A copy-pasted Florida statute. A reply that breaks Apple's last defence. A rogue cell tower in a car. The story behind the text on your phone.
Aaron Davis nearly paid the $6.99. The Waterbury, Connecticut resident told CBS affiliate WFSB on April 8 that he came close to clicking through before he noticed the citation at the bottom of the text.
Florida Administrative Code 15C-16.003.
Davis lives in Connecticut. The Florida statute does not apply to him. Could not apply to him. The scammers had not bothered to swap the citation when they ported their template across the border.
Cherie Leavitt, of Wolcott, told the same WFSB segment she had received an identical text. So did roughly a million other Americans across at least twenty states between January and April. The Federal Trade Commission posted its formal consumer alert on April 14, 2026, headlined plainly: That text about a traffic violation is probably a scam. One week earlier, on April 7, the FBI's Internet Crime Complaint Center had released its 2025 annual report, the first ever to clear one million complaints in a single year, with reported losses of $20.877 billion.
Two federal documents in two weeks. Neither of them named the people responsible. Neither of them mentioned the Toronto cybercrime unit that had, three weeks earlier, made the only physical arrests on this entire continent for the operation that was generating those texts. Neither of them named the rogue cell tower. Neither of them mentioned the Florida statute about temporary registration tags that scammers in Henan province had decided to make famous.
This is a story about a billion-dollar fraud whose most diagnostic feature is a copy-paste error. About a single keystroke that defeats Apple's flagship anti-phishing protection. About what happens when the only American legal response to a Chinese phishing-as-a-service empire is a civil lawsuit filed by Google. And about a Detective Sergeant in Toronto whose unit did what the U.S. Department of Justice has not.
Start with the statute.
What the Text Says
Reproduced from sample messages documented by The Ticket Clinic and the Cybersecurity Association of Pennsylvania.
Final Notice: Enforcement Penalties Begin April 5
Pursuant to Florida Administrative Code 15C-16.003, you are required to settle any outstanding traffic violations before your scheduled court hearing. Failure to do so will result in the following:
- Suspension of your vehicle registration
- Suspension of your driver's license, with a 35% reinstatement fee
- Negative credit reporting
- Prosecution and additional court fees
Please reply Y, then exit the SMS, re-open the SMS activation link, or copy it into your browser. Pay $6.99 to resolve.
The same Florida statute number has been documented in scam texts sent to recipients in Pennsylvania, Maryland, Ohio, Connecticut, North Carolina and Tennessee. None of those states use Chapter 15C. The rule itself governs how long a Florida vehicle dealer must keep electronic temporary-registration paperwork. Five years.
A Rule About Paperwork
Chapter 15C of the Florida Administrative Code is titled Electronic Vehicle Issuance Systems. It governs how authorized dealers in Florida produce and retain temporary registration documents. Rule 15C-16.003 is one provision inside that chapter. Its subject is record retention. Five years.
Nothing in 15C-16.003 has anything to do with traffic violations. Nothing in it concerns hearings, suspensions, license reinstatement fees, or credit reporting. The rule does not apply to drivers. It applies to motor-vehicle dealers operating in Florida. The penalty for non-compliance, such as it exists, is administrative against the dealer, not the driver.
Citing it in a Florida-targeted scam text is sloppy. Citing it in an Ohio-targeted scam text is, in a precise sense, impossible. Ohio does not have a Chapter 15C. Pennsylvania does not. Maryland does not. None of these states is bound by Florida's administrative code. A Pennsylvania resident receiving a text that threatens Pennsylvania license suspension under Florida regulatory authority is being told something that cannot be true under any reading of either state's law.
And yet the citation works.
It works because almost nobody reads it. The text is intimidating; the dollar figure is small; the deadline is short. The citation lends a veneer of legitimacy that fades only on second look. The Ticket Clinic, a Florida traffic-ticket law firm, was one of the first to flag the misattribution publicly in March 2025. The Cybersecurity Association of Pennsylvania followed with a statewide alert in early 2026. Blue Water Healthy Living, a community paper in Michigan, ran a fact-check piece. None of these advisories has slowed the campaign.
What 15C-16.003 actually tells you, if you read it as a forensics document instead of a legal one, is that the people writing these texts are working from a single template. They are not localizing. They are not lawyers. They are not even particularly careful. They are running volume.
Reply Y
Apple iMessage, by default, disables the clickable link in any message that arrives from a sender not in your contacts. The protection has been in place for years. It is one of the more useful safety defaults in any consumer messaging product. The traffic-violation texts include, near the bottom, a small instruction: please reply Y, then exit the SMS, re-open the SMS activation link, or copy it to a browser.
Reply Y.
That is it. That is the whole thing. Once you have replied to the unknown sender with anything at all, including a single letter, iMessage now treats the conversation as one between known correspondents. The link becomes clickable. Apple's anti-phishing default is gone, and you have undone it yourself, with one keystroke, on the explicit instruction of the people trying to phish you.
Swiss threat-intelligence firm PRODAFT documented the mechanic in detail in its March 24, 2025 report on the Lucid phishing-as-a-service kit. Identical Reply-Y instructions appear in templates produced by Lighthouse and Darcula, two related kits we will get to shortly. PRODAFT's analysts describe the design as a deliberate two-channel evasion: the kit gets to send Android-friendly templates and iOS-friendly templates from the same backend, the iOS users perform a small ritual that downgrades their own protection, and the kit operators get a measurable signal that any recipient willing to reply is at least minimally engaged.
Apple has not, as of this writing, committed to changing the behaviour. There has been no security advisory. No announcement at WWDC. No published patch. The mechanic remains exploitable in current iOS releases.
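The two tells described above, the out-of-jurisdiction statute and the Reply-Y ritual, are both checkable by a message filter before a recipient ever reads the text. The scorer below is an added example, not code from the article or from any of the firms it cites; it looks for the template's fixed features (a regulatory citation whose state does not match the recipient's, a one-character reply instruction followed by the exit/re-open/copy-to-browser steps, a trivially small dollar amount, deadline and penalty language, and a link on one of the TLDs the article's sources flag) and counts how many appear. The jurisdiction table beyond the Florida entry, the $50 threshold, the three-flag verdict line and the sample messages are all assumptions constructed for the example; a single flag on its own (a dentist's "Reply C to confirm") is deliberately not enough to trip it.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Regulatory codes a lure might cite, mapped to the state whose law they are.
# Florida Administrative Code is the one the campaign uses; the other two are
# hypothetical entries so the jurisdiction check is a plain table lookup.
CODE_JURISDICTIONS = {
    "Florida Administrative Code": "FL",
    "Texas Transportation Code": "TX",
    "California Vehicle Code": "CA",
}
_CODE_BY_LOWER = {k.lower(): v for k, v in CODE_JURISDICTIONS.items()}

CITATION_RE = re.compile(
    r"(?P<code>" + "|".join(re.escape(c) for c in CODE_JURISDICTIONS) + r")"
    r"\s+(?P<rule>\d+[A-Z]?(?:-\d+)?(?:\.\d+)?)",
    re.IGNORECASE,
)
# "Reply Y": a single character (or yes/ok) right after "reply".
REPLY_RE = re.compile(r"\breply\s+(?:with\s+)?['\"]?(?:[A-Za-z0-9]|yes|ok)['\"]?\b", re.IGNORECASE)
# The rest of the ritual: leave the thread, re-open the link, or paste it into a browser.
WORKAROUND_RE = re.compile(
    r"(?:exit|close)\s+the\s+(?:sms|message|text)|re-?open|"
    r"copy\s+(?:it|the\s+link)\s+(?:into|to)\s+(?:your\s+)?browser",
    re.IGNORECASE,
)
AMOUNT_RE = re.compile(r"\$\s?(\d+(?:\.\d{2})?)")
DEADLINE_RE = re.compile(r"final\s+notice|penalties\s+begin|within\s+\d+\s+(?:hours?|days?)|last\s+chance", re.IGNORECASE)
PENALTY_RE = re.compile(r"suspension|reinstatement\s+fee|credit\s+report|prosecution|court\s+fees", re.IGNORECASE)
# TLDs the article's sources report as abuse-saturated (.top, .xin).
TLD_RE = re.compile(r"https?://[^\s/]+\.(?:top|xin)(?:/|\b)", re.IGNORECASE)

SMALL_AMOUNT_LIMIT = 50.0  # assumed threshold: the lures keep the ask trivially small


@dataclass
class Assessment:
    flags: List[str] = field(default_factory=list)
    citation: Optional[str] = None
    citing_state: Optional[str] = None

    @property
    def score(self) -> int:
        return len(self.flags)

    @property
    def verdict(self) -> str:
        # Assumed cut-off: three independent tells before we call it.
        return "likely smishing" if self.score >= 3 else "no strong indicators"


def assess_sms(text: str, recipient_state: Optional[str] = None) -> Assessment:
    """Score one SMS body against the traffic-violation template's fixed features."""
    a = Assessment()
    m = CITATION_RE.search(text)
    if m:
        a.citation = f"{m.group('code')} {m.group('rule')}"
        a.citing_state = _CODE_BY_LOWER[m.group("code").lower()]
        a.flags.append("statute_citation")
        if recipient_state and recipient_state.upper() != a.citing_state:
            # The strongest tell: one state's code cited to a resident it cannot bind.
            a.flags.append("jurisdiction_mismatch")
    if REPLY_RE.search(text):
        a.flags.append("reply_instruction")
    if WORKAROUND_RE.search(text):
        a.flags.append("link_workaround")
    amt = AMOUNT_RE.search(text)
    if amt and float(amt.group(1)) < SMALL_AMOUNT_LIMIT:
        a.flags.append("small_amount")
    if DEADLINE_RE.search(text):
        a.flags.append("deadline_pressure")
    if PENALTY_RE.search(text):
        a.flags.append("penalty_threats")
    if TLD_RE.search(text):
        a.flags.append("abused_tld")
    return a


# Constructed samples: the lure follows the template quoted in the article; the
# URL is a made-up placeholder, not a real campaign domain.
SAMPLE_LURE = (
    "Final Notice: Enforcement Penalties Begin April 5. Pursuant to Florida "
    "Administrative Code 15C-16.003, you are required to settle any outstanding "
    "traffic violations before your scheduled court hearing. Failure to do so will "
    "result in suspension of your driver's license, with a 35% reinstatement fee, "
    "and negative credit reporting. Please reply Y, then exit the SMS, re-open the "
    "SMS activation link, or copy it into your browser. Pay $6.99 to resolve. "
    "https://dmv-notice.example.top/pay"
)
SAMPLE_BENIGN = "Reminder: your dental appointment is Tuesday at 3 PM. Reply C to confirm or call the office."

if __name__ == "__main__":
    for label, msg in (("lure (CT recipient)", SAMPLE_LURE), ("benign", SAMPLE_BENIGN)):
        result = assess_sms(msg, recipient_state="CT")
        print(f"{label}: {result.verdict} ({result.score} flags) {result.flags}")
```

Run against a Florida recipient the same lure loses only the jurisdiction flag and still trips the verdict, which is the point of scoring the template as a bundle rather than keying on the citation alone.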
Numbers Without a Number
The IC3 2025 Annual Report dropped on Tuesday, April 7. Headline figures: 1,008,597 total complaints, the first year ever to clear one million. Reported losses of $20.877 billion, up 26 percent from 2024. Investment fraud at $8.648 billion, business email compromise at $3.046 billion, phishing and spoofing at 191,561 complaints, and government impersonation at 32,424 complaints, nearly double the prior year.
Those are the numbers. The number that is not in the report is a discrete dollar figure for smishing. The IC3 does not publish one. Phishing-and-spoofing aggregates voice, email, and SMS phishing under a single complaint code. Government impersonation includes traffic-ticket scams alongside IRS impersonation, jury-duty scams, and a long tail of other variants. The FTC's separate 2024 Sentinel data put total text-scam losses at $470 million across all variants, more than five times the 2020 total. The FBI's 2024 Internet Crime Report logged 59,271 complaints specifically related to unpaid-toll texts.
Toll texts are the older cousin of the traffic-violation campaign. Same kit infrastructure. Same Mandarin-speaking developer base. Different lure. The toll variant peaked in 2024 and never quite went away; the traffic-violation variant emerged in late 2025 and went vertical in March 2026, which is why the FTC alert showed up when it did.
Seven days separated the IC3 report and the FTC alert. The agencies did not coordinate, formally. They did not need to. The pattern was visible to anyone watching the data, which is to say to anyone whose job it is to watch the data, which is to say to the FTC and the FBI.
What was missing from both documents was the obvious next sentence. Neither agency named a kit. Neither named a developer. Neither named a country of origin. Neither acknowledged that, three weeks before the FTC alert, a municipal police service in Ontario had arrested two men in connection with the same campaign and seized the device they had been driving around downtown Toronto in. The American government was issuing warnings. The Canadian government was making arrests. Both countries' citizens were getting the same texts.
Three Kits, One Ecosystem
Resecurity, an American threat-intelligence firm, coined the phrase Smishing Triad in August 2023. The original USPS-impersonation campaign that triggered the term had three distinguishing features: it ran on a kit sold through Telegram, it targeted American consumers at scale, and the developer chatter was in Mandarin. Resecurity's analysts gave it a name. The name stuck.
Three years later the Triad is no longer a single kit. It is an ecosystem. PRODAFT's threat-actor taxonomy distinguishes three closely-related operations under what is now widely called the Triad umbrella, plus one older outlier whose code feeds the others.
- Lighthouse (PRODAFT designation LARVA-241), built by an alleged developer using the alias Wang Duo Yu. Subscription pricing of $88 per week or $1,588 per year, documented in Netcraft's September 2025 report on the kit. The kit Google sued in November 2025.
- Lucid (LARVA-242), developed by an actor or group using the alias XinXin. PRODAFT's March 24, 2025 dossier put Lucid at 169 targeted entities across 88 countries, a self-reported 100,000 messages per day, roughly 5 percent conversion, a 2,000-member Telegram resale channel, and 129 distinct active instances per month.
- Darcula (LARVA-246), the youngest of the three. NRK, the Norwegian public broadcaster, published a four-part investigative series titled The Hunt for Darcula starting on May 4, 2025, after a months-long collaboration with Mnemonic, a Norwegian security firm.
The cousin in the family is Magic Cat, the older codebase that powers Darcula and earlier Triad campaigns. NRK's reporters identified Magic Cat's lead developer as a man they called Yucheng C., 24, of Henan province.
Three siblings, one cousin. They share infrastructure. They share Telegram resale channels. They share a developer pool centred in Henan. Disrupting one operator does not disrupt the kit. Disrupting the kit does not disrupt the marketplace. Disrupting the marketplace does not disrupt the developer pool. This is the central operational fact of the entire problem space.
The Cell Tower in the Trunk
Beginning in November 2025, customers of Telus and Bell in downtown Toronto began receiving smishing texts that the carriers could not find in their own network logs. Carey Frey, Telus's Chief Security Officer, told the Globe and Mail that the only mechanism consistent with the evidence was a rogue mobile transmitter operating outside the carrier network entirely.
An SMS Blaster. Sometimes called an IMSI-catcher in the surveillance literature. A portable rogue cellular base station, small enough to fit in the trunk of a car, that broadcasts a stronger signal than nearby legitimate towers, forces handsets within range to associate with it instead, harvests their IMSI numbers, and pushes SMS messages directly into the device's modem. The messages never traverse a carrier network. Carrier-side spam filtering, sender-ID validation, abuse heuristics, none of them ever see the message, because from the carrier's perspective the message does not exist.
Frey and his counterpart Nicholas Payant, Chief Information Security Officer at BCE's Bell Canada, worked with the Toronto Police Service's Coordinated Cyber Centre to help locate the device. The investigation, which TPS code-named Project Lighthouse, ran from November 2025 through the end of March 2026.
On March 31, officers arrested Dafeng Lin, 27, of Hamilton, and Junmin Shi, 25, of Markham. On April 21, Weitong Hu, 21, of Markham, surrendered. Three men, 44 combined offences, including mischief endangering life — the SMS Blaster's broadcasts had degraded local 911 access — multiple counts of personation, false information, possession of forgery instruments, conspiracy, intercepting private communication, and trafficking identity information.
Detective Sergeant Lindsay Riddell of the Coordinated Cyber Centre led the investigation. Deputy Chief Robert Johnson chaired the press conference on April 23. The TPS press release described Project Lighthouse as a first-of-its-kind SMS Blaster investigation in Canada. It is also a first-of-its-kind anywhere in North America.
The Protocol Underneath
The SMS Blaster works for the same reason the Smishing Triad kits work, which is the same reason every smishing campaign of the past fifteen years has worked. Short Message Service has no sender authentication.
There is no SPF for SMS. No DKIM. No DMARC. The originating-address field of an SMS is a free-form string set by whatever equipment is sending the message. The Signalling System No. 7 protocol that underlies cellular message routing was specified in the 1970s for a world in which a small number of national telephone monopolies trusted each other to be honest about who was placing what call. That trust assumption has been functionally dead since deregulation in the 1990s. The protocol has never been replaced.
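To make the "free-form originating address" concrete, here is an added example (not from the article) that walks a constructed SMS-DELIVER PDU, the wire form a handset's modem receives, field by field as laid out in GSM 03.40. The two PDUs, the SMSC number, the sender label, the timestamp and the body are all made up for the demo. The field list the parser returns is the whole message: SMSC address, flags, originating address, protocol and coding bytes, timestamp, length, payload. The originating address is a type byte plus either BCD digits or 7-bit packed text, and there is no signature, MAC or certificate field anywhere in the structure for a receiver to check it against.

```python
from dataclasses import dataclass
from typing import List, Tuple

# GSM 03.38 default 7-bit alphabet, indexed by septet value.
GSM7_BASIC = (
    "@£$¥èéùìòÇ\nØø\rÅåΔ_ΦΓΛΩΠΨΣΘΞ\x1bÆæßÉ !\"#¤%&'()*+,-./0123456789:;<=>?"
    "¡ABCDEFGHIJKLMNOPQRSTUVWXYZÄÖÑÜ§¿abcdefghijklmnopqrstuvwxyzäöñüà"
)


def unpack_gsm7(data: bytes, septets: int) -> str:
    """Unpack GSM 7-bit packed septets from a little-endian bit stream."""
    acc, nbits, out = 0, 0, []
    for b in data:
        acc |= b << nbits
        nbits += 8
        while nbits >= 7 and len(out) < septets:
            out.append(GSM7_BASIC[acc & 0x7F])
            acc >>= 7
            nbits -= 7
    return "".join(out)


def bcd_digits(data: bytes) -> str:
    """Decode semi-octet BCD digits (low nibble first); 0xF is end-of-number padding."""
    digits = []
    for b in data:
        digits.append(str(b & 0x0F))
        if (b >> 4) != 0x0F:
            digits.append(str(b >> 4))
    return "".join(digits)


@dataclass
class Deliver:
    smsc: str
    sender: str
    sender_kind: str        # "international", "alphanumeric" or "national/other"
    timestamp: str
    text: str
    fields: List[Tuple[str, str]]   # (field name, hex bytes) in wire order


def parse_sms_deliver(hexpdu: str) -> Deliver:
    """Walk an SMS-DELIVER PDU (SMSC -> handset), recording every field on the way."""
    pdu = bytes.fromhex(hexpdu)
    fields: List[Tuple[str, str]] = []
    pos = 0
    # SMSC address: length in octets, type-of-address, BCD digits.
    smsc_len = pdu[pos]; pos += 1
    smsc_toa = pdu[pos]
    smsc = ("+" if smsc_toa & 0x70 == 0x10 else "") + bcd_digits(pdu[pos + 1:pos + smsc_len])
    fields.append(("SMSC address", pdu[0:pos + smsc_len].hex().upper()))
    pos += smsc_len
    # First octet: message type (bits 0-1 == 00 is SMS-DELIVER) and flags.
    first = pdu[pos]; pos += 1
    if first & 0x03 != 0x00:
        raise ValueError("not an SMS-DELIVER PDU")
    if first & 0x40:
        raise ValueError("user-data header not handled in this example")
    fields.append(("TP first octet", f"{first:02X}"))
    # TP-OA: length in semi-octets, type-of-address, then the address value.
    oa_len = pdu[pos]; oa_toa = pdu[pos + 1]; pos += 2
    oa_bytes = (oa_len + 1) // 2
    oa_raw = pdu[pos:pos + oa_bytes]; pos += oa_bytes
    ton = (oa_toa >> 4) & 0x07
    if ton == 0x05:             # alphanumeric: 7-bit packed text, any label the sender chose
        sender_kind, sender = "alphanumeric", unpack_gsm7(oa_raw, (oa_len * 4) // 7)
    elif ton == 0x01:           # international number: plain BCD digits
        sender_kind, sender = "international", "+" + bcd_digits(oa_raw)
    else:
        sender_kind, sender = "national/other", bcd_digits(oa_raw)
    fields.append(("TP-OA (originating address)", bytes([oa_len, oa_toa]).hex().upper() + oa_raw.hex().upper()))
    pid, dcs = pdu[pos], pdu[pos + 1]; pos += 2
    fields.append(("TP-PID", f"{pid:02X}"))
    fields.append(("TP-DCS", f"{dcs:02X}"))
    if dcs & 0x0C != 0x00:
        raise ValueError("only GSM 7-bit user data handled in this example")
    ts = bcd_digits(pdu[pos:pos + 6])          # yymmddhhmmss, swapped nibbles
    fields.append(("TP-SCTS (timestamp)", pdu[pos:pos + 7].hex().upper()))
    pos += 7
    timestamp = f"20{ts[0:2]}-{ts[2:4]}-{ts[4:6]} {ts[6:8]}:{ts[8:10]}:{ts[10:12]}"
    udl = pdu[pos]; pos += 1
    fields.append(("TP-UDL", f"{udl:02X}"))
    fields.append(("TP-UD (payload)", pdu[pos:].hex().upper()))
    return Deliver(smsc, sender, sender_kind, timestamp, unpack_gsm7(pdu[pos:], udl), fields)


# Constructed PDUs: SMSC +15551234567, sent 2026-04-05 10:30:00, body "Reply Y".
# One carries the alphanumeric label "EXAMPLE", the other the number +12345678901.
ALPHA_PDU = "07915155214365F7040DD0456CB009651601000062405001030000" + "07D2329C9D076501"
NUMERIC_PDU = "07915155214365F7040B912143658709F1000062405001030000" + "07D2329C9D076501"

if __name__ == "__main__":
    for pdu in (ALPHA_PDU, NUMERIC_PDU):
        d = parse_sms_deliver(pdu)
        print(f"from {d.sender!r} ({d.sender_kind}) via {d.smsc} at {d.timestamp}: {d.text!r}")
        for name, hx in d.fields:
            print(f"  {name:30s} {hx}")
```

Nothing in the field walk distinguishes the label from the number except the type-of-address nibble; both are written by the sending equipment and read back verbatim by the handset, which is the whole of the point.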
Rich Communication Services, the GSMA-standardized successor to SMS, supports verified-sender authentication through its RCS Business Messaging profile. Apple added native peer-to-peer RCS to iOS in iOS 18, released September 16, 2024, and added RCS Business Messaging support in iOS 18.1 the following month. Cross-carrier authentication is partial. Cross-platform is patchy.
Apple's iMessage link-disabling for unknown senders is, in this context, a workaround for a protocol that was never designed for trust. The Reply-Y mechanic is the kit operators' workaround for that workaround. Until cross-carrier RCS Business Messaging authentication is universal, the SMS layer will remain structurally exploitable.
The Registrars Nobody Is Regulating
The kits need cheap domains in volume. Lucid, Lighthouse and Darcula each cycle through thousands of throwaway domains per campaign window, used for a few hours or days and abandoned before takedown processes catch up.
The NetBeacon Institute found one registrar, Dominet HK Limited, accounting for roughly 55 percent of all unique phishing domains observed in its March 2025 dataset despite managing only a tiny fraction of the generic top-level domain market. Spamhaus logged 211,406 separate abuse detections on the .top top-level domain across October 2024 through March 2025. ICANN issued a Notice of Breach to .TOP Registry on July 16, 2024. It has not followed that notice with any meaningful public consequence.
Spamhaus also tracked the .xin top-level domain operating with more than 82 percent of registered domains flagged malicious in the same reporting window. A namespace where four out of five domains are malicious is not functioning as an ordinary commercial registry. It is functioning as smishing infrastructure.
Where the Money Goes
A stolen card number is not money. The kits' competitive advantage over older skimming and database-leak ecosystems is the end-to-end automation of the cash-out chain, and the chain runs through Cambodia.
Recorded Future's Insikt Group published the canonical reference on the next link in that chain on August 14, 2025. The technique is called ghost-tapping. Stolen card details, harvested by the smishing kits along with the SMS-delivered one-time passcodes needed for wallet enrollment, are loaded into Apple Pay or Google Pay credentials on attacker-controlled devices. The provisioned wallets are then used for rapid-fire NFC purchases at compliant merchants, often luxury goods convertible to cash through grey-market resale.
The Singapore Police Force reported in February 2025 that it had recorded at least 656 cases of unauthorized contactless transactions between October and December 2024, with at least 502 involving cards linked to Apple Pay. Reported losses came to at least 1.2 million Singapore dollars.
From the luxury-goods resale layer, proceeds flow into stablecoin rails. The Huione Group in Cambodia became the principal off-ramp from carded-goods resale into Tether on the Tron blockchain. The U.S. Treasury Department's Financial Crimes Enforcement Network issued a final rule on October 14, 2025 severing the Huione Group from the U.S. financial system under Section 311 of the USA PATRIOT Act.
Smishing kits, ghost-tap, USDT on Tron, and the compounds are not separate criminal economies. They are four phases of one supply chain.
Google Sues. The DOJ Does Not.
On November 12, 2025, Google filed a civil action in the U.S. District Court for the Southern District of New York, captioned Google LLC v. Does 1 through 25, case number 1:25-cv-09421-LAK, before Judge Lewis A. Kaplan. The complaint pleads RICO, Lanham Act trademark infringement, and the Computer Fraud and Abuse Act. Defendants are identified by aliases, including Wang Duo Yu and CoSmile. The complaint alleges over one million victims worldwide, more than 32,000 distinct USPS-spoofing sites, and exposure of up to roughly 115 million U.S. payment cards through Lighthouse-driven smishing between July 2023 and October 2024.
The same day, Google's General Counsel publicly endorsed three pieces of pending federal legislation: the Foreign Robocall Elimination Act, the Scam Compound Accountability and Mobilization Act, and the Guarding Unprotected Aging Retirees from Deception Act.
That endorsement is, in effect, a concession that the existing federal toolbox is inadequate to the scale of the wave. Google has named the operators in court. Google is doing the things federal law-enforcement agencies would normally be expected to do.
Federal law enforcement, meanwhile, has done what.
The legal infrastructure for sanctions and indictments against Chinese-origin cyber operators exists. It was used in December 2024 against Sichuan Silence Information Technology Company and Guan Tianfeng over the 2020 Sophos firewall exploitation wave. It has not been used here. No OFAC designation against Lighthouse, Lucid, Darcula, Magic Cat, Wang Duo Yu, XinXin or Yucheng C. No DOJ indictment. No public explanation for the asymmetry.
Who Is Not Talking
The American carriers have said almost nothing. AT&T, Verizon and T-Mobile have issued no traffic-text-specific public statements during the 2026 wave. CTIA has not commented. None of the three U.S. national carriers has made a senior network-security executive available for substantive interview in the cycle.
By contrast, Telus and Bell security leaders did speak publicly in Canada, and they did so while helping Toronto investigators attribute the SMS Blaster method. The contrast is sharp.
State courts have been louder than the carriers. Tennessee's Supreme Court issued a warning on April 6, 2026. Kansas followed on April 25. Delaware's judiciary published its own alert on April 26. What is missing is national judicial-branch coordination. The kits exploit exactly that patchwork.
The Platform That Did Not Change
Pavel Durov, founder and chief executive of Telegram, was arrested at Paris-Le Bourget airport on August 24, 2024 by French authorities acting on a JUNALCO warrant. He was placed under formal investigation on August 28 and released on five-million-euro bail. Telegram subsequently announced limited cooperation with law-enforcement data requests.
Lighthouse, Lucid and Darcula resale channels are still on Telegram. Customer-support bots are still operational. Subscription tiers remain accessible. On currently available evidence, the operational impact of Telegram's post-arrest cooperation on the smishing-kit marketplace is approximately zero.
The FTC has been issuing materially identical smishing alerts since the early 2010s. Do not click. Do not reply. Forward the message to 7726. Report it at ReportFraud.ftc.gov. Verify any claimed government communication through an independently typed URL. The losses continue to rise because consumer education is structurally insufficient as a primary control against an attack whose marginal cost per attempt is effectively zero.
The Indian Raids
There is one precedent for breaking a cross-border phone-and-text fraud campaign at scale, and it matters. Beginning in October 2016, Indian authorities, eventually including the Central Bureau of Investigation, conducted raids on call centres in Thane, Mumbai, Ahmedabad, Noida, Kolkata and Delhi tied to the IRS impersonation scam. Peak victim flow declined sharply after those raids. The scam was not extinguished, but it was disrupted.
The lesson is direct. Consumer education had not worked. Domestic enforcement against money mules had not worked. Voluntary carrier action had not worked. Physical raids in the country where the infrastructure existed did work. Whether that 2016 template can be adapted to the 2026 smishing ecosystem depends on diplomatic relationships the United States does not currently have with the countries that matter most, and on a willingness to use sanctions and indictment authorities that the Sichuan Silence precedent shows are technically available.
What to Watch
The wave will not break. Waves of this kind do not break. They erode, or they do not. Three things, if they happen in 2026 or 2027, would erode it faster than the underlying economics rebuild it.
First, cross-carrier RCS Business Messaging authentication at sufficient scale that consumers learn to treat the absence of a verified-sender badge as a fraud signal. This is the protocol-layer fix.
Second, House passage of the SCAM Act, S.2950. The Senate passed the bill on December 8, 2025. It now sits in the House. If enacted, the sanctions and tracing authorities it creates attach to the Cambodia and Myanmar compound ecosystem at the cash-out layer. This is the financial-rails fix.
Third, ICANN registrar-accreditation reform with consequence. The indicator is whether ICANN moves beyond Notices of Breach to actual accreditation termination for registrars repeatedly named in abuse reports, and whether registry-level oversight on TLDs operating above eighty-percent malicious-domain saturation produces measurable change. This is the infrastructure-layer fix.
If two of the three move, the loss curve bends. If none of them moves, the IC3 2027 Annual Report will look very much like the 2025 edition that landed on April 7, the FTC will issue its fifteenth nearly-identical alert, and another driver in another state will get another text.
Maybe the next one will not have Florida 15C-16.003 in it. The kit operators are not lawyers. They are not careful. But they do read their press, and the press has been telling them, in plain English, exactly which detail in their template is giving them away.
Watch for that to change.