Chinese-language money alliance reshapes ransomware ecosystem operations
Threat Actor Meta
Summary
Trafficking-linked crypto payments are increasingly routed through Telegram-based CMLN services, scam compounds, and online casinos, expanding the scale and resilience of organized criminal monetization. The activity reached hundreds of millions of dollars last year and crypto inflows rose 85% annually. The ecosystem now spans escort services, labor placement agents, prostitution networks, and CSAM vendors, showing how multiple illicit lines of business can share payment infrastructure. One dark web site alone used 5,800 cryptocurrency addresses and generated more than $530,000 since July 2022.
Related Happenings
Anonymous Fénix DDoS and volunteer-recruitment campaign
Campaign
First: 23.02.2026 23:59
Last: 23.02.2026 23:59
Sources 1
About this happening:
**Anonymous Fénix** escalated its **DDoS** campaign by recruiting volunteers, increasing disruption risk for **government and public-institution domains** across **Spain** and par...
ZeroDayRAT Telegram spyware seller ecosystem with direct developer support
Threat Actor Meta
First: 10.02.2026 23:37
Last: 10.02.2026 23:37
Sources 1
About this happening:
**ZeroDayRAT** is being sold as a **Telegram-based spyware service** with direct access to the developer through dedicated channels for **sales**, **customer support**, and **regu...
Global HYIP scam campaign using fake investment sites and social media
Campaign
First: 02.02.2026 17:34
Last: 02.02.2026 17:34
Sources 1
About this happening:
A **global HYIP scam campaign** is using **4,200+ fake investment websites** and **social-media promotion** to solicit deposits, creating sustained fraud risk for investors and ma...
Hecker-Sakuya-LiveGamer101 alliance reshapes ransomware ecosystem operations
Threat Actor Meta
First: 28.01.2026 15:15
Last: 28.01.2026 15:15
Sources 1
About this happening:
**SilverInc** is operating a commercial **access-resale ecosystem** for exposed or weakly authenticated **LLM endpoints**, turning unauthorized access into a monetized supply chai...
Bizarre Bazaar campaign targeting exposed LLM and MCP endpoints
Campaign
First: 28.01.2026 15:15
Last: 28.01.2026 15:15
Sources 1
About this happening:
**Bizarre Bazaar** is an active **LLMjacking** campaign targeting **exposed LLM and MCP endpoints** to monetize unauthorized access to AI infrastructure. Researchers say the opera...
Latest development: 29.01.2026 20:37
Researchers said Operation Bizarre Bazaar, an LLMjacking marketplace that scans for exposed Ollama, vLLM, and OpenAI-compatible APIs without authentication and resells access through silver[.]inc, has been traced to Hecker (aka Sakuya and LiveGamer101).
Timeline
- 16.02.2026 12:30 · 2 articles · 3mo ago
Chainalysis reports Telegram-linked trafficking finance expansion
Initial Disclosure
Chainalysis said human trafficking operations made hundreds of millions of dollars last year as cryptocurrency inflows surged 85% annually, and linked the activity to South East Asia scam compounds, online casinos, and Chinese-language money laundering (CMLN) networks operating on Telegram. The analysis also described Telegram-based international escort services, labor placement agents supporting kidnapping and forced labor in scam compounds, prostitution networks, and CSAM vendors, and said one dark web site used 5,800 cryptocurrency addresses and generated more than $530,000 since July 2022.
Sources:
- Crypto Payments to Human Traffickers Surges 85% — www.infosecurity-magazine.com — 16.02.2026 12:30