Cybercriminal groups have shifted their focus to customers of brokerage services, using the same sophisticated phishing kits previously used to convert stolen card data into mobile wallets, in a scheme known as 'ramp and dump'. The tactic leverages compromised user credentials to manipulate foreign stock prices while circumventing traditional security controls: the phishers use multiple compromised brokerage accounts in unison to artificially drive up share prices, without any external promotion of the stock.

What Happened

The so-called 'ramp and dump' scheme borrows its name from the age-old "pump and dump" scam, in which fraudsters buy a large number of shares in some penny stock and then promote the company in a frenzied social media blitz to build up interest from other investors. Once the price of the penny stock has risen enough, the fraudsters dump their shares, causing a sharp drop in the value of the shares held by legitimate investors.

With ramp and dump, the scammers do not need to gin up interest in the targeted stock on social media. Instead, they preposition themselves in the stock they wish to inflate, use compromised accounts to purchase large volumes of it, and then dump their own shares once the stock price reaches a certain value.

In February 2025, the FBI said it was seeking information from victims of this scheme. The Financial Industry Regulatory Authority (FINRA) has issued advisories noting that the manipulation is driven by trading the attackers themselves control: the resulting share-price collapse looks like a traditional pump and dump, but it is produced entirely by trading activity within the compromised accounts rather than by outside promotion.

Background and Context

Ford Merrill, a security researcher at SecAlliance, has tracked recent ramp-and-dump activity to a bustling Chinese-language community that is quite openly selling advanced mobile phishing kits on Telegram. These kits, refined over the past three years, enable attackers to preposition themselves in low-liquidity stocks, such as Chinese initial public offerings (IPOs) or penny stocks.

The phishers use compromised accounts to purchase large volumes of the targeted stock and then dump their shares after the stock price reaches a certain value. The method exploits weaknesses in brokerage multi-factor authentication (MFA), particularly schemes that rely on phishable one-time passcodes (OTPs) delivered via SMS or automated phone calls.

Platforms like Schwab and Fidelity offer OTP options that can be intercepted during phishing attacks, in which victims are lured via spoofed messages claiming their account has been suspended and are prompted to enter their credentials and verification codes. Even app-based push notifications remain susceptible: an attacker who initiates a login with the stolen credentials triggers a push prompt on the victim's device, and the victim may simply tap to approve it.

Why it Matters

The ramp-and-dump scheme is a significant concern for the brokerage industry, as it highlights the evolving tactics of cybercriminals. The combination of compromised brokerage accounts and phishable MFA demonstrates the need for robust security measures to protect against these types of attacks.

The fact that these phishing kits are sold openly on Telegram underscores the sophistication and organization of the groups behind them. This level of coordination and resources is a clear indication that these groups are not individual hackers but well-funded, structured operations.

What Comes Next

Merrill notes that the rapid pace of innovation from these China-based phishing vendors is due in part to their use of artificial intelligence and large language models to help develop the mobile phishing kits. This trend is likely to continue, with these groups integrating LLMs into their development cycle to shorten it further.

The technologies they are building have lowered the barrier to entry, making it easier for new actors to join the scene. This has significant implications for the industry, as even smaller-scale operations can now access sophisticated tools and techniques that were previously available only to larger groups.

Key Facts

  • Cybercriminal groups have shifted their focus to targeting customers of brokerage services using sophisticated phishing kits.
  • The 'ramp and dump' scheme leverages compromised user credentials to manipulate foreign stock prices, circumventing traditional security controls.
  • Platforms like Schwab and Fidelity offer OTP options that can be intercepted during phishing attacks.
  • The phishers use multiple compromised brokerage accounts in unison to artificially drive up share prices without external promotion.
  • The Financial Industry Regulatory Authority (FINRA) has issued advisories highlighting how this manipulation stems from controlled trading by malicious actors.