China-linked fraud network exploits stolen Massachusetts identities to target U.S. banks
It’s not clear who exactly the Chinese operatives are, but the scheme has been ongoing and persistent, said Socure executive Jordan Burris.
A wave of fraudulent banking and credit card applications linked to a potential China-based cyber operation is hitting major U.S. financial institutions, with more than 9,100 cases publicly identified so far.
The operatives are leveraging stolen identities from Massachusetts, suggesting a potential tie-in to recent state-based data breaches, according to findings from identity verification firm Socure released last week.
Many of the fraudulent applications are linked to a newly registered domain, Luuinet.com, which was created in China in 2023, Socure says. This domain alone has been linked to 5,500 suspicious applications, all featuring gibberish email addresses meant to bypass conventional fraud detection. The attackers also appear to be using automated processes to generate these email addresses.
The timing of the applications aligns with working hours in China. Activity spikes occur during daytime hours in China and taper off around lunch and dinner breaks, the firm’s blog post says.
The perpetrators are also relying on virtual private networks and proxy networks to mask their locations, with 89% of flagged applications coming from IP addresses geolocated far from the applicant’s stated address.
The phone numbers, email addresses and identities of real-world individuals hoovered up in the sham applications have no correlation with one another, indicating the presence of a synthetic fraud ring, the company says.
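As an added illustration (not Socure’s code or anything from the article), a defender-side triage routine that scores application records on the four signals described above: a watchlisted email domain, a gibberish email local part, an IP geolocated far from the stated address, and submission during Chinese working hours. The distance threshold, the 9:00–18:00 working-hours window and the sample records are assumptions.

```python
import math, re
from datetime import datetime, timedelta, timezone

WATCHLIST_DOMAINS = {"luuinet.com"}            # domain named in the article
FAR_KM = 500                                   # assumed: IP further than this from the stated address
CN_TZ = timezone(timedelta(hours=8))           # China Standard Time (no DST)

def looks_gibberish(local_part: str) -> bool:
    """Heuristic for machine-generated local parts: few vowels or a long consonant run."""
    letters = re.sub(r"[^a-z]", "", local_part.lower())
    if len(letters) < 6:
        return False
    vowel_ratio = sum(c in "aeiou" for c in letters) / len(letters)
    return vowel_ratio < 0.25 or re.search(r"[^aeiou]{5,}", letters) is not None

def haversine_km(lat1, lon1, lat2, lon2) -> float:
    """Great-circle distance in kilometres between two (lat, lon) points."""
    p1, p2, dphi, dlam = (math.radians(v) for v in (lat1, lat2, lat2 - lat1, lon2 - lon1))
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(a))

def score_application(app: dict) -> tuple[int, list[str]]:
    """Return (number of signals fired, reasons) for one application record."""
    reasons = []
    local, _, domain = app["email"].lower().rpartition("@")
    if domain in WATCHLIST_DOMAINS:
        reasons.append("email domain on watchlist")
    if looks_gibberish(local):
        reasons.append("gibberish email local part")
    dist = haversine_km(*app["stated_latlon"], *app["ip_latlon"])
    if dist > FAR_KM:
        reasons.append(f"IP geolocated {dist:.0f} km from stated address")
    local_time = datetime.fromisoformat(app["submitted_utc"]).astimezone(CN_TZ)
    if local_time.weekday() < 5 and 9 <= local_time.hour < 18:   # assumed working-hours window
        reasons.append("submitted during Chinese business hours")
    return len(reasons), reasons

def triage(apps: list[dict], min_score: int = 2) -> dict[str, tuple[int, list[str]]]:
    scored = {a["id"]: score_application(a) for a in apps}
    return {k: v for k, v in scored.items() if v[0] >= min_score}

# Constructed sample records (not real applicants); coordinates are rough city centres.
SAMPLE_APPS = [
    {"id": "A1", "email": "xq7ktzpwv@luuinet.com", "stated_latlon": (42.36, -71.06),
     "ip_latlon": (31.23, 121.47), "submitted_utc": "2024-03-12T02:30:00+00:00"},
    {"id": "A2", "email": "jane.doe@example.com", "stated_latlon": (42.36, -71.06),
     "ip_latlon": (42.37, -71.11), "submitted_utc": "2024-03-12T14:15:00+00:00"},
    {"id": "A3", "email": "bnqtrsz@example.net", "stated_latlon": (42.26, -71.80),
     "ip_latlon": (34.05, -118.24), "submitted_utc": "2024-03-13T05:00:00+00:00"},
]
```

Running `triage(SAMPLE_APPS)` keeps A1 (all four signals) and A3 (three signals) for review and drops the ordinary Boston applicant A2; in practice the score feeds a review queue rather than an automatic decline, since any one signal alone has benign explanations.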
“This has been an ongoing, persistent threat from China [and] from other countries to disrupt what is our largely digital economy within the U.S.,” Jordan Burris, Socure’s public sector vice president, told Route Fifty in an interview. “And I think for far too long, we’ve not paid close enough attention as to what is occurring.”
The exclusive focus on Massachusetts identities suggests the attackers are exploiting a specific data breach. Nearly 2,500 data compromises occurred in Massachusetts in 2023, followed by almost 3,000 in 2024, according to breach notification reporting made available by the state.
It’s not entirely clear who the Chinese operatives are, assuming they are indeed working on behalf of China, Burris said. He added that attribution is difficult.
“The main point here, and what we’re seeing, is that — whether it is that it is a different country that is leveraging what would be a Chinese based domain — or whether they were leveraging something within the U.S. in particular, they’re doing it at scale,” he said.
Chinese government-aligned cyber units have made headlines for months as they’ve been found infiltrating troves of critical infrastructure systems around the world. One particular group, widely known as Salt Typhoon, breached the systems of at least nine American telecom firms and dozens of other communications operators around the world.
More recently, another Chinese group, known as Silk Typhoon, infiltrated multiple Treasury Department systems, including sensitive offices involved in sanctioning and assets control, as well as the Committee on Foreign Investment in the U.S., which conducts national security reviews of foreign acquisitions.
Other adversaries are involved in financial fraud tactics. North Korea has grown particularly infamous for its schemes aimed at stealing money for Pyongyang’s missile programs. The Justice Department recently indicted five people for their involvement in fraudulently obtaining remote work opportunities used to funnel earnings back to the DPRK.