Cybercriminal groups, leveraging advanced phishing kits from a China-based collective (e.g., 'Outsider'), targeted **Charles Schwab** customers to compromise brokerage accounts. The attackers exploited SMS-based multi-factor authentication (MFA) to gain unauthorized access, then used hijacked accounts to manipulate foreign stock prices via a **‘ramp-and-dump’ scheme**. By coordinating purchases of low-value stocks (e.g., Chinese IPOs or penny stocks) across multiple compromised accounts, they artificially inflated share prices before dumping holdings—leaving legitimate investors with worthless assets. The FBI and FINRA flagged this as a systemic threat, with victims facing **unrecoverable financial losses** due to the collapse of manipulated stocks. Schwab acknowledged the risk but noted industry-wide vulnerabilities in SMS-based verification. The attack also exposed weaknesses in brokerage MFA systems, where phished one-time codes enabled persistent account takeovers. While Schwab implemented mitigations (e.g., client advisories), the fraudsters’ use of **pre-positioned trades** and **cross-border coordination** (via Chinese exchanges) minimized traceability, amplifying reputational and financial harm.
TPRM report: https://www.rankiteo.com/company/charles-schwab
{
  "id": "cha843081625",
  "linkid": "charles-schwab",
  "type": "Cyber Attack",
  "date": "8/2025",
  "severity": "60",
  "impact": "2",
  "explanation": "Attack limited on finance or reputation"
}
{'affected_entities': [{'customers_affected': 'Unknown (targeted by phishing kits)',
                        'industry': 'Financial Services',
                        'location': 'United States',
                        'name': 'Charles Schwab',
                        'size': 'Large (34+ million client accounts as of 2023)',
                        'type': 'Brokerage Firm'},
                       {'customers_affected': 'Unknown (vulnerable to phishing due to SMS MFA)',
                        'industry': 'Financial Services',
                        'location': 'United States',
                        'name': 'Fidelity Investments',
                        'size': 'Large (40+ million individual investors)',
                        'type': 'Brokerage Firm'},
                       {'customers_affected': 'Unknown (less vulnerable due to U2F support)',
                        'industry': 'Financial Services',
                        'location': 'United States',
                        'name': 'Vanguard',
                        'size': 'Large (30+ million investors globally)',
                        'type': 'Brokerage Firm'},
                       {'industry': 'Varied (often small-cap or shell companies)',
                        'location': 'China/Hong Kong',
                        'name': 'Unspecified Chinese IPO/Penny Stock Companies',
                        'size': 'Small to Mid-Sized',
                        'type': 'Publicly Traded Firms'},
                       {'customers_affected': 'Unknown (suffer unrecoverable losses)',
                        'location': 'Global',
                        'name': 'Legitimate Investors in Targeted Stocks',
                        'type': 'Individual/Retail Investors'}],
 'attack_vector': ['SMS Phishing (Smishing)',
                   'Mobile Phishing Kits (Telegram-distributed)',
                   'Spoofed Brokerage Alerts (iMessage/RCS)',
                   'One-Time Passcode (OTP) Interception',
                   'Compromised Mobile Wallets (Apple/Google Pay)',
                   'Coordinated Trading via Hijacked Accounts'],
 'customer_advisories': ["Schwab: 'Emerging fraud trends' notice (2025)",
                         'General: Avoid SMS-based MFA; report phishing attempts'],
 'data_breach': {'data_encryption': 'Unlikely (phished in plaintext)',
                 'data_exfiltration': 'Yes (credentials sold/used for fraud)',
                 'personally_identifiable_information': ['Names (via brokerage accounts)',
                                                         'Phone Numbers (SMS OTP delivery)',
                                                         'Financial Account Details'],
                 'sensitivity_of_data': 'High (financial account access, payment instruments)',
                 'type_of_data_compromised': ['Brokerage Account Credentials',
                                              'One-Time Passcodes (OTP)',
                                              'Payment Card Data',
                                              'Mobile Wallet Enrollment Tokens']},
 'date_publicly_disclosed': '2025-02',
 'description': "Cybercriminal groups, primarily based in China, are using advanced phishing kits to compromise brokerage accounts and manipulate foreign stock prices through a 'ramp-and-dump' scheme. The attackers exploit SMS-based multi-factor authentication (MFA) weaknesses to gain access to victim accounts, liquidate existing positions, and coordinate mass purchases of targeted stocks (often Chinese IPOs or penny stocks) to artificially inflate prices. Once the price peaks, the fraudsters sell their holdings, leaving legitimate investors with worthless shares. The scheme leverages compromised mobile wallets, Telegram-coordinated phishing kits (e.g., from vendor 'Outsider'), and AI/LLM-assisted development to evade detection. The FBI and FINRA have issued advisories about this emerging threat, which shifts focus from traditional payment fraud to securities manipulation.",
 'impact': {'brand_reputation_impact': ['Brokerages: Perceived Security Weaknesses',
                                        'Mobile Wallet Providers: Association with Fraud',
                                        'Chinese Stock Exchanges: Suspicion of Market Manipulation'],
            'customer_complaints': 'Likely high (unrecoverable investment losses)',
            'data_compromised': ['Brokerage Account Credentials',
                                 'One-Time Passcodes (OTP)',
                                 'Payment Card Data (for mobile wallet enrollment)',
                                 'Trading History/Position Data'],
            'financial_loss': 'Unspecified (catastrophic collapse in share prices for legitimate investors)',
            'identity_theft_risk': 'High (via compromised brokerage/mobile wallet credentials)',
            'legal_liabilities': ['Potential SEC/FINRA Enforcement Actions',
                                  'Class-Action Lawsuits from Affected Investors',
                                  'Regulatory Scrutiny of MFA Practices'],
            'operational_impact': ['Disruption of Legitimate Trading Activity',
                                   'Increased Fraud Detection/Response Costs for Brokerages',
                                   'Erosion of Trust in SMS-based MFA'],
            'payment_information_risk': 'High (mobile wallet enrollment fraud)',
            'systems_affected': ['Brokerage Trading Platforms (e.g., Schwab, Fidelity, Vanguard)',
                                 'Mobile Wallets (Apple Pay, Google Pay)',
                                 'SMS/OTP Delivery Systems',
                                 'Chinese Stock Exchanges (targeted IPOs/penny stocks)']},
 'initial_access_broker': {'backdoors_established': 'Yes (persistent access via compromised mobile wallets)',
                           'data_sold_on_dark_web': 'Yes (stolen credentials, mobile wallets with enrolled cards)',
                           'entry_point': ['Spoofed Brokerage Alerts (iMessage/RCS)',
                                           'SMS Phishing (USPS/toll road lures for card data)',
                                           "Telegram-Distributed Phishing Kits (e.g., Outsider's templates)"],
                           'high_value_targets': ['Brokerage Accounts with Trading Privileges',
                                                  'Chinese IPO/Penny Stocks (low liquidity, easy to manipulate)'],
                           'reconnaissance_period': '2022–2024 (evolution from USPS tolls to brokerages)'},
 'investigation_status': 'Ongoing (FBI seeking victims; brokerages monitoring)',
 'lessons_learned': ['SMS-based MFA is Insufficient for High-Risk Transactions (e.g., trading, mobile wallets)',
                     'Phishing Kits Rapidly Adapt to New Targets (e.g., shift from USPS tolls to brokerages)',
                     'Coordinated Fraud Schemes Exploit Cross-Border Regulatory Gaps',
                     'AI/LLMs Accelerate Phishing Kit Development and Customization',
                     'Human-in-the-Loop Phishing (e.g., OTP interception farms) Bypasses Automation Defenses'],
 'motivation': ['Financial Gain (Stock Price Manipulation)',
                'Fraudulent E-Commerce/Tap-to-Pay Transactions',
                'Sale of Compromised Accounts/Devices on Dark Web',
                'Exploitation of Cross-Border Regulatory Gaps'],
 'post_incident_analysis': {'corrective_actions': ["Brokerages: Stricter MFA Policies (e.g., Schwab's app-based OTP)",
                                                   'Industry: Shared Intelligence on Phishing Kit Vendors',
                                                   'Regulators: Updated Guidance on Securities Fraud via ATO',
                                                   'Tech Platforms: Disruption of Telegram Phishing Kit Sales'],
                            'root_causes': ['Over-Reliance on Phishable MFA (SMS/OTP)',
                                            'Lack of Cross-Account Trading Pattern Detection',
                                            'Delayed Adoption of U2F/Physical Keys',
                                            "Telegram's Role as a Marketplace for Phishing Tools",
                                            'Regulatory Arbitrage (U.S. brokerages vs. Chinese exchanges)']},
 'recommendations': [{'actions': ['Mandate U2F/Physical Security Keys for High-Risk Actions',
                                  'Implement Behavioral Analytics for Trading Patterns',
                                  'Restrict Mobile Wallet Enrollment to Bank-Owned Apps',
                                  'Monitor Telegram/Dark Web for Phishing Kit Sales'],
                      'for': 'Brokerage Firms'},
                     {'actions': ['Enable U2F or App-Based MFA (Avoid SMS/Call)',
                                  'Monitor Accounts for Unauthorized Trades',
                                  'Report Suspicious Activity to Brokerage/FINRA'],
                      'for': 'Investors'},
                     {'actions': ['Coordinate Cross-Border Fraud Investigations (U.S.-China)',
                                  'Update MFA Guidelines for Financial Sector',
                                  'Penalize Firms Relying on Phishable Authentication'],
                      'for': 'Regulators'},
                     {'actions': ['Require In-App Enrollment for New Devices',
                                  'Implement Device Fingerprinting to Detect Bulk Fraud'],
                      'for': 'Mobile Wallet Providers'}],
 'references': [{'date_accessed': '2025-02',
                 'source': 'FINRA Advisory on Ramp-and-Dump Schemes'},
                {'date_accessed': '2025-02',
                 'source': 'FBI Victim Outreach (Feb 2025)'},
                {'source': "KrebsOnSecurity: 'Outsider' Phishing Kit Vendor Targets Brokerages",
                 'url': 'https://krebsonsecurity.com'},
                {'source': 'SecAlliance Research (Ford Merrill)'},
                {'date_accessed': '2025-01',
                 'source': 'Schwab Client Advisory (2025)'}],
 'regulatory_compliance': {'regulations_violated': ['Potential SEC Rules on Market Manipulation (e.g., 10b-5)',
                                                    'FINRA Rules on Fraudulent Trading',
                                                    'GDPR/CCPA (if EU/CA residents affected by data breaches)'],
                           'regulatory_notifications': ['FINRA Advisory (public)',
                                                        'FBI Victim Outreach (Feb 2025)']},
 'response': {'communication_strategy': ['FINRA Advisory on Ramp-and-Dump Risks',
                                         'Schwab Client Communications (Feb 2025)',
                                         'Media Outreach (e.g., KrebsOnSecurity, SecAlliance)'],
              'containment_measures': ['Brokerages Monitoring for Suspicious Trading Patterns (e.g., Schwab)',
                                       'Enhanced MFA Requirements for Mobile Wallet Onboarding',
                                       'Client Advisories on Emerging Fraud Trends'],
              'enhanced_monitoring': 'Yes (brokerages tracking coordinated trading)',
              'incident_response_plan_activated': 'Yes (FINRA advisory, FBI victim outreach)',
              'law_enforcement_notified': 'Yes (FBI seeking victim information as of Feb 2025)',
              'remediation_measures': ['Schwab: Multi-Layered Fraud Mitigation (e.g., disrupting SMS-based verification exploits)',
                                       'Fidelity/Vanguard: Push for U2F/Physical Security Key Adoption',
                                       'Industry-Wide Coordination on Phishing Kit Takedowns'],
              'third_party_assistance': ['SecAlliance (CSIS Security Group) - Research/Tracking',
                                         'KrebsOnSecurity - Public Disclosure']},
 'stakeholder_advisories': ['FINRA: Warned member firms about controlled trading activity',
                            'Schwab: Communicated risks to clients (early 2025)',
                            'Fidelity/Vanguard: Likely internal alerts (not publicized)'],
 'threat_actor': [{'affiliation': 'China-based phishing collective',
                   'name': 'Outsider (aka Chenlun)',
                   'platform': 'Telegram (@outsider, formerly @chenlun)',
                   'role': 'Phishing kit developer/vendor',
                   'specialization': 'Mobile phishing kits targeting brokerages, postal services, and toll operators'},
                  {'affiliation': 'Telegram-coordinated communities',
                   'name': 'Unnamed China-based Phishing Groups',
                   'role': 'Operational execution (account compromise, stock manipulation)',
                   'targets': 'U.S. brokerage customers (e.g., Schwab, Fidelity, Vanguard)',
                   'tools': 'AI/LLM-assisted phishing kits, bulk mobile device farms'}],
 'title': 'Ramp-and-Dump Scheme Targeting Brokerage Customers via Sophisticated Phishing Kits',
 'type': ['Financial Fraud',
          'Phishing',
          'Securities Manipulation',
          'Account Takeover (ATO)',
          'Mobile Wallet Fraud'],
 'vulnerability_exploited': ['Weak SMS-based Multi-Factor Authentication (MFA)',
                             'Lack of U2F/Physical Security Key Enforcement',
                             'Phishable OTP Tokens for Mobile Wallet Provisioning',
                             'Brokerage Platforms Allowing MFA via Text/Call',
                             'Delayed Detection of Coordinated Trading Patterns']}