
Chinese cybercriminals are aggressively promoting Lucid, a phishing-as-a-service platform tailored for large-scale attacks on mobile device users. Since its launch in mid-2023, Lucid has been leveraged in campaigns targeting 169 organizations across 88 countries. Unlike traditional SMS phishing, Lucid delivers its messages over encrypted messaging channels, Apple’s iMessage and Android’s RCS, so the carrier-side filtering that screens ordinary SMS traffic never sees the content, which lets the operators evade spam filters and vastly expand their reach.
The platform is distributed via a subscription model through a Telegram channel, which now boasts over 2,000 members. For a weekly fee, attackers gain access to more than a thousand phishing domains, sophisticated mass-messaging tools, and a suite of fake-site generators. These counterfeit sites are meticulously crafted to mimic popular services and governmental entities, including USPS, DHL, Amazon, Amex, HSBC, and E-ZPass.
Researchers at Prodaft have attributed Lucid to the Chinese threat actor XinXin, previously associated with a similar phishing toolkit known as Darcula v3. This suggests possible technological or operational overlap between the two platforms.
Lucid is capable of dispatching up to 100,000 phishing messages per day, often disguised as urgent tax notifications, delivery updates, or fines for unpaid tolls. Each message is adorned with falsified logos, localized in both language and geography, and fine-tuned using geofencing techniques to increase the likelihood of engagement.
Cybercriminals operate vast “farms” of iOS and Android devices, populated with disposable Apple IDs and configured to exploit vulnerabilities in mobile carrier infrastructure, allowing for large-scale dissemination of phishing messages.
In one revealing instance, Prodaft captured video footage of phishing campaigns being conducted from within a moving vehicle—a calculated demonstration designed to emphasize just how accessible and user-friendly the operation is, even for individuals with no technical expertise.
Victims are lured to fraudulent landing pages where they are prompted to submit personal and financial information—names, addresses, card numbers, and other sensitive data. Valid credentials are then sold on underground markets or used directly to siphon funds.
Lucid significantly lowers the barrier to entry for cybercrime. Novices can launch effective phishing campaigns with minimal technical know-how or financial investment, fueling both the proliferation and the growing sophistication of these operations. According to Prodaft, Lucid’s rapid spread is attributable not only to its technical efficacy but also to its commercially driven model. Regular updates, automation, and an intuitive interface make the service especially appealing to criminals seeking scalable and cost-efficient attack vectors.
To avoid falling victim, individuals are urged to exercise vigilance—never click on links from unsolicited messages and always verify information through the official websites of service providers.