Analysis of Phone and Electricity Recharge Money‑Laundering Schemes in Illicit Apps
The article investigates how certain illicit mobile applications use phone‑bill and electricity‑bill recharge interfaces to launder money, describing the hidden industry chain, the roles of unsuspecting users, the various payment methods involved, and the challenges of tracing the illicit funds.
Recently, while browsing forums, the author noticed a post about whether recharging VIP status in a certain app truly grants VIP privileges. The investigation revealed that many recharge interfaces in questionable apps are actually for phone‑bill or electricity‑bill top‑ups, and only larger amounts are processed through various collection codes.
During previous malware analyses, the author also encountered many adult‑content apps that used integrated payment interfaces for illicit transactions. These recharge methods—phone and electricity top‑ups—appear novel, prompting a deeper look into their workflow.
The author initiated payment requests within the app to see who received the electricity or phone‑bill payments. Each transaction targeted a different recipient, leading to the discovery that the recharges are not made through official channels but via small online shops, public accounts, or direct agents who act as intermediaries. These intermediaries cannot deliver funds instantly; the waiting time varies.
Industry Chain Process
The entire chain involves an unsuspecting user A and a user B who uses the illicit app. Money that would normally go directly to a criminal group is first funneled through user A, making the flow extremely covert and difficult to trace.
Textual Interpretation
User A discovers discounted recharge channels for phone or electricity bills through advertisements, unaware of any connection to illicit activities, and proceeds to recharge, awaiting the funds to arrive.
During the waiting period, the money passes through many intermediaries before finally reaching a criminal account. The chain often has multiple layers: the merchant; its upstream supplier (often called a “platform”), which packages the service and hands it to a channel provider; and the channel provider, which cracks the recharge interface and supplies the cracked recharge link to illicit projects.
User B downloads the suspicious app via an advertisement link, is guided to purchase a membership or virtual items, and often encounters gambling pages where the purchased items can be used directly.
After being guided, User B pays through phone‑bill, electricity‑bill, or transfer interfaces, effectively sending the membership or item fees to a legitimate‑looking User A. Once the recharge succeeds, the money is recorded under a matching A‑user account.
Types of Money Laundering
Electricity Recharge: Typically involves larger amounts (200 CNY and above). The recharge requires only the electricity account number and user name, and the funds are eventually transferred to a criminal account.
Phone Recharge: The most common method, with flexible limits ranging from small amounts (30‑50 CNY) to large sums (400‑500 CNY). Due to its ease of success, it handles the largest volume of laundered money.
Alipay QR Code Transfer
Alipay transfers involve personal collection codes and merchant product codes. Victims simply scan the QR code and enter the recipient’s name, often resulting in “run‑off” (money‑laundering) QR codes.
WeChat Red Packet Transfer
After adding a contact via QR code, users are prompted to send a red packet corresponding to an order verification code. These transactions often involve unverified corporate users, making it hard to determine whether the recipient is a criminal group or another interested party.
The author also notes that many victims receive multiple Alipay collection codes (both merchant and personal), increasing the number of money‑hand‑offs and further obscuring the laundering trail.
Is It a Real Discount or Money Laundering?
Various online posts have exposed this laundering method, where gambling sites offer “phone‑bill top‑up” to convert money into game chips. This is similar to “run‑off” (money‑laundering) where funds are transferred through numerous small shop or personal QR codes.
The author’s analysis shows that the recharge process matches amounts and types to pending user accounts, then credits the money to a legitimate‑looking user, effectively cleaning the illicit proceeds.
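A defender-side check for the pattern described above, as an added example that is not part of the original article: because each in-app payment was matched to a different recipient's pending order, one payer ends up recharging several unrelated phone or electricity accounts in a short time. The record layout, the 24-hour window and the three-account threshold are assumptions, and the sample orders are constructed; only the amount bands come from the article.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample orders: (payer, bill type, recharged account, CNY, time).
ORDERS = [
    ("payer_B", "phone", "phone_A1", 50, "2024-01-05 20:01"),
    ("payer_B", "phone", "phone_A2", 400, "2024-01-05 20:15"),
    ("payer_B", "electricity", "elec_7731", 200, "2024-01-05 21:02"),
    ("payer_N", "phone", "phone_N1", 100, "2024-01-05 09:00"),
    ("payer_N", "phone", "phone_N2", 50, "2024-01-05 09:05"),
    ("payer_N", "phone", "phone_N1", 100, "2024-01-06 08:00"),
    ("payer_S", "phone", "phone_S1", 50, "2024-01-01 10:00"),
    ("payer_S", "phone", "phone_S2", 50, "2024-01-10 10:00"),
    ("payer_S", "electricity", "elec_S3", 300, "2024-01-20 10:00"),
]

def in_reported_band(kind, amount):
    """Amount bands taken from the article: electricity 200+, phone 30-500 CNY."""
    if kind == "electricity":
        return amount >= 200
    return kind == "phone" and 30 <= amount <= 500

def flag_fanout_payers(orders, window=timedelta(hours=24), min_accounts=3):
    """Map each payer who recharged >= min_accounts distinct bill accounts
    inside one sliding window to the accounts involved (thresholds assumed)."""
    by_payer = defaultdict(list)
    for payer, kind, account, amount, ts in orders:
        if in_reported_band(kind, amount):
            when = datetime.strptime(ts, "%Y-%m-%d %H:%M")
            by_payer[payer].append((when, account))
    flagged = {}
    for payer, events in by_payer.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Shrink the window until it spans at most `window` of time.
            while events[end][0] - events[start][0] > window:
                start += 1
            accounts = {acct for _, acct in events[start:end + 1]}
            if len(accounts) >= min_accounts:
                flagged[payer] = sorted(accounts)
                break
    return flagged

if __name__ == "__main__":
    for payer, accounts in flag_fanout_payers(ORDERS).items():
        print(payer, "->", accounts)
```

A flagged payer is more likely a User B than an operator, so a hit is a lead for reviewing the merchants and collection codes behind those orders rather than a verdict on the payer.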
Simple Server Tracing
Sample API endpoints from the malicious video platform and third‑party live‑stream platform are listed, illustrating how the backend can be examined for further forensic work.
Conclusion
Illicit “gray‑market” operations remain a persistent threat to cyber security. Money‑laundering techniques have evolved from manual cash withdrawals to sophisticated recharge and QR‑code schemes, making detection and attribution increasingly difficult. While it is hard to force criminals to change, raising awareness of these hidden mechanisms can help potential victims avoid becoming unwitting participants.
Readers are encouraged to install the national anti‑fraud app for protection.