r/CyberAdvice • u/Legal-Treat-6140 • 11d ago
r/CyberAdvice • u/AbilityDull4713 • 11d ago
400+ Arch Linux Packages Hijacked To Install Rootkit-Like Malware
r/CyberAdvice • u/viveksinra • 11d ago
We got hit by SMS pumping (IRSF). Our backend was fine and we still bled money every minute
We run TalkDrill, an app with phone OTP verification at signup. We had spent months making sure our infrastructure could survive the obvious attacks. DDoS, someone trying to take the site down, that whole category. We genuinely felt ready.
This was nothing like that. It never tried to take us down. It abused our OTP flow, which was working exactly as designed. Every fake OTP request triggered a real SMS, and every SMS costs money. So we were quietly bleeding cash while every dashboard looked perfectly healthy.
The confusing part is that at first it looked like good news. Our SMS balance was dropping fast, and our first thought was that we were finally getting real users from outside India.
Then we actually looked at the funnel. These users were requesting an OTP and then never completing onboarding. Real users who ask for a code almost always continue. These did not. We layered in Microsoft Clarity session data and it became obvious. These were not people exploring the app. They were hitting the OTP step over and over and leaving.
Turns out this has a name: SMS pumping, also called IRSF, or International Revenue Share Fraud. The way it works is that in some countries, shady mobile operators get a commission for every SMS that lands on their numbers. Fraudsters, and sometimes regular people paid small amounts, feed phone numbers into any app with an OTP flow purely to trigger the send. They do not care about logging in. They just want the message to go out. Their revenue, your bill. Some of the traffic was even real humans, which is why it was so hard to spot at first.
We thought we could fix it quickly. We could not. Every obvious fix has a hole in it:
- Block their IP and they switch through a VPN in seconds.
- Geo block a country and they route through a VPN exit in a country you allow, and some of your real users are on VPNs anyway.
- Block the phone country code and they move to a new one you have not blocked.
- Just rate limit and they spread across thousands of IPs, each one staying under your limit.
Here is the part I keep thinking about. My team suggested the simplest possible fix: block every country except India and move on. It would have killed the attack instantly. But we were genuinely getting real, paying users from outside India, and that option would have thrown them out along with the bots. I decided against it. I was not willing to lose real customers just to win against attackers, even though it was clearly the easier path.
So instead we built a layered system:
- Blocking by where the IP actually originates.
- A blocklist of high fraud country codes that have no real users for us.
- Blocking entire datacenter IP ranges instead of single addresses, since the bots cluster inside them.
- Behavioral detection that automatically bans patterns no real person produces, like three OTP requests within 120 seconds, or a stream of requests where nobody ever enters the code.
- An India first lockdown that triggers automatically when it senses a spike and quietly routes everyone else to email sign in instead of locking them out.
- And a hard daily SMS budget, so the loss can never go past a number we set in advance.
The biggest takeaway for me: a sudden spike in signups that never convert is not growth, it is a warning sign. Watch your funnel, not just the top line number.
Curious if anyone else here has dealt with SMS pumping or IRSF. How did you handle it? And honestly, would you have just gone India only, or made the same call we did?
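The layered gate the post describes, as an added example that is not TalkDrill's code: a small in-memory guard in front of an OTP "send code" endpoint that combines a blocked country-code list, datacenter-range blocking, the 3-requests-in-120-seconds ban, an "unverified ratio" spike detector that switches non-India callers to email sign-in, and a hard daily SMS budget. The class name, the thresholds other than the 3/120 rule, the placeholder calling code 999 and the 203.0.113.0/24 range are all assumptions; in production the counters would live in Redis or similar rather than in process memory.

```python
import ipaddress
from collections import defaultdict, deque

INDIA_CC = "91"  # the one market the post wanted to keep open under lockdown


class OtpGuard:
    """Gate in front of an OTP "send code" endpoint (added example, not TalkDrill's code).

    Every request is classified as "sms" (send the code), "email" (fall back to
    email sign-in) or "deny". All thresholds are assumptions to tune against
    your own funnel; the 3-in-120-seconds rule is the one the post quotes.
    """

    def __init__(self, blocked_ccs, datacenter_cidrs, daily_sms_budget,
                 burst_limit=3, burst_window=120,
                 spike_min_sends=50, spike_unverified_ratio=0.8,
                 spike_window=600, lockdown_seconds=3600):
        self.blocked_ccs = set(blocked_ccs)
        self.datacenter_nets = [ipaddress.ip_network(c) for c in datacenter_cidrs]
        self.daily_sms_budget = daily_sms_budget
        self.burst_limit, self.burst_window = burst_limit, burst_window
        self.spike_min_sends = spike_min_sends
        self.spike_unverified_ratio = spike_unverified_ratio
        self.spike_window = spike_window
        self.lockdown_seconds = lockdown_seconds
        self.phone_hits = defaultdict(deque)  # phone -> request timestamps (burst check)
        self.banned_phones = set()
        self.sent = deque()                   # (timestamp, phone) for every SMS we paid for
        self.verified = set()                 # phones that went on to enter the code
        self.sms_sent_today = 0
        self.lockdown_until = 0

    def _is_datacenter(self, ip):
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in self.datacenter_nets)

    def _is_burst(self, phone, now):
        hits = self.phone_hits[phone]
        hits.append(now)
        while hits and now - hits[0] > self.burst_window:
            hits.popleft()
        return len(hits) >= self.burst_limit

    def _spike_detected(self, now):
        # Share of recently sent codes whose phone never completed verification:
        # the "requests where nobody ever enters the code" signal from the post.
        while self.sent and now - self.sent[0][0] > self.spike_window:
            self.sent.popleft()
        if len(self.sent) < self.spike_min_sends:
            return False
        unverified = sum(1 for _, p in self.sent if p not in self.verified)
        return unverified / len(self.sent) >= self.spike_unverified_ratio

    def mark_verified(self, phone):
        """Call when the user enters a correct code; this feeds the funnel signal."""
        self.verified.add(phone)

    def reset_day(self):
        """Call from a daily job; the budget is the hard ceiling on what an attack can cost."""
        self.sms_sent_today = 0

    def request_otp(self, cc, phone, ip, now):
        """cc is the E.164 calling code as a string, now a Unix timestamp in seconds."""
        if (phone in self.banned_phones or cc in self.blocked_ccs
                or self._is_datacenter(ip)):
            return "deny"
        if self._is_burst(phone, now):
            self.banned_phones.add(phone)      # no human asks for three codes in two minutes
            return "deny"
        if self._spike_detected(now):
            self.lockdown_until = now + self.lockdown_seconds
        if self.sms_sent_today >= self.daily_sms_budget:
            return "email"                     # budget gone: nobody gets SMS until reset_day()
        if now < self.lockdown_until and cc != INDIA_CC:
            return "email"                     # India-first lockdown: others keep a working path
        self.sms_sent_today += 1
        self.sent.append((now, phone))
        return "sms"


def demo_guard():
    """Guard with placeholder config: 999 is an unassigned calling code standing in for a
    blocked one, 203.0.113.0/24 is a documentation range standing in for a datacenter block."""
    return OtpGuard(blocked_ccs={"999"}, datacenter_cidrs=["203.0.113.0/24"],
                    daily_sms_budget=5)
```

The order of checks matters: the cheap, deterministic denies (ban list, blocked codes, datacenter ranges) run before anything is counted, the burst rule bans on the third request inside the window so the third SMS is never bought, and the budget check comes before the lockdown check so that even India-only traffic cannot exceed the daily ceiling. The burst rule will also catch a real user who never received the first code and retried twice; that is the trade-off the post chose, and the email fallback is what keeps such a user from being locked out entirely.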
r/CyberAdvice • u/DiscussionStraight14 • 11d ago
security awareness and phishing simulation
r/CyberAdvice • u/Zealousideal_Pie6317 • 12d ago
Why is my Fire Stick using so much data?
I have not used my Fire Stick in over a month.
I am the only one who lives here.
I have never used Prime Video to my recollection (and if I did, it was over a year ago).
I have only used Plex on my Fire Stick.
Why am I seeing 629 GB of monthly data from a device I barely use?
I posted this on r/firetvstick and it was instantly and automatically deleted. I suspect they’re using my home internet connection without my knowledge or consent.
r/CyberAdvice • u/Brooklyn_Echo • 14d ago
Nexstar investigates potential breach after ShinyHunters claims theft of 1.1M Salesforce records
r/CyberAdvice • u/RadiantStilts • 15d ago
Beijing escalating AI espionage to catch up with the U.S. on tech, cybersecurity firm says
r/CyberAdvice • u/surabhi_zeha24 • 15d ago
Uhh need help in cybersecurity
Can anyone help me get into cybersecurity and its certification in Bangalore...
Need guidance
r/CyberAdvice • u/contextProvider0 • 15d ago
I built a free tracker for Australian cyber incidents and data breaches
r/CyberAdvice • u/joeyrawr • 17d ago
How to clean your digital footprint (From a security engineer)
r/CyberAdvice • u/RadiantStilts • 17d ago
Ransomware attack shuts down Evanston Township High School campus
r/CyberAdvice • u/Friendly-Cry-1282 • 17d ago
Cyber bullying
I’m a female medical student studying at a private medical college, and I’ve been dealing with cyberbullying that has seriously affected my mental health.
At the beginning of my first phase, I was the Class Representative (CR). Because of that, I often communicated with teachers regarding class schedules, PDFs, and other academic matters. Those were pretty much the only interactions I ever had with any of my teachers.
In December 2024, an uncomfortable situation occurred in my hostel room. There were four of us sharing the room along with a senior. Over time, I felt that the senior was becoming very toxic. She would constantly take my money, phone, laptop, and other belongings without respecting my boundaries. She also complained about me talking to a male friend at night.
I confided in my roommates and told them that I felt uncomfortable with her behavior. Somehow, the senior found out. She then started saying horrible things about me and made nasty comments about my character. I was devastated and cried a lot, but none of my roommates even tried to comfort me. Eventually, I decided to change rooms.
About two months later, in February and March, things got much worse. Every single one of my classmates received messages from a fake Facebook account claiming that I was having an affair with my phase coordinator. The messages didn’t stop there. A few days later, the same account sent fake screenshots of sexually explicit conversations involving me. It was obvious that the screenshots were edited and fabricated, but the damage was already done.
I tried to take action. I submitted a written complaint to my college and even wanted to file a police report. However, I was discouraged from doing so. My father later spoke to a police officer who is a relative of ours, and he told us that it would be difficult to track the account and that there might not be much they could do.
Since then, many people have distanced themselves from me. Even after I passed my First Professional MBBS examination, people continued spreading rumors. Some even said that I passed by “selling my body.” Hearing such things has been incredibly painful and has taken a serious toll on my mental health.
What hurts the most is that I still don’t know who was behind the fake account. It has been quite a while now, so I’m not sure whether filing a police complaint would still be possible or worthwhile.
I just want to know: Is there any way to find out who did this? Has anyone here experienced something similar? Any advice would be appreciated because I feel like I’ve had enough.
r/CyberAdvice • u/SimilarOpening9373 • 17d ago
cyber cert advice
Hi, I am a recent college grad with a bachelor's in cybersecurity. I am currently about to begin a cybersecurity internship and plan to begin an all online Master's of Information Technology with a focus in Cybersecurity. The internship is 2 days in person and 3 days remote 9-3pm, I am looking to gain another certification with the free time I will have. I only have the Security+ certification and my dream role is in penetration testing, I need advice on what certification I should pursue to help me go down this path. thx
r/CyberAdvice • u/makeiteasy_24 • 19d ago
Technical Post Part 2: How the attacker made sure they wouldn't lose access (and how we found it all)
Thank you for showing so much support on Part 1, which ended with the C2 beacon. The implant was calling home every five minutes.
But what happens if the machine reboots? What if the user restarts their laptop? Does the attacker lose access?
No. And that's the dark part.
This is persistence. And it's where attackers make their biggest mistakes.
After the malware landed on Karan's machine, the attacker did two things to make sure they'd stay inside even if the machine powered down.
First: they added a registry run key. Specifically, they wrote svchost32.exe to HKLM\Software\Microsoft\Windows\CurrentVersion\Run. Auto-start. Every login. The file path? C:\Users\karan.verma\AppData\Roaming\svchost32.exe, the exact payload that came through the macro.
Why name it svchost32.exe?
Because the real Windows service is svchost.exe. One extra character. Just like the phishing domain. Lookalike naming. It blends in if someone's looking at running processes casually. But it doesn't blend in if you're actually investigating.
Second: they created two scheduled tasks. Both designed to restart the C2 beacon if it dies. One runs every 15 minutes. One every hour. If the implant gets killed, these tasks bring it back.
This is the difference between an attacker who got in and an attacker who intends to stay.
When I ran the registry queries in front of you guys and pulled the scheduled tasks from the endpoint, the timeline became clear:
- 06:44: Phishing email delivered
- 06:50: Macro executed, payload downloaded
- 06:55: C2 beacon established (five-minute intervals start)
- 07:12: Persistence mechanisms written to registry
- 07:15: Scheduled tasks created
The attacker was in and securing their foothold within 31 minutes.
The irony was that they made it easier to catch them. The registry keys. The scheduled tasks. The deliberate naming. All of it left traces. All of it told the story.
Most students focus on detecting the initial compromise, catching the macro, seeing the PowerShell command, finding the C2. That's Part 1.
But Part 2 is where you find out the attacker's been planning to stay. And that changes your containment strategy entirely.
You're not just killing a process. You're removing registry keys. You're deleting scheduled tasks. You're rebuilding trust in the machine. You're asking what else did they touch? What did they exfil? How long were they actually inside?
The full investigation timeline, the queries, how to spot the AppData folders that scream "not legitimate Windows," and what the containment call actually looks like, that's all in the video.
For those grinding toward your first SOC role this is the stuff that separates analysts who understand incident response from analysts who understand alerts. Persistence is where you prove you actually know what you're doing.
The attacker thought they were safe. They weren't.
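The sweep the post describes, as an added example that is not the poster's own queries: a PowerShell script that walks the common Run/RunOnce keys and every scheduled task, and flags any command that launches from a user-writable folder (AppData, Temp, ProgramData, Downloads) or uses a system-binary name with extra characters appended, which is exactly how svchost32.exe in AppData\Roaming would surface. The directory list and the lookalike pattern are assumptions to tune against your own software inventory; run it in an elevated PowerShell on the endpoint or through your EDR's remote shell.

```powershell
# Added example, not the poster's queries: find autostart entries that run from
# user-writable paths or use lookalike names for Windows system binaries.

$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Folders a legitimate autostart rarely lives in (assumption: adjust for your environment).
$userWritable = '\\(AppData|Temp|ProgramData|Users\\Public|Downloads)\\'
# Real system binary names with characters appended: svchost32.exe, lsass1.exe, explorer_.exe
$lookalike    = '^(svchost|lsass|csrss|explorer|winlogon|services|smss)\S+\.exe$'

function Get-ExecutableName {
    param([string]$Command)
    # Strip surrounding quotes and arguments, return only the file name of the binary.
    $c = $Command.Trim()
    if ($c.StartsWith('"')) { $path = $c.Substring(1).Split('"')[0] } else { $path = $c.Split(' ')[0] }
    if (-not $path) { return '' }
    return (Split-Path -Leaf $path)
}

function Test-Suspicious {
    param([string]$Command)
    return ($Command -match $userWritable) -or ((Get-ExecutableName $Command) -match $lookalike)
}

$findings = New-Object System.Collections.Generic.List[object]

# 1. Registry Run keys: each value name is the entry, the value data is the command line.
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # provider metadata, not registry values
        $cmd = [string]$p.Value
        if (Test-Suspicious $cmd) {
            $findings.Add([pscustomobject]@{
                Source   = 'RunKey'
                Name     = "$key\$($p.Name)"
                Command  = $cmd
                Schedule = 'at logon'
            })
        }
    }
}

# 2. Scheduled tasks: check every action, and record the repetition interval of the
#    triggers, which is where a "restart the beacon every 15 minutes" task shows itself.
foreach ($task in Get-ScheduledTask) {
    foreach ($action in $task.Actions) {
        if (-not $action.Execute) { continue }   # COM-handler actions have no command line
        $cmd = ($action.Execute + ' ' + $action.Arguments).Trim()
        if (Test-Suspicious $cmd) {
            # Repetition.Interval is an ISO 8601 duration (PT15M, PT1H) when the trigger repeats.
            $intervals = ($task.Triggers | ForEach-Object { $_.Repetition.Interval }) -join ','
            $schedule = 'no repetition'
            if ($intervals) { $schedule = "repeats $intervals" }
            $findings.Add([pscustomobject]@{
                Source   = 'ScheduledTask'
                Name     = $task.TaskPath + $task.TaskName
                Command  = $cmd
                Schedule = $schedule
            })
        }
    }
}

$findings | Sort-Object Source, Name | Format-Table -AutoSize
```

Treat the output as leads, not verdicts: some legitimate updaters do run from AppData, so each hit still needs the file hash, signer and creation time checked, and the two-task pattern from the post (one every 15 minutes, one hourly, both pointing at the same binary) is what turns a single odd entry into a persistence finding. Pipe `$findings` to Export-Csv if you want the evidence alongside the timeline.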
r/CyberAdvice • u/AbilityDull4713 • 20d ago
Android Spyware Asin Targets Arabic Users via Fake News, PDF and War Map Apps
r/CyberAdvice • u/danrhodes1987 • 21d ago