Wrong number texts — a brilliant yet simple attack vector

Ben Rothke
Jul 20, 2023

In the world of information security, there are many cutting-edge attacks. One example comes out of Israel, where researchers from Ben-Gurion University and the Weizmann Institute created a technique for long-distance eavesdropping they call lamphone.

The lamphone attack allows anyone with a laptop, telescope, and a $400 electro-optical sensor to listen in on any sounds in a room that’s hundreds of feet away in real time by merely observing the minuscule vibrations those sounds create on the glass surface of a light bulb inside.

By measuring the tiny changes in light output from the bulb that those vibrations cause, the researchers showed that a spy could pick up sound clearly enough to discern the contents of conversations or even recognize a piece of music. This is straight out of Tom Clancy.

On the opposite end are the low-tech attacks such as iTunes gift card scams and wrong number texts. Max Read has a detailed analysis of those weird wrong-number texts. Rather than being a random wrong number, they are part of sophisticated international scam networks.

These start as an innocuous text message, often with romantic overtones. The scammer aims to get you to invest in their cryptocurrency platform and will provide you with a front end to track your investments. These front-end consoles look the same as those from JPMorgan Chase & Fidelity. The difference is that the scammer’s platform is all smoke and mirrors.

They constantly make it seem like your investment is significantly increasing, so you will dump more money into it. But when the time comes to withdraw your money, you will find you can’t even get a single satoshi. Their platform is nothing but window dressing, and your money was never invested; instead, the scammers absconded with it.

So what should you do if you get one of these texts? Delete it. If you want, you can engage with them to understand their modus operandi. But it will take much patience, as they work very, very slowly to gain your trust. Once they do that, they will start by…




I work in information security at Tapad, write book reviews for the RSA blog, and am a founding member of the Cloud Security Alliance and Cybersecurity Canon.