Disclaimer: This report has been written with a view to inform, educate and assess developments that impact public well-being. As such, it relies exclusively on open source information collected and analysed by the author while exercising the Right to Freedom of Speech as elaborated in Article 19 of the 1973 Constitution of Pakistan.
Another instant loan (shark) app has emerged on Play Store, which has the exact same User Interface (UI) and contents as that of Barwaqt and WeCash, two previously reported apps that have trapped unsuspecting users into debt traps.
HiCash's app emerged in Play Store on 11 June 2022 and has achieved installations by more than 10,000 devices to date. Details mentioned within the official description include:
An email address for correspondence: [email protected]
Physical address: 66, Y Block, Phase 3, DHA Lahore Pakistan
Coincidentally, the physical address of WeCash also mentions a location in DHA Lahore.
HiCash's 'Privacy Policy' takes us to a webpage hosted on the domain topstob.com. It was registered on 19 March 2021. The primary IP address of this website is 47.243.113.46 hosted on a server in Hong Kong SAR owned by Alibaba US Technology Co., Ltd., China.
Who registered the website?
Multiple WHOIS tools had masked the identity of the domain registrant.
However, I was able to access details using one such tool which revealed the owner/ registrant of this domain: Meet Liao X******, a resident of Nanshan District in Shenzhen city of China's Guandong province. Liao uses mobile number +8618503****70 and email address liao*******@126.com.
Some details have been intentionally withheld, as you can see, and will only be shared with representatives of law enforcement and national security agencies (you know how to contact me).
Liao is a software engineer with stated experience of 14 years in programming. He has a profile on the website of Chinese Software Developer Network (CSDN), one of the biggest networks of software engineers in China. In fact, I accessed the CSDN profile of Liao after a reverse lookup of the email address mentioned in domain WHOIS records.
Ironically, Liao's CSDN page says that he is "committed to financial risk control", apart from "machine learning" and "storage". He is a proclaimed expert in cloud computing and cloud storage solutions.
Other traces of Liao
I was able to determine some other domain names registered in Liao's name:
luckvay.com: A website that operates the CanVay loan app for citizens in Vietnam [seems HiCash is a Pakistani cousin of CanVay]
360biyibi.com: Website that is sponsored by Shaanxi Internet Content Provider (ICP) No. 17021723 which is registered in the name of Office of the Standing Committee of the People's Congress of Hanbin District, Ankang City, Shaanxi Province (China).
360biyibi.net: Apparently an alternate domain for 360biyibi.com.
360byb.com: Apparently an alternate domain for 360biyibi.com.
myconvertor.com: Details not known.
Is Liao directly involved in HiCash (and even CanVay) or was he simply hired to setup a domain name and website? Whatever the case, the attempts to mask his identity seem to have failed. What we can say with certainty, however, is that HiCash was built by one or more Chinese conmen to target citizens in Pakistan.
Pakistani links
HiCash website claims they're based in 66, Y-Block, Phase 3, DHA Lahore. I couldn't find any registered business through open sources on this address. Only a field check can confirm whether the mentioned address is real; particularly if there are one or more front-persons based there. To question my own previous speculation, the patrons of WeCash [Superbro Technology (Private) Limited] are actually registered in Building No. 6, CCA, Phase 5, DHA Lahore; so that's that.
Now we can proffer there are offices of not just one, but two, Chinese-origin instant loan (shark) apps based in DHA Lahore: WeCash and HiCash.
Similarities with Barwaqt and WeCash
If you see my thread on WeCash [this tweet onward], you can find my comparative analysis on UI, content and other similarities (data parameters etc) used by both apps. HiCash has the exact same model. Some screenshots below:
Without a registered and declared presence in Pakistan, who has authorised HiCash to collect sensitive personal information from citizens, trap them in debt and host their data on servers based in China?
Integration with EasyPaisa?
A local YouTuber's review (1:37 mark) of the app shows that possession of an account on EasyPaisa (owned by Telenor Microfinance Bank) is necessary to use the app, suggesting that back-end API integration is involved.
I've already been contacted by an industry insider who shared names of two senior managers in EasyPaisa allegedly involved in facilitating off-the-record integration of Chinese loan shark apps with EasyPaisa API. I was able to confirm the senior designations of mentioned persons but will not report on them further until and unless substantial evidence is shared with me.
Did you know a senior manager at Seedcred Financial Services Limited is a former Financial Services Sales Specialist at EasyPaisa?
Responding to my query, CEO of EasyPaisa denied any association with the app and claimed their brand name was being misused.
Keeping the above issues aside, the fact that HiCash openly mentions links with EasyPaisa indicates absence of necessary due diligence. How can an app which isn't registered in Pakistan get API access? Something is very fishy indeed and a lot needs to be answered by Telenor Microfinance Bank. It is about time the State Bank of Pakistan (SBP) wakes up and smells the coffee.
Involvement of certain insiders in EasyPaisa with unregistered loan (shark) apps must be investigated by Telenor headquarters.
Assessment
Based on the detailed findings shared above, my personal assessment is as follows:
HiCash is a Chinese-origin app which is operating through one or more front-persons in Pakistan.
HiCash is soliciting sensitive personal information of Pakistani citizens without authorisation and hosting them in servers based in China.
Liao's involvement in two instant loan (shark) apps indicates he is their patron and/ or directly knows them.
Common interface of HiCash, Barwaqt and WeCash suggests there may be a common nexus involved through various front-ends.
Chinese scammers and fraudsters claim integration with EasyPaisa API for processing. It could be that front companies in Pakistan are being used to achieve this.
What can be done?
The SBP can initiate an inquiry on whether HiCash has a front company in Pakistan taking payments via API integration on its behalf.
Concerned departments handling economic crimes investigations can conduct a field visit to the proclaimed physical address of HiCash.
The Securities & Exchange Commission of Pakistan (SECP) can coordinate and check whether HiCash was being patronised by an unknown registered company in Pakistan.
The Pakistan Telecommunication Authority (PTA) can write to Google Play Store and request a take-down of HiCash.
The National Telecommunications Information Security Board (NTISB) within Cabinet Division, Prime Minister's Office, can issue a warning about HiCash via notification, as done for Barwaqt and other malicious apps.
Law enforcement action can be initiated against YouTubers etc who are involved in promoting HiCash, such as imposition of penalties etc.
Ideally, as a long-term measure, the Government of Pakistan can write to Google and request that stringent evaluation protocols be followed before allowing dubious apps to flourish on Play Store in the future.
If you appreciate the effort I put into this report, you can support me by buying me a cup of coffee. Supporters will get early (and in some cases permanently exclusive) access to future reports.
Note: This story was updated to include CEO EasyPaisa's response.