Unpaid toll bill, E-ZPass text scams fueled by Telegram salesmen



An onslaught of unsolicited texts to Americans’ phones in recent months claiming they owe unpaid tolls and E-ZPass bills is more than an annoyance. It’s the end result of an elaborate online syndicate of Chinese-speaking scammers selling ready-made cybercrime kits on Telegram for stealing credit cards and personal information, experts tell NBC News.

The exact wording varies, but the scam texts generally tell the recipient that they’ve missed a toll payment and owe a small fee that may grow if it goes unpaid, and include a link to a bogus payment website.

Authorities across the U.S., including New York, Virginia, Maryland and Indiana, have warned of the scam.

The FBI’s Internet Crime Complaint Center has received more than 60,000 reports of the scam, an agency spokesperson told NBC News.

No U.S. authorities have made public statements about where the scam comes from, and at least some have said they’re in the dark about its origin.

“We have no idea who’s behind this. We just know it keeps coming and it keeps changing every few days,” Jennifer Givner, a spokesperson for the New York State Thruway Authority, told NBC News.

“We’re handling a couple dozen calls on a daily basis, people calling just to make sure,” she said.

But cybersecurity researchers have found a thriving, loose network devoted to the scam on the Dubai-based social media and messaging platform Telegram. Cybercriminals boast in Chinese about their tools to send the scam texts and steal victims’ credit cards, and even offer to license out programs, called phish kits, that streamline the process for other people to conduct the scams. Phish kits let scammers operate authentic-looking payment pages in order to steal victims’ private information.

“There’s a lot of people using the kits. There’s no one person,” Genina Po, a threat researcher who tracks the scammers at the cybersecurity company Proofpoint, told NBC News.

“A lot of them are Chinese users. The Chinese language is a big part of this scene,” she said. 

The cybercriminal underground routinely buys, repackages and sells large datasets of hacked phone numbers, making it easy for aspiring scammers to acquire numbers in bulk and run the scam themselves.

Companies that keep customers’ phone numbers sent out more than 100 million notices last year to victims telling them that their phone number may have been included in a hacked database, according to the Identity Theft Research Center, a California nonprofit.  

Ford Merrill, a researcher at SecAlliance, a subsidiary of the cybersecurity company CSIS Security Group, has tracked the scam in Telegram channels since 2023, and told NBC News he has seen it rapidly escalate in recent months.

Telegram, which has long marketed itself as an unmoderated bastion of free speech, is a hub for cybercriminal activity. After Telegram’s CEO, Pavel Durov, was detained and charged by French authorities, he said he was taking steps to better moderate the platform. The company did not respond to a request for comment for this story.

The same phishing kits that now tell victims they have unpaid tolls previously told them they had missing U.S. Postal Service packages, Merrill said. The USPS warned in July of that scam.

The toll road scam appears to work in part because it often asks for a small fine, making it seem a reasonable request, Merrill said. That scheme has escalated because scammers saw it working and have “no qualms about copying each other’s work,” he said.

“When one of them finds out something’s effective instantly, the others basically hop on it and copy it right away. So for instance, early February, you started to see the first toll road scams in the U.S. Within days, three of the other operators all supported toll roads as well.”

The scam can be used to steal both the victim’s personal information and their payment details, and allows cybercriminals to add victims’ credit cards to an Apple or Google wallet.

Videos posted to Telegram and viewed by NBC News show how, as a victim starts to enter their personal and payment information into the fake payment page, the scammer can see that information in real time.

As the person enters their credit card number, the scammer’s phishing kit will create a fake, scannable credit card that the scammer can scan and put into their Apple or Google wallet. Doing so can prompt Apple or Google to send the victim a text message code to verify their identity. But, if the victim doesn’t read the text carefully, they may copy and paste it into the fake payment page, thinking that’s part of a legitimate payment process.

Phishing kits advertised on Telegram offer a wide variety of tolls to imitate, both across the U.S. and around the world.

One Telegram channel viewed by NBC News advertises that their kit can imitate themes from across the United States, including the Bay Area FasTrak, E-ZPass, Georgia’s Peach Pass, Oklahoma’s Pike Pass and Louisiana’s GeauxPass.

It’s unclear what, if anything, can stop the scammers. A spokesperson for the CTIA, a trade group that represents the major American telecommunications companies like AT&T, T-Mobile and Verizon, said in an emailed statement that the industry “is dedicated to protecting consumers from illegal and un-consented-to text messages,” but said bad actors are increasingly targeting Americans with encrypted messaging, which phone carriers cannot read or stop.

Apple declined to comment. Google and Samsung didn’t respond to a request for comment. 

Unlike Russia, where cybercriminals who target victims abroad are constitutionally safe from being extradited, China does have extradition treaties with some countries, though it doesn’t have one with the U.S. The Justice Department does periodically charge accused hackers with breaking the law while working for Chinese intelligence, though there’s little hope of them being arrested.

The FBI did not respond to questions about whether it knows the identity of the scammers or has plans to take action against them.

A spokesperson for China’s embassy in Washington, D.C., told NBC News in an emailed statement that the country’s government “stands firm in combating crimes of telecom and online fraud, fighting cross-border illegal and criminal activities and protecting the lawful rights and interests of Chinese citizens.”

“At the same time, we also ask Chinese citizens overseas to strictly abide by local laws and regulations and refrain from engaging in any illegal and criminal activities,” it said.


