Triad Nexus expands fraud ecosystem and shifts into emerging markets after 2025 US sanctions
Threat Actor Meta
Summary
Triad Nexus expanded its fraud ecosystem after US Treasury sanctions in 2025, increasing operational scale and shifting into emerging markets. The network’s use of US blocks, cloned portals, and compromised cloud infrastructure raises the cost and difficulty of disruption while keeping scam reach high.
Related Happenings
Lucifer DaaS’s evolution into a commission-based drainer service platform
Threat Actor Meta
First: 21.05.2026 17:00
Last: 21.05.2026 17:00
Sources 1
About this happening:
**Lucifer DaaS** has evolved into a **structured underground drainer platform**, shifting wallet theft from isolated phishing pages to a commission-based service model that scales...
U.S. Treasury sanctions Kok An scam network
Regulatory/Legal Action
First: 04.05.2026 08:59
Last: 04.05.2026 08:59
Sources 1
About this happening:
The **U.S. Treasury Department** sanctioned **Cambodian Senator Kok An** and affiliates tied to **cyber scam compounds**, escalating financial and legal pressure on a network accu...
Triad Nexus investment scam and brand impersonation campaign targeting emerging markets
Campaign
First: 14.04.2026 15:00
Last: 14.04.2026 15:00
Sources 1
How related:
Known as Triad Nexus, the group reportedly continues to run large-scale investment scams and brand impersonation campaigns, while it has also shifted focus towards emerging markets.
About this happening:
The **Triad Nexus** campaign is continuing to run **large-scale investment scams** and **brand impersonation**, expanding into **emerging markets** and driving higher fraud losses...
Venom Stealer subscription and affiliate malware-service ecosystem
Threat Actor Meta
First: 01.04.2026 16:30
Last: 01.04.2026 16:30
Sources 1
About this happening:
**Venom Stealer** is being run as a **subscription-based** malware service with **Telegram licensing** and an **affiliate program**, signaling a more organized cybercrime ecosyste...
OFAC sanctions DPRK IT worker scheme network
Regulatory/Legal Action
First: 18.03.2026 19:26
Last: 18.03.2026 19:26
Sources 1
About this happening:
**OFAC** sanctioned **Ryujong Credit Bank**, **KMCTC**, and **eight individuals** tied to **North Korean cryptocurrency laundering** and **fraudulent IT worker schemes**. The **U....
Timeline
- 14.04.2026 15:00 · 2 articles · 1mo ago
Triad Nexus expands fraud operations after US sanctions
Campaign Scope Update
Triad Nexus expanded its fraud ecosystem after US Treasury sanctions in 2025, continuing large-scale investment scams and brand impersonation while shifting toward emerging markets. The network used compromised AWS, Cloudflare, Google, and Microsoft accounts for infrastructure laundering, added a US block to keep out US-based investigators, deployed localized scam templates in Spanish, Vietnamese, and Indonesian, and contributed to Silent Push developing a CNAME Chain Lookup tool for tracing layered domain redirection. Reported losses exceed $200m, and average victim losses reached $150,000.
Sources
- Triad Nexus Expands Global Fraud Operations Despite US Sanctions — www.infosecurity-magazine.com — 14.04.2026 15:00