Case study banner: Six-Figure SMS Bill on HK Facilities Firm After Attackers Hijack OTP System. Type: Blackpanda IR-1 Activation.

Over Five Days, Attackers Send Almost a Million Fraud SMS through OTP System of Hong Kong Facilities App

LAST EDITED:
PUBLISHED:
May 19, 2026

The SMS OTP system worked exactly as designed. By the time the SMS provider flagged the spike, the bill had already run into six figures, all of it landing on the victim.

Key facts

Organisation
Hong Kong Facilities Management Company
Threat
SMS pumping fraud via botnet-driven one-time password (OTP) system abuse
Initial access
Publicly accessible OTP endpoint with no CAPTCHA or anti-automation controls
Impact
Almost a million fraudulent international SMS transmitted across five days; six-figure billing exposure to the victim; application servers crashed under load
Core issue
The OTP system had no protection against automated callers, making it a free SMS gateway for attackers at the victim's expense

What this case shows

  • A single unprotected OTP endpoint can be turned into a direct financial loss vector, with the bill landing on the victim rather than the attacker.
  • Per-IP rate limiting offers no protection against a distributed botnet: here, hundreds of unique source addresses, each sending only one or two requests, stayed under the threshold and defeated it entirely.
  • Log rotation erases the forensic record needed to scope the full attack. The confirmed transmissions from server logs were less than half of what the SMS provider's records actually showed.
  • When an application crashes under attack load, the crash itself is the alarm — but only if someone is watching for it.

Wondering whether your own customer-facing endpoints are protected against automated abuse? Explore Compromise Assessment and Emergency Incident Response.

CHALLENGE

A Hong Kong facilities company received word from its SMS provider in early March 2026 that something was wrong. The provider had flagged a spike in international SMS traffic originating from the company's infrastructure: not the modest daily volume of verification messages the company ordinarily sent to its Hong Kong users, but a torrent of texts addressed to numbers in a single foreign country, dispatched at a rate the system had never seen before. By the time the call came in, the spike had been running for hours.

The company's application sat on cloud-hosted servers behind a standard application gateway, with two production nodes handling user requests. One of those nodes had begun crashing earlier that same morning, its runtime environment exhausting available memory under the weight of incoming traffic. The IT team had assumed the crashes were a capacity problem. They were not. The crashes were a side effect of an attack that had been underway for nearly three hours by then and would continue for another five days before it was fully contained.

What the company did not yet know, and would only learn through Blackpanda's investigation, was that the SMS provider's records showed almost a million fraudulent international messages transmitted from the company's accounts during the incident window. Every one of those messages was billable. None had been authorised. And the route by which they had been sent was not a breached account, a malware infection, or a stolen credential. It was the company's own OTP system, working throughout the attack exactly as it had been designed.

→ PROTECT MY ORGANISATION TODAY

SOLUTION

1. Emergency triage and scope assessment

Blackpanda IR-1 was activated and the Blackpanda IR team responded on the day the SMS provider notified the company. The first question was whether the environment had been breached in a conventional sense (had attackers obtained credentials, code execution, or persistence anywhere in the network?) or whether the SMS abuse was the entirety of the incident. Within hours, the team had pulled application logs from both production nodes and was cross-referencing the activity against the SMS provider's outbound message records.

2. Forensic reconstruction of the attack pattern

Analysis of the recovered logs revealed two distinct waves of high-volume traffic across two separate days, both targeting the application's OTP system. Investigators traced the attack flow end to end: from the inbound request, through the company's application logic, to the outbound call to the SMS provider's gateway, to the message landing on a foreign mobile number.

The pattern was unambiguous. This was SMS pumping fraud, a long-established scheme in which attackers exploit a legitimate SMS-sending capability to drive traffic to premium or international routes that pay them, or their complicit telco partners, a share of the termination fee. The victim's role in the scheme is to pay the bill.

3. Identification of the structural gap

The OTP system had no CAPTCHA and no challenge-response mechanism. The rate limits in place were configured per IP address, and the attackers had defeated them by distributing traffic across hundreds of unique source addresses, each sending only one or two requests across the entire campaign.

Every individual request sat well below any plausible per-IP threshold. The OTP system, in other words, was working exactly as it had been built. The problem was that it had been built without the controls needed to distinguish an automated abuser from a legitimate user.
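The gap described in this section is easiest to see by replaying traffic through two throttles. The block below is an added example, not Blackpanda's or the victim's code: PerIpGuard is the control the company had (source IP is the only key), and LayeredGuard adds keys a botnet cannot dilute, namely the destination number, the destination country and the total send rate of the whole application. The traffic stream, the IP addresses, the numbers, the foreign prefix +999 and the limits are all constructed for the example; the fixed-width country prefix is an assumption standing in for a proper E.164 lookup.

```python
"""Added example (not Blackpanda's or the victim's code): an OTP-request throttle
in two configurations, replayed against constructed traffic. All IPs, numbers and
limits are constructed; the foreign prefix +999 is fictional and the limits are
illustrative rather than tuned to any real baseline."""
from collections import Counter, defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class OtpRequest:
    ts: float          # seconds since an arbitrary epoch
    src_ip: str
    dest: str          # destination number in E.164 form, e.g. "+85291234567"
    user_agent: str


class SlidingWindow:
    """Per-key event counter over a trailing window. In-memory here; a real
    deployment backs it with shared storage so every node sees one count."""

    def __init__(self, window_s: float) -> None:
        self.window_s = window_s
        self._events: dict = defaultdict(deque)

    def hit(self, key: str, ts: float) -> int:
        q = self._events[key]
        q.append(ts)
        while q and q[0] <= ts - self.window_s:
            q.popleft()
        return len(q)


def country_prefix(dest: str, digits: int = 3) -> str:
    """Coarse destination-country key ('+' plus leading digits). Assumption:
    a real system should use a proper E.164 country-code table instead."""
    return dest[: 1 + digits]


class PerIpGuard:
    """What the victim had: a request passes as long as its source IP is quiet."""

    def __init__(self, per_ip: int = 5, window_s: float = 300.0) -> None:
        self.per_ip = per_ip
        self.ip = SlidingWindow(window_s)

    def decide(self, req: OtpRequest) -> str:
        if self.ip.hit(req.src_ip, req.ts) > self.per_ip:
            return "block:ip"
        return "allow"


class LayeredGuard(PerIpGuard):
    """Keeps the per-IP check but also limits sends per destination number, per
    destination country (tight for foreign numbers) and for the whole application."""

    def __init__(self, per_ip: int = 5, per_dest: int = 3, per_foreign_country: int = 50,
                 global_limit: int = 400, window_s: float = 300.0,
                 home_prefix: str = "+852") -> None:
        super().__init__(per_ip, window_s)
        self.per_dest = per_dest
        self.per_foreign_country = per_foreign_country
        self.global_limit = global_limit
        self.home_prefix = home_prefix
        self.dest = SlidingWindow(window_s)
        self.country = SlidingWindow(window_s)
        self.total = SlidingWindow(window_s)

    def decide(self, req: OtpRequest) -> str:
        verdict = super().decide(req)
        if verdict != "allow":
            return verdict
        if self.dest.hit(req.dest, req.ts) > self.per_dest:
            return "block:dest"        # one number hammered repeatedly
        prefix = country_prefix(req.dest)
        budget = self.global_limit if prefix == self.home_prefix else self.per_foreign_country
        if self.country.hit(prefix, req.ts) > budget:
            return "block:country"     # a botnet cannot spread the destination country out
        if self.total.hit("all", req.ts) > self.global_limit:
            return "block:global"      # hard ceiling on what the app sends per window
        return "allow"


def constructed_traffic() -> list:
    """Constructed stream: 120 Hong Kong users over ten minutes, plus a botnet of
    300 addresses sending two requests each to one fictional foreign prefix."""
    uas = ["UA-iphone", "UA-android", "UA-desktop"]
    reqs = [OtpRequest(5.0 * i, f"203.0.113.{i % 250}", f"+8529{1000000 + i:07d}", uas[i % 3])
            for i in range(120)]
    for i in range(300):
        ip = f"198.51.100.{i}" if i < 256 else f"192.0.2.{i - 256}"
        for k in range(2):
            reqs.append(OtpRequest(1.0 * i + 0.3 * k, ip,
                                   f"+999{10000000 + 2 * i + k:08d}", "UA-bot"))
    return sorted(reqs, key=lambda r: r.ts)


def run(guard: PerIpGuard, reqs: list) -> dict:
    """Replays the stream through a guard; reports verdicts and how many messages
    would actually have been handed to the provider for foreign numbers."""
    verdicts = Counter()
    foreign_sent = 0
    for r in reqs:
        v = guard.decide(r)
        verdicts[v] += 1
        if v == "allow" and not r.dest.startswith("+852"):
            foreign_sent += 1
    return {"verdicts": dict(verdicts), "foreign_sent": foreign_sent}


def compare() -> dict:
    traffic = constructed_traffic()
    return {"per_ip": run(PerIpGuard(), traffic), "layered": run(LayeredGuard(), traffic)}


if __name__ == "__main__":
    for name, result in compare().items():
        print(name, result)
```

With the constructed stream, the per-IP guard allows all 720 requests, so all 600 botnet messages reach the provider; the layered guard still allows every legitimate Hong Kong request but lets only the first 50 foreign sends in the window through before the country budget trips. The order of the checks matters: the cheap per-IP test runs first, and a request rejected by an earlier key is not counted against later ones, so a blocked flood does not starve legitimate users of the global budget.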

4. Log volatility and scope confirmation

Forensic reconstruction confirmed hundreds of thousands of fraudulent transmissions from the two server nodes whose logs Blackpanda was able to recover. The SMS provider's records, however, showed almost double that figure. The shortfall was explained by log rotation: the relevant period on one application server had been overwritten before forensics could preserve it. The company's billing dispute with the carrier therefore rests on the SMS provider's records rather than the company's own logs, a position Blackpanda's report documents in full to support the commercial recovery.

5. Botnet attribution and infrastructure mapping

The application gateway logs, retained only for a limited period, gave investigators a brief but valuable window onto the originating client IPs. The hundreds of unique addresses clustered across nine subnet ranges in Europe and the Americas. All requests shared an identical browser signature, indicating common tooling across the botnet: the kind of operational fingerprint that suggests either a single actor or widely circulated off-the-shelf abuse software.

6. Containment and hardening

The SMS provider blocked all international SMS delivery from the affected accounts, cutting off the ongoing financial bleed. An endpoint detection and response agent was deployed to both application servers to provide visibility against follow-on activity. Network segmentation between the application environment and the company's core internal network was confirmed intact, ruling out lateral movement risk.

The structural fix to the OTP system, adding CAPTCHA or equivalent anti-automation controls, was handed to the company's development team as a priority recommendation, since the change requires application-level work rather than infrastructure remediation.

→ PROTECT MY ORGANISATION TODAY

RESULTS

1. Full scope of the fraudulent traffic documented

Blackpanda confirmed hundreds of thousands of fraudulent SMS transmissions through the company's own forensic record and corroborated the SMS provider's total of almost a million across the full incident window. The discrepancy and its cause, log rotation on one server node, was documented in full so the company can dispute the carrier billing with a complete and defensible evidentiary trail.

2. Attack confirmed as SMS pumping fraud, not a breach

The investigation ruled out credential compromise, malware, and lateral movement. The attack was a financially motivated abuse of legitimate application functionality, exploiting a gap in the OTP system's design rather than a software vulnerability. That distinction matters for the company's regulatory and customer-disclosure obligations.

3. Botnet infrastructure mapped

Hundreds of unique source IPs across nine subnet clusters in Europe and the Americas were identified. All requests carried an identical browser signature, a fingerprint the company's security tooling can now use to detect and block similar campaigns at the gateway before they reach the OTP system.

4. Containment confirmed, monitoring established

International SMS delivery was blocked at the provider level, eliminating ongoing loss. EDR was deployed to the affected servers. Segmentation between the application environment and the company's core network was verified intact, confirming no escalation risk into the broader business.

5. Structural remediation roadmap delivered

The company received a detailed remediation plan covering CAPTCHA implementation on all SMS-triggering endpoints, log retention policy changes to preserve forensic data for at least 30 days, application-layer rate limiting that does not rely on per-IP heuristics, and monitoring rules to alert on anomalous SMS volumes at the application tier rather than waiting for the carrier to call.
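The last item on that roadmap, alerting on SMS volume at the application tier against a baseline rather than a fixed number, is the one most organisations have not built. The block below is an added example, not Blackpanda's or the victim's code. It buckets outbound sends per minute, derives a robust threshold (median plus a multiple of the median absolute deviation, floored at a multiple of the median) from the preceding hour, and on every alert reports the two corroborating signals this case surfaced: concentration on one destination country and an identical browser signature across many source addresses. The log format, every log line, the timestamps and the fictional foreign prefix +999 are constructed for the example; the fixed-width country prefix is an assumption.

```python
"""Added example (not Blackpanda's or the victim's code): application-tier alerting
on outbound SMS volume against a rolling baseline, with destination-country and
user-agent concentration reported alongside each alert. The log format and every
line in constructed_log() are constructed for this example."""
import re
from collections import Counter
from datetime import datetime, timedelta, timezone
from statistics import median

# Assumed (constructed) application log format: one line per SMS handed to the provider.
LINE_RE = re.compile(
    r'^(?P<ts>\S+) sms_sent dest=(?P<dest>\+\d+) ip=(?P<ip>\S+) ua="(?P<ua>[^"]*)"$'
)


def parse_line(line: str) -> "dict | None":
    m = LINE_RE.match(line)
    if not m:
        return None                      # tolerate unrelated lines in a shared log
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    return rec


def country_prefix(dest: str, digits: int = 3) -> str:
    """Coarse destination-country key; assumption standing in for an E.164 table."""
    return dest[: 1 + digits]


def alerts(lines, baseline_minutes: int = 60, min_history: int = 10,
           k: float = 6.0, mult: float = 3.0) -> list:
    """Flags any minute whose send count exceeds max(median + k*MAD, mult*median)
    of the preceding minutes. Minutes with no sends count as zero, so a quiet
    history cannot be hidden by gaps in the log."""
    events = [e for e in map(parse_line, lines) if e]
    if not events:
        return []
    floor = lambda ts: ts.replace(second=0, microsecond=0)
    first, last = floor(min(e["ts"] for e in events)), floor(max(e["ts"] for e in events))
    buckets = {}
    t = first
    while t <= last:
        buckets[t] = []
        t += timedelta(minutes=1)
    for e in events:
        buckets[floor(e["ts"])].append(e)
    minutes = sorted(buckets)
    found = []
    for idx, minute in enumerate(minutes):
        history = [len(buckets[m]) for m in minutes[max(0, idx - baseline_minutes):idx]]
        if len(history) < min_history:
            continue                     # not enough baseline yet to judge
        med = median(history)
        mad = median(abs(h - med) for h in history)
        threshold = max(med + k * mad, mult * med)
        sends = buckets[minute]
        n = len(sends)
        if n <= threshold:
            continue
        top_prefix, prefix_n = Counter(country_prefix(e["dest"]) for e in sends).most_common(1)[0]
        top_ua, ua_n = Counter(e["ua"] for e in sends).most_common(1)[0]
        found.append({
            "minute": minute.isoformat(),
            "count": n,
            "threshold": threshold,
            "unique_ips": len({e["ip"] for e in sends}),
            "top_prefix": top_prefix,
            "top_prefix_share": prefix_n / n,
            "top_ua": top_ua,
            "top_ua_share": ua_n / n,
        })
    return found


def constructed_log() -> list:
    """Constructed log: one quiet hour of Hong Kong verification traffic (3 to 6
    sends a minute, mixed browsers), then five minutes of a pumping wave at 180
    sends a minute to one fictional foreign prefix, from many addresses, all
    carrying the same browser string."""
    start = datetime(2026, 3, 2, 8, 0, tzinfo=timezone.utc)
    uas = ["UA-iphone", "UA-android", "UA-desktop"]
    lines = []
    for m in range(60):
        for j in range(3 + (m * 7) % 4):
            t = start + timedelta(minutes=m, seconds=10 * j)
            lines.append(f'{t.isoformat()} sms_sent dest=+8529{1000000 + 10 * m + j:07d} '
                         f'ip=203.0.113.{(3 * m + j) % 250} ua="{uas[(m + j) % 3]}"')
    for m in range(60, 65):
        for j in range(180):
            t = start + timedelta(minutes=m, seconds=j // 3)
            lines.append(f'{t.isoformat()} sms_sent dest=+999{10000000 + 180 * (m - 60) + j:08d} '
                         f'ip=198.51.100.{j % 256} ua="{uas[0]}"')
    return lines


if __name__ == "__main__":
    for a in alerts(constructed_log()):
        print(a)
```

On the constructed log the quiet hour produces no alerts (the threshold settles at 13.5 sends a minute against a median of 4.5), and each of the five attack minutes fires with 180 sends, 180 distinct source IPs, 100% of traffic to the +999 prefix and 100% of requests sharing one browser string. The robust statistics matter: once the first attack minute enters the history, a mean-based threshold would be dragged upward and later minutes could slip under it, whereas the median and MAD barely move.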

SMS pumping fraud is not a sophisticated attack. It requires no malware, no stolen credentials, no insider access. It requires only a public-facing OTP system with no anti-automation controls and a rented botnet, and the criminal economy supplies botnets cheaply and at scale. Any organisation running a consumer-facing application with phone verification, password reset by SMS, or transactional SMS notifications is a candidate target. The defence is not technically complex. It has to be built in before the attack begins because, once it does, your bill is already running.

→ PROTECT MY ORGANISATION TODAY

FREQUENTLY ASKED QUESTIONS

1. What is SMS pumping fraud, and how does it generate money for attackers?

SMS pumping, which the telecommunications industry also calls artificially inflated traffic (AIT), is a scheme in which attackers exploit an application's OTP system, or any endpoint that triggers SMS, to dispatch large volumes of texts to premium-rate or international numbers. The attackers, or telecommunications operators complicit in the scheme, collect a share of the termination fees that the victim's SMS provider pays to deliver the messages. The victim sees a sudden, unexplained spike in its SMS bill. The attackers collect revenue. The Cybersecurity and Infrastructure Security Agency (CISA) and the Communications Fraud Control Association have documented the pattern for several years, and it has grown alongside the global expansion of SMS-based authentication.

2. Why didn't rate limiting stop the attack?

Rate limits configured per source IP are defeated by distributed botnets, because each address only needs to send a handful of requests across the entire campaign. In this case, attackers used hundreds of unique IP addresses, keeping each one well below any plausible per-IP threshold while still generating aggregate volume sufficient to dispatch almost a million messages. Effective protection requires controls that operate independently of source IP: CAPTCHA or challenge-response, behavioural analysis, and rate limits keyed on what the attacker cannot spread out, such as the destination number, the destination country, and the application's total send rate. CAPTCHA alone is not sufficient, since automated solving services can be bought for fractions of a cent per challenge; it raises the attacker's cost but must be paired with destination-keyed limits.

3. Could this attack have been detected earlier?

Yes, but only with monitoring designed for this specific failure mode. Two signals were available before the SMS provider's call: a sudden surge in outbound SMS volume at the application tier, and a runtime crash on one of the servers caused by the request flood. Neither was being monitored against a baseline. SMS-volume alerting at the application layer, set against historical patterns rather than absolute thresholds, would have caught the first wave within minutes of it starting.

4. What is the financial exposure for an organisation in this situation?

Two distinct cost categories apply. The first is direct SMS billing: international message rates vary by destination but can run from a few cents to over a dollar per message, so a campaign of this scale can produce a bill in the high six figures or beyond. The second is the operational cost of the response, including forensic investigation, remediation, and any business disruption from application crashes during the attack. Whether the SMS provider absorbs any of the direct billing depends on the commercial terms of the relationship and the strength of the forensic evidence that the volume was fraudulent. This case illustrates why preserving that evidence, not just for technical scoping but for commercial recovery, matters from the first hour of an incident.

5. Is SMS pumping fraud common in Asia?

It is a regional pattern, not an isolated case. Any consumer-facing application that triggers SMS (phone verification at signup, password reset, transaction confirmation, two-factor authentication) is a candidate target. Hong Kong, Singapore, and other markets with high SMS-based authentication adoption are particularly exposed, because the install base of vulnerable OTP systems is large and the SMS infrastructure processing the fraudulent traffic is locally accessible. Blackpanda's incident response engagements across the region have surfaced the same attack pattern across multiple verticals, including consumer services, financial services, and digital platforms.

6. What should an organisation do this week if it thinks it may be exposed?

Three steps, in order. First, inventory every endpoint in every customer-facing application that triggers an SMS for any reason: verification, reset, notification, alert. Second, check whether each of those endpoints has CAPTCHA or equivalent anti-automation controls, and whether its rate limits are keyed on something other than source IP (destination number, destination country, total send rate) so that they survive distributed traffic. Third, ask the SMS provider whether it offers velocity alerts on the account and, if so, set them at a threshold meaningfully below current legitimate volume; many providers can also restrict delivery to an allow-list of destination countries, which should be set to the markets the application actually serves. The defensive posture is not technically complex. It does require someone to have built it deliberately, before the first fraudulent message goes out.

WHAT THIS MEANS FOR YOUR ORGANISATION

The instructive feature of this case is not the attack itself. SMS pumping is well documented and the techniques are familiar to anyone who has worked in fraud or anti-abuse. The instructive feature is the gap the attack exploited: a competently built, production-grade application with an OTP system that did exactly what it was supposed to do, and could not distinguish a legitimate user from an automated abuser. The OTP system was not vulnerable in the way a software flaw is vulnerable. It was working as specified. The specification was the problem.

Two things follow from that. The first is that this category of incident is largely invisible to conventional security tooling. EDR, network monitoring, and vulnerability scanners will see nothing wrong, because nothing technical is wrong: the application is sending SMS messages because it is supposed to send SMS messages. Detection has to happen at the application layer, on the metric of how many, against a baseline of how many is normal. Most organisations have not built that monitoring. The second is that the remediation is not a heavy engineering programme. CAPTCHA, rate limiting that does not key on source IP, SMS-velocity alerting, and a conversation with the SMS provider about contractual fraud protection and destination-country restrictions are decisions, not development sprints. The reason organisations do not make them is that nobody asked, and the cost of not asking only becomes apparent in retrospect, when the bill arrives.

Blackpanda's Compromise Assessment examines the abuse surface of customer-facing applications alongside the conventional security perimeter, identifying OTP systems and similar endpoints that are exploitable not because they contain vulnerabilities, but because they will serve any caller who asks. For organisations that want the assurance of immediate, fixed-cost incident response when a fraud campaign or other incident lands, Blackpanda IR-1 provides 24/7 activation with a four-hour SLA and a single annual response credit, built for the reality that the first call, when an SMS provider rings with an unusual question, is the call that determines everything that follows.

→ PROTECT MY ORGANISATION TODAY

ABOUT BLACKPANDA

Blackpanda is a Lloyd’s of London–accredited insurance coverholder and Asia’s leading local cyber incident response firm, delivering end-to-end digital emergency support across the region. We are pioneering the A2I (Assurance-to-Insurance) model in cybersecurity — uniting preparation, response, and insurance into a seamless pathway that minimises financial and operational impact from cyber attack. Through expert consulting services, response assurance subscriptions, and innovative cyber insurance, we help organisations get ready, respond, and recover from cyber attacks — all delivered by local specialists working in concert.

Our mission is clear: to bring complete cyber peace of mind to every organisation in Asia, from the first moment of breach through full recovery and beyond.