{
	"id": "d0a2bbf0-6299-4b72-aeec-5a4e9ca6570c",
	"created_at": "2026-04-06T00:14:20.481955Z",
	"updated_at": "2026-04-10T03:32:21.710125Z",
	"deleted_at": null,
	"sha1_hash": "6ece28984eb8d1c3495f582ed4ef50a883eeea36",
	"title": "New Threat Actor Group PayTool Targets Canadians with Traffic Scams",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 669654,
	"plain_text": "New Threat Actor Group PayTool Targets Canadians with Traffic Scams\r\nBy Research Team\r\nPublished: 2026-01-09 · Archived: 2026-04-02 11:13:35 UTC\r\nBy Adrian Cheek, Senior Cybercrime Researcher\r\nReceiving a text message that informs you of a missed toll fee or parking fine seems to be a daily occurrence.\r\nThese scams, which are mostly run by Chinese-speaking threat actors, are easy for Canadians to ignore when the\r\ntext references a US state, but the scams are becoming more accurate in their locations and now show provinces.\r\n“Traffic scams,” the collective name we give to toll and parking scams, are a form of “smishing” (SMS phishing)\r\nin which the threat actors send text messages impersonating legitimate government agencies or private firms, such\r\nas the 407 ETR, claiming you have an unpaid balance and tricking users into providing personal and financial\r\ninformation.\r\nFlare Research recently began tracking a threat actor group, “PayTool,” that is specifically targeting Canadians.\r\nThe group operates using different tactics we often see referenced by Chinese-speaking threat actors targeting the\r\nUnited States.\r\nWe suspect we may be the first cybercrime researchers to identify PayTool, and it’s likely that we may also be the\r\nfirst to identify all victims from this scam.
We are closely following this group as they continue to push out new\r\nscam domains.\r\nKey Takeaways of Our Analysis of Canadian Victims of PayTool\r\nhttps://flare.io/learn/resources/blog/paytool-targets-canadians-traffic-scams\r\nPage 1 of 5\n\nThe scams have become more believable over the last few months\r\nOver the 12 months we’ve been tracking websites associated with PayTool, the frequency of newly\r\nregistered websites has increased since July (also tied to an increase in scam text messages publicly\r\nreported)\r\nWe have identified over 900 potential victims from this specific campaign, and additional victims from\r\nearlier campaigns believed to be run by PayTool\r\nHow Traffic Scams Work\r\nBelow are a couple of examples of how PayTool’s traffic scams operate (there may be different versions of the\r\nsame process):\r\nUnsolicited message: Users receive an unexpected text message from a Canadian phone number claiming\r\nan “unpaid parking fine” or “toll evasion notice” for a specific, small amount (e.g., $6.97).\r\nUrgency and threatening language: The message will typically threaten late fees, license suspension, or\r\nlegal action if payment isn’t made immediately.\r\nMalicious link: A hyperlink to a fake website is included in the text. This site is meticulously designed to\r\nlook like the official party’s payment portal, using similar logos and URLs (e.g., 4o7etr[.]com instead of\r\n407etr[.]com).\r\nPersonal information theft: When the link is clicked and an attempt is made to pay the fake fine, the user\r\nis prompted to enter sensitive data, such as a credit card number, bank account details, driver’s license\r\nnumber, or other personal information.\r\nThis information is then used to purchase goods and services elsewhere, which the actors can then convert to a\r\ncurrency of their choice.\r\nWhat is the PayTool Group?\r\nThe scam begins with an unsolicited text.
In the example below, the phone number used has an Ontario area code.\r\nHowever, the message claims to be a notice from British Columbia regarding speeding in a school zone.\r\nOpen source reporting suggests that some recipients of the messages were from provinces outside the province of the alleged\r\noffense, indicating that targeting in this instance was not location-based.\r\nText message that claims to be a notice about a speeding infraction\r\nThe message openly threatens legal action if payment is not made, which implies some form of urgency is\r\nrequired. Messages with identical wording have been collected from locations in Prince Edward Island and\r\nOntario. Unlike other scam notifications Flare tracks, this message provides a hyperlink that clearly redirects to\r\nYouTube, then a social media platform, and finally to a payment page.\r\nThe payment pages are designed to look genuine and contain the relevant provincial branding, with the URL being\r\nthe only indicator that this is not a legitimate service. Each page contains a button which then allows credit\r\ncard details to be added.\r\nExample of the BC PayTool page\r\nExample of the Ontario PayTool page\r\nOur analysis of the phone numbers used in the text messages reveals area codes from Ottawa, Toronto, and\r\nNortheastern Ontario, which is a strong indicator that the threat actor group behind this scam is based in Canada or\r\nhas knowledge of or access to Canadian technology, such as eSIMs or physical SIM cards.\r\nWhen we compared this information to the same type of scam conducted in the United States, Flare observed a\r\nmuch wider spread of area codes, even branching out into multiple country codes, such as the Caribbean, which\r\nuses a +1 country code but would appear to be from the US at first glance.
The phone numbers and area codes\r\nalso varied depending on the type of scam the group is operating and the availability of SIMs and software to\r\ncycle through cell phone numbers.\r\nWe’re currently tracking 37 websites that have been associated with this threat actor group in the previous 12\r\nmonths. Of some significance, the frequency of newly registered websites has increased since July, which ties to\r\nan increase in text messages being observed and publicly reported. The websites are registered using smaller, less\r\npopular domain registrars, often based in Europe, and only remain operational during the timeframe of each\r\ncampaign.\r\nAs part of our intelligence gathering, we have identified over 900 potential victims from this specific campaign\r\nand additional victims associated with earlier campaigns believed to be run by the same group.\r\nICBC, the Insurance Corporation of British Columbia, responded to a recent post in a public forum regarding a\r\ntext message a user received, stating that\r\n“We never contact customers via text about driving infractions or outstanding debt and do not ask for payment via\r\nan e-transfer link in a text message. If you receive a suspicious message, please delete it—it’s a scam.”\r\nContinuing to Monitor PayTool\r\nWe’re closely monitoring PayTool at Flare Research as their traffic scams appear to be increasing and they continue to push out\r\nnew domains for scamming. We advise security teams to incorporate traffic scams into employee cybersecurity\r\ntraining.\r\nTracking Scams with Flare\r\nThe Flare Threat Exposure Management solution empowers organizations to proactively detect, prioritize, and\r\nmitigate the types of exposures commonly exploited by threat actors.
Our platform automatically scans the clear \u0026\r\ndark web and prominent threat actor communities 24/7 to discover unknown events, prioritize risks, and deliver\r\nactionable intelligence you can use instantly to improve security.\r\nFlare integrates into your security program in 30 minutes and often replaces several SaaS and open source tools.\r\nSee what external threats are exposed for your organization by signing up for our free trial.\r\nSource: https://flare.io/learn/resources/blog/paytool-targets-canadians-traffic-scams",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"references": [
		"https://flare.io/learn/resources/blog/paytool-targets-canadians-traffic-scams"
	],
	"report_names": [
		"paytool-targets-canadians-traffic-scams"
	],
	"threat_actors": [
		{
			"id": "dd58c865-4f58-4218-a38e-82f75d7c9589",
			"created_at": "2026-02-11T02:00:03.944309Z",
			"updated_at": "2026-04-10T02:00:03.969964Z",
			"deleted_at": null,
			"main_name": "PayTool",
			"aliases": [],
			"source_name": "MISPGALAXY:PayTool",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434460,
	"ts_updated_at": 1775791941,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/6ece28984eb8d1c3495f582ed4ef50a883eeea36.pdf",
		"text": "https://archive.orkl.eu/6ece28984eb8d1c3495f582ed4ef50a883eeea36.txt",
		"img": "https://archive.orkl.eu/6ece28984eb8d1c3495f582ed4ef50a883eeea36.jpg"
	}
}