulator, the Malaysian Communications and Multimedia Commission, was also credited with assisting with the operation, although their role was not clarified. The regulator emphasized that they had already prohibited the inclusion of any URLs in SMS messages. Industry insiders have suggested to me that the ban on hyperlinks is opposed by some Malaysian business interests, but this latest scam highlights the resources that criminals are willing to dedicate to luring victims to phishing websites.
642 Simboxes Seized in Thailand
The Central Investigation Bureau of the Thai police has announced the seizure of 642 unlicensed simboxes from 11 properties in Chiang Mai. The properties had all been rented by a Thai woman who is believed to be connected to Chinese organized crime. The simboxes are said to have been used for the creation and maintenance of social media accounts by receiving one-time passwords (OTP) used for authentication. These social media accounts were then made available for use by other criminals, who were charged 1 Chinese Yuan (USD0.14) for each OTP handled by the simboxes.
A Thai man was arrested in addition to the Thai woman who had rented the properties. Arrests were also made of five Chinese nationals and eight nationals from Myanmar. In addition to the simboxes, police seized: 1,455 mobile phones; 590,000 SIM cards; 47 SIM card readers; account books for six bank accounts; and various other IT equipment. A photograph of some of the seized simboxes is shown below.

Asian countries like Thailand are leading the way with protecting consumers by tackling the equipment that enables scams as well as asking social media companies to monitor activity on their networks. It is perverse that authorities in other countries have ratcheted up obligations on social media platforms to identify and disable accounts used by scammers, but are doing nothing about the use of social media to advertise the sale of simboxes and SMS blasters! More countries should be licensing the radio equipment that is typically used by scam gangs so unlicensed equipment can be immediately confiscated without needing to go through a laborious process of demonstrating it has been used to enable some other crime.
How Information Flows
Many readers will be aware of how quick and easy it can be to ‘share’ information online. Last week’s story about the SMS blaster located in the Sukhumvit district of Bangkok has given me reason to question preconceptions about the total cost of ‘sharing’ information. Somebody has to pay a cost somewhere, and the belief that information will always be cheap or free is likely to lead us to undesirable places if followed to its ultimate conclusion.
Unlike the vast majority of people who ‘share’ stories online, I monitor the flow of information with the intention of finding niche stories that many professionals are unlikely to see unless it is published at a specialist site like Commsrisk. In fact, this week’s article was going to be dedicated to a lengthy comparison of data from the US Federal Trade Commission and Britain’s Information Commissioner’s Office, but that story was postponed to make room for the Klang Valley SMS blaster piece covered above. Monitoring the flow of stories means that I often see the same story dozens of different times, as published by dozens of different channels, before you have read the story on Commsrisk.
The following sequence relates to last week’s headline story. It exemplifies factors that may not be apparent to most of the public, even if they are prolific readers and avid users of social media.
- The Thai press ran the story on 19 November, immediately after attending a briefing run by the police and Thai operator AIS. Here is an example.
- Commsrisk ran the story in English on 22 November. It was actually written on 20 November but Commsrisk now only publishes one article per week, each Friday, to manage the workload in maintaining this site’s output, and to reflect the way social media algorithms work at promoting content for websites that have a niche audience.
- AI-powered spam websites began running the story in English on 23 November. Here is an example. You may ask how I know the article was written by AI. The inference is straightforward when you look at the gross output of websites like these, relative to the number of people working for them. It would not be possible for a human being to write so many articles about so many different topics on a daily basis. These articles are produced by taking words that have already been written by somebody else, then feeding them into an AI to rephrase the content to avoid any copyright claim, and then publishing the output using the equivalent of factory-line automation.
- Mainstream English-language tech news websites ran the story on 24 November. This example is from Bleeping Computer. I can draw no firm conclusions on where they obtained the story from. It could have been from the Thai press, or they might have taken the tip from Commsrisk, or they might have taken their tip from the AI sites. Most of them probably took their tip from another mainstream English-language tech news website, which is why so many published the story on the same day.
This leads me to two conclusions.
- If you think who-pays-for-news-media-and-who-separates-information-from-misinformation is a fucked-up problem that is getting worse, then you are correct. However, from my perspective on the outer rim of the newsiverse, the problem is even worse than you currently appreciate. It is not just the supply-side of specialized news economics that is in trouble, because AI is far more effective at stealing the value enshrined in somebody else’s work than at creating the accurate and original content that must be the foundation for any trustworthy news service. The problem is that even a lunatic extremist like me, who was willing to sustain an insane amount of output over an 18-year period, is questioning why I do not replace myself with regurgitative AI that adds no value whatsoever. Without people like me, nobody is going to discriminate between information and misinformation, whether the source of that misinformation is a partisan politician, a lying marketeer, or the lack of knowledge required to spot when a phrase in Thai has not been translated into an appropriate technical term in English.
- Commsrisk’s version of this story was the only one that alluded to how well AIS detects SMS blasters. And this was likely because I am the only person who wrote words about this story after speaking to the CISO of AIS about how their team detects SMS blasters.
To be clear, I am not going to write on Commsrisk about the methods used by AIS to detect SMS blasters. But knowing those things makes for better and more reliable analysis of what is happening. It helps me to distinguish between important consumer protection initiatives, like the great work being done by AIS, and bullshit marketing that was dominating the output of the English-language press whilst they all waited for somebody else to translate Thai into English. I also respect the fact that the readership of Commsrisk includes fraudsters, so I had better not be too specific when describing how AIS is doing an amazing job of fighting fraud. But if no effort is made by writers to genuinely distinguish between good work and vacuous nonsense then we end up misleading the public because crowd-pleasing fluff will be confused with the products of genuine expertise. This then leads to politicians being pressured by the public to force telcos to waste money on expensive but deeply flawed technologies that will deliver a handsome profit for suppliers but no actual protection for the rest of society.
The strategic failure to address organized crime has bedeviled the communications sector for decades. The last thing we need is policy to be even more influenced by the gimmicks that will typically get most attention on social media. But I see very little evidence of people exercising any restraint in their pursuit of the maximum number of online views, likes and reposts.
So this leaves me in a conundrum.
I could just say ‘fuck it’ and retire again, like I did earlier this year. I have enough money, and I am not motivated to make life easier for people who are lazier and stupider than me. Or I could draw your attention to the growing scale of a problem, without being clear how this will lead to a solution. Some good friends have suggested solutions, although my examination of the data leads me to conclude that none of their proposals would overcome a fundamentally adverse dynamic: ordinary people are so habituated to receiving free information online that they fail to notice they are helping to ensure all future online information will be worthless.
There has been no shortage for suggestions for how I might do things differently. Earlier this week I was asked to bring back Commsrisk TV by a fraud expert who is very experienced but whom I rarely speak with. And just before I started writing up this article, I was in a conversation with a widely-traveled revenue assurance manager who said I should put Commsrisk behind a paywall. These suggestions are gratefully received, but I remain unconvinced. Recent history demonstrates that I needed to retire to stimulate a response which prompted the Mobile Ecosystem Forum to make me an offer that justified keeping Commsrisk alive. If people genuinely want Commsrisk to continue, it would be better if they found a way to signal their need for this content before I start planning my retirement again.
Justice for Joseph
One good thing about being a human being, and not just a soulless automaton that processes words and turns them into other words, is that I can occasionally be proud of things that I say. Joseph Nderitu is a fine person and an exemplary professional, whose experience in working across many different African telcos is only exceeded by his generosity towards everybody he has worked with. He is wiser than me, and I wish I had his accomplishments. He is a pilot, a farmer, a pillar of the community who stands up for the rights of his fellow Kenyans. That was why I was so fucking angry that the corrupt government of Tanzania falsely accused Joseph of crime, throwing him into prison with four other falsely accused Vodacom employees, until the government had extorted the money that was the sole motivation for their shakedown.
Joseph will only discover the following by reading this article, because I did not wish to upset him following the terrible injustice that was done to him. But now is the time for me to share that some so-called professionals told me to distance myself from Joseph for my own good. They told me to worry about the consequences for my reputation. I rather feel that they should be worried about their reputations, because those people all made an enemy of me, and I have a very long memory. They showed themselves to be snakes who would turn on anybody as soon as it becomes convenient, or to be so lacking in professional judgement that they cannot tell the difference between brazen government corruption that follows a well-established pattern and the evidence that would be required to convict somebody of crime in a fair trial. The justice system in Tanzania was blatantly rigged to deny Joseph and his peers a fair trial. Meanwhile, countless governments across the planet do nothing about the real criminals which heroes like Joseph work so hard against.
You may not have read Joseph’s prison journal. You should. I guarantee that you will learn a lot more from Joseph’s insights than from much of the drivel that people have paid me to write. That is why I am proud that Commsrisk published his journal, and that I retain sufficient freedom to ignore the bad advice proffered by people whose opinions I do not value. And I am even more proud to receive one small mention in Joseph’s latest call for justice, which is written with more humanity and humor than I could ever summon.
Other News
- Swiss police warn that smishing scam is targeting users of Twint, the country’s most popular mobile payment service
- US politician describes how China pwned ‘thousands and thousands’ of devices at US telcos
- Philippine politician warns about the rise of ‘guerilla’ scammers
- Austrian former tennis player describes being conned after receiving an SMS from Thailand
- MVNO launches secure service for ‘high risk’ individuals



