Early last year, Grant Smith received an alarmed message from his wife. She had gotten a text notification about a delayed package, clicked the link, and paid a fee. Then she realized that it was not, in fact, the United States Postal Service asking for her credit-card information—that she had no idea who had just collected her payment info. She quickly canceled the card.
The Smiths had been smished. Short for “SMS phishing”—cyberattacks that arrive via text message—smishing refers to a particular type of spam message that you’ve probably received once or twice, if not dozens of times. They impersonate brands or federal agencies, such as Citigroup or USPS, in the hopes of getting people to hand over their personal information.
Smith, it so happens, is a sort of hacker himself—he works in cybersecurity. He opened the fake USPS website that the scammers had sent and began rooting around in its code, ultimately landing on multiple vulnerabilities. It turns out that the criminals had pretty bad operating security, Smith told me. He was able to log in to the hackers’ system and download information for more than 400,000 different credit cards that they had collected, he told me, which he reported to USPS and several banks.
Smith had unwittingly hacked his way into a node of the “smishing triad”: an elaborate criminal enterprise built on these fraudulent texts that several cybersecurity experts told me is mainly based in China (hence the name—triads are notorious organized-crime syndicates in China). The smishing triad does not directly con everyday people.
Continue Reading on The Atlantic