A Network of Chinese Telegram Users Is Advertising Toolkits That Allow Scammers to Easily Steal Victims’ Credit Card Information
If you’ve recently gotten a text claiming you owe a few bucks in unpaid tolls, you’re not alone — and you definitely shouldn’t click the link. A flood of scam messages has been hitting phones across the U.S., warning people they missed a toll payment and need to settle up before fees pile up. But it’s not just a harmless prank — it’s a widespread, coordinated cybercrime operation fueled by scam kits sold on Telegram.
Scam Texts Lead to Fake Payment Pages Designed to Steal Your Info
The scam messages often look official, telling you there’s a small fee due for an unpaid E-ZPass or toll road charge. They include a link to what looks like a legitimate payment page. But instead of paying a fine, victims are unknowingly handing over their credit card numbers and personal details to criminals.
Law enforcement agencies in states like New York, Maryland, Virginia, and Indiana have already issued warnings. Meanwhile, the FBI’s Internet Crime Complaint Center has received over 60,000 reports of these toll scams, according to a spokesperson.
“We have no idea who’s behind this. We just know it keeps coming and it keeps changing every few days,” said Jennifer Givner, spokesperson for the New York State Thruway Authority. “We’re handling a couple dozen calls on a daily basis, people calling just to make sure.”
Telegram: A Hotbed for Toll Scam Toolkits
While some authorities are still unsure who’s behind the wave of scam messages, cybersecurity researchers have traced the tools and techniques back to Telegram, the Dubai-based messaging app. On Telegram, Chinese-speaking users are openly advertising phishing kits — ready-made scam tools — that help cybercriminals build fake payment pages and steal credit card details in real time.
“There’s a lot of people using the kits. There’s no one person,” said Genina Po, a threat researcher at cybersecurity firm Proofpoint. “A lot of them are Chinese users. The Chinese language is a big part of this scene.”
Researchers say these kits can be rented or bought outright, making it easy for even amateur scammers to launch convincing phishing campaigns. One researcher, Ford Merrill from SecAlliance, said the scam has gained serious traction since early 2023 and continues to grow rapidly.
Toll Scams: The New Face of an Old Phishing Trick
Before these scammers pivoted to fake toll bills, similar kits were being used to spoof messages from the U.S. Postal Service, claiming packages were undelivered. The switch to toll payments came after scammers noticed how effective the small-dollar deception was — most people don’t think twice about settling a $5 or $10 fee.
“Once one of them figures out something that works, others jump on it immediately,” said Merrill. “By early February, we saw the first toll scams in the U.S. Within days, three other operators were pushing toll road scams too.”
Phishing kits advertised on Telegram now mimic a wide variety of toll systems, from E-ZPass and Bay Area FasTrak to Georgia’s Peach Pass, Oklahoma’s Pike Pass, and Louisiana’s GeauxPass.
Real-Time Credit Card Theft and Fake Wallets
These phishing kits don’t just steal your credit card — they help criminals build a digital version of it in seconds. When victims enter their card details on the fake payment site, the info is sent directly to scammers, who can use it to generate a scannable fake card and load it into Apple or Google Wallet.
Scammers can also intercept two-factor authentication texts. If a victim receives a code from Apple or Google and mistakenly types it into the fake page, they’re unknowingly giving scammers full access to their digital wallet.
Scammers Use Leaked Data to Target Victims
Part of what makes these scams so widespread is the availability of hacked phone numbers. The cybercrime underground regularly trades massive datasets of stolen information. In fact, U.S. companies reportedly sent out more than 100 million notices last year warning customers that their phone numbers may have been exposed in data breaches, according to the Identity Theft Resource Center.
Can the Scams Be Stopped?
So far, there’s no clear answer. The CTIA, which represents telecom giants like AT&T, Verizon, and T-Mobile, said in a statement that it’s committed to stopping illegal text scams — but admitted that criminals are increasingly turning to encrypted platforms like Telegram, where carriers have no visibility or control.
Apple declined to comment. Samsung didn’t respond. Google, in a statement, said: “Security is core to the Google Wallet experience and we work closely with card issuers to prevent fraud.”
Telegram, often criticized for being an unregulated hub for criminal activity, has recently come under scrutiny after CEO Pavel Durov was detained and charged by French authorities. He has promised more moderation, but the platform remains a key tool for online scammers.
Who’s Behind the Scam?
Despite evidence linking the scams to Chinese-speaking cybercriminals on Telegram, no U.S. agency has officially named suspects or detailed plans to pursue them. The FBI did not comment on whether it has identified the culprits or intends to take action.
A spokesperson from China’s embassy in Washington, D.C., told NBC News that the country “stands firm in combating crimes of telecom and online fraud,” and urges Chinese citizens abroad to “abide by local laws.”
But in reality, justice may be hard to come by. Unlike Russia — where cybercriminals are protected from extradition — China does have extradition treaties with some countries, though not with the United States. And while the U.S. has charged individuals linked to China’s state-sponsored hacking operations, arrests are rare.
