BEIJING– A troubling form of hardware-based financial fraud is spreading in Mainland China with cell phone charging banks. When a recipient plugs one into a phone, the device can push malware onto the handset and quickly steal banking details.
With those credentials, thieves can move money without permission and empty accounts.
Chinese social media and news reports often call them “ poison power banks ” or “virus power banks.” The issue drew wide attention in early March 2026, after several residents reported strange deliveries with no clear explanation.
The rise of “poison power banks” in China
In March 2026, reports from local authorities and media described a jump in cases tied to surprise shipments sent through express services. Many parcels included unbranded power banks, sometimes described as “three-no” products, meaning no clear sender, no brand, and no certification. Some boxes also came with vague instructions, small gifts, or promo items such as handbags.
Because the package looks like a freebie, some people plug the power bank into a smartphone out of curiosity or convenience. That single step can start the attack. Inside, a tiny chip, sometimes described as about the size of a fingernail, uses the USB connection to trigger a silent malware install.
The risk increases if the user taps “Trust this device” on an Android prompt. After that, the malware can work fast. Reports say it can pull sensitive data in seconds, sometimes in as little as 10 seconds, including:
- Contacts and photos
- Banking app usernames and passwords
- Payment passwords
- SMS verification codes
With that information, scammers can start transfers or purchases remotely, often before the victim sees any warning signs.
Even worse, disconnecting the power bank may not stop the damage. Some versions of the malware can stay on the phone and keep collecting data in the background.
Real cases show how serious it is
Several incidents from March 2026 show how organized these shipments can be.
In Shandong Province, a woman reportedly received three identical parcels in one day. Each box included the same power bank model, along with a handbag and a user manual.
The sender appeared as a “Mr. Huang” from Chaoshan. Her address and phone number were accurate, which raised concerns about leaked or stolen personal data.
She looked up the items online, found warnings about “virus power banks,” and chose not to use them. Instead, she turned them over to local police. Officers reportedly confirmed that similar scams exist, although they said they would need to open and inspect the devices to prove tampering.
In Jiangxi Province, another resident received several unexpected power banks and reported them after seeing online alerts.
This “blind delivery” method, where items get mailed to random people to trigger curiosity or greed, resembles earlier mail scams such as unsolicited seed packages. However, these power banks aim straight at financial accounts.
Around the same time, police and security agencies in multiple regions issued coordinated notices. They urged the public to refuse unknown deliveries and avoid using any surprise electronics.
How the scam works, step by step
Reports describe a layered process designed to improve the chances of success:
- Getting personal data: Addresses and phone numbers may come from illegal data sales, prior leaks, or phishing.
- Modifying the devices: Underground workshops add custom chips loaded with trojans or backdoors.
- Mailing at scale: Parcels often ship with little or no return information, blending into normal delivery volume.
- Pushing extra hooks: Some packages include fake prize cards or notes that urge QR scans or app downloads.
- Triggering infection: When plugged in, the device uses USB data lines, not just power, to steal credentials fast and enable remote control.
Similar variations also show up offline. For example, strangers may ask someone to “test” a power bank and pressure them to approve trust prompts. There are also concerns about shared charging stations, which are common in China, being modified for data theft.
Authorities stress that hardware-based attacks can slip past many software defenses, so prevention matters most.
Risks for victims and what can happen next
The first harm is often immediate money loss. Some reports describe thousands of yuan disappearing within minutes. Yet the fallout can spread beyond one transfer.
Stolen data can also support:
- Identity theft used for loans or new fraud
- Resale of personal and financial details on underground markets
- Follow-on scams, including telecom fraud and impersonation
Some Chinese media outlets, including Sina Finance and Qianlong, described these devices as “silent thieves” because they can operate without obvious signs and may remain active after the cable is unplugged.
Police warnings and official safety tips
Police and cybersecurity teams increased public alerts in March 2026. Their advice focused on simple steps that reduce risk:
- Refuse unsolicited express parcels, especially ones with unknown electronics.
- Never plug an unknown power bank into a phone.
- If someone has already connected to one, disconnect right away, then change banking and payment passwords as soon as possible.
- Turn on two-factor authentication where available and watch accounts for unusual activity.
- Run a scan with reputable mobile security software and report the incident to the police.
- Don’t approve “Trust” prompts for unknown devices.
- Buy certified, branded power banks from trusted sellers.
Experts also link this wave to earlier warnings about shared power banks and charging devices. China’s Ministry of State Security raised concerns about charging-related espionage risks in 2025, and this scam fits the same pattern.
Because global e-commerce and repeated data breaches make cross-border fraud easier, observers warn that the same trick could appear in other countries. International shipping already supports low-cost, high-volume scams, so sending “blind delivery” parcels overseas would be a natural next step.
Travelers, frequent online shoppers, and anyone receiving mystery packages should treat surprise charging devices as risky. Cybersecurity groups continue to track hardware threats, although public reports have not confirmed the wide export of these “poison power banks” yet. As mobile banking keeps growing worldwide, scams that mix physical devices with malware are likely to keep evolving.
