Decoding China’s Global Cyber-Financial Warfare: Loan App Scams, Data Theft & Economic Sabotage | Exclusive

The ED, Kochi Zonal Office recently arrested two men — Sayid Muhammad and Varghese TG — in connection with a fake Chinese loan app scam. The accused had arranged at least 500 mule bank accounts, witnessing a total credit of Rs 719 crore, used in the process of acquisition of Proceeds of Crime (POC) generated from victims of the loan app scam. The accused duo had also arranged 26 cryptocurrency accounts on WazirX, a crypto trading platform, linked to those mule bank accounts. The ED, in its investigation, has revealed that the accused were involved in facilitating cross-border remittances in the form of cryptocurrencies of Rs 115.67 crore to crypto wallets based overseas.

According to sources, these apps trap people in three steps. “Data harvesting, extortion and money laundering via cryptocurrency. The apps work around these core areas," said sources.

Sources said the role of Chinese Communist Party (CCP), United Front Work Department (UFWD), Chinese military People’s Liberation Army’s (PLA) cyber units and the Ministry of State Security (MSS) is clear in these scams.

The global losses are estimated at over $3 billion (Rs 25,000+ crore) since 2020.

STATE’s BACKING: UFWD, SSF & MSS

Sources say the CCP, through the UFWD, tasks groups to infiltrate foreign economies via “private" firms. Examples of the link include Mpurse (India) and Xiamen Zhiyuan (Philippines) which were tied to the UFWD-linked Hong Kong shell companies.

The PLA’s Strategic Support Force (SSF), its cyber division, is linked to loan app server farms in Guangdong, said sources. An example being how the Nigerian EFCC found PLA-linked IPs in EasyCash servers.

Their MSS also plays a key role in these scams aimed at destabilising economies, say sources. The role of operatives such as Jianming Zhu (Hong Kong) and Hong Gaosheng (fugitive) have proved it, they added.

CHINA’S LOAN APP SCAMS WORLDWIDE

INDIA (2020-2024)

Apps: My Cash, M Rupee, Cashbean 300+ apps, 50M+ downloads

Money Laundering: Rs 141 crore via WazirX to OKX (Malta) and China.

Method: Blackmail morphed photos sent to contacts. There have been at least 12 deaths by suicide in Telangana and Karnataka.

CCP Link: Mpurse Services (Jianming Zhu) tied to HK shell firms

NIGERIA (2021-2023)

Apps: EasyCash, Sokoloan (banned by Google)

Losses: $500 million+ stolen

Debt bondage: 400% interest rates

Data sold to Chinese firms (confirmed by Nigerian EFCC).

CCP Link: Operatives found to be attached to Guangzhou cybercrime rings.

PHILIPPINES (2022-2024)

Apps: PesoQ, CashLending (100+ apps)

Losses: ₱10 Billion (Rs 1,500 crore)

Method: AI voice scams, fake calls threatening arrest. Funds routed via Binance PH to China

CCP Link: Xiamen Zhiyuan Tech (blacklisted by Bangko Sentral)

VIETNAM (2023)

Apps: VayNhanh, MoneyCat (50+ apps)

Losses: ₫2 Trillion (Rs 700 crore)

Method: SIM swap frauds to hijack bank accounts. Money moved via Tether (USDT) to Huobi (China)

CCP Link: Hainan-based fintech firms under MSS radar

KENYA (2022-2023)

Apps: Okash, KashKash (banned by CBK)

Losses: KSh 20B Rs 1,200 crore

Method: Fake CRB threats and credit score blackmail. Crypto exits via Binance moved to Kunlun Tech (Beijing).

CCP Link: Chinese “tourists" arrested in Nairobi running call centers.

THE CHINESE PLAYBOOK: COMMON TACTICS

Here’s a look at how they execute the scams:

PHASE 1: INFILTRATION

This step involves registration of shell companies such as Truekindle in India, and SokoLending in Nigeria. For this, they may also bribe local officials, as has been seen in Kenya and Philippines.

PHASE 2: DATA HARVESTING

They steal contacts, photos and location, which is then used for blackmail. The data is then sold to Chinese surveillance firms such as Zhenhua Data.

PHASE 3: MONEY LAUNDERING

This involves the transfer of money from Crypto USDT to Binance/OKX to China. Further, the money travels through the hawala network in Dubai or middlemen in Nepal.

PHASE 4: DISAPPEAR

Once the transfer is completed, the servers are burnt and the operatives flee via Nepal or Myanmar. Later, they reappear under new names such as Cash rebranded as QuickRupee.