Chinese-language money alliance reshapes ransomware ecosystem operations
Threat Actor Meta
Summary
Hide ▲
Show ▼
Trafficking-linked crypto payments are increasingly routed through Telegram-based CMLN services, scam compounds, and online casinos, expanding the scale and resilience of organized criminal monetization. The activity reached hundreds of millions of dollars last year and crypto inflows rose 85% annually. The ecosystem now spans escort services, labor placement agents, prostitution networks, and CSAM vendors, showing how multiple illicit lines of business can share payment infrastructure. One dark web site alone used 5,800 cryptocurrency addresses and generated more than $530,000 since July 2022.
Related Happenings
Treasury sanctions Prince Group-linked entities and FinCEN designates H-Pay Service
Regulatory/Legal Action
H score17
First: 24.06.2026 11:55
Last: 24.06.2026 11:55
Sources 1
About this happening:
The **U.S. Treasury** imposed fresh sanctions on **nine individuals** and **26 entities** linked to **Prince Group**, while **FinCEN** designated **H-Pay Service PLC** as a **prim...
Treasury sanctions Prince Group-linked entities and FinCEN designates H-Pay Service
Regulatory/Legal ActionAbout this happening: The **U.S. Treasury** imposed fresh sanctions on **nine individuals** and **26 entities** linked to **Prince Group**, while **FinCEN** designated **H-Pay Service PLC** as a **prim...
AudiA6 laundering ecosystem and Dark2Web forum
Threat Actor Meta
H score31
First: 11.06.2026 18:55
Last: 11.06.2026 18:55
Sources 1
About this happening:
**AudiA6** was disrupted as an **industrial-scale cryptocurrency laundering service** used by **ransomware gangs** and other cybercriminal networks. Europol said the ecosystem lau...
AudiA6 laundering ecosystem and Dark2Web forum
Threat Actor MetaAbout this happening: **AudiA6** was disrupted as an **industrial-scale cryptocurrency laundering service** used by **ransomware gangs** and other cybercriminal networks. Europol said the ecosystem lau...
Anonymous Fénix DDoS and volunteer-recruitment campaign
Campaign
H score29
First: 23.02.2026 23:59
Last: 23.02.2026 23:59
Sources 1
About this happening:
**Anonymous Fénix** escalated its **DDoS** campaign by recruiting volunteers, increasing disruption risk for **government and public-institution domains** across **Spain** and par...
Anonymous Fénix DDoS and volunteer-recruitment campaign
CampaignAbout this happening: **Anonymous Fénix** escalated its **DDoS** campaign by recruiting volunteers, increasing disruption risk for **government and public-institution domains** across **Spain** and par...
ZeroDayRAT Telegram spyware seller ecosystem with direct developer support
Threat Actor Meta
H score31
First: 10.02.2026 23:37
Last: 10.02.2026 23:37
Sources 1
About this happening:
**ZeroDayRAT** is being sold as a **Telegram-based spyware service** with direct access to the developer through dedicated channels for **sales**, **customer support**, and **regu...
ZeroDayRAT Telegram spyware seller ecosystem with direct developer support
Threat Actor MetaAbout this happening: **ZeroDayRAT** is being sold as a **Telegram-based spyware service** with direct access to the developer through dedicated channels for **sales**, **customer support**, and **regu...
Global HYIP scam campaign using fake investment sites and social media
Campaign
H score47
First: 02.02.2026 17:34
Last: 02.02.2026 17:34
Sources 1
About this happening:
A **global HYIP scam campaign** is using **4,200+ fake investment websites** and **social-media promotion** to solicit deposits, creating sustained fraud risk for investors and ma...
Global HYIP scam campaign using fake investment sites and social media
CampaignAbout this happening: A **global HYIP scam campaign** is using **4,200+ fake investment websites** and **social-media promotion** to solicit deposits, creating sustained fraud risk for investors and ma...
Timeline
-
16.02.2026 12:30 2 articles · 4mo ago
Chainalysis reports Telegram-linked trafficking finance expansion
Initial DisclosureChainalysis said human trafficking operations made hundreds of millions of dollars last year as cryptocurrency inflows surged 85% annually, and linked the activity to South East Asia scam compounds, online casinos, and Chinese-language money laundering (CMLN) networks operating on Telegram. The analysis also described Telegram-based international escort services, labor placement agents supporting kidnapping and forced labor in scam compounds, prostitution networks, and CSAM vendors, and said one dark web site used 5,800 cryptocurrency addresses and generated more than $530,000 since July 2022.
Show sources
- Crypto Payments to Human Traffickers Surges 85% — www.infosecurity-magazine.com — 16.02.2026 12:30
- Crypto Payments to Human Traffickers Surges 85% — www.infosecurity-magazine.com — 16.02.2026 12:30