Chinese international students in the United Kingdom have been targeted by Chinese-speaking scammers for over a year as part of a scheme dubbed RedZei (aka RedThief).
In a blog post published last week, Will Thomas (@BushidoToken), a cybersecurity researcher, stated, “The RedZei fraudsters have chosen their targets carefully, researched them, and realized it was a rich victim pool ripe for exploitation.”
To defeat the measures users take to block scam calls, the threat actors use a new pay-as-you-go U.K. phone number for each wave, which renders phone number-based blocking ineffective.
Thomas, highlighting the scammers’ meticulous tradecraft, stated that the threat actor alternates between SIMs from multiple mobile carriers, including Three, O2, EE, Tesco Mobile, and Telia.
The lucrative RedZei campaign may have begun as early as August 2019, according to a report from The Guardian about a visa scam that duped Chinese students into paying enormous sums of money to avoid deportation.
| Country Code | Phone Number | Carrier | Call Date | Call Time (UK) | Voicemail Theme |
|---|---|---|---|---|---|
| UK | +44 7737 359848 | Three | 29-Dec-22 | 12:43 | Bank of China |
| UK | +44 7521 967428 | O2 | 16-Dec-22 | 12:52 | ? |
| UK | +44 7415 787846 | EE | 30-Nov-22 | 11:55 | |
| UK | +44 7523 322875 | O2 | 28-Nov-22 | 18:35 | DHL parcel |
| UK | +44 7419 756102 | EE | 28-Nov-22 | 15:38 | ? |
| UK | +44 7575 186994 | Three | 31-Oct-22 | 15:21 | CMLink |
| UK | +44 7497 580997 | EE | 30-Oct-22 | 12:45 | CMLink |
| UK | +44 7544 631585 | O2 | 29-Oct-22 | 13:05 | CMLink |
| UK | +44 70 3401 7692 | ? | 09-Jun-22 | 12:57 | NHS number |
| Ireland | +353 (89) 499 6551 | Tesco Mobile | 27-Apr-22 | 13:59 | ? |
| UK | +44 7927 345761 | O2 | 26-Apr-22 | 12:42 | |
| Norway | +47 473 22 658 | Telia | 22-Feb-22 | 11:19 | |
| UK | +44 7752 209561 | O2 | 27-Nov-21 | 13:14 | |
| UK | +44 7601 619184 | ? | 17-Jul-21 | 10:32 | |
| UK | +44 7975 868059 | EE | 18-May-21 | 11:49 | |
The method of operation entails calling potential targets once or twice a month from a unique U.K. phone number and leaving an “unusual” automated voicemail message if the calls go unanswered.
The voicemails impersonate the Bank of China, China Mobile, and the Chinese embassy to manipulate the students into divulging their personal information.
“Other themes exploited by RedZei include ‘abnormal usage of your NHS number’ and international parcels being delivered by DHL,” Thomas noted, adding that both are common concerns among Chinese students studying in the UK.