Chinese Student Arrested for Orchestrating Large-Scale Smishing Scam to Steal Personal Information

In a striking demonstration of coordinated law enforcement and industry action, a Chinese student has been sentenced to over a year in prison at the Inner London Crown Court for orchestrating a highly sophisticated smishing campaign using illegal SMS Blaster equipment.

Ruichen Xiong, a student from China, operated the scam between March 22 and 27, 2025, targeting tens of thousands of unsuspecting victims in Greater London by harvesting their personal details for fraudulent purposes.

The conviction follows a meticulous investigation and arrest carried out by the Dedicated Card and Payment Crime Unit (DCPCU), a specialist police force financially supported by the UK banking industry.

Their success was made possible only through close collaboration with major mobile network operators, including BT, Virgin Media O2, Vodafone, Three, and Sky, as well as the National Cyber Security Centre (NCSC) and Ofcom, the UK’s communications regulator.

Technical Details: How the Smishing Attack Worked

Xiong’s method showcased a new level of technical sophistication rarely encountered in street-level fraud. Xiong installed an “SMS Blaster,” a device designed to simulate a legitimate mobile phone mast, in the boot of his black Honda CR-V.

As he drove around London, the equipment emitted signals that were stronger than those of genuine mobile towers nearby, causing the mobile phones in the area to automatically connect to his fraudulent transmitter.

Once connected, Xiong could send mass text messages to all phones within range. These messages were carefully crafted to imitate communications from trusted organisations such as banks, government bodies, and utility companies.

The messages contained malicious links, which, when clicked, redirected victims to fake websites designed to steal sensitive information, including names, addresses, and financial details.

This form of attack, known as “smishing” (SMS phishing), draws its effectiveness from the appearance of legitimacy and the use of psychological manipulation, encouraging recipients to click on links urgently or provide information out of fear of missing out on vital notifications.

Industry experts noted that such mobile network spoofing devices are illegal to possess and operate.

The SMS Blaster’s ability to hijack legitimate network traffic and target high concentrations of people in busy areas, such as London, made Xiong’s operation particularly dangerous.

Collaboration, Vigilance, and Consumer Protection

Paul Curtis, Detective Chief Inspector of the DCPCU, praised the joint effort, warning: “Criminals are sophisticated and will continuously make attempts to bypass fraud prevention measures. Customers must stay alert to potential threats, especially suspicious text messages.”

Virgin Media O2 Director of Fraud Prevention, Murray Mackenzie, reported that their systems had blocked over 168 million fraudulent texts in the previous two years, while Les Anderson, Chief Information Security Officer at BT, highlighted the crucial role of tech teams in supporting law enforcement with technical intelligence.

Ollie Whitehouse of the NCSC called the conviction “a powerful example of what can be achieved through close collaboration.” At the same time, Ofcom emphasized the need for a collective, cross-industry response as scammers become increasingly sophisticated.

The DCPCU has since arrested seven more suspects and seized seven illegal SMS Blasters, disrupting several ongoing smishing frauds.

Advice for Consumers

Authorities urge the public to:

• Report suspicious text messages by forwarding them to 7726 or via in-app reporting.
• Contact your bank immediately if you believe you have been scammed.
• Report to Action Fraud on 0300 123 2040.

The “Take Five to Stop Fraud” campaign advises consumers to pause and think before providing personal information, to challenge suspicious requests, and to be cautious when clicking on unsolicited links even if the sender appears genuine.

Getting a second opinion and remembering that legitimate companies will never rush or panic you are crucial steps in protecting yourself.

This case demonstrates both the evolving threat posed by cyber-enabled crime and the power of collaboration and vigilance in protecting consumers from fraud.