Beyond the Email: How New Mobile Phishing Scams Are Causing a “Ramp-and-Dump” Stock Frenzy
Groups of cybercriminals specializing in mobile phishing have discovered a new way to profit from stolen credentials. Whereas they once focused on transferring compromised cards into digital wallets and selling them for fraudulent transactions, their attention has now shifted to brokerage services.
Researchers at SecAlliance report a surge in so-called “ramp and dump” schemes, in which hijacked investor accounts are used to artificially inflate a stock's price before the shares are sold off at a premium. The mechanics closely mirror traditional pump-and-dump manipulations, but without the need to generate hype through social media.
The playbook is straightforward: criminals first purchase shares of a chosen company, then use large numbers of compromised brokerage accounts to sharply increase trading volume. This activity drives prices upward, allowing them to sell at the peak and secure profits. The account holders, however, are left with devalued stocks, while brokerage platforms are forced to manage both financial losses and customer outrage. In February 2025, the FBI had already announced its search for victims of such schemes.
According to SecAlliance, much of the supporting infrastructure for these attacks emerges from the Chinese-speaking corners of Telegram, where pre-built mobile phishing kits are openly traded. These kits enable spoofing of SMS, iMessage, and RCS notifications, convincingly imitating alerts from well-known brokers. Victims are tricked into believing their account has been frozen due to suspicious activity and are urged to verify their credentials via a provided link. Once they land on a fraudulent page, they unknowingly surrender their login, password, and one-time code, granting attackers full access to their accounts.
The roots of this evolution trace back to 2022–2024, when criminals widely distributed phishing SMS messages impersonating U.S. postal services and toll operators. The objective then was to use verification codes to add victims’ cards to a criminal’s mobile wallet. Devices holding these wallets, often loaded with dozens of stolen cards, were sold in bulk and used for contactless purchases and online fraud.
The weak point was SMS-based one-time authentication, which attackers intercepted with ease. Today, while many banks have strengthened the process by requiring confirmation through mobile apps, this shift has merely driven criminals toward new targets—brokerage platforms.
One figure who has gained notoriety in this sphere is the phishing-kit developer Outsider (formerly known as Chenlun). Her products allow customized templates for a variety of trading platforms. Demonstration videos on her channels showcase tools that mimic the interfaces of Charles Schwab, though they can just as easily be adapted for other market players.
The core vulnerability lies in the fact that many brokers still rely on SMS or voice codes for two-factor authentication, leaving them exposed to these kinds of attacks. Schwab and Fidelity offer multiple delivery channels for verification, but only the deployment of hardware security keys under the U2F standard, as adopted by Vanguard, truly mitigates phishing risks.
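Why an origin-bound hardware key holds up against the look-alike pages described above while an SMS or voice code does not, shown as an added example that is not from the original article or from any broker's code. It is a simplified model: an HMAC with a per-origin secret stands in for the per-site key pair and signature of a real U2F key, and the origins, class and function names are constructed for illustration.

```python
import hashlib, hmac, json, secrets

RP_ORIGIN = "https://broker.example"         # constructed: the genuine site
LOOKALIKE = "https://broker-verify.example"  # constructed: a look-alike page

def _mac(key, data):
    return hmac.new(key, data, hashlib.sha256).digest()

class SecurityKey:
    """Toy authenticator holding a separate secret per origin."""
    def __init__(self):
        self._master = secrets.token_bytes(32)

    def register(self, origin):
        # Stand-in for the per-site public key a real key hands to the server.
        return _mac(self._master, origin.encode())

    def sign(self, origin, challenge):
        # `origin` is what the browser reports, not what the page claims.
        client_data = json.dumps({"origin": origin, "challenge": challenge}).encode()
        return client_data, _mac(self.register(origin), hashlib.sha256(client_data).digest())

def verify_sms_code(expected, submitted):
    # A numeric code says nothing about which page it was typed into.
    return hmac.compare_digest(expected, submitted)

def verify_key_assertion(credential, challenge, client_data, signature):
    data = json.loads(client_data)
    if data.get("origin") != RP_ORIGIN or data.get("challenge") != challenge:
        return False
    expected = _mac(credential, hashlib.sha256(client_data).digest())
    return hmac.compare_digest(expected, signature)

def demo():
    key = SecurityKey()
    credential = key.register(RP_ORIGIN)   # enrolment on the genuine site
    challenge = secrets.token_hex(16)      # issued by the server at login
    code = f"{secrets.randbelow(10**6):06d}"
    data, sig = key.sign(LOOKALIKE, challenge)
    rewritten = data.replace(LOOKALIKE.encode(), RP_ORIGIN.encode())
    return {
        # A code entered elsewhere and passed along is still the right code.
        "sms_code_entered_elsewhere": verify_sms_code(code, code),
        "key_on_genuine_site": verify_key_assertion(credential, challenge, *key.sign(RP_ORIGIN, challenge)),
        # Wrong origin in the signed data: rejected.
        "key_on_lookalike": verify_key_assertion(credential, challenge, data, sig),
        # Editing the origin field afterwards breaks the signature.
        "origin_field_rewritten": verify_key_assertion(credential, challenge, rewritten, sig),
    }

if __name__ == "__main__":
    print(demo())
```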
The danger is compounded by the fact that entire groups are dedicated to distributing and exploiting these tools, increasingly employing automation and artificial intelligence to accelerate phishing-kit development. According to researchers, such developers leverage large language models for translation, interface generation, and simplified coding—lowering the barrier for new entrants and fueling the emergence of ever more sophisticated attacks.
The greatest peril of the “ramp and dump” scheme is its near invisibility: criminals can operate legitimate accounts on Asian exchanges, and the sudden surge in stock prices appears to be nothing more than a natural market fluctuation. In the end, the victims are investors whose accounts are compromised, along with the brokerage firms themselves—forced to confront a new wave of fraud that fuses social engineering, technical subterfuge, and weaknesses in multi-factor authentication systems.