Tracking Adversaries: RedZei, Chinese-speaking scammers targeting Chinese students in the UK


Welcome to the final BushidoToken blog of 2022. Over the last year or so, an associate of mine in the UK has been targeted by a persistent Chinese-speaking scammer. The scammer often calls once or twice a month from a unique UK-based phone number and, if left unanswered, leaves an unusual automated voicemail. 

I got the recorded voicemails and identified that they are almost certainly scam calls from Chinese-speaking fraudsters targeting Chinese international students at universities in the UK. I have tracked this campaign for over a year and built a profile on the group's activities based on just the calls and voicemails they have left. I am now disclosing these attempts and subsequently tracking this activity group as "RedZei" (aka "RedThief").

The RedZei fraudsters have chosen their targets carefully, researched them and realized it was a rich victim group that is ripe for exploitation. A quick OSINT search found several recent articles about this apparently lucrative malicious campaign:

The compelling aspect about this scam is how well the attempts were crafted and the careful tradecraft employed to evade traditional steps users take to block such scams. For each wave of scam calls, RedZei will mostly use a new pay-as-you-go +44 UK phone number every time from one of the main mobile network operators (MNOs). This essentially renders blocking the scammers phone numbers ineffective. 

Further, as RedZei alternates between SIMs from several UK mobile carriers it is difficult for the telecom companies to stop this type of activity. As the activity is also in Chinese, the carriers are less likely to investigate this campaign to additional effort required. The RedZei group, and others like it, are therefore effectively operating with impunity and will continue to do so for the foreseeable future.

Figure 1 - Calls associated with RedZei campaign 

Figure 1 contains a timeline of when these scam calls are made, including the origin of the caller's number, the mobile carrier (identified using OSINT), the date and time of the call, as well as the theme of the call. As I am not a Chinese speaker and did not get all of the voicemails verified by Chinese speakers, the theme of some of them is currently unknown. The phone numbers in plaintext are available in a Gist here.

Some of the key attributes of the RedZei gang includes leveraging Chinese enterprises, such as the Bank of China or China Mobile (CMLink) to social engineer the international students into providing their personal details. Other themes exploited by RedZei includes the "abnormal usage of your NHS number" and international parcels being delivered from DHL, which are both common concerns for Chinese students studying in the UK. 

Figure 2 - Diamond Model highlighting the attributes of RedZei

To build a better understanding of the RedZei scammers, I created a simple Diamond Model diagram to highlight the attributes of the activity group for continued tracking (see Figure 2).

If you're interested in listening to the Chinese scam calls and translating the ones I was not able to, I have uploaded them to SoundCloud here:

Please feel free to leave a comment on the Gist here if you are able to translate calls from any of the numbers referenced in this blog.

Thanks for reading. Happy New Year and have a good 2023!

UPDATE: GitHub user "freela819" has kindly provided additional context on surrounding the nature of the other calls made by the RedZei group (available in the Gist here). Additional voicemail themes leveraged by RedZei includes masquerading as Chinese government officials, such as the Chinese Embassy in the UK, the Chinese Ministry of Industry and Information Technology (MIIT), and the Chinese Communications Administration, as well as other couriers such as Royal Mail and UPS. 

Popular posts from this blog

Raspberry Robin: A global USB malware campaign providing access to ransomware operators

Tracking Adversaries: Scattered Spider, the BlackCat affiliate

Lessons from the iSOON Leaks