Chinese Phishing-as-a-Service Platforms Use Live MFA Interception to Tokenize Stolen Cards Into Digital Wallets
Google Threat Intelligence Group warns that Chinese-language phishing-as-a-service platforms are using AI, encrypted messaging, and real-time OTP interception to bypass MFA and provision stolen payment cards into attacker-controlled digital wallets worldwide.

Google Threat Intelligence Group has issued a warning about a sophisticated wave of digital wallet fraud orchestrated by Chinese-language phishing-as-a-service (PhaaS) platforms. These operations leverage artificial intelligence, encrypted messaging, and a technique called live MFA interception to bypass multifactor authentication and tokenize stolen payment cards into attacker-controlled digital wallets. The report highlights a growing trend in which fraudsters provision stolen cards globally, defeating the standard authentication protections designed to secure mobile payments.
The attack chain begins with targeted phishing campaigns that trick victims into revealing their one-time passwords (OTPs) in real time. Using AI-generated lures and encrypted chat platforms like Telegram, the attackers engage victims in convincing conversations that prompt them to share the OTP codes sent to their phones. This live interception allows the fraudsters to complete the MFA challenge that would normally block unauthorized card enrollment into digital wallets such as Apple Pay, Google Pay, or Samsung Pay.
Once the OTP is captured, the attackers immediately use it to provision the stolen card details into a digital wallet under their control. The card data itself is often obtained from previous data breaches or card-not-present fraud, but the critical innovation is the ability to bypass the MFA step that issuers rely on to verify the cardholder's identity during wallet enrollment. This effectively tokenizes the stolen card, allowing the fraudster to make contactless payments or online purchases as if they were the legitimate cardholder.
The Google Threat Intelligence Group report specifically names the abuse of AI tools and real-time OTP theft as the core attack vector. The PhaaS platforms offer these capabilities as a service, lowering the barrier to entry for less technically skilled criminals. The platforms also use encrypted messaging to coordinate attacks and distribute stolen credentials, making them harder for law enforcement to monitor.
The impact of this fraud is global, as the digital wallet platforms targeted are used worldwide. Financial institutions and payment networks are now racing to update their fraud detection systems to identify patterns consistent with live MFA interception. Some banks have begun implementing behavioral biometrics and device fingerprinting to detect when a card is being enrolled from an unfamiliar device or location, even if the OTP is correctly entered.
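The enrollment check described above, as an added example that is not taken from the Google report or from any bank's system: a rule that still scores a wallet enrollment on device and location familiarity after the OTP has been entered correctly. The field names, decision labels, and sample events are assumptions constructed for illustration.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Enrollment:
    card_id: str
    device_id: str  # device fingerprint seen at wallet enrollment (hypothetical field)
    country: str    # coarse location of the enrollment request (hypothetical field)
    otp_ok: bool    # result of the issuer's OTP challenge

@dataclass
class CardProfile:
    devices: set = field(default_factory=set)    # devices previously seen for this card
    countries: set = field(default_factory=set)  # countries previously seen for this card

def assess(event, profiles):
    """Return (decision, reasons) for one wallet-enrollment attempt."""
    if not event.otp_ok:
        return "deny", ["otp_failed"]
    profile = profiles.get(event.card_id)
    if profile is None:
        # No baseline to compare against: do not auto-approve on the OTP alone.
        return "hold_for_review", ["no_history"]
    reasons = []
    if event.device_id not in profile.devices:
        reasons.append("unfamiliar_device")
    if event.country not in profile.countries:
        reasons.append("unfamiliar_location")
    if not reasons:
        return "allow", reasons
    # A correct OTP is not treated as proof that the cardholder is enrolling:
    # one unfamiliar signal holds the enrollment, two block it pending verification.
    decision = "block_pending_verification" if len(reasons) == 2 else "hold_for_review"
    return decision, reasons

# Constructed sample data, for illustration only.
SAMPLE_PROFILES = {"card-A": CardProfile({"dev-1"}, {"US"})}
SAMPLE_EVENTS = [
    Enrollment("card-A", "dev-1", "US", True),   # usual device and country
    Enrollment("card-A", "dev-9", "US", True),   # new device, usual country
    Enrollment("card-A", "dev-9", "BR", True),   # new device and new country, OTP correct
    Enrollment("card-A", "dev-9", "BR", False),  # OTP challenge failed
    Enrollment("card-Z", "dev-2", "FR", True),   # card with no enrollment history
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(ev.card_id, ev.device_id, ev.country, *assess(ev, SAMPLE_PROFILES))
```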
This development underscores a broader shift in cybercrime: attackers are no longer just stealing credentials; they are actively intercepting authentication in real time. As digital wallets become more ubiquitous, the security community must adapt to threats that target the very mechanisms designed to protect them. Google's warning serves as a critical reminder that MFA, while still effective against many attacks, is not infallible—especially when human psychology is exploited alongside technical trickery.