Full Report
What HappenedOfficers from the City of London Police’s Dedicated Card and Payment Crime Unit (DCPCU) secured the conviction of a man who used an SMS Blaster device to send fraudulent text messages as part of an organised criminal operation in London.The conviction relates to an investigation that previously led to the sentencing of Ruichen Xiong in July 2025, who was apprehended while driving a vehicle in North London as the device was in operation. During that incident, officers in the vicinity received fraudulent text messages purporting to be from HMRC.Ruichen Xiong was a student from China who drove around London using the SMS Blaster between 22 and 27 March 2025, sending messages to tens of thousands of potential victims.Following Xiong’s arrest and subsequent conviction, enquiries identified another individual called Di Li who was a key organiser. Li facilitated Xiong’s involvement by arranging access to the device, assisting with obtaining a vehicle, and supporting his day-to-day living costs.Xiong had accrued significant gambling debts after arriving in the UK as a student. To pay off his debts, Li instructed that he could repay what he owed by driving routes in a car with the SMS Blaster.On 20 August 2025, officers searched Li’s home address, where digital evidence was recovered showing communications between Li and Xiong relating to the deployment of the SMS blaster. Li was arrested on 1 September 2025 and charged with offences linked to the operation.At the court trial, Li’s defence was that the device was intended for “advertising” purposes and described himself as a middleman acting on behalf of an individual based in China. He maintained that he had been merely attempting to help Xiong repay his debts.Analyst CommentAn SMS Blaster acts as a portable mobile phone mast that forces nearby mobile devices to connect to it by silently downgrading it to 2G while they try to connect to 5G or LTE. By doing so, criminals can bypass safeguards designed to block malicious senders and harmful links, enabling them to deliver fraudulent messages directly to victims nearby without needing their phone numbers. The SMS Blaster allow an operator to customise all aspects of the messages, so they can make it look like it has come from a genuine organisation like HMRC, the UK tax authority.SMS Blasters are a relatively new technology for scammers. Police in the UK only encountered them for the first time in 2025, but they have been used in other parts of the world. SMS Blaster are also a type of IMSI catcher that mirrors the capability of law enforcement tools such as a Stingray.When used in busy metropolitan areas, they allow criminals to easily send out SMS phishing messages to hundreds of people at a time. These SMS messages typically have a malicious link that host scam websites that trick victims into entering their personal details. These details can then used by fraudsters to make payments, steal funds, or resell it to others.This report also highlights the concerning trend of organised cybercrime gangs from China are actively hunting for individuals who are financially vulnerable (like students with gambling debts) to conduct high-risk in-person operations. Defensive TakeawaysBlock and Report: If you receive a suspicious text message, do not engage with it. Instead, forward it to 7726, a free reporting service, and block the number.Move Away from SMS: If your organisation relies on SMS for One-Time Passcodes (OTPs), this threat highlights that the SMS sender ID can be perfectly spoofed locally. Organisations should migrate to authenticator apps, hardware tokens, or application push notifications to avoid spoofing.Proactive Takedown Programs: Since the attack relies on hosting malicious links to harvest credentials, defenders can perform proactive domain monitoring. Detecting and taking down lookalike domains immediately minimises the impact.Relevant Sourceshttps://www.cityoflondon.police.uk/news/city-of-london/news/2026/june/man-jailed-for-role-in-sms-blaster-fraud-operation-following-city-of-london-police-investigationhttps://www.ukfinance.org.uk/news-and-insight/press-release/police-warn-sms-scams-following-prison-sentence-criminal-whohttps://www.theguardian.com/money/2025/jun/24/police-sms-scams-blaster-texts-smishingRelevant CTI Resourceshttps://www.m3aawg.org/blog/SMSBlasterEngagementSeries
Analysis Summary
# Incident Report: Organized Smishing Operation via SMS Blaster
## Executive Summary
Law enforcement dismantled an organized criminal operation in London that utilized "SMS Blaster" technology to bypass cellular security and deliver fraudulent messages to tens of thousands of citizens. The investigation led to the conviction of Ruichen Xiong, who deployed the device, and Di Li, a key organizer acting as a middleman for a China-based entity. The operation targeted financially vulnerable individuals to facilitate large-scale credential harvesting and financial fraud.
## Incident Details
- **Discovery Date:** March 2025
- **Incident Date:** March 22 – March 27, 2025 (Initial active deployment)
- **Affected Organization:** General public; fraudulent messages spoofed HMRC (UK Tax Authority)
- **Sector:** Public / Financial Services (Fraud)
- **Geography:** London, United Kingdom
## Timeline of Events
### Initial Access
- **Date/Time:** March 22, 2025
- **Vector:** Proximity-based radio frequency (RF) manipulation using an SMS Blaster.
- **Details:** The device acted as a rogue base station, forcing nearby mobile devices to downgrade to 2G to bypass modern encryption/filtering and broadcast fraudulent SMS messages.
### Lateral Movement
- **N/A:** This was a mobile smishing operation rather than a network intrusion. The "movement" involved the physical transit of the device via vehicle through high-density North London routes to maximize victim exposure.
### Data Exfiltration/Impact
- **Details:** Tens of thousands of messages were sent. While specific exfiltration volumes are not listed, the intent was to drive traffic to malicious links to harvest personal details and banking credentials for financial theft.
### Detection & Response
- **Detection:** In March 2025, police officers in North London received fraudulent HMRC texts on their own devices while in the vicinity of the suspect's vehicle.
- **Apprehension:** Ruichen Xiong was arrested in flagrante delicto (while the device was operating) in July 2025.
- **Investigation:** Digital forensics of Xiong’s devices identified Di Li as the facilitator.
- **Secondary Response:** On August 20, 2025, Li’s home was searched, yielding digital evidence of coordination. Li was arrested on September 1, 2025.
## Attack Methodology
- **Initial Access:** RF Spoofing / Rogue Base Station (IMSI Catcher).
- **Persistence:** Physical deployment; the attacker drove specific routes daily to maintain a "fresh" pool of victims.
- **Defense Evasion:** 2G Downgrade Attack. By forcing phones to 2G, the attackers bypassed 5G/LTE security safeguards and network-level spam filters.
- **Credential Access:** Phishing/Smishing via lookalike domains (e.g., spoofing HMRC).
- **Collection:** Credential harvesting via malicious web forms hosted on external domains.
- **Impact:** Financial fraud, identity theft, and potential resale of stolen data.
## Impact Assessment
- **Financial:** High potential loss across "tens of thousands" of recipients; operational costs for law enforcement.
- **Data Breach:** Compromise of personal identifiable information (PII) for victims who engaged with the links.
- **Operational:** Disruption of local cellular signal integrity in targeted areas.
- **Reputational:** Erosion of trust in SMS-based communications and government (HMRC) notifications.
## Indicators of Compromise
- **Behavioral indicators:** Mobile devices unexpectedly dropping from 5G/LTE to 2G; receipt of unsolicited "HMRC" texts with URLs; presence of suspicious vehicles loitering in busy metropolitan areas.
- **Network indicators:** Unofficial/rogue cellular broadcast signals (Stingray-like behavior).
- **Domains:** Phishing URLs (typically hxxps[://]lookalike-hmrc-gov[.]uk - *generic example based on report*).
## Response Actions
- **Containment:** Physical seizure of the SMS Blaster device and the vehicle used in the operation.
- **Eradication:** Arrest and successful conviction of both the operator (Xiong) and the organizer (Li).
- **Recovery:** Public awareness campaigns by the City of London Police and UK Finance warning of the new technology.
## Lessons Learned
- **Vulnerability of SMS:** SMS Sender IDs are easily spoofed locally, bypassing carrier-grade filters.
- **Exploitation of Vulnerability:** Organized crime groups are specifically recruiting financially vulnerable individuals (students with gambling debt) to perform high-risk "boots-on-the-ground" technical attacks.
- **Technological Shift:** The arrival of SMS Blasters in the UK (first seen in 2025) represents a significant escalation in localized smishing capabilities.
## Recommendations
- **Transition from SMS:** Organizations should move away from SMS for Multi-Factor Authentication (MFA) and One-Time Passcodes (OTPs) in favor of Authenticator Apps or physical hardware tokens.
- **Proactive Takedowns:** Implement automated monitoring for lookalike domains to take down phishing sites before they can be utilized in a "blaster" campaign.
- **Public Education:** Encourage users to report suspicious texts by forwarding them to **7726**.
- **RF Monitoring:** Law enforcement and telecommunications providers should deploy detection capabilities for rogue 2G base stations in metropolitan hubs.