Triad Nexus expands fraud ecosystem and shifts into emerging markets after 2025 US sanctions
Threat Actor Meta
Summary
Hide ▲
Show ▼
Triad Nexus expanded its fraud ecosystem after US Treasury sanctions in 2025, increasing operational scale and shifting into emerging markets. The network’s use of US blocks, cloned portals, and compromised cloud infrastructure raises the cost and difficulty of disruption while keeping scam reach high.
Related Happenings
DCloud Uni-App scam website campaign
Campaign
H score70
First: 29.06.2026 14:57
Last: 29.06.2026 14:57
Sources 1
About this happening:
The **DCloud Uni-App** scam-site campaign has grown into a **236,493-domain** fraud network that steals credentials, drains crypto wallets, and impersonates major brands. The site...
DCloud Uni-App scam website campaign
CampaignAbout this happening: The **DCloud Uni-App** scam-site campaign has grown into a **236,493-domain** fraud network that steals credentials, drains crypto wallets, and impersonates major brands. The site...
Amadey and StealC MaaS ecosystem and affiliate model
Threat Actor Meta
H score73
First: 24.06.2026 18:59
Last: 24.06.2026 18:59
Sources 1
About this happening:
The **Amadey** and **StealC** ecosystems now operate as **malware-as-a-service (MaaS)** offerings, widening access to loader and stealer capabilities for paying customers and affi...
Amadey and StealC MaaS ecosystem and affiliate model
Threat Actor MetaAbout this happening: The **Amadey** and **StealC** ecosystems now operate as **malware-as-a-service (MaaS)** offerings, widening access to loader and stealer capabilities for paying customers and affi...
Treasury sanctions Prince Group-linked entities and FinCEN designates H-Pay Service
Regulatory/Legal Action
H score17
First: 24.06.2026 11:55
Last: 24.06.2026 11:55
Sources 1
About this happening:
The **U.S. Treasury** imposed fresh sanctions on **nine individuals** and **26 entities** linked to **Prince Group**, while **FinCEN** designated **H-Pay Service PLC** as a **prim...
Treasury sanctions Prince Group-linked entities and FinCEN designates H-Pay Service
Regulatory/Legal ActionAbout this happening: The **U.S. Treasury** imposed fresh sanctions on **nine individuals** and **26 entities** linked to **Prince Group**, while **FinCEN** designated **H-Pay Service PLC** as a **prim...
Popa botnet forcing consumer TV boxes to relay traffic
Malware Activity
H score76
First: 18.06.2026 20:37
Last: 18.06.2026 20:37
Sources 1
About this happening:
**Popa** is an **Android-based botnet** that turns **consumer TV boxes** and related devices into relay infrastructure, maintaining encrypted connectivity and opening tunnels on d...
Popa botnet forcing consumer TV boxes to relay traffic
Malware ActivityAbout this happening: **Popa** is an **Android-based botnet** that turns **consumer TV boxes** and related devices into relay infrastructure, maintaining encrypted connectivity and opening tunnels on d...
Latest development: 03.07.2026 12:35
Google disabled NetNut accounts used for malware command-and-control, updated Google Play Protect to warn Android users, and disabled apps containing compromised SDKs while FBI legal actions and domain seizures targeted NetNut infrastructure. The coordinated disruption was described as degrading NetNut’s proxy network and shrinking the pool of devices available to the operator.
FBI takedown of Outsider Enterprise phishing service
Law Enforcement
H score63
First: 14.06.2026 17:36
Last: 14.06.2026 17:36
Sources 1
About this happening:
The **FBI** and partners **dismantled** **Outsider Enterprise**, a **phishing-as-a-service** operation tied to **thousands of phishing websites** and large-scale credential theft....
FBI takedown of Outsider Enterprise phishing service
Law EnforcementAbout this happening: The **FBI** and partners **dismantled** **Outsider Enterprise**, a **phishing-as-a-service** operation tied to **thousands of phishing websites** and large-scale credential theft....
Timeline
-
14.04.2026 15:00 2 articles · 2mo ago
Triad Nexus expands fraud operations after US sanctions
Campaign Scope UpdateTriad Nexus expanded its fraud ecosystem after US Treasury sanctions in 2025, continuing large-scale investment scams and brand impersonation while shifting toward emerging markets. The network used compromised AWS, Cloudflare, Google, and Microsoft accounts for infrastructure laundering, added a US block to keep out US-based investigators, deployed localized scam templates in Spanish, Vietnamese, and Indonesian, and contributed to Silent Push developing a CNAME Chain Lookup tool for tracing layered domain redirection. Reported losses exceed $200m, and average victim losses reached $150,000.
Show sources
- Triad Nexus Expands Global Fraud Operations Despite US Sanctions — www.infosecurity-magazine.com — 14.04.2026 15:00
- Triad Nexus Expands Global Fraud Operations Despite US Sanctions — www.infosecurity-magazine.com — 14.04.2026 15:00