Exposing a Global Smishing Operation Across 19 Countries: Governments, Postal Services, and Telecoms Targeted

In May 2026, Romania's official government payment portal Ghișeul.ro posted a public security warning after citizens began reporting fraudulent SMS messages impersonating the platform. That warning pointed to something much larger.

Our investigation, using Hunt.io's crawler database and IP intelligence, traced that single impersonation campaign to a coordinated smishing operation spanning 19 countries across Europe, the Americas, and the Caucasus.

The same infrastructure hitting Romanian taxpayers was also targeting DPD delivery customers in the UK and Ireland, road police portals in Bulgaria and Armenia, tax authorities in Greece, and T-Mobile users in the United States.

Here is what we found.

Key Observations

• 1,628 malicious URLs confirmed active across 19 countries and multiple sectors, all linked by a single campaign tracking identifier embedded in the HTML of every page.

• Targeted countries span three regions: Europe (Romania, United Kingdom, Ireland, Spain, France, Bulgaria, Slovenia, Latvia, Greece, North Macedonia, Lithuania, Estonia, Albania, Kosovo, Montenegro), the Americas (United States, Trinidad & Tobago), and the Caucasus (Georgia, Armenia).

• 32 backend IP addresses spanning 6 geographic regions, with infrastructure distributed across Tencent Cloud (15 IPs), Alibaba Cloud (3 IPs), Cloudflare CDN (14 IPs), and ALEXHOST in Moldova (2 IPs).

• Two distinct phishing templates in use: a modern Vue.js single-page application used across the majority of domains, and a Bootstrap-based clone that appears to have been scraped directly from the legitimate Ghișeul.ro site.

• A single 128-character metadata hash present across all 1,628 URLs acts as a persistent campaign fingerprint, making it possible to track new infrastructure as it comes online.

Here is how we traced it.

Background: The Ghișeul.ro Impersonation

The legitimate Ghișeul.ro platform (https://www.ghiseul.ro/ghiseul/public/) recently posted a prominent security warning on their homepage: "Atenție la Phishing! Ghișeul.ro nu anunță prin SMS sau e-mail apariția unei obligații de plată. Nu da click pe link-uri suspecte, verifică întotdeauna expeditorul și adresa URL înainte de a acționa. Fii vigilent, protejează-ți datele!"

Translation: Warning about Phishing! Ghișeul.ro does not announce payment obligations via SMS or email. Do not click on suspicious links; always verify the sender and URL before taking action. Be vigilant, protect your data!

ADR and DNSC confirmed they were actively monitoring the situation. The warning went out on May 7, 2026. By that point the campaign had already been running for weeks. Here is what victims were actually walking into.

Attack Flow Analysis: Four-Stage Phishing Process

The campaign runs victims through four stages. Each one is designed to do a specific job: establish trust, manufacture urgency, collect card data, and buy time for exfiltration.

Stage 1: Initial Landing Page - Trust Establishment

The victim arrives at a convincing replica of the official Ghișeul.ro interface displaying "Verificare amenzi rutiere" (Traffic Fine Verification) at https://ghiseal[.]lat/ro/#/index.

The page copies the legitimate portal closely, including:

• Official Ghișeul.ro branding and color scheme

• Navigation menu items: "Acasă", "Instituții înrolate", "Legislație", "Întrebări frecvente", "Contact"

• "SERVICIU OFICIAL ONLINE" badge to establish legitimacy

• Three-step process indicator: 1. Verificare (Verification), 2. Detalii (Details), 3. Plată (Payment)

• Form requesting vehicle registration number with placeholder "Ex. B 123 ABC"

• Trust indicators: "Conexiune SSL criptată - Date protejate" (SSL encrypted connection - Protected data)

• Feature badges promoting: "Informații oficiale", "Plată cu cardul", "Disponibil 24/7", "Dovadă digitală"

The registration number collected here is likely used to make the next stage feel more convincing.

Stage 2: Fabricated Fine Details - Urgency Creation

Upon entering a vehicle registration number, the victim is presented with entirely fabricated traffic fine details. This page displays:

• Vehicle registration number confirmation: "B 123 BC"

• Fictitious fine details:

• Process number: "53535652"

• Violation type: "Depășirea vitezei" (Speeding violation)

• Violation date: "15/05/2026"

• Due date: "22/05/2026"

• Status: "În așteptare plată" (Awaiting payment)

• Payment amount: 420.00 lei (approximately €84 USD)

• Warning messages creating urgency: "A fost găsită o amendă rutieră" (A traffic fine was found) marked as "În așteptare plată" (Awaiting payment)

The page includes a legal-sounding reference to "Conform Legii nr. 18 din 4 decembrie de aplicare, sancțiunile neachitate pot genera penalități de întârziere" (According to Law no. 18 of December 4 on application, unpaid sanctions may generate late penalties). This false legal citation adds perceived legitimacy while creating pressure to pay immediately.

A payment summary box on the right displays the total amount and includes a green "Continuă către plată" (Continue to payment) button.

Stage 3: Payment Information Collection - Credential Harvesting

The victim proceeds to a professional-looking payment interface titled "Plata amenzilor" (Fine Payment).

Harvested Data:

1. Cardholder name: "TITULARUL CARDULUI - Așa cum apare pe card"

2. Card number: "NUMĂRUL CARDULUI - 0000 0000 0000 0000" (16 digits)

3. Expiration date: "DATA EXPIRĂRII - MM/AA"

4. CVV security code: "CVV - 3-4 cifre"

Visual Deception:

• Realistic card visualization labeled "GHISEUL.RO - RO" with chip graphic

• Payment summary displaying: Registration "B 123 BC", Description "Amendă rutieră", Amount "420,00 lei"

• Prominent green button: "PLĂTEȘTE 420,00LEI" (PAY 420.00 LEI)

At this point the attacker has everything they need: full card number, expiry, and CVV.

Stage 4: Processing Deception - Data Exfiltration

After the victim submits their payment information, a loading screen appears with the message "SE ÎNCARCĂ..." (LOADING...) accompanied by an animated spinner graphic. This serves multiple purposes:

1. Creates the illusion of legitimate processing - Victims believe their payment is being processed through official channels

2. Provides time for data exfiltration - The submitted credit card details are transmitted to the attackers' infrastructure

3. Prevents immediate suspicion - A loading delay seems normal for payment processing

4. May redirect to fake confirmation page - After sufficient delay, victims may see a false "payment successful" message or fabricated receipt

By the time the victim realizes something is wrong, the card data is already gone.

Investigation Methodology

We used Hunt.io's crawler database and IP intelligence to hunt across multiple pivot points:

1. Initial Discovery: Domain enumeration targeting "ghiseul" variations not hosted on legitimate infrastructure.

2. JavaScript Fingerprinting: Asset-based clustering using unique filenames and hashes found in the HTML body.

3. Language Pattern Analysis: URL structure matching (/{language-code}/#/index) to identify multi-country scope.

Pivot 1: Initial Domain Discovery

We queried Hunt.io's HuntSQL crawler database for URLs containing "ghiseul" that were not resolving to the legitimate ghiseul.ro domain.

Example Query:

SELECT 
*
FROM 
crawler
WHERE url LIKE '%ghiseul%'
  AND NOT hostname = 'ghiseul.ro'
  AND timestamp gt '2026-05-01'

                
Copy

Example Output:

The query returned 11 unique URLs active in May 2026, revealing multiple fraudulent domains using variations of the legitimate service name.

• http://ghiseul-ro[.]shop/

• http://ghiseul-ro[.]sbs/

• http://ghiseul[.]cfd/pay

• https://www.ghiseulro[.]cyou/ro/

• https://www.ghiseul-ro[.]cfd/ghiseul/public/

• http://ghiseul.eu[.]cc/pay

• https://www.ghiseul-ro[.]bond/ghiseul/public/

• https://www.ghiseul.govro[.]one/ghiseul/public/

• http://ghiseul-ro[.]cyou/

• https://ghiseul[.]cyou/pay

• https://ghiseul[.]autos/ro/

Technical Analysis: Two Distinct Templates

Template 1: Modern Single-Page Application (SPA) - 11 URLs

The majority of discovered domains employ a sophisticated Vue.js-based single-page application. These sites share an identical HTML structure with a distinctive technical fingerprint.

All Template 1 sites contain a 128-character hexadecimal string in the HTML <head>:

This identifier serves as a campaign tracking token and became the basis for our most comprehensive pivot (Pivot 4).

This is followed by a series of unusual meta tags that serve no legitimate SEO purpose but appear to be internal tracking mechanisms:

The most distinctive feature is extensive HTML obfuscation through hundreds of meaningless span elements. These spans contain randomly generated attributes designed to defeat signature-based detection:

<span cache-krykl0="p>p+%"!}s|" temp-tuabxwz="d#y$|l#f" 

      data-ouy="g+=p*w?eg" info-flf="+u!o'$t@" 

      class="q3w8v1rz b66df868e23d" aria-hidden="true" 

      data-q="5756505bc94149dda328a2721561cab6" 

      data-eee19="363590090" style="display: contents;">

                
Copy

Similarly, the asset loading is consistent across all SPA template instances. The B0cMf6vN.js file is the primary application bundle, DNINFtUF.js is a preloaded module dependency, and Vx8ldEBt.css contains the stylesheet. These exact filenames appear identically across all Template 1 instances, indicating centralized asset hosting or build pipeline.

Template 2: Traditional Bootstrap Framework - 1 URL

A single domain "ghiseul[.]eu.cc/pay" uses a completely different architecture that employs traditional multi-page application structure with Bootstrap 3.x framework:

<title>Ghiseul.ro - Sistemul National Electronic de Plata Online</title>

<link rel="stylesheet" href="/www.ghiseul.ro/ghiseul/public/css/bootstrap.min.css">

<link rel="stylesheet" href="/www.ghiseul.ro/ghiseul/public/css/bootstrap-theme.css">

<link rel="stylesheet" href="/www.ghiseul.ro/ghiseul/public/css/simple-line-icons.css">

<link rel="stylesheet" href="/www.ghiseul.ro/ghiseul/public/css/font-awesome.min.css">

<link rel="stylesheet" href="/www.ghiseul.ro/ghiseul/public/css/jquery-ui.structure.min.css">

                
Copy

The resource paths reference /www.ghiseul.ro/ghiseul/public/, which mimics the legitimate site's directory structure, indicating the template was likely built by copying the original.

Unlike Template 1's focus on traffic fines, Template 2 targets toll payment fraud:

<h2 data-v-77216ba1="">Notificare de tranzit fără TAG</h2>

<p data-v-77216ba1="">Această notificare necesită atenția dumneavoastră imediată pentru regularizarea plății taxei de drum.</p>

                
Copy

Translation: "Notification of transit without TAG - This notification requires your immediate attention to settle the road tax payment."

The consistent appearance of the B0cMf6vN.js asset across all Template 1 instances is particularly significant. This same file hash across multiple domains confirms centralized infrastructure management and strongly suggests all Template 1 sites are operated by the same threat actor or group using automated deployment tools.

Pivot 2: JavaScript Asset Fingerprinting

Since every Template 1 site loads /assets/B0cMf6vN.js, we used that filename as a pivot:

Example Query:

SELECT 
*
FROM crawler
WHERE body LIKE '%/assets/B0cMf6vN.js%'
  AND timestamp gt '2026-05-01'
ORDER BY timestamp DESC

                
Copy

Example Output:

The result shows 4 additional domains that are still operational at the time of analysis. These domains share identical infrastructure fingerprints, confirming they are part of the same operation.

• http://ghisaul[.]lat/ro

• https://ghiseal[.]lat/ro/

• https://ghizeul.lat/ro/

• https://ghisiul.lat/ro/

These domains use deliberate typosquatting variations of "ghiseul" (ghisaul, ghiseal, ghizeul, ghisiul) to capture victims who mistype the legitimate domain name.

Pivot 3: Language Pattern Analysis - Multi-Country Scope

To map the full scope beyond Romania, we looked at the URL structure shared across the fraudulent sites.

All identified phishing domains follow a consistent pattern: /{two-letter-language-code}/#/index.

We built a query to track the campaign across regions:

Example Query:

SELECT
  *
FROM
  crawler
WHERE
  final_url RLIKE '/[a-z]{2}/#/index'
  AND timestamp > '2026-05-01'
ORDER BY
  timestamp DESC

                
Copy

Example Output:

The query returned 134 unique URLs, revealing a massive multi-country phishing operation targeting at least 19 countries across Europe, the Americas, and the Caucasus. The campaign demonstrates sophisticated localization, with phishing sites impersonating government portals, traffic police departments, postal services, and commercial entities in each target region.

The table below breaks down the 134 domains by impersonation type:

Estonia (ee) - 1 domain

• Target: Road traffic fines/police services

• Example: hoiatustrahv.politsei[.]gov-ee[.]bond

Lithuania (lt) - 1 domain

• Target: Government services (likely SUMIN - tax/payment system)

• Example: sumin[.]lrv-lt[.]shop

Armenia (hy) - 3 domains

• Target: Road Police services

• Examples: roadpolice-am[.]icu, roadpolice-am[.]shop, roadspolice[.]lat

Slovenia (si) - 11 domains

• Target: e-Uprava (National e-Government Portal)

• Examples: govl[.]lat, gove[.]lat, govk[.]lat, govsi[.]bar, gov-si[.]xin, govh[.]lat, govo[.]lat, govj[.]lat, gov-si[.]sbs, gov-si[.]qpon, gov-si[.]cam, e-uprava[.]gov-si[.]shop

Bulgaria (bg) - 7 domains

• Target: MVR (Ministry of Internal Affairs - traffic fines)

• Examples: mvrcc[.]lat, mvr[.]lat, mvri[.]lat, mvrbg[.]ink, mvrbg[.]sbs, mvrx[.]lat, mvrbg[.]life

Latvia (lv) - 6 domains

• Target: CSDD (Road Traffic Safety Directorate) and DPD delivery

• Examples: e-csddlv[.]top, e.csdd[.]govlv[.]cam, dpde[.]lat, dpdlv[.]bond, dpd-lv[.]top

Spain (es) - 11 domains

• Target: SEUR (parcel delivery service) and Fanveris

• Examples: seur-rmvxq[.]club, seur-hxrz[.]org, seur-fghij[.]org, seur-bcdef[.]cc, seur-cztwp[.]club, seur-fqlap[.]cyou, seur-zkryw[.]cloud, seur-rxkmd[.]cyou, seur-hijkl[.]cc, seur-yzabc[.]com, seur-jwqec[.]link, fanveris[.]cyou

North Macedonia (mk) - 3 domains

• Target: MVR (Ministry of Internal Affairs)

• Examples: mvr-gov-mk[.]cyou, mvr.govmk[.]one, mvr.govmk[.]cam

English-speaking regions (en) - 71 domains

• Target: Generic DSV-branded infrastructure (likely delivery/logistics scam)

• Pattern: dsv[xx].{tld}/en/#/index with multiple TLDs (.sbs, .cfd, .cyou, .icu, .shop, .lat)

• Examples: dsvag[.]sbs, dsvav[.]cfd, dsvxk[.]cyou, dsvcv[.]cfd, etc.

Ireland (ie) - 1 domain

• Target: DPD delivery service

• Example: dpd.ie-com[.]vip

Albania (al) - 1 domain

• Target: Vodafone (telecommunications)

• Example: vodafaone[.]shop

United Kingdom (uk) - 1 domain

• Target: Tesco (retail loyalty/rewards)

• Example: tesco-redeem-check[.]bond

Generic/Multi-region (pc) - 2 domains

• Target: E-commerce/shopping platforms

• Examples: worldmartonline[.]com, gobal-store-hub[.]shop

This infrastructure represents a coordinated phishing operation targeting government payment portals, traffic fine systems, parcel delivery services, and telecoms across 19 countries on three continents.

Pivot 4: Unique Campaign Identifier - Full Scale Revelation

Every phishing page in this campaign carries the same metadata identifier in the HTML <head> section.

Example Code:

<meta name="keywords" content="39dabeddef7c2f0806110b305bd8ca7307c13ac987e7c64fc1d46752868a258958eba99f16413f522a4961dfb0956598336fc258794664ccc9f71f25e8f688c5">

                
Copy

That 128-character string is a campaign fingerprint. We queried the crawler database for it directly:

SELECT 
*
FROM crawler
WHERE body LIKE '%39dabeddef7c2f0806110b305bd8ca7307c13ac987e7c64fc1d46752868a258958eba99f16413f522a4961dfb0956598336fc258794664ccc9f71f25e8f688c5%'
AND timestamp gt '2026-05-01'

                
Copy

Example Output:

The query returned 1,628 URLs. The breakdown shows a campaign primarily concentrated in the UK (558 DPD URLs) and the US (39 T-Mobile and DMV URLs), with government portal targets spread across Eastern Europe and the Caucasus.

The affected countries and organizations are summarized in the following table.

The following chart illustrates the geographical distribution of identified URL targets, highlighting a significant concentration of activity within specific regions.

The URL analysis shows the top-level domains used in this ongoing campaign in the following graph.

With the full URL scope mapped, we turned to the backend infrastructure hosting all of it.

Infrastructure Analysis

Using Hunt.io's IP intelligence, we mapped the backend infrastructure behind the Romanian domains. Five distinct IP addresses served the 19 URLs from Pivots 1 and 2, spread across multiple regions to make takedowns harder.

Expanding beyond the Romanian campaign, the full 32-IP infrastructure reveals a broader multi-provider hosting strategy built for resilience and jurisdictional complexity.

Tencent Cloud (AS132203) - 15 IPs

Tencent is the primary provider, with 15 servers across Singapore (43.160.242[.]3, 43.160.221[.]174, 43.160.250[.]19), Germany/Frankfurt (43.157.17[.]77, 43.157.122[.]50, 43.157.64[.]211, 43.165.4[.]234, 43.157.25[.]170, 43.165.3[.]200, 43.165.4[.]68, 43.165.1[.]208, 43.165.62[.]39, 43.157.91[.]129), and United States/Santa Clara (43.153.72[.]244, 43.173.74[.]207).

The Singapore instance at 43.160.250[.]19 hosts 25 domains and has been active since June 26, 2025, indicating nearly year-long operational persistence. The Frankfurt deployment at 43.165.1[.]208 serves 9 domains and was first detected on February 28, 2026. The Santa Clara instance at 43.153.72[.]244 is the most heavily utilized server in the entire infrastructure, hosting 72 domains. Domain counts range from 4 to 156 per IP, with 43.157.17[.]77 (156 domains) and 43.157.25[.]170 (116 domains) serving as high-capacity hubs.

All run standardized Ubuntu/Debian Linux with OpenSSH (versions 8.9p1-9.6p1) and nginx web servers. First-seen timestamps range from May 2023 to May 2026, indicating continuous infrastructure expansion over three years.

Cloudflare Global Anycast (AS13335) - 14 IPs

The operation extensively leverages Cloudflare's global CDN network, with 14 anycast IP addresses, each with 3,400-5,000 domains routing through them.

Notable IPs include 104.21.80[.]54, 172.67.199[.]16, 172.67.206[.]239, 104.21.23[.]164, 104.21.16[.]182, 104.21.61[.]204, 172.67.196[.]175, 104.21.83[.]233, 104.21.34[.]64, 104.21.75[.]129, 172.67.137[.]96, 172.67.136[.]71, and 104.21.8[.]35.

All expose standard CloudFlare Load Balancer services on ports 80/443 plus cPanel management ports (2082, 2083, 2086, 2087, 2095, 2096, 8080, 8443, 8880).

Two Cloudflare anycast IPs in the cluster, 104.21.16[.]182 and 104.21.34[.]64, have other domains routing through them that carry Tactical RMM and Cobalt Strike signatures. These are unrelated to this smishing campaign but worth flagging for teams monitoring the broader IP range.

172.67.156[.]124 is one of 14 Cloudflare anycast IPs in the cluster, with 4,000+ domains routing through it, exposing cPanel/WHM management ports (2082, 2083, 2086, 2087, 2095, 2096) alongside standard HTTP/HTTPS.

Alibaba Cloud (AS45102) - 3 IPs

Three Frankfurt-based servers (47.245.142[.]76, 47.91.88[.]57, 47.254.147[.]205) host 12, 30, and 22 domains, respectively. All expose SSH (port 22) and nginx web servers (ports 80/443), with 47.254.147.205 showing the longest operational history (first seen March 2024).

ALEXHOST Moldova (AS200019) - 2 IPs

Two servers in Chisinau, Moldova (80.96.58[.]119, 80.96.58[.]68) represent the only non-cloud VPS infrastructure.

Both run OpenSSH 9.9 and nginx, with unusual ports 887/888 exposed, potentially for custom control panels.

Geographic Distribution

The infrastructure spans 6 regions: Singapore (3 IPs), Germany/Frankfurt (10 IPs), United States/Santa Clara (2 IPs), Moldova/Chisinau (2 IPs), Global Anycast (14 IPs), and one miscategorized IP. The spread gives the operation low-latency access to European targets, with Asian and North American servers as backup.

The choice of providers also introduces a deliberate legal obstacle. Using both Tencent Cloud and Alibaba Cloud, both Chinese companies, creates jurisdictional complexity. Both operate international infrastructure but are subject to Chinese law domestically, potentially complicating cross-border law enforcement requests from European authorities.

Mitigation Measures

• Watch the domain, not the branding. This campaign puts real effort into copying the visual identity of legitimate portals. The Ghișeul.ro replica is convincing enough that a distracted user would not notice the difference. The one thing attackers cannot fake is the domain. If the URL is not the official government or service domain, close the tab.

• No government portal sends payment demands by SMS. That is not how Ghișeul.ro, MVR, CSDD, or any of the other impersonated services operate. Any message creating urgency around an unpaid fine or toll, with a link attached, is a scam. The due date and penalty language in these messages are fabricated.

• Typosquatting is deliberate. Domains like ghisaul[.]lat, ghiseal[.]lat, and ghizeul[.]lat are not accidents. They are designed to catch users who mistype the real domain or scan. Slow down and read the full URL before entering any information.

• For security teams: the 128-character metadata hash is your fastest detection pivot. Scanning for it across your monitoring infrastructure will surface active campaign URLs before takedowns happen. The HuntSQL query is documented in this report.

• If you operate one of the impersonated brands, set up automated monitoring for typosquat registrations on cheap TLDs (.lat, .shop, .cyou, .bond, .sbs, .cfd). This campaign registers new domains continuously and Dynadot is the registrar of choice.

Infrastructure Observables

This investigation is based on a large set of infrastructure-level observables, including 1,628 malicious URLs, 32 backend IP addresses across six geographic regions, and associated hosting metadata tied to active smishing infrastructure targeting government portals, postal services, and telecoms across 19 countries.

Given the scale of the dataset and the fact that this campaign is still active and rotating infrastructure, publishing a static list here would provide limited operational value. The 128-character campaign hash remains a working pivot, and new domains continue to surface under the same cluster signature.

➔ Teams interested in accessing the full dataset with attribution context, historical tracking, and real-time updates can reach out to Hunt.io to discuss research collaboration or operational access.

Conclusion

Phishing campaigns at this scale don't stay contained. They rotate infrastructure, add new lure templates, and move on to the next country before most defenders have finished blocking the last batch of domains.

The operators behind this campaign are not particularly careful. They reused the same 128-character hash across 1,628 pages. They deployed identical JavaScript assets across dozens of domains. They kept servers running on the same ASNs for months. Those are the kinds of mistakes that make large-scale tracking possible, and exactly the kind of signal Hunt.io is built to catch.

The Romanian warnings from ADR and DNSC were the right call, but they went out without IOC lists, without infrastructure data, and without any way for defenders to take action beyond telling citizens to be careful. That gap is what this report tries to fill.

The 128-character hash is still a working pivot. The 32 IPs are documented. The campaign is still active.

If you are responsible for protecting any of the 19 countries or brands named here and want to track this campaign further or run similar infrastructure hunting against threats targeting your organization, reach out to the Hunt.io team.