SMS Pumping Fraud: The $60M Telecom Attack Linked to OTP Bots

SMS pumping fraud, also known in the telecom industry as Artificially Inflated Traffic or AIT fraud, is a category of telecom abuse in which attackers trigger massive volumes of fake one-time password requests against a platform’s authentication system, forcing the platform to pay for SMS deliveries that serve no legitimate purpose.

In December 2022, Elon Musk claimed during a Twitter Spaces session that the platform was losing approximately $60 million per year to the attack and named 390 telecom operators outside North America as participating in the scheme, though X as a company never formally confirmed the figure.

The economic model relies on a rogue telecom operator who shares revenue with the fraud actor for every SMS terminated on their network, which means the attacker does not need to compromise any account or steal any credentials to extract value, and the attack therefore stays profitable even when every individual login attempt fails. The same Telegram-based criminal ecosystem that runs OTP bot account takeover attacks is increasingly running SMS pumping in parallel, since the infrastructure required to trigger massive OTP volumes is essentially the same.

Quick facts

| Field | Detail |
| --- | --- |
| Attack name and aliases | SMS pumping fraud, AIT fraud, artificially inflated traffic, SMS toll fraud, A2P toll fraud |
| Typical victim profile | Any platform sending SMS OTP to user-supplied phone numbers without aggressive rate limiting or country filtering |
| Attacker profile | OTP bot operators, telecom-adjacent fraud groups, and rogue mobile network operators in revenue-share arrangements |
| Documented scale | Elon Musk claimed Twitter was losing approximately $60M/year (Dec 2022); CFCA reported $41.82B total telecom fraud globally in 2025, with IRSF (the related category) at $6.23B in 2023; Twilio’s Verify Fraud Guard has blocked over $62M in customer SMS pumping losses since 2022 |
| Primary technical signal | Anomalous SMS volume concentrated on a small set of country prefixes with high termination rates |
| Detection window | Often months between attack onset and identification, because the cost increase is typically attributed to organic growth |
| Connection to OTP bots | Shared Telegram-based infrastructure, shared operators, and identical OTP-generation mechanics |
| Primary fix | Strict per-account and per-IP rate limiting on OTP generation, country allow-lists for SMS delivery, and phishing-resistant MFA as the longer-term path |

What SMS pumping fraud actually is

SMS pumping is one of those attacks that becomes obvious in hindsight and almost invisible while it is happening, since the mechanics are straightforward but the financial damage flows through a part of the business that security teams rarely watch closely. The attacker exploits the fact that any platform offering SMS-based account verification, password reset, or two-factor authentication has built an automated system that will, on demand, generate and send a text message to any phone number a user submits. That system was designed for legitimate users who want to log in, but it does not actually verify that a login is intended, that an account exists, or that the phone number belongs to a real person who wants to receive anything. It simply takes a number, generates a code, and sends a message.

A visual representation of SMS pumping fraud. Source: Twilio.

What the attacker does is build an automated script that submits phone numbers to the victim platform’s signup or login flow at scale, triggering hundreds of thousands or millions of SMS sends to a carefully chosen set of phone numbers that the attacker controls or has access to revenue from. The platform’s CPaaS provider, which might be Twilio, Sinch, Vonage, MessageBird, or one of several other major vendors, dutifully sends each message and charges the platform a per-message fee that depends on the destination country. That fee can be as low as a fraction of a cent for messages to the United States or France, or as high as several cents for messages to certain markets in Asia, Africa, and the Middle East where SMS termination rates are structurally elevated.

The attack does not need to succeed at anything except generating message volume, since the platform pays for the message regardless of whether the recipient ever sees it, replies to it, or completes the login flow on the other side. The result is a steadily growing telecom invoice that finance teams typically interpret as either organic user growth or as an unexplained but minor accounting variance, until someone eventually looks closely enough at the country distribution of outgoing SMS traffic to notice that something is wrong.

The Communications Fraud Control Association has been tracking AIT and the closely related International Revenue Share Fraud (IRSF) as categories since the early 2020s, and their biennial Global Fraud Loss Survey has placed them among the fastest-growing categories of telecom abuse. The CFCA’s most recent figures put total global telecom fraud at $41.82 billion in 2025, up from $38.95 billion in 2023, with IRSF alone accounting for $6.23 billion of the 2023 total. Most individual SMS pumping losses are silent, since platforms generally do not disclose the attacks even when they identify them, and the public visibility of the category is driven largely by a few high-profile claims, including Musk’s 2022 statement and the cumulative figures published by CPaaS providers based on what their fraud-prevention tooling has blocked.

The rogue operator: where the money actually goes

The part of this attack that most coverage glosses over, and the part that makes it profitable rather than just expensive, is the role of the telecom operator on the receiving end of the SMS traffic.

Every cross-border SMS terminates on a specific mobile network operator that earns a fee for delivering the message, which is normally part of how the global SMS system pays for itself through interconnect agreements between carriers. In the SMS pumping case, the attacker has a commercial arrangement with a rogue or complicit operator in a market with weak telecom regulation, under which the operator shares a portion of the termination fee back to the attacker for every message delivered. The economics work the same way whether the arrangement is a formal revenue-share contract or an informal handshake:

  • The platform pays its CPaaS provider the normal per-message rate for traffic its own systems requested.
  • The CPaaS provider pays the terminating operator the standard interconnect fee for delivering the message.
  • The terminating operator kicks back a share to the fraud actor, who has no direct relationship with the victim platform at any point.

Every link in this chain except the last one is a normal commercial transaction, which is why the attack is so hard to stop at any single point and why no CPaaS-side defence has been able to eliminate the category. Twilio reports that its Verify Fraud Guard has blocked more than $62 million in customer losses and over 569 million suspected fraud attempts since launch, with Sinch, Plivo, and MessageBird publishing similar research, but the cat-and-mouse dynamic favours the attacker as long as a profitable terminating operator exists somewhere in the world.

The geographic concentration of the attack reflects this, with destinations across South and Southeast Asia, West Africa, and Central Asia named most frequently in industry research from Twilio, Sinch, and the GSMA Fraud and Security Group. The specific markets shift over time as particular operators are sanctioned or face commercial pressure from larger carriers, but the structural incentive does not change, and any platform reviewing its own SMS country distribution should focus less on the absolute geography and more on whether that distribution matches its actual user base.

How it connects to the OTP bot market

The Telegram-based criminal ecosystem we wrote about in our recent piece on the OTP bot market is the same ecosystem that runs much of the SMS pumping activity now visible in telecom fraud data, and the overlap is not coincidental. Both attacks require the ability to programmatically trigger OTP generation against a target platform at scale, which is the core operational primitive that OTP bot infrastructure was already built to provide. Once an operator has invested in the scripts, the proxy networks, and the platform-specific signup automation needed to run an OTP bot service, repurposing that same infrastructure to run SMS pumping is a straightforward extension that opens a second revenue stream without requiring any new technical capability.

What changes between the two attacks is purely the goal. In the account takeover use case, the attacker needs the OTP message to actually reach the legitimate target and be socially engineered out of them, so the destination phone number is the real victim and the success of the attack depends on the credibility of the social engineering script. In the SMS pumping use case, the attacker does not care whether the recipient ever sees the message, since the revenue is generated by the act of delivery itself, and the destination phone number is selected for its termination economics rather than because the attacker wants to compromise any specific account.

This is why the same JokerOTP, SMSRanger, and similar operations that law enforcement has profiled in connection with account takeover attacks have also been linked to SMS pumping activity in CPaaS provider research, and why disrupting one part of the ecosystem tends to provide some temporary relief on the other. The operators are not separate criminal organisations running separate businesses; they are the same people running an integrated portfolio of telecom-adjacent fraud, with the specific mix of attacks they run at any given moment depending on which markets are most exploitable that week.

Why this stays invisible for so long

The detection problem with SMS pumping is not really a technical one, since the traffic patterns that distinguish fraudulent OTP volume from legitimate growth are reasonably clear once anyone bothers to look at them. The actual problem is organisational, since the cost shows up in the wrong place to be caught quickly.

Telecom invoices typically arrive monthly, are reviewed by finance teams rather than security teams, and are usually evaluated against a budget that was set based on projected user growth. When the invoice comes in higher than expected, the default interpretation is that the platform’s growth has outpaced the budget, which is usually a good problem and not one that triggers urgent investigation. The finance team passes the variance through, the budget gets adjusted for the next quarter, and the attack continues unimpeded. The security team, meanwhile, sees nothing in its own dashboards, since the attack does not generate any successful logins, does not compromise any accounts, does not produce any alerts in the SIEM, and does not show up in any of the security metrics the team is paid to watch.

This organisational gap is why the attack has historically been measured in months between onset and identification, even at platforms with mature security operations. The Twitter / X disclosure that put a $60 million annual figure on the loss was made possible only because the new ownership and the resulting financial scrutiny forced an unusually detailed audit of the company’s telecom spend, and similar disclosures from other companies have almost all come during financial restructurings, acquisitions, or audits where someone with both telecom and security context happened to look closely at the SMS line items.

The implication for any platform sending SMS at material volume is that the question is not whether SMS pumping is happening, since at sufficient scale the answer is almost certainly yes to some degree, but how much of the current telecom spend is fraudulent and how that share is trending over time. Most platforms genuinely do not know the answer to that question, and discovering it requires a specific kind of cross-functional review that finance and security teams almost never run together.

How to detect SMS pumping in your own traffic

The detection signals that distinguish SMS pumping from organic OTP traffic are not subtle, but they require looking at the right data, which often lives with the CPaaS provider rather than inside the platform’s own systems.

The single most diagnostic signal is the country distribution of outgoing SMS traffic. Legitimate user bases produce SMS volume that broadly mirrors the platform’s user geography, with messages flowing to the same countries from which the platform sees its real product usage. SMS pumping produces traffic that flows to a small set of high-termination-rate countries that the platform’s actual user base barely touches. A US-focused fintech that suddenly sees a meaningful share of its SMS volume going to South or Southeast Asia, or a European e-commerce platform with growing SMS traffic to markets where it does not transact, is almost certainly being pumped, regardless of what the user signup numbers from those markets look like.

The second strong signal is the ratio of OTP messages sent to authentication events that actually complete. A platform with a healthy authentication funnel sees most of its OTP recipients enter the code and complete the login, since users requesting an OTP are by definition trying to log in. A platform being pumped sees a growing share of OTP messages that are never followed by a code entry, because no human is on the other end of the message to enter anything. This ratio degrades gradually as pumping volume grows, and an unexplained downward trend is usually the earliest internal signal that something is wrong before the telecom invoice arrives to confirm it.

The third signal is the phone number distribution itself. Legitimate user bases produce phone numbers with a recognisable shape, in which numbers are evenly distributed across the carrier ranges of the countries that match the platform’s geography, with most numbers having been in active use for years and many appearing in standard phone number reputation databases as known consumer lines. SMS pumping campaigns produce phone numbers that cluster heavily in narrow ranges associated with specific terminating operators, often with no presence in reputation databases and no signal of prior commercial activity, which makes them detectable in aggregate even when each individual number looks plausible in isolation.

Most CPaaS providers now offer some form of anomaly detection that watches these signals and surfaces suspected pumping to their customers, but the alerting is generally only as good as the customer’s willingness to act on it, and the providers themselves earn revenue from the messages they send, which creates a structural conflict that some customers have raised concerns about over the past few years. Building your own detection on top of the raw SMS traffic data, with thresholds calibrated to your specific geography and growth profile, generally produces better results than relying on provider-supplied alerts alone.
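The three signals described above, computed over a raw send log, as an added example that is not CybelAngel's or any CPaaS provider's code. The record fields, the thresholds, the placeholder country "ZZ" and the +999 number range are all assumptions constructed for illustration.

```python
from collections import Counter, defaultdict

# Illustrative thresholds (assumptions): calibrate to your own geography and growth.
MIN_SHARE = 0.05        # skip the geo check for countries under 5% of SMS volume
GEO_RATIO = 5.0         # SMS share more than 5x the country's share of real users
MIN_COMPLETION = 0.5    # fewer than half of OTPs followed by a code entry
MAX_BLOCK_SHARE = 0.5   # more than half of numbers inside one 10,000-number block
MIN_VOLUME = 10         # do not judge ratios on a handful of sends

# Assumed share of real product usage per country (hypothetical platform).
USER_GEO_SHARE = {"US": 0.97, "CA": 0.03}


def build_sample():
    """Constructed send log; 'ZZ' and the +999 range are placeholders, not real routes."""
    sends = []
    for i in range(80):   # home market: many number ranges, 9 in 10 codes entered
        to = f"+1{200 + i % 40}555{1000 + i * 37:04d}"
        sends.append({"to": to, "country": "US", "completed": i % 10 != 0})
    for i in range(20):   # one narrow range, no code ever entered
        sends.append({"to": f"+99955500{i:04d}", "country": "ZZ", "completed": False})
    # A single abandoned login from a real market must not trip the ratio checks.
    sends.append({"to": "+14165550123", "country": "CA", "completed": False})
    return sends


def assess(sends, user_geo_share):
    """Score each destination country on the three signals; two or more is suspect."""
    by_country = defaultdict(list)
    for s in sends:
        by_country[s["country"]].append(s)
    report = {}
    for country, rows in by_country.items():
        n = len(rows)
        sms_share = n / len(sends)
        expected = max(user_geo_share.get(country, 0.0), 0.001)
        completion = sum(r["completed"] for r in rows) / n
        # Numbers that share everything but the last four digits sit in one block.
        top_block = Counter(r["to"][:-4] for r in rows).most_common(1)[0][1] / n
        signals = []
        if sms_share >= MIN_SHARE and sms_share > GEO_RATIO * expected:
            signals.append("geo_mismatch")
        if n >= MIN_VOLUME and completion < MIN_COMPLETION:
            signals.append("low_completion")
        if n >= MIN_VOLUME and top_block > MAX_BLOCK_SHARE:
            signals.append("range_clustering")
        report[country] = {
            "sms_share": round(sms_share, 3),
            "completion": round(completion, 3),
            "top_block_share": round(top_block, 3),
            "signals": signals,
            "suspect": len(signals) >= 2,
        }
    return report


if __name__ == "__main__":
    for country, row in sorted(assess(build_sample(), USER_GEO_SHARE).items()):
        print(country, row)
```

Run on a daily or hourly window, the completion and block-share columns give a trend line that moves before the monthly invoice does.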

How to actually defend against it

The defensive playbook for SMS pumping has three layers, and most platforms have implemented none of them at the level required to actually stop the attack.

  • Rate limiting per account, per IP, per phone number, and per autonomous system. Most platforms operate with rate limits calibrated against accidental misuse rather than deliberate exploitation, which means they provide effectively no defence. Tighten the limits so a legitimate user never hits them but an automated script does.
  • Country filtering on SMS delivery. Any platform with a defined geographic market should refuse to send SMS to countries outside that market, or require manual review for first-time sends to unusual destinations. This single control would eliminate the majority of current SMS pumping losses, and the reason it is not implemented more widely is product reluctance to formally close geographies the platform might one day want to enter.
  • Phishing-resistant MFA as the long-term fix. Moving authentication to FIDO2 hardware keys or passkeys, as covered in the OTP bot market piece, removes the SMS channel entirely. A platform that does not send authentication codes by SMS cannot be pumped, and the SMS pumping cost is a direct line item that makes the case for migration unusually clear to finance leaders.
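A sketch of the first two layers as a single gate in front of the SMS send call, added here as an example and not taken from any vendor's product. The class name, the allowed prefixes and the limit values are hypothetical, and the in-memory store stands in for whatever shared store a real deployment would use.

```python
import time
from collections import defaultdict, deque

# Assumption: the platform's defined market. Prefix matching is coarse ("+1" covers
# the whole North American Numbering Plan); a phone-number parsing library gives
# the exact region and is the better choice in production.
ALLOWED_PREFIXES = ("+1", "+44")

# (max sends, window in seconds) per dimension; illustrative values only.
LIMITS = {
    "phone": (3, 600),
    "account": (5, 3600),
    "ip": (10, 3600),
    "asn": (200, 3600),
}


class OtpSendGate:
    """Decide whether an OTP SMS may be sent, before the CPaaS API is called."""

    def __init__(self, allowed_prefixes, limits, clock=time.monotonic):
        self.allowed = tuple(allowed_prefixes)
        self.limits = limits
        self.clock = clock
        self.events = defaultdict(deque)   # (dimension, value) -> send timestamps

    def check(self, phone, account, ip, asn):
        """Return (allowed, reason); the send is recorded only when allowed."""
        if not phone.startswith(self.allowed):
            return False, "country_not_allowed"
        now = self.clock()
        # Signup flows have no account yet, so None dimensions are skipped.
        keys = {"phone": phone, "account": account, "ip": ip, "asn": asn}
        keys = {dim: val for dim, val in keys.items() if val is not None}
        for dim, val in keys.items():
            limit, window = self.limits[dim]
            sent = self.events[(dim, val)]
            while sent and now - sent[0] >= window:   # drop expired timestamps
                sent.popleft()
            if len(sent) >= limit:
                return False, f"rate_limited:{dim}"
        for dim, val in keys.items():
            self.events[(dim, val)].append(now)
        return True, "ok"


if __name__ == "__main__":
    gate = OtpSendGate(ALLOWED_PREFIXES, LIMITS)
    # Constructed traffic: one source IP cycling through fresh numbers.
    for i in range(12):
        print(i, gate.check(f"+1202555{1000 + i}", None, "203.0.113.9", 64501))
```

The per-IP and per-ASN limits are what catch a script that never reuses a phone number, which the per-phone limit alone would miss.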

Until these controls are fully deployed, dark web and Telegram monitoring of the operator ecosystem provides early warning that a platform has been added to attacker targeting lists, often days or weeks before any visible attack volume appears on the SMS invoice. This is the same monitoring discipline that produces early warning for OTP bot account takeover attacks, since the operator infrastructure is shared.

How CybelAngel helps

CybelAngel’s Dark Web Monitoring and Cyber Threat Intelligence modules continuously surveil the Telegram channels, criminal forums, and underground marketplaces where the same operators who run OTP bot account takeover services advertise SMS pumping infrastructure and recruit customers. The intelligence flow is the same one that informs our OTP bot detection work, and clients with both products typically see SMS pumping targeting signal alongside account takeover signal in their daily alert flow.

For organisations operating SMS-based authentication at material scale, our REACT team can run a dedicated assessment of operator chatter mentioning your platform, your brand, or the authentication endpoints that pumping campaigns typically target, and can provide ongoing monitoring tuned to the specific markets where you operate.


FAQ

SMS pumping fraud is a category of telecom abuse in which attackers trigger massive volumes of fake one-time password requests against a platform’s authentication system, forcing the platform to pay for SMS messages that serve no legitimate purpose. The attacker shares revenue with a rogue or complicit mobile network operator that receives the messages, and the attack is profitable regardless of whether any individual login attempt ever succeeds, since the value is generated by the act of message delivery rather than by any subsequent account compromise.

OTP bot account takeover targets specific user accounts, requires the attacker to intercept and use the one-time password to complete a login, and generates value through stolen funds or account access. SMS pumping targets the platform itself rather than its users, generates value through telecom revenue share rather than through account access, and does not require any individual attack to succeed at anything other than generating SMS volume. Both attacks rely on the same Telegram-based infrastructure and are often run by the same operators in parallel.

The most widely cited figure is Elon Musk’s December 2022 claim that Twitter was losing approximately $60 million per year to the attack, though Twitter as a company never formally confirmed it. The Communications Fraud Control Association puts global telecom fraud at $41.82 billion in 2025, with International Revenue Share Fraud (the closely related and structurally identical category) accounting for $6.23 billion of that figure in 2023. Twilio reports that its Verify Fraud Guard product has blocked more than $62 million in customer losses to SMS pumping specifically since launching the tool in 2022, which gives some sense of the scale of attempted attacks at one CPaaS provider alone. Any platform sending SMS at material volume without aggressive rate limiting and country filtering is almost certainly losing some amount to pumping, with the share of total telecom spend that is fraudulent typically ranging from a few percent for platforms with good controls to double-digit percentages for platforms with no defences in place.

The destinations shift over time as specific operators are sanctioned or self-regulate, but industry research published by Twilio, Sinch, and the GSMA Fraud and Security Group consistently names markets across South and Southeast Asia, West Africa, and Central Asia, where SMS termination rates are structurally elevated and regulatory enforcement is uneven. Any platform seeing meaningful SMS volume to countries outside its actual user geography should treat that volume as suspect until proven otherwise.

The most diagnostic signal is the country distribution of outgoing SMS traffic, since pumping concentrates volume in a small set of high-termination-rate countries that the platform’s real user base does not match. Other strong signals include a declining ratio of OTP messages sent to authentication events that actually complete, and an unusual phone number distribution in which generated numbers cluster heavily in narrow ranges associated with specific terminating operators rather than reflecting the natural shape of a real user base. Most CPaaS providers offer some level of anomaly detection that watches these signals, but building your own detection on top of the raw traffic data generally produces better results than relying on provider alerts alone.

The Telegram-based criminal ecosystem that operates OTP bot account takeover services largely overlaps with the operators running SMS pumping campaigns, since both attacks require the ability to programmatically trigger OTP generation against a target platform at scale. Once an operator has built the scripts, proxy networks, and platform-specific signup automation needed for OTP bots, extending that infrastructure to run SMS pumping is a straightforward additional revenue stream that requires no new technical capability. JokerOTP, SMSRanger, and similar named operations have all been linked to both attack categories in security research published over the past three years.

The categorical solution is to move authentication away from SMS entirely, toward phishing-resistant alternatives such as FIDO2 hardware security keys and passkeys, since a platform that does not send SMS for authentication cannot be pumped. For platforms that need to continue using SMS in the short term, aggressive rate limiting and country filtering can eliminate the majority of current losses, and dark web monitoring provides early warning of operator targeting before pumping volume appears in the telecom invoice. No single control short of removing SMS from the authentication flow can fully eliminate the attack while the underlying telecom economics remain unchanged.
