During routine monitoring of suspicious discount- and giveaway-themed domains, our research team uncovered a commercial traffic broker infrastructure operating at scale across multiple regions. Rather than running a single scam or phishing campaign, this infrastructure specializes in harvesting, profiling, and monetizing victim traffic. The traffic is sold on to downstream threat actors, who ultimately redirect victims to pig butchering scams or Telegram account hacking.
The broker operates hundreds of short-lived websites hosted on disposable top-level domains (TLDs) such as .xyz, .top, and .cn. All of these sites leverage brand-themed lures that reference well-known local and international organizations across banking, telecommunications, retail, airlines, utilities, and digital payment ecosystems. Importantly, the brands observed are not the end targets themselves but are used as trust anchors to attract users and increase engagement.
To maximize effectiveness, the infrastructure heavily localizes its lures. Pages are dynamically adapted to specific countries and regions, abusing national holidays, religious festivals, seasonal sales, and public events to create urgency and legitimacy. From a user’s perspective, these sites often resemble promotional microsites advertising free gifts, cash rewards, discounts, or exclusive offers tied to familiar brands.
The phishing kit usually filters out non-mobile users by checking the platform used to reach the phishing page and the browser window dimensions, so a desktop visitor never sees the lure. This renders URL scanning engines that do not emulate a mobile client ineffective against it. The mobile-only gating also enables us to confidently conclude that mobile-based messaging platforms like WhatsApp, Telegram, and Messenger are the primary channels through which this campaign is disseminated.
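A defender-side triage step, added here as an example and not code from the original post or from the kit: a scanner inspects a captured page's inline scripts for the combination of client-platform and window-dimension checks described above and flags the page for a re-scan with a mobile profile. The HTML sample and the signal patterns are constructed for the example.

```python
import re
from html.parser import HTMLParser

# Constructed sample of a captured landing page (not a real kit). The inline
# script gates on navigator.userAgent/platform and window.innerWidth and only
# moves mobile clients on to the lure; a desktop profile sees a dead page.
SAMPLE_HTML = """<html><head><title>Free Gift</title>
<script>
if (!/Android|iPhone/i.test(navigator.userAgent) || window.innerWidth > 820 ||
    navigator.platform.indexOf("Win") === 0) {
  document.title = "Not Found";
} else {
  location.replace("/start");
}
</script></head><body></body></html>"""

# Signal families a mobile gate typically combines: who the client claims to be,
# how big its window is, and a navigation only the passing branch reaches.
SIGNALS = {
    "platform": [r"navigator\.userAgent", r"navigator\.platform",
                 r"navigator\.maxTouchPoints", r"\bAndroid\b", r"\biPhone\b"],
    "viewport": [r"window\.innerWidth", r"window\.innerHeight",
                 r"screen\.width", r"matchMedia\("],
    "navigation": [r"location\.replace\(", r"location\.href", r"location\.assign\("],
}

class _ScriptExtractor(HTMLParser):
    """Collect the text of every inline <script> element."""
    def __init__(self):
        super().__init__()
        self._in_script = False
        self.scripts = []
    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._in_script = True
            self.scripts.append("")
    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False
    def handle_data(self, data):
        if self._in_script:
            self.scripts[-1] += data

def inline_scripts(html):
    parser = _ScriptExtractor()
    parser.feed(html)
    return parser.scripts

def analyze_mobile_gating(html):
    """Return matched signals per family; needs_mobile_rescan is True when the
    page checks both client platform and window size, i.e. a desktop-profile
    scan most likely recorded a decoy rather than the real lure."""
    js = "\n".join(inline_scripts(html))
    found = {cat: sorted({m.group(0) for pat in pats for m in re.finditer(pat, js)})
             for cat, pats in SIGNALS.items()}
    return {"signals": found,
            "navigates": bool(found["navigation"]),
            "needs_mobile_rescan": bool(found["platform"]) and bool(found["viewport"])}
```

A positive verdict means the scanner should re-fetch the URL with a mobile user agent and a phone-sized viewport before classifying it as benign.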
The campaign uses the reputation of local and international brands to appear benign. We have found more than 300 brands across 100 countries being abused as lures.
One of the most striking aspects of this campaign is not just its volume, but its deliberate regional localization.
Based on phishing page titles scraped across thousands of domains, we observed the same underlying lure framework reused globally, while being carefully adapted to:
India & South Asia: Most heavily targeted, with lures themed around Republic Day, Independence Day, and government subsidies, localized across major Indian languages and abusing brands like Paytm, PhonePe, GPay, SBI, Jio, and Reliance Retail.
Sri Lanka & Maldives: Campaigns centered on Independence Day narratives, telecom rewards, and national banks, impersonating brands such as Dialog, SLTMobitel, SriLankan Airlines, and Dhiraagu in Tamil, Sinhala, and English.
East & Southern Africa: High campaign volume leveraging New Year promotions, free mobile data, and utility subsidies, with regional localization in Swahili, Amharic, and Kinyarwanda and abuse of Safaricom, MTN, Equity Bank, and TANESCO.
Middle East & Iran: Lures closely aligned with Islamic holidays like Ramadan and Eid, impersonating Digikala, Snapp!, Qatar Airways, and regional banks, delivered in Persian, Arabic, and Urdu.
Latin America: Well-localized Spanish and Portuguese lures exploiting New Year giveaways, Carnival promotions, and national holidays, abusing brands such as Nequi, Banco Pichincha, Assaí Atacadista, and Chedraui.
Europe, North America & East Asia: Lower-volume but persistent activity targeting retail and airline brands like Lidl, Costco, REWE, Air Canada, and American Airlines, typically framed as anniversary or New Year reward campaigns.
This strongly indicates a centralized traffic broker platform operating at a global scale, rather than opportunistic, region-specific phishing. We identified more than 300 brands being targeted by this campaign.