
API · Twilio · December 22, 2025

$10,000 — a brute-forced SMS verification endpoint billed $10K in a day

Vendor: Twilio
Service: Twilio SMS / Verify
Amount: $10,000 (reported)
Timeframe: one day
Cause: SMS pumping fraud
Outcome: No vendor reply

Who's exposed: Any app with a public SMS send or verification endpoint that is not rate-limited or geo-restricted. Attackers pump traffic toward premium routes and you pay per message.

Resolution: As of posting, three weeks after the ticket, Twilio had not responded. The founder said they expected to eat the charge and only wanted a conversation.

Source: r/twilio thread by u/ben_aj_84. Self-reported; several others in the thread describe the same Twilio toll-fraud pattern.

What happened

A startup ran phone verification through Twilio with Twilio's fraud protection turned on. An attacker brute-forced the verification endpoint anyway, triggering a flood of SMS sends that reached $10,000 in fees in a single day. The founder filed a support ticket the moment it happened. Three weeks later there was still no reply, despite the company spending thousands of dollars a month on the platform. They were not counting on a refund; they wanted someone to answer.

Root cause

A public endpoint that sends an SMS on each request is a direct line to money. This is SMS pumping, also called toll fraud: attackers drive verification or send requests toward premium destinations, often taking a cut of the termination fees, while the app owner pays per message. Provider-side fraud protection helps but does not replace rate limiting, and here it did not stop a determined brute force. The cost accrues in real time, so a day is enough to reach five figures.

How to avoid it

Rate-limit and CAPTCHA the verification endpoint per IP, per number, and per session. Pumping depends on firing thousands of requests fast, so a limit strangles it at the source. Attackers do rotate source IPs and destination numbers, so no single key is enough: combine the keys and put a hard cap on total sends per window as well.

Restrict SMS to the country codes you actually serve. Most pumping routes traffic to premium destinations you have no reason to message. Twilio exposes this as messaging geo permissions in the console; set it there in addition to any prefix check in your own code, since a broad prefix like +1 admits more countries than most people expect.

Set a low daily spend alert on the messaging account, separate from the monthly bill. A one-day surge only reaches you in time if something is watching the day, not the invoice. Pair the alert with a hard stop: once the daily budget is reached the endpoint should refuse to send, not just notify.
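The three controls above, combined into one pre-send gate, as an added example. This is not CostGoat's or Twilio's code and it does not call the Twilio API; the allowlist, limits, prices and traffic are all constructed assumptions chosen to show which control catches which phase of a pumping attack, including an attacker who rotates IPs, sessions and numbers so that only a global cap and the daily budget stop them.

```python
"""Pre-send gate for an SMS verification endpoint: per-key sliding-window limits,
a destination allowlist and a daily spend cap with an early alert.
Added example, not CostGoat's or Twilio's code; every name and number is an assumption."""
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Deque, Dict, List, Optional, Tuple


@dataclass(frozen=True)
class SendRequest:
    ip: str
    session: str
    number: str  # destination in E.164 form, e.g. "+14155550100"
    ts: float    # request time in seconds; injected so a run is deterministic


@dataclass(frozen=True)
class GateConfig:
    # Assumed allowlist for a service with only US and UK users. "+1" admits every
    # NANP country, so production should also use the provider's geo-permission setting.
    allowed_prefixes: Tuple[str, ...] = ("+1", "+44")
    window_s: int = 600          # sliding window for the per-key limits
    per_ip: int = 5
    per_number: int = 3
    per_session: int = 3
    global_per_window: int = 30  # hard cap across all keys; what a fully rotating attacker hits
    cost_cents: int = 5          # assumed flat price per message; real rates vary by destination
    daily_budget_cents: int = 200
    alert_fraction: float = 0.5  # page a human at this share of the daily budget


class SmsGate:
    def __init__(self, cfg: Optional[GateConfig] = None) -> None:
        self.cfg = cfg or GateConfig()
        self._hits: Dict[str, Deque[float]] = defaultdict(deque)  # key -> timestamps of accepted sends
        self.spent_cents = 0
        self.alerts: List[str] = []

    def destination_allowed(self, number: str) -> bool:
        if not (number.startswith("+") and number[1:].isdigit()):
            return False
        return any(number.startswith(p) for p in self.cfg.allowed_prefixes)

    def _count(self, key: str, ts: float) -> int:
        """Accepted sends under this key inside the window, evicting expired entries."""
        q = self._hits[key]
        while q and ts - q[0] >= self.cfg.window_s:
            q.popleft()
        return len(q)

    def decide(self, req: SendRequest) -> Tuple[bool, str]:
        """Return (allowed, reason). Only accepted sends count toward limits and spend."""
        c = self.cfg
        if not self.destination_allowed(req.number):
            return False, "destination-not-served"
        if self.spent_cents + c.cost_cents > c.daily_budget_cents:
            return False, "daily-budget-exhausted"
        limits = {
            f"ip:{req.ip}": c.per_ip,
            f"num:{req.number}": c.per_number,
            f"sess:{req.session}": c.per_session,
            "global": c.global_per_window,
        }
        for key, limit in limits.items():
            if self._count(key, req.ts) >= limit:
                return False, f"rate-limit:{key.split(':', 1)[0]}"
        for key in limits:
            self._hits[key].append(req.ts)
        self.spent_cents += c.cost_cents
        if not self.alerts and self.spent_cents >= c.alert_fraction * c.daily_budget_cents:
            self.alerts.append(
                f"SMS spend {self.spent_cents} cents reached {c.alert_fraction:.0%} of daily budget")
        return True, "send"


def simulate(gate: SmsGate, requests: List[SendRequest]) -> Dict[str, int]:
    """Run requests through the gate and tally the decision reasons."""
    outcomes: Dict[str, int] = defaultdict(int)
    for r in requests:
        outcomes[gate.decide(r)[1]] += 1
    return dict(outcomes)


def constructed_attack() -> List[SendRequest]:
    """Constructed traffic (not real data) in four phases of increasing evasiveness."""
    reqs: List[SendRequest] = []
    # 1. One IP hammers a destination outside the allowlist: stopped by the prefix check.
    reqs += [SendRequest("203.0.113.7", "s-abc", "+99955500000", 1000.0 + i) for i in range(20)]
    # 2. Same IP rotates served numbers and sessions: the per-IP limit stops it after 5 sends.
    reqs += [SendRequest("203.0.113.7", f"s-{i}", f"+1415555{i:04d}", 1100.0 + i) for i in range(20)]
    # 3. Rotating IPs, sessions and numbers: no per-key limit trips; only the global cap does.
    reqs += [SendRequest(f"198.51.100.{i}", f"bot-{i}", f"+4477009{i:05d}", 1200.0 + i) for i in range(100)]
    # 4. Same again after the window expired: per-window caps reset, the daily budget does not.
    reqs += [SendRequest(f"192.0.2.{i}", f"late-{i}", f"+1212555{i:04d}", 2000.0 + i) for i in range(20)]
    return reqs


if __name__ == "__main__":
    gate = SmsGate()
    print(simulate(gate, constructed_attack()))
    print(gate.alerts)
```

Only accepted sends are recorded against the limit keys, so blocked requests cannot themselves exhaust another user's allowance, and the budget check runs before the rate limits so that a breached budget refuses everything regardless of how well the traffic is spread. In a real deployment the counters would live in a shared store such as Redis rather than process memory, and the alert would page someone rather than append to a list.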

CostGoat watches your Twilio bills, so a surprise like this reaches you as an alert, not an invoice.
