Find notable cyber news and cases, enriched with sources, timelines, and signals.

Triad Nexus expands fraud ecosystem and shifts into emerging markets after 2025 US sanctions

Threat Actor Meta
First reported
Last updated
Happening score
H score 43
1 unique sources, 1 articles

Summary

Hide ▲

Triad Nexus expanded its fraud ecosystem after US Treasury sanctions in 2025, increasing operational scale and shifting into emerging markets. The network’s use of US blocks, cloned portals, and compromised cloud infrastructure raises the cost and difficulty of disruption while keeping scam reach high.

Related Happenings

DCloud Uni-App scam website campaign

Campaign
H score70 First: 29.06.2026 14:57 Last: 29.06.2026 14:57 Sources 1

About this happening: The **DCloud Uni-App** scam-site campaign has grown into a **236,493-domain** fraud network that steals credentials, drains crypto wallets, and impersonates major brands. The site...

Amadey and StealC MaaS ecosystem and affiliate model

Threat Actor Meta
H score73 First: 24.06.2026 18:59 Last: 24.06.2026 18:59 Sources 1

About this happening: The **Amadey** and **StealC** ecosystems now operate as **malware-as-a-service (MaaS)** offerings, widening access to loader and stealer capabilities for paying customers and affi...

Treasury sanctions Prince Group-linked entities and FinCEN designates H-Pay Service

Regulatory/Legal Action
H score17 First: 24.06.2026 11:55 Last: 24.06.2026 11:55 Sources 1

About this happening: The **U.S. Treasury** imposed fresh sanctions on **nine individuals** and **26 entities** linked to **Prince Group**, while **FinCEN** designated **H-Pay Service PLC** as a **prim...

Popa botnet forcing consumer TV boxes to relay traffic

Malware Activity
H score76 First: 18.06.2026 20:37 Last: 18.06.2026 20:37 Sources 1

About this happening: **Popa** is an **Android-based botnet** that turns **consumer TV boxes** and related devices into relay infrastructure, maintaining encrypted connectivity and opening tunnels on d...

Latest development: 03.07.2026 12:35

Google disabled NetNut accounts used for malware command-and-control, updated Google Play Protect to warn Android users, and disabled apps containing compromised SDKs while FBI legal actions and domain seizures targeted NetNut infrastructure. The coordinated disruption was described as degrading NetNut’s proxy network and shrinking the pool of devices available to the operator.

FBI takedown of Outsider Enterprise phishing service

Law Enforcement
H score63 First: 14.06.2026 17:36 Last: 14.06.2026 17:36 Sources 1

About this happening: The **FBI** and partners **dismantled** **Outsider Enterprise**, a **phishing-as-a-service** operation tied to **thousands of phishing websites** and large-scale credential theft....

Timeline

  1. 14.04.2026 15:00 2 articles · 2mo ago

    Triad Nexus expands fraud operations after US sanctions

    Campaign Scope Update

    Triad Nexus expanded its fraud ecosystem after US Treasury sanctions in 2025, continuing large-scale investment scams and brand impersonation while shifting toward emerging markets. The network used compromised AWS, Cloudflare, Google, and Microsoft accounts for infrastructure laundering, added a US block to keep out US-based investigators, deployed localized scam templates in Spanish, Vietnamese, and Indonesian, and contributed to Silent Push developing a CNAME Chain Lookup tool for tracing layered domain redirection. Reported losses exceed $200m, and average victim losses reached $150,000.

    Show sources