Full Report
Welcome to the final BushidoToken blog of 2022. Over the last year or so, an associate of mine in the UK has been targeted by a persistent Chinese-speaking scammer. The scammer often calls once or twice a month from a unique UK-based phone number and, if left unanswered, leaves an unusual automated voicemail. I obtained the recorded voicemails and identified that they are almost certainly scam calls from Chinese-speaking fraudsters targeting Chinese international students at universities in the UK. I have tracked this campaign for over a year and built a profile of the group's activities based on just the calls and voicemails they have left. I am now disclosing these attempts and subsequently tracking this activity group as "RedZei" (aka "RedThief").

The RedZei fraudsters have chosen their targets carefully, researched them, and realized that this is a rich victim group ripe for exploitation. A quick OSINT search found several recent articles about this apparently lucrative malicious campaign:

- https://www.itv.com/news/utv/2022-05-09/students-scammed-out-of-105k-after-bogus-chinese-authorities-calls
- https://www.bournemouth.ac.uk/news/2022-12-15/scam-warning-chinese-students
- https://news.liverpool.ac.uk/2021/09/29/fraud-scam-warning-for-international-students/
- https://www.ucl.ac.uk/students/news/2022/jun/fake-police-scam-targeting-chinese-students
- https://www.theguardian.com/money/2019/aug/31/fraudsters-target-chinese-students-in--visa-scam

The compelling aspect of this scam is how well the attempts were crafted and the careful tradecraft employed to evade the traditional steps users take to block such scams. For each wave of scam calls, RedZei will mostly use a new pay-as-you-go +44 UK phone number from one of the main mobile network operators (MNOs). This essentially renders blocking the scammers' phone numbers ineffective.
Further, as RedZei alternates between SIMs from several UK mobile carriers, it is difficult for the telecom companies to stop this type of activity. As the activity is also conducted in Chinese, the carriers are less likely to investigate this campaign due to the additional effort required. The RedZei group, and others like it, are therefore effectively operating with impunity and will continue to do so for the foreseeable future.

Figure 1 - Calls associated with RedZei campaign

Figure 1 contains a timeline of when these scam calls are made, including the origin of the caller's number, the mobile carrier (identified using OSINT), the date and time of the call, as well as the theme of the call. As I am not a Chinese speaker and did not get all of the voicemails verified by Chinese speakers, the theme of some of them is currently unknown. The phone numbers in plaintext are available in a Gist here.

Some of the key attributes of the RedZei gang include leveraging Chinese enterprises, such as the Bank of China or China Mobile (CMLink), to social engineer the international students into providing their personal details. Other themes exploited by RedZei include the "abnormal usage of your NHS number" and international parcels being delivered from DHL, both of which are common concerns for Chinese students studying in the UK.

Figure 2 - Diamond Model highlighting the attributes of RedZei

To build a better understanding of the RedZei scammers, I created a simple Diamond Model diagram to highlight the attributes of the activity group for continued tracking (see Figure 2).

If you're interested in listening to the Chinese scam calls and translating the ones I was not able to, I have uploaded them to SoundCloud here:

- Will · Chinese scammers targeting Chinese students in the UK
- BushidoToken · RedZei (unidentified themes)

Please feel free to leave a comment on the Gist here if you are able to translate calls from any of the numbers referenced in this blog.

Thanks for reading. Happy New Year and have a good 2023!

UPDATE: GitHub user "freela819" has kindly provided additional context surrounding the nature of the other calls made by the RedZei group (available in the Gist here). Additional voicemail themes leveraged by RedZei include masquerading as Chinese government officials, such as the Chinese Embassy in the UK, the Chinese Ministry of Industry and Information Technology (MIIT), and the Chinese Communications Administration, as well as other couriers such as Royal Mail and UPS.
Analysis Summary
# Threat Actor: RedZei (aka RedThief)
## Attribution & Identity
**Identification:** A group of Chinese-speaking fraudsters operating scam campaigns.
**Aliases:** RedZei, RedThief.
**Known Associations:** None explicitly named, but part of a broader ecosystem of financially motivated scammers. Highly sophisticated in their social engineering, leveraging specific geopolitical and cultural contexts.
## Activity Summary
RedZei is a persistent threat actor engaged in long-running financial scam campaigns targeting Chinese international students attending universities in the UK. The group has been tracked for over a year, making frequent contact (once or twice a month) via phone calls. The scams are carefully crafted and researched to exploit victim vulnerabilities. The group utilizes themes related to Chinese entities (like the Bank of China or China Mobile) or common concerns like "abnormal usage of your NHS number" and international DHL parcel delivery issues.
## Tactics, Techniques & Procedures
- **Social Engineering:** Relies heavily on sophisticated voice call-based social engineering, often leaving automated voicemails.
- **Impersonation:** Impersonates Chinese authorities or entities (e.g., Bank of China, CMLink).
- **Evasion:** Employs tradecraft to evade blocking mechanisms by frequently rotating UK-based pay-as-you-go (+44) phone numbers from various mobile network operators (MNOs).
- **Language:** Communication is conducted in Chinese.
- **Operational Security/Tradecraft:** The use of multiple MNO SIMs/numbers makes telecom-level disruption difficult.
- **MITRE ATT&CK IDs:** Not explicitly provided in the text, but the activities align conceptually with **T1566.001 (Phishing: Spearphishing Attachment)** or general **T1562 (Impair Defenses)** through deception, and primarily **T1598 (Phishing for Information)** when viewing it as targeted social engineering delivery.
## Targeting
- **Sectors:** Education (specifically international students).
- **Geography:** Targeting individuals located in the **UK**.
- **Victims:** Chinese international students at various UK universities (examples of universities whose warnings were noted include Bournemouth University, Liverpool University, and UCL).
## Tools & Infrastructure
- **Malware Families Used:** None explicitly mentioned; this appears to be a purely voice/social-engineering campaign rather than a malware delivery campaign.
- **Infrastructure (C2, domains, IPs):** None reported; the observed infrastructure is telephony-based:
  - **Phone Numbers:** Constantly rotating UK-based pay-as-you-go phone numbers (+44 prefixes) sourced from various UK mobile network operators (MNOs).
  - **Indicator Source (defanged):** The author's Gist containing the plaintext phone numbers: `https[:]//gist.github[.]com/BushidoUK/ac6981bab9b2c1befacfe05c51a804df`
  - **Audio Artifacts:** SoundCloud account "Will" hosting the uploaded scam call recordings: `https[:]//soundcloud[.]com/will-364676454`
## Implications
RedZei represents a high-volume, financially motivated criminal operation that effectively exploits cultural trust and specific vulnerabilities (such as immigration or legal status concerns) endemic to the international student population. Their use of disposable UK mobile infrastructure makes them resilient to simple blocking methods, suggesting they operate with relative impunity, as UK carriers may be less incentivized to fully investigate non-English language calls. This threat is likely to continue targeting this high-value victim pool.
## Mitigations
- **Number Rotation Defense:** Advise targets that receiving repeated calls from numerous different UK numbers, often shortly after hanging up on the previous one, is a major red flag.
- **Carrier Coordination:** Telecom providers should enhance monitoring for campaigns exhibiting high call volume from newly provisioned/short-lived pay-as-you-go numbers originating from specific MNOs, especially when language barriers might reduce internal monitoring efficacy.
- **Awareness Campaigns:** Universities must continuously warn Chinese students about social engineering tactics involving impersonating Chinese authorities, Bank of China, NHS, or DHL related to parcels.
- **Authentication Verification:** Students should be trained to never trust unsolicited information received via phone and to immediately hang up and contact the official organization (e.g., the embassy, their university support office, or the bank via a known, independently verified number) to confirm legitimacy.
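The number-rotation red flag above can be measured rather than eyeballed. The following Python script is an added example, not code from the post or from BushidoToken: it takes call records of the kind summarised in Figure 1 (caller number, carrier, date/time, voicemail theme) and profiles how often numbers are reused, how many carriers are involved and how regular the wave cadence is, so that a "new number every wave" pattern stands out even though no single number repeats. The sample timeline is constructed (the numbers come from the 07700 900xxx block Ofcom reserves for fiction), the carrier labels are placeholders standing in for an OSINT lookup, and the thresholds in `is_rotating_campaign` are assumptions to tune against real data.

```python
"""Profile a scam-call timeline for number-rotation behaviour (added example)."""
from collections import Counter
from dataclasses import dataclass
from datetime import datetime
from statistics import median
import re

# UK mobile numbers in E.164 form: +44, then 7 and nine more digits.
UK_MOBILE_RE = re.compile(r"^\+447\d{9}$")


@dataclass(frozen=True)
class CallRecord:
    number: str      # caller ID as presented on the handset
    carrier: str     # carrier label; assumed to come from an OSINT lookup
    when: datetime   # time of the call
    theme: str       # voicemail theme, or "unknown" if not yet translated


def normalise_number(raw: str) -> str:
    """Strip formatting and convert national 07... or bare 44... numbers to +447... form."""
    digits = re.sub(r"[^\d+]", "", raw)
    if digits.startswith("0"):
        digits = "+44" + digits[1:]
    elif digits.startswith("44"):
        digits = "+" + digits
    return digits


# Constructed sample timeline: one wave a month, a fresh number almost every
# time, SIMs spread over three placeholder carriers, two voicemails untranslated.
SAMPLE_CALLS = [
    CallRecord("07700 900101", "carrier-A", datetime(2022, 1, 12, 10, 5), "Bank of China"),
    CallRecord("07700 900102", "carrier-B", datetime(2022, 2, 9, 14, 30), "CMLink"),
    CallRecord("07700 900103", "carrier-A", datetime(2022, 3, 14, 9, 50), "NHS number"),
    CallRecord("07700 900103", "carrier-A", datetime(2022, 3, 15, 9, 55), "NHS number"),
    CallRecord("07700 900104", "carrier-C", datetime(2022, 4, 11, 16, 10), "DHL parcel"),
    CallRecord("07700 900105", "carrier-B", datetime(2022, 5, 10, 11, 0), "unknown"),
    CallRecord("07700 900106", "carrier-A", datetime(2022, 6, 13, 15, 20), "unknown"),
]

# Constructed contrast case: a legitimate caller that reuses one number.
LEGIT_CALLS = [
    CallRecord("07700 900200", "carrier-A", datetime(2022, 1, 5, 9, 0), "university office"),
    CallRecord("07700 900200", "carrier-A", datetime(2022, 2, 2, 9, 0), "university office"),
    CallRecord("07700 900200", "carrier-A", datetime(2022, 3, 2, 9, 0), "university office"),
]


def rotation_profile(calls):
    """Summarise number reuse, carrier spread and wave cadence for a set of calls."""
    ordered = sorted(calls, key=lambda c: c.when)
    numbers = Counter(normalise_number(c.number) for c in ordered)
    # A "wave" starts when a number is first seen; gaps between wave starts give
    # the campaign cadence even if one number is reused within a wave.
    first_seen = {}
    for c in ordered:
        first_seen.setdefault(normalise_number(c.number), c.when.date())
    waves = sorted(first_seen.values())
    wave_gaps = [(b - a).days for a, b in zip(waves, waves[1:])]
    return {
        "total_calls": len(ordered),
        "distinct_numbers": len(numbers),
        "single_use_fraction": sum(1 for n in numbers.values() if n == 1) / len(numbers),
        "carriers": sorted({c.carrier for c in ordered}),
        "all_uk_mobile": all(UK_MOBILE_RE.match(n) is not None for n in numbers),
        "median_wave_gap_days": median(wave_gaps) if wave_gaps else None,
        "themes": Counter(c.theme for c in ordered),
    }


def is_rotating_campaign(profile, min_numbers=4, min_single_use=0.75, min_carriers=2):
    """Heuristic (assumed thresholds): many numbers, most used once, several carriers."""
    return (
        profile["distinct_numbers"] >= min_numbers
        and profile["single_use_fraction"] >= min_single_use
        and len(profile["carriers"]) >= min_carriers
    )


def untranslated_numbers(calls):
    """Numbers whose voicemail theme is still unknown and needs a translator."""
    return sorted({normalise_number(c.number) for c in calls if c.theme == "unknown"})


if __name__ == "__main__":
    for label, calls in (("sample campaign", SAMPLE_CALLS), ("legit caller", LEGIT_CALLS)):
        prof = rotation_profile(calls)
        print(f"== {label} ==")
        for key, value in prof.items():
            print(f"  {key}: {value}")
        print("  rotating campaign:", is_rotating_campaign(prof))
        print("  needs translation:", untranslated_numbers(calls))
```

The profile deliberately keys on wave starts rather than on individual calls, because a number may be tried twice within one wave before it is discarded; the single-use fraction and carrier count together separate a rotation campaign from a persistent legitimate caller, and the `unknown` themes list doubles as the work queue for translators.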