SMS verification abuse at scale: releasing our open source disposable phone number list

The post SMS verification abuse at scale: releasing our open source disposable phone number list appeared first on The Castle blog.

A few weeks ago, we released an open source list of disposable email domains observed in real abuse activity: https://github.com/castle/disposable-email-domains

The goal was simple: make it easier for defenders to identify and operationalize one of the key pieces of infrastructure behind large-scale fake account creation and signup abuse.

Disposable email providers help attackers rotate identities cheaply, similarly to how proxies help them distribute traffic and evade IP-based defenses.

Today, we are releasing a second repository focused on another major abuse primitive: disposable phone numbers.

https://github.com/castle/disposable-phone-numbers

The repository contains a curated list of the 1,000 most active disposable phone numbers observed in real abuse activity, updated daily.

Just like disposable email providers, disposable phone number services help attackers scale abuse operations by giving them access to large pools of temporary identities capable of receiving SMS verification codes.

Without access to disposable inboxes, temporary phone numbers, and proxy infrastructure, many fake signup campaigns, referral abuse schemes, and bot-driven growth attacks would become significantly harder to automate at scale.

Why disposable phone numbers matter

SMS verification is often treated as a strong friction mechanism against fake account creation.

In practice, attackers adapted years ago.

Today, there is an entire ecosystem of disposable phone number providers exposing temporary phone numbers specifically designed to bypass SMS verification systems.

Many of these providers offer:

  • Public SMS inboxes
  • API-based SMS retrieval
  • Country selection
  • Carrier selection
  • Rotating number pools
  • Bulk number provisioning

effectively turning SMS verification bypass into programmable infrastructure for automation systems.

These services are heavily used in:

  • Fake account creation
  • Multi-accounting
  • Referral abuse
  • Promo abuse
  • Spam operations
  • Bot-driven growth abuse

The underlying pattern is very similar to what we observed with disposable email providers and proxy networks:

  • Proxies reduce the cost of IP rotation
  • Disposable emails reduce the cost of inbox rotation
  • Disposable phone numbers reduce the cost of phone verification bypass

Together, these systems form part of the operational infrastructure behind scalable signup abuse.

Why we built this repository

There are already many public disposable phone number lists available online. Most are community-maintained, infrequently updated, and built by aggregating data from multiple public sources.

Over time, these lists tend to accumulate:

  • Inactive phone numbers
  • Duplicate entries
  • Low-signal numbers
  • Numbers with unclear ownership
  • Large amounts of noisy data

This creates two operational problems:

  1. Increased false positives
  2. Datasets that are difficult to operationalize safely in production systems

We built this repository with a different philosophy.

The goal is not to create the largest disposable phone number list on the internet. The goal is to provide a smaller, higher-signal list that is operationally useful for fraud detection and abuse prevention teams.

What makes this list different

Curated, not aggregated

We do not import phone numbers from public disposable phone number repositories.

Every phone number included in this list is independently verified and tied to an actual disposable phone number provider or SMS verification service.

Based on real abuse telemetry

The phone numbers in this repository have been actively observed in:

  • Fake signup campaigns
  • Multi-accounting
  • Referral abuse
  • Promo abuse
  • SMS verification abuse

across Castle’s network.

The list is ranked by observed abuse prevalence, which means the highest-signal phone numbers appear first.

Small and operationally usable

We intentionally limit the public repository to 1,000 phone numbers.

Bigger is not always better for detection datasets. Extremely large disposable phone number lists tend to become noisy and harder to maintain safely.

Updated continuously

The repository is regenerated automatically every day through an automated collection pipeline.

This is important because disposable phone number providers rotate:

  • Numbers
  • Countries
  • Carriers
  • Virtual telecom infrastructure

very frequently.

How we collect phone numbers

We continuously scrape disposable phone number provider websites to extract publicly exposed phone numbers.

Many providers openly expose:

  • Temporary phone numbers
  • Public SMS inboxes
  • Verification APIs
  • Rotating pools of virtual numbers

We continuously monitor these ecosystems and correlate them with abuse activity observed across Castle’s network.

The result is a continuously updated list reflecting current abuse patterns rather than historical artifacts.

Building operational abuse intelligence feeds

Disposable email domains and disposable phone numbers are closely related problems.

In many large-scale signup abuse operations, attackers combine:

  • Disposable email addresses
  • Temporary phone numbers
  • Residential proxies
  • Automated browsers

to continuously create and rotate fake identities.

Our goal with these repositories is to make some of these infrastructure-level signals easier to operationalize for defenders.

Related repositories:

Repository format

The repository is intentionally simple:

disposable-phone-numbers.txt

One phone number per line, sorted by observed abuse prevalence.

Phone numbers are normalized using the E.164 format.

Example:

curl -sL https://raw.githubusercontent.com/castle/disposable-phone-numbers/main/disposable-phone-numbers.txt

Disposable phone numbers are only one signal

It is important to emphasize that disposable phone number usage alone is not enough to identify malicious activity.

Sophisticated attackers increasingly rely on:

  • SIM farms
  • Compromised real accounts
  • Residential mobile proxies
  • Freshly registered phone numbers
  • Aged verified accounts

This is why disposable phone number detection works best when combined with other signals, including:

  • Device fingerprinting
  • Behavioral analysis
  • Proxy detection
  • Velocity analysis
  • Account graph analysis

Effective detection comes from correlating multiple weak signals together rather than relying exclusively on the phone number itself.
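
As an added example (not code from Castle or from the repository), here is one way to consume the one-number-per-line E.164 format described under "Repository format" and treat a list hit as a ranked weak signal combined with others, as this section recommends. The sample numbers, the signal names and the weights are constructed assumptions.

```python
import re

E164 = re.compile(r"\+[1-9]\d{1,14}")

# Constructed sample standing in for disposable-phone-numbers.txt
# (one E.164 number per line, most abused first). Not real list entries.
SAMPLE_LIST = "+12025550143\n+447700900321\n+61491570156\n"

# Hypothetical weights for other signals the post names; tune on your own data.
WEIGHTS = {"proxy_ip": 0.3, "disposable_email": 0.3, "high_velocity": 0.2}

def load_ranks(text):
    """Map each valid E.164 line to its 1-based position (1 = most abused)."""
    ranks = {}
    for line in text.splitlines():
        num = line.strip()
        if E164.fullmatch(num) and num not in ranks:
            ranks[num] = len(ranks) + 1
    return ranks

def to_e164(raw, default_cc="1"):
    """Best-effort normalization. Assumption: input without '+' or '00' is a
    national number in default_cc; production code should use a full
    phone-number parsing library instead."""
    s = raw.strip()
    digits = re.sub(r"\D", "", s)
    if s.startswith("+"):
        cand = "+" + digits
    elif digits.startswith("00"):
        cand = "+" + digits[2:]
    else:
        cand = "+" + default_cc + digits.lstrip("0")
    return cand if E164.fullmatch(cand) else None

def signup_risk(raw_phone, ranks, signals, default_cc="1"):
    """Return (score in [0, 1], reasons). A list hit alone stays below 0.5."""
    score, reasons = 0.0, []
    num = to_e164(raw_phone, default_cc)
    if num is None:
        reasons.append("phone_unparseable")
    elif num in ranks:
        rank = ranks[num]
        # 0.4 at rank 1, decaying linearly toward 0.2 at the bottom of the list.
        score += 0.2 + 0.2 * (1 - (rank - 1) / len(ranks))
        reasons.append(f"disposable_phone_rank_{rank}")
    for name, weight in WEIGHTS.items():
        if signals.get(name):
            score += weight
            reasons.append(name)
    return round(min(score, 1.0), 3), reasons
```

In production, load_ranks would be fed the daily file fetched with the curl command shown earlier, and the returned reasons would be logged alongside the decision so that false positives can be traced back to the contributing signal.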

The repository is public, updated daily, and available here:

https://github.com/castle/disposable-phone-numbers

*** This is a Security Bloggers Network syndicated blog from The Castle blog authored by Antoine Vastel. Read the original post at: https://blog.castle.io/sms-verification-abuse-at-scale-releasing-our-open-source-disposable-phone-number-list/