Chinese Arms Dealer Sold IMSI-Catchers for Huge Paris Drive-by Smishing Scam

A Chinese citizen jailed in France said the export of radio devices used to send scam SMS messages occurs with the consent of Chinese political leaders.

French newspaper Libération has unveiled ties between shady Chinese exporters and the gang that sent hundreds of thousands of SMS phishing messages by driving IMSI-catchers around the suburbs of Paris. Regular Commsrisk readers will remember that the existence of the gang was identified by accident when police stopped and searched the car of a lone driver behaving suspiciously on the evening of December 30, 2022. The police noticed an odd set of aerials lying on the back seat of the car, then followed the wires to equipment which they initially mistook for a bomb. Further investigation uncovered a criminal operation where both the car and a former ambulance had been repeatedly driven around the suburbs of Paris, blasting SMS messages and collecting numbers from any phone nearby with the intention of fooling recipients into sharing personal data with a fake health insurance website. Libération now reports that the man accused of selling the IMSI-catchers used in both vehicles is a Chinese arms dealer who travelled the world whilst claiming to sell LED lights. Per their article, with my translation beneath:

Officiellement, il s’appelle Kevin Yin et travaille comme vendeur pour un obscur fabricant chinois de luminaires. Une couverture commerciale banale qui s’accommode mal de son extrême discrétion, ses profils numériques multiples et ses incessants déplacements internationaux, que ce soit aux Etats-Unis, en Espagne, au Mexique, au Pérou, au Japon ou encore au Tchad. En réalité, ce Chinois de 45 ans, dont la véritable identité est Yin N., commercialise du matériel de surveillance et d’espionnage haut de gamme.

Officially, his name is Kevin Yin and he works as a salesman for an obscure Chinese lighting manufacturer. The banal commercial appearances conflict with the extreme secrecy of multiple digital profiles and continuous international travel, whether to the United States, Spain, Mexico, Peru, Japan or Chad. In reality, this 45-year-old Chinese, whose real identity is Yin N., sells high-end surveillance and spying equipment.

Kevin Yin came to the attention of police investigators because of the receipt of a EUR18,430 (USD19,940) payment from a ‘digital marketing’ business established by two ringleaders of the Paris smishing gang. He was thought to represent several Chinese technology businesses, and then US police shared intelligence about Yin N.’s real identity. An international arrest warrant was issued against him, with French magistrates emphasizing the ‘worrying risk of proliferation’ of tools that infringe privacy across France and Europe. The magistrates also observed that the risk of these devices proliferating had been exacerbated by the conflict in Ukraine.

Yin N. was eventually arrested in Geneva, Switzerland, as he prepared to board a flight to Toronto, Canada. Swiss authorities were concerned about the supply of IMSI-catchers to Wagner, the Russian mercenary army that is known to use IMSI-catchers in their African operations. When they searched his luggage, the police discovered four USB sticks, three mobile phones, two Chinese passports, nine bank cards, and a Peruvian driving license. Peru is unusual amongst South American countries because of its historic ties to China. Police recently tackled the human trafficking of Malaysians taken to Peru to work in scam compounds of the same type typically run by ethnic Chinese gangsters around East Asia.

The search of Yin N.’s luggage also yielded a business card on behalf of Armortech, a business that supplies missile systems, attack drones and other high-tech weapons of war. Under interrogation, Yin N. eventually admitted to working for Thinkwell, a company based in Shenzhen that provides monitoring technology to the Chinese police. Thinkwell has sought to expand sales of its monitoring equipment in Latin America, Nigeria and France. Yin N. was reluctant to detail the capabilities of this equipment, beyond admitting that it could be used to broadcast messages. He also stated the export of potentially privacy-infringing technology could occur because of ‘connections with Chinese political leaders’ but that Thinkwell takes no responsibility because it is up to their customers to obey the laws in their country. Yin N. admitted under interrogation to selling ‘sample’ equipment to the business run by the ringleaders of the Paris smishing gang.

China is waging a metaphorical war on telecoms and internet scammers at a level unlike any other country. Thousands of workers in scam compounds based in other countries have been arrested and handed over to Chinese law enforcement, sometimes despite opposition from local human rights lawyers. The extent to which countries like Myanmar, Cambodia and the Philippines have permitted and assisted cross-border police raids on scam compounds could be considered to be the most advanced examples of international collaboration in targeting the organized criminals responsible for the frauds that most commonly plague consumers. So it would be deeply hypocritical if China’s rulers were simultaneously facilitating the same kinds of frauds by allowing Chinese firms to make and export equipment used by criminals. But such an attitude to selling and distributing technology would fit with the hybrid warfare model exemplified by the cyber methods of espionage and disruption that Russia exploits in parallel with conventional tactics in Ukraine. The first public admission that China possesses ‘network attack forces’ came in a respected Chinese military journal way back in 2015.

Paying subscribers to Libération will be able to read their article here.

Eric Priezkalns