Hunt.io reveals AI smishing ring hitting 19 nations
Key insights
- A single threat actor ran coordinated smishing across 19 countries using AI-generated multilingual lures tied to shared C2 infrastructure.
- Targets spanned government agencies, postal services, and telecoms providers across three continents simultaneously.
- Active credential and payment data collection was still in progress when Hunt.io published its disclosure.
Why this matters
AI-generated multilingual lure production has eliminated the language barrier that previously constrained smishing campaigns to single-country operations, enabling one actor to replicate what once required a distributed, multilingual team. The shared C2 infrastructure spanning 19 countries means any coordinated law enforcement action in one jurisdiction now has the technical basis to cover activity in all the others, raising the stakes for international incident response frameworks. For security vendors and AI practitioners, this is among the first large-scale documented cases where AI content generation functions as the primary scaling mechanism inside credential-theft infrastructure rather than as a peripheral enhancement.
Summary
Hunt.io has traced a live smishing operation spanning 19 countries across three continents to a single organized threat actor using shared command-and-control infrastructure. The campaign targets government agencies, postal services, and telecoms with AI-generated multilingual SMS lures, routing victims to mobile-optimized phishing pages built to harvest credentials and payment data.
The AI-generated lures let one operator credibly impersonate local postal services and government bodies across multiple languages without needing native speakers, which is the core scaling mechanism that makes this operation structurally different from conventional smishing campaigns.
Essentially (Hunt.io, unidentified threat actor): a single group is running AI-assisted credential theft at a scale previously associated with nation-state operations.
- Active victim collection was still ongoing at the time of Hunt.io's disclosure.
- Shared C2 infrastructure across all 19 country-variants rules out loosely affiliated copycat activity.
- Telecom provider targeting raises the possibility of SIM-swap-enabling data collection beyond basic credential harvesting.
Multi-country phishing at this scale no longer requires a distributed multilingual team; AI handles the localization layer.
Potential risks and opportunities
Risks
- Government agencies in targeted countries face ongoing credential exposure if the shared C2 infrastructure remains active after Hunt.io's disclosure.
- Telecoms providers hit by the campaign could face NIS2 regulatory scrutiny in EU jurisdictions if subscriber data exfiltration is confirmed.
- Postal service brands used as impersonation lures across all 19 countries face customer trust erosion during the still-active collection window.
Opportunities
- Mobile threat defense vendors (Lookout, Zimperium, Trusteer) gain concrete grounds to advance smishing detection budget conversations at targeted telecoms and government agencies.
- Threat intelligence platforms (Recorded Future, Group-IB) can use Hunt.io's published C2 indicators to upsell infrastructure-monitoring subscriptions to newly alert enterprise customers.
- Multilingual AI content detection firms have a named, multi-country case study to anchor security pitches to postal operators and government IT teams now on heightened alert.
What we don't know yet
- Attribution behind the threat actor: geographic origin and any state-nexus were not confirmed in Hunt.io's public disclosure.
- Whether Hunt.io's disclosed C2 indicators have triggered infrastructure takedowns or disruptions as of the publication date.
- Which specific 19 countries were targeted: Hunt.io's report did not enumerate all countries publicly, leaving the full victim scope unclear.
Originally reported by hunt.io
Original headline: Hunt.io Exposes Global Smishing Operation Hitting 19 Countries Across 3 Continents, Targeting Governments, Postal Services, and Telecoms