BANGKOK/TORONTO — When Thai police pulled over a white Suzuki moving through Bangkok’s busiest shopping districts last August, the officers trailing it were already receiving the proof on their own phones — fake banking alerts, broadcast live by the hardware in the trunk of the car ahead of them.

What they found inside looked nothing like the tools of a street-level fraudster. A bank of circuit boards glowing under green indicator LEDs, dense wiring harnesses, red-flagged signal modules, a false base station, a router, a power unit, a shark-fin antenna bolted to the roof — technology more consistent with a foreign intelligence signals unit than a phone scamming operation.

The two men arrested, aged 23 and 25, were not its architects. They were low-level mules. One admitted to being paid roughly $100 a day to run two shifts through the city, blasting as many as 10,000 phishing messages to every mobile device within range. He had been recruited by a Cambodian acquaintance, trained remotely by a boss who shipped the equipment from China. He had never met the Chinese man running the operation.

That model — military-grade mobile hardware, disposable local operators, remote Chinese command — has now evidently arrived in North America.

In what Toronto Police are calling the first investigation of its kind in Canada, three young men bearing mainland Chinese names — all in their 20s — have been charged with 44 offences after a mobile SMS blaster was detected by Canadian national cybersecurity investigators in downtown Toronto in November 2025 and tracked moving across the Greater Toronto Area for months.

By the time search warrants were executed at residences in Markham and Hamilton in late March, investigators had recorded more than 13 million network disruptions — moments when devices were cut off from legitimate cellular networks and, in some cases, from emergency services. Two of the three accused face charges of mischief endangering life.

The scale dwarfs anything previously documented in the global case record analyzed by The Bureau. But to senior American officials who have spent years tracking Chinese transnational crime, the emergence of Toronto as a node for cybercrime deploying state-level technology would fit the logic of a city some have described as a command and control center for fentanyl money laundering across North America.

The Toronto arrests fit a pattern that has unfolded across at least a dozen jurisdictions in the past 18 months, from Bangkok to Belgrade, from Jakarta to the London Underground.

In every substantiated case, the operational signature is nearly identical. Vehicles carry concealed false base stations. Low-level operators — Thai nationals, Chinese students, local hires — drive pre-assigned routes through dense urban areas, broadcasting smishing messages that impersonate banks, government agencies, couriers, and telecom providers. Victims who click are directed to fake websites engineered to harvest banking credentials and one-time passcodes. Accounts, police have said in multiple cases, are drained within minutes.

In Bangkok in August 2025, police investigated two simultaneous vehicle-based operations within weeks of each other, both linked to unnamed Chinese handlers who communicated via Telegram and paid operators daily fees equivalent to between $100 and $153.

In Jakarta in March 2025, Indonesian police arrested two Chinese nationals operating false base transceiver stations to impersonate banks, while publicly stating that the mastermind remained at large and had been placed on a wanted list.

In Athens in early 2025, two Chinese nationals were arrested after police found an SMS blaster and related equipment in a car. In Serbia in December 2025, two Chinese nationals were arrested on allegations they belonged to a gang operating across several European countries.

On the London Underground, the crime group head was publicly named: Zhijia Fan, 48, who directed operations that concealed blasting devices inside luggage as suspects rode commuter rail through the city.

In every case, upstream command — the Chinese boss who ships the equipment, sets the routes, collects the data — remains unnamed, uncharged, and beyond reach.

The Cambodia thread has its own logic.

A Thai police statement records the 25-year-old Bangkok suspect describing recruitment through a Cambodian contact and remote training by a Chinese boss who shipped the hardware from abroad — a supply chain that points directly toward an infrastructure Western governments and investigative journalists have spent years documenting: the scam compound ecosystem of Cambodia’s special economic zones, anchored by networks linked to the Prince Group and associated operations in Sihanoukville.

Those compounds, run by Chinese criminal syndicates with reported ties to Chinese Communist Party-adjacent political protection, function as franchise hubs: centralized technical capacity, remote management, disposable local labor. Separate US government proceedings have identified senior figures within that ecosystem as holding both organized crime affiliations and connections to Chinese state-linked entities. The SMS blaster model fits that logic exactly — standardized equipment, leadership and infrastructure inside China, outsourced risk.

Thai police records reviewed by The Bureau offer the most granular account yet of how that supply chain actually functions.

Mr. Noparat, 25, one of the two men arrested in the August Suzuki case, told investigators he was first approached in February 2025 by a Cambodian national — a waiter at a Khao San Road bar — who recruited him to drive for his Chinese boss and the boss’s girlfriend.

A package subsequently arrived from China, described as containing a spare battery. Inside were a false base station transmitter, a Wi-Fi router, an antenna, and a power plug, along with 2,000 baht as a deposit and remote SMS instructions on how to install and operate the device. Noparat ran his first shifts from his ex-girlfriend’s car at 3,300 baht a day; when the Chinese boss later covered the cost of a rental car, the daily rate was adjusted down to 1,350 baht. The equipment, the routes, the payment structure — all of it managed remotely, by a man he never met.

Toronto Police, in their April announcement of Project Lighthouse, did not address the nationality of the three accused, did not identify any upstream handler or financier, and declined to show the public what they had actually seized. At a news conference, Detective Sergeant Lindsay Riddell displayed an image of an SMS blaster recovered in a United Kingdom case — not Toronto’s. “The ones we seized in Toronto were uniquely built and we’re not sharing those publicly for safety reasons,” she said. The Royal Canadian Mounted Police’s National Cybercrime Coordination Centre participated in the investigation; what it has found has not been disclosed.

The three men charged — Dafeng Lin, 27, of Hamilton; Junmin Shi, 25, of Markham; and Weitong Hu, 21, of Markham — face a combined 44 counts including fraud, identity offences, unauthorized interception of private communications, and, in the cases of Lin and Shi, mischief endangering life. Police allege the devices were operated from vehicles moving across the region, reaching tens of thousands of mobile devices. During those disruptions, Riddell said at the news conference, access to 911 could be impacted.

What Canadian authorities have not yet said publicly is the question the global pattern makes unavoidable: who sent the equipment, who designed the routes, and who collected what was stolen.

The answer, if the pattern holds, may lie in a broader architecture that American investigators have already spent years mapping.

David Asher, a former senior official in the first Trump administration who has studied Chinese criminal networks extensively, has described Toronto as a command and control center for Chinese transnational money laundering across the Western Hemisphere — a hub where financial flows, criminal infrastructure, and diaspora networks converge.

Drug Enforcement Administration investigators recognized Toronto’s centrality during the TD Bank money laundering investigation, which culminated in October 2024 when TD Bank agreed to pay more than US$3 billion in penalties to American regulators, including the Financial Crimes Enforcement Network and the Department of Justice, for failing to maintain adequate anti-money laundering safeguards and allowing criminals to launder hundreds of millions of dollars.

“In almost all the investigations as far as money laundering, we’d seize their phones, and see Canada light up like a Christmas tree,” Asher said in a previous interview with The Bureau.

Asher has described a recruitment architecture that maps with striking precision onto the SMS blaster model now documented in Toronto. Chinese international students, he has said, are systematically tasked — within networks operating under Beijing’s foreign influence apparatus, including the United Front Work Department — to serve as financial mules, depositing fentanyl cash for Triads and Mexican cartels into North American banks.

Investigators, Asher has said, believe financial institutions have been allowing individuals from China on student visas to move billions of dollars a month through major American banks. The Toronto SMS blaster case has not been publicly linked to those networks, and Toronto Police have made no such assertion.

But the pattern — young Chinese men in their 20s, operating sophisticated equipment they did not build, recruited into a structure whose upper tiers remain invisible — is one that Asher and the investigators he has worked with have seen before.