An international university student says he didn’t really understand what he had gotten himself into last July when a stranger on WeChat offered him several thousand dollars to drive around Auckland 10 hours a day with a mysterious electronic device hooked up to his car battery.
It turned out that Chenwei Zhang, 20, was unwittingly earning himself the dubious distinction of being responsible for New Zealand’s first-ever “SMS blaster” smishing attack.
The scam - already a problem in other parts of the world, including Asia, the United States and Australia - relies on technology that mimics cell towers, allowing for a more sophisticated ruse while sending out fake bank texts.
In this case, the texts claimed to be from ANZ and ASB banks, telling recipients that their accounts had been compromised and providing a link to illegal data collection websites closely mimicking the banks.
The device was able to “effectively hijack” nearby phones for just long enough to send the texts, via the same numbers normally used by the banks.
“It is insidious offending,” Judge Kirsten Lummis told Zhang last week as he appeared in Auckland District Court for sentencing, explaining that the scam “has the potential to impact large numbers of people”.
This SMS Blaster was seized by police in an August 2024 raid on an Auckland teen's vehicle. Photo / NZ Police
In a statement after the then-teenager’s arrest one year ago, Detective Superintendent Greg Williams - the director of the Police National Organised Crime Group - said if not for the quick response and co-operation of multiple agencies, the financial losses could have been large-scale.
“The device in question is believed to have sent thousands of scam text messages, including around 700 in one night,” he explained.
Zhang was initially charged with recklessly interfering with the NZ telecommunications network, an offence that carries a maximum sentence of seven years’ imprisonment.
However, he pleaded guilty earlier this year when the charge was reduced to illegally accessing a computer system, punishable by up to two years.
The device sent messages on numbers identical to those used by local banks. The messages, however, directed victims to a data theft website. Photo / Police
The defendant said he was befriended on WeChat in April last year by a stranger, believed to be from China, who offered to pay him US$400 ($665) per day to drive around for 10 hours at a time with a machine that would be sent to him.
“The defendant asked where he would be driving,” authorities explained in the agreed summary of facts for Zhang’s case.
“The UKP [unknown person] said anywhere with crowds of people. The UKP warned the defendant what he was requesting may be in breach of the local law.
“Regardless, the defendant provided his phone number for further contact.”
About two months later, he received a courier parcel with the device and was instructed on how to activate and install it in the boot of his 2006 Toyota Auris.
Authorities first caught on to the unusual activity on July 27 last year, detecting the signal in Wellsford, North Auckland, before it travelled into Auckland’s city centre and on to Hamilton and then turned back.
It then went inactive, starting back up the following weekend on a route from Albany to Manukau, and a final time in Albany on August 6.
Auckland District Court Judge Kirsten Lummis. Photo / Alex Burton
Police executed a search warrant at Zhang’s home two-and-a-half weeks later, after tracking the signal to his vehicle. He admitted his involvement, explaining he had been paid in cryptocurrency worth roughly $3300 in NZ dollars.
During last week’s sentencing, Judge Lummis pointed out there were no other NZ cases to compare Zhang’s crime to, although she did find a case out of the United Kingdom in which a Chinese student was sentenced to over a year in prison for driving around London with such a device for five days.
“I see your actions as something akin to a drug courier, knowing you are doing something illegal but not really understanding the full extent of it - being a small cog in part of a much bigger wheel,” she said.
“The aspect of deterrence is in the forefront of my mind during this sentencing exercise. I am told these machines can be easily purchased off the internet, and nearly everyone carries a mobile phone which links to considerable amounts of personal data. However, I am also mindful that the reality of this situation is that there was no actual loss.”
A search of Chenwei Zhang's car showed an SMS blaster to have operated out of the vehicle's boot, with the power supplied by the car battery. Photo / Police
While there were attempts to access accounts with the stolen data, none of the attempts were able to outwit the two-factor authentication process.
The judge also noted “considerable mitigating factors” including his guilty plea, his youth and an assessment suggesting his risk of reoffending is low.
“I understand you were driven to this offending because you were struggling financially and did not want to be reliant on your parents,” she said.
The judge settled on a sentence of 100 hours’ community work, noting that Zhang’s compromised immigration status as a result of the conviction will serve as a penalty in itself.
Court documents show Zhang moved to NZ six years ago on a student visa. That visa was set to expire in January.
Craig Kapitan is an Auckland-based journalist covering courts and justice. He joined the Herald in 2021 and has reported on courts since 2002 in three newsrooms in the US and New Zealand.