Mobile Scammers Focus on Brokerage Accounts in ‘Ramp and Dump’ Cashout Scheme

Cybercrime Groups Target Brokerage Customers

Recent research indicates that cybercrime groups utilizing advanced phishing techniques are now focusing on brokerage customers. These groups, which use sophisticated phishing kits to funnel stolen card data into mobile wallets, are adapting their strategies as security measures on trading platforms restrict direct fund transfers. Instead, they manipulate foreign stock prices by employing multiple compromised securities accounts simultaneously.

This tactic is being referred to as “ramp and dump,” a twist on the classic “pump and dump” scam. In typical pump and dump schemes, scammers purchase large volumes of penny stocks and then artificially inflate interest through aggressive social media marketing, only to sell off their shares once the price peaks, which leads to steep declines for legitimate investors. With ramp and dump, however, scammers exploit compromised accounts to acquire numerous shares and sell once the price rises without needing to generate social media hype.

The FBI reports that it is actively seeking information from victims affected by this scheme. Manipulation in this variation primarily stems from coordinated trading activities by fraudsters. An advisory from the Financial Industry Regulatory Authority (FINRA) highlights that unsuspecting investors often face catastrophic losses as stock prices plummet.
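
The coordinated buying across many compromised accounts described above leaves a pattern a brokerage can look for: several accounts making a first-ever purchase of the same symbol within minutes of each other, each from a device not seen on that account before. The following is an added example, not taken from the article or from any brokerage's system; the field names, thresholds and sample orders are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=30)  # assumed clustering window
MIN_ACCOUNTS = 3                # assumed alert threshold (distinct accounts)

def order(hhmm, account, symbol, side, first_buy, new_device):
    """Build one constructed order record (field names are hypothetical)."""
    ts = datetime.strptime("2025-01-06 " + hhmm, "%Y-%m-%d %H:%M")
    return {"ts": ts, "account": account, "symbol": symbol, "side": side,
            "first_buy": first_buy, "new_device": new_device}

# Constructed sample data; tickers and account IDs are made up.
SAMPLE_ORDERS = [
    order("09:31", "A1", "XMPL1", "BUY", True, True),
    order("09:35", "A2", "XMPL1", "BUY", True, True),
    order("09:40", "A3", "XMPL1", "BUY", True, True),
    order("09:52", "A4", "XMPL1", "BUY", True, True),
    order("11:30", "A5", "XMPL1", "BUY", True, True),    # outside the burst
    order("09:45", "A1", "XMPL1", "SELL", False, True),  # sells are ignored
    order("09:33", "B1", "XMPL2", "BUY", True, False),   # known device
    order("09:34", "B2", "XMPL2", "BUY", False, False),  # repeat buyer
    order("09:36", "B3", "XMPL2", "BUY", True, True),
]

def find_coordinated_buys(orders, window=WINDOW, min_accounts=MIN_ACCOUNTS):
    """Return (symbol, accounts) where many accounts first-buy a symbol together."""
    by_symbol = defaultdict(list)
    for o in orders:
        # Keep only buys that are out of character for the account.
        if o["side"] == "BUY" and o["first_buy"] and o["new_device"]:
            by_symbol[o["symbol"]].append(o)
    alerts = []
    for symbol, buys in sorted(by_symbol.items()):
        buys.sort(key=lambda o: o["ts"])
        start, best = 0, set()
        for end in range(len(buys)):
            # Slide the window so it never spans more than `window`.
            while buys[end]["ts"] - buys[start]["ts"] > window:
                start += 1
            accounts = {o["account"] for o in buys[start:end + 1]}
            if len(accounts) > len(best):
                best = accounts
        if len(best) >= min_accounts:
            alerts.append((symbol, sorted(best)))
    return alerts

if __name__ == "__main__":
    for symbol, accounts in find_coordinated_buys(SAMPLE_ORDERS):
        print(f"review {symbol}: {len(accounts)} accounts {accounts}")
```
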

Ford Merrill, a security researcher from SecAlliance, has traced recent ramp and dump activity to vibrant Chinese communities that openly market advanced phishing kits through platforms like Telegram. They often synchronize with other actors to strategically purchase specific Chinese IPOs.

Merrill notes that these phishing gangs utilize stolen securities accounts to settle positions and make immediate sell-offs when prices rise. The victims may be left holding worthless shares, which isn’t ideal for either party involved.

In earlier years, phishing tactics largely revolved around text messages or spoofing entities like the US Postal Service, tricking recipients into providing sensitive information under the guise of overdue fees. This would allow fraudsters to register the victim’s card details onto mobile wallets. If victims share a one-time code, they inadvertently enable the scammers to gain control over their payment methods.

These gangs often load multiple stolen cards into a single digital wallet, later reselling them to crooks who carry out fraudulent transactions online.

The tactics employed by these China-based phishing groups reveal significant vulnerabilities among many US financial institutions that rely on one-time codes for mobile wallet setups. Fortunately, many institutions have ramped up their authentication procedures since the scams surfaced two years ago, requiring card registration through their official apps.

However, as is often the case, when one tactic is thwarted, the criminals find alternative targets. Recently, the spotlight has turned towards customers of major brokerage platforms.

Outsiders

Merrill points out various Telegram channels operated by skilled phishing kit sellers exhibiting how features can be customized for different targets. One such kit, from a vendor called “Outsider,” includes ready-made templates for executing attacks on brokerage accounts.

Chen Ran, related to this phishing landscape, previously gained attention for overseeing a network that victimized customers of over a dozen postal services globally. Their phishing messages, often sent via iMessage or Google’s RCS, warn recipients of account suspensions and prompt them to log in, directing them to a fake page designed to harvest login credentials and verification codes.

While one phishing kit may specifically target Schwab clients, it is easily adaptable to other platforms, making brokerage accounts particularly appealing to scammers due to their multi-factor authentication procedures.

Schwab stated they continuously inform clients about emerging scam trends and the strategies employed by fraudsters. They also actively monitor and respond to suspicious activities.

Like Schwab, other brokerage firms provide multi-factor authentication options, but many of these channels remain vulnerable to phishing attacks. Some customers have been tricked into approving fraudulent login requests based on stolen information, as security measures are still imperfect.

Vanguard, for instance, offers an option to use physical security keys alongside login credentials, providing a stronger layer of protection that can’t be easily compromised.

The Perfect Crime?

Merrill describes the ramp and dump scheme as somewhat of a “perfect crime” because it essentially creates a distance between the victim’s accounts and the fraudster’s activities. They can purchase stocks on personal accounts, and exchanges typically don’t raise any red flags, making it easier for them to manipulate market prices.

It remains uncertain how these cybercriminals coordinate their operations or if they adopt accounts right before using them to influence stock values. Some evidence suggests these groups have a well-established support network, allowing them to operate seamlessly.

Research indicates that these phishing groups often employ individuals who monitor bank responses in real time, reacting promptly to victims who provide their verification codes. The evolution of these tactics is heavily influenced by advanced technologies, including AI and language models, which streamline the process of developing phishing kits.

Merrill concludes that as these technologies become integrated, the possibilities for criminals will only expand, making it easier for new actors to enter this illicit field.
