Cybersecurity Reach Foundation

The Fake Parking Ticket Scam Hitting NYC Phones — and the AI-Powered Machine Behind It

Thousands of New Yorkers are receiving texts with an official-looking court notice and a QR code. We scanned it. What we found is a same-day-deployed, Chinese-linked smishing operation that reveals how AI is rapidly accelerating the scale and polish of fraud.

If you have a New York City phone number, there is a good chance you received it: a text message with no body copy, just a QR code image. The image looks like an official government document — heavy serif fonts, a state seal, bold red warning text, a case number, a judge's name. It says you owe an outstanding parking or toll violation. It says enforcement has been initiated. It says immediate action is required.

We scanned the code. Here is what we found.


The Lure: A Near-Perfect Fake

The document circulating in the scam texts comes in two versions, both designed to trigger panic.

The first is a "Notice of Default" stamped with the seal of the State of New York, attributed to the Criminal Court of the City of New York, Traffic Division. It lists a case number (NY-26-TR-273196), a presiding judge (Michael Rodriguez), and a Clerk of the Court (Paul Lopez). It warns of driver's license suspension, referral to collections, and court contempt proceedings. At the bottom: a QR code with the instruction to "scan to settle your unpaid balance."

The second document — apparently sent in a follow-up wave — is a "Final Court-Ordered Mandatory Collection Notice" attributed to a fictional agency called the "New York State Department of Safety & Homeland Security." It escalates the language dramatically: penalties are "FINAL, NON-APPEALABLE," enforcement is "PERMANENT AND IRREVOCABLE," and it warns the fine "will adversely affect your credit associated with your Social Security Number (SSN)."

Neither of these agencies or documents is real. The New York DMV does not send enforcement notices by text. The state has no "Department of Safety & Homeland Security." Actual court matters are initiated by physical mail.

But that is the point. These documents are not designed to survive legal scrutiny. They are designed to survive a 30-second glance on a phone screen.


The Infrastructure: Built This Morning

When we scanned the QR code, it resolved to ny.ghyml.life.

Domain registration records show ghyml.life was registered on March 26, 2026 — the same day this investigation began, and almost certainly the same day the texts started going out. The SSL certificate was issued at 9:07 AM UTC. By the time recipients were scanning QR codes, the site had been live for hours.

The domain is registered through Dynadot and sits behind Cloudflare's proxy, which hides the origin server's true IP address. The web server is OpenResty — a high-performance Nginx variant with embedded Lua scripting.

When we hit the URL from a desktop browser, we got the OpenResty default welcome page. A blank green page. Nothing.

That is intentional.

This is called cloaking. The server inspects incoming requests — your browser's User-Agent string, your IP address, whether you arrived via a QR code scanner on a mobile device. Automated scanners and security researchers get the harmless decoy. Real victims clicking from their phones get the phishing payload. It is a technique borrowed from black-hat SEO and increasingly standard in Chinese-linked smishing kits.

The ny. subdomain is not accidental either. The wildcard SSL certificate covers *.ghyml.life, meaning the operator can spin up ca.ghyml.life, tx.ghyml.life, fl.ghyml.life — one subdomain per state — in seconds, targeting different regions with different cover stories, all from the same infrastructure.
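The signals described in this section (same-day registration, a certificate issued hours later, a wildcard certificate, a state-code subdomain) can be checked mechanically when triaging a QR-decoded URL. The following is an added example, not code from this investigation: the `Observation` record, the `triage` function and the seven-day threshold are assumptions, and the sample is constructed from the dates in the article (the registration time of day and the observation time are made up).

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from urllib.parse import urlsplit

# Official hosts named in this article; every other host is treated as unofficial.
OFFICIAL = ("nyc.gov", "dmv.ny.gov")
# Subdomain labels the article lists as per-state lures.
STATE_LABELS = {"ny", "ca", "tx", "fl"}

@dataclass
class Observation:  # hypothetical record filled in from WHOIS and the TLS certificate
    url: str
    registered: datetime       # domain creation time (UTC)
    cert_not_before: datetime  # certificate validity start (UTC)
    cert_names: tuple          # DNS names on the certificate
    seen: datetime             # when the lure was received (UTC)

def triage(obs, max_age_days=7):
    """Return the reasons a QR-decoded URL matches the pattern described above."""
    url = obs.url if "//" in obs.url else "//" + obs.url  # tolerate scheme-less QR text
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    if any(host == o or host.endswith("." + o) for o in OFFICIAL):
        return []  # exact official host or a true subdomain of one
    labels = host.split(".")
    base = ".".join(labels[-2:])  # naive registered domain; no public-suffix list used
    reasons = ["not an official host"]
    if len(labels) > 2 and labels[0] in STATE_LABELS:
        reasons.append("state-code subdomain")
    if (obs.seen - obs.registered).days < max_age_days:
        reasons.append("newly registered domain")
    if obs.cert_not_before.date() == obs.registered.date():
        reasons.append("certificate issued on registration day")
    if "*." + base in obs.cert_names:
        reasons.append("wildcard certificate")
    return reasons

# Constructed sample using the domain and dates reported in this article.
SAMPLE = Observation(
    url="https://ny.ghyml.life/",
    registered=datetime(2026, 3, 26, tzinfo=timezone.utc),
    cert_not_before=datetime(2026, 3, 26, 9, 7, tzinfo=timezone.utc),
    cert_names=("*.ghyml.life",),
    seen=datetime(2026, 3, 26, 15, 0, tzinfo=timezone.utc),
)

if __name__ == "__main__":
    for reason in triage(SAMPLE):
        print("-", reason)
```

An official name used as a prefix of another domain is still treated as unofficial, because the check requires the host to equal an official host or be a true subdomain of one.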


The Verification Layer: A Commercial Fraud Tool

The QR code on the second document resolves to a different domain: ik.djjonathan.com. This is where the operation's sophistication becomes clear.

This subdomain hosts a human verification page — a glassmorphism-styled card asking "Are you a real person?" with a single button: "I'm a real person." Clicking it sends a POST request to the server, which decrypts a stored redirect URL and sends the victim to the actual phishing payment page.

This is not a one-off page someone threw together. We found an exposed API schema (/openapi.json) that reveals a full commercial link management panel built in Python (FastAPI). It supports:

  • Creating and managing multiple encrypted phishing links, each with a unique code
  • Enabling and disabling links on demand
  • Tracking visit counts per link
  • Generating QR codes for any link
  • Admin authentication via a code-gated login panel

In other words: this is a fraud-as-a-service platform. One operator runs the panel. Clients purchase access, create links, generate QR codes, and blast them via SMS — without ever touching the underlying infrastructure.

Hidden in the page's HTML source, we found a comment written in Chinese:

"This page is for real person identity verification. When the user confirms their identity, the system verifies legitimacy, and if passed, decrypts and redirects to the target address."

The domain djjonathan.com is registered through Chengdu Fly-Digital Technology Co., Ltd., a Chinese registrar frequently appearing in abuse reports. It was last updated on March 25, 2026 — the day before the campaign launched. Its registration expires in April 2026, suggesting the operator has no intention of holding it long-term. This is a burn-and-run domain.


The Destination: A $6.99 Trap

Victims who pass the verification step are presented with what appears to be a New York DMV page. It shows a parking citation for $6.99 — a number chosen carefully. Small enough not to trigger immediate suspicion. Small enough that someone who genuinely worries they forgot a toll might just pay it.

The page asks for a name, email address, phone number, and full credit card details — number, expiration, CVV. It is a credential harvesting form. The card data goes directly to the scammer.

The fake citation number (NY-XY859A1B-CD823F4G) follows no real DMV format. The badge number listed is #4921. The page mimics the design language of New York State's actual DMV website closely enough to fool someone who has never had reason to study it carefully.


The AI Angle: Why This Looks So Good Now

A few years ago, phishing documents had tells. Blurry seals. Comic Sans. Grammar errors. Wrong logos. You could spot them if you knew what to look for.

That era is ending.

The documents in this campaign are typographically sophisticated. The seals are rendered cleanly. The language mimics legal boilerplate convincingly. The fake DMV portal matches the design system of its target well enough that a first-time viewer would have no obvious reason for suspicion.

This is what AI acceleration looks like in practice — not dramatic robot uprisings, but a quiet, rapid compression of the skill gap between amateur fraud and professional-grade deception. Generative AI tools make it trivial to:

  • Draft legally convincing threatening copy in any language
  • Generate official-looking seals, letterheads, and document layouts
  • Translate a scam template into a new state's specific government aesthetic in minutes
  • Spin up new variants faster than platforms can blacklist them

The operational speed of this campaign reflects the same shift. The domain was registered, the SSL certificate was provisioned, and the infrastructure was live within what appears to be a single morning. That kind of rapid deployment is characteristic of organized, tooled operations — not lone actors.

The FBI's Internet Crime Complaint Center (IC3) received over 298,000 phishing complaints in 2023 alone, with losses exceeding $18.7 billion. Smishing — SMS phishing — is one of the fastest-growing vectors. Chinese-nexus smishing platforms, often referred to under the umbrella term "Darcula" (after one documented kit), have been linked to campaigns across the US, UK, Australia, and Canada, specifically targeting toll and parking payment impersonation.

This looks like one of them.


What To Do

If you received the text:

  • Do not scan the QR code
  • Do not call any number listed in the document
  • Delete the message
  • Report it to the FTC at reportfraud.ftc.gov and to the FBI's IC3 at ic3.gov
  • Forward the text to 7726 (SPAM) — your carrier uses this to block the sending number

If you scanned and visited the site but did not enter information:

  • You are likely fine. The site serves different content to mobile visitors, but visiting alone does not compromise you.

If you entered payment information:

  • Contact your bank or card issuer immediately to dispute any charges and freeze the card
  • Monitor your credit for new accounts or hard inquiries
  • Consider placing a credit freeze with the three major bureaus

If you are a New York resident who is unsure whether you have a real outstanding violation:

  • Go directly to the NYC Department of Finance's official site (nyc.gov/finance) or the NY DMV's official site (dmv.ny.gov) — never through a link or QR code in a text
  • Real violations will be visible through those official portals

Technical Indicators of Compromise

Report infrastructure to: Cloudflare abuse (abuse@cloudflare.com), Dynadot abuse, FBI IC3.


Investigation conducted March 26, 2026. Infrastructure was active and newly deployed at time of publication. The Cybersecurity Reach Foundation does not link to phishing domains directly.
