
115 Million Payment Cards Exposed: How Chinese Hackers Pulled Off One of the Biggest Data Heists in US History
The Breach No One Saw Coming
A Silent Storm of Stolen Data
It’s the kind of headline that makes you check your wallet: 115 million payment cards—credit, debit, you name it—swiped in a single, staggering leak. And the culprits? A shadowy group of Chinese hackers who didn’t bother with fancy malware or zero-day exploits. They went old-school, weaponizing text messages in a 'smishing' blitz that duped thousands into handing over their digits.
According to researchers at Group-IB, a Singapore-based cybersecurity firm, the hackers spent months scraping data from point-of-sale systems, gas pumps, and online retailers. But here’s the kicker: they didn’t just stop at card numbers. Names, addresses, even CVV codes—the full package was up for grabs on underground forums, selling for as little as $10 a pop.
Smishing 101: How a Text Message Can Empty Your Bank Account
The Art of the Digital Con
Remember those 'Your package is delayed' texts you’ve been ignoring? That’s smishing—phishing’s sneakier cousin. The hackers behind this operation sent out waves of SMS messages, posing as banks, delivery services, even government agencies. Click the link, enter your details, and boom—you’ve just funded a cybercrime spree.
'It’s disturbingly simple,' says Dmitry Volkov, Group-IB’s CTO. 'They prey on urgency. A fake FedEx alert here, a bogus bank fraud warning there. By the time victims realize it’s a scam, their data’s already in the wild.'
The FBI’s been tracking similar campaigns for years, but this one had scale. Over 1,000 U.S. businesses were hit, many of them small retailers with outdated security. And because smishing doesn’t require malware, traditional defenses like antivirus software were useless.
The China Connection
Following the Digital Breadcrumbs
Group-IB’s report points squarely to a Chinese hacking collective known as 'Firebird'—a group with ties to previous mega-breaches like the 2019 Marriott leak. Their signature move? Layering attacks to evade detection. First, they’d compromise a retailer’s system. Then, they’d use that access to launch smishing campaigns, creating a feedback loop of stolen data.
Chinese officials have denied involvement, calling the allegations 'baseless.' But cybersecurity experts aren’t buying it. 'The tactics, the infrastructure, even the malware variants—they all trace back to known Chinese APT groups,' says Allison Nixon, chief research officer at Unit 221B. 'This wasn’t some random crime ring. It was orchestrated.'
Are You in the Crosshairs?
How to Check—and Protect—Your Data
If you’ve swiped a card at a U.S. business in the past two years, there’s a non-zero chance your info is floating around the dark web. Group-IB has set up a lookup tool (leaked.cards) where you can check if your card was exposed. But here’s the bad news: even if it wasn’t, smishing attacks are still raging.
'Freeze your credit. Enable transaction alerts. And for God’s sake, stop clicking on text links,' advises Volkov. The FTC also recommends reporting suspicious texts to 7726 (SPAM), a quick way to flag potential scams to carriers.
As for the bigger picture? Congress is dusting off stalled data-privacy bills, and the SEC is pushing for stricter breach disclosures. But for 115 million Americans, that’s cold comfort. Their data’s already gone—and the hackers are counting their profits.