Triad Nexus investment scam and brand impersonation campaign targeting emerging markets
Campaign
Summary
Hide ▲
Show ▼
The Triad Nexus campaign is continuing to run large-scale investment scams and brand impersonation, expanding into emerging markets and driving higher fraud losses. Its operators are using cloned brand sites and cloud-hosted infrastructure to harvest credentials and divert payments. The operation matters because it remains active, repeatable, and designed to scale across multiple sectors and regions.
Related Happenings
Outsider Enterprise-Outsider-Chinese cybercrime alliance reshapes ransomware ecosystem operations
Threat Actor Meta
H score69
First: 12.06.2026 21:59
Last: 12.06.2026 21:59
Sources 1
About this happening:
The **Outsider Enterprise** is a **Chinese phishing-as-a-service** operation that used **Telegram**, **AI**, and distributed phishing kits to run large-scale brand-impersonation c...
Outsider Enterprise-Outsider-Chinese cybercrime alliance reshapes ransomware ecosystem operations
Threat Actor MetaAbout this happening: The **Outsider Enterprise** is a **Chinese phishing-as-a-service** operation that used **Telegram**, **AI**, and distributed phishing kits to run large-scale brand-impersonation c...
FIFA-themed phishing-as-a-service market selling scam kits and ticket-buying bots
Threat Actor Meta
H score42
First: 05.06.2026 10:01
Last: 05.06.2026 10:01
Sources 1
About this happening:
A **FIFA-themed phishing-as-a-service market** is selling **ready-made scam kits** and **ticket-buying bots**, lowering the barrier for fraud operators and making takedowns less e...
FIFA-themed phishing-as-a-service market selling scam kits and ticket-buying bots
Threat Actor MetaAbout this happening: A **FIFA-themed phishing-as-a-service market** is selling **ready-made scam kits** and **ticket-buying bots**, lowering the barrier for fraud operators and making takedowns less e...
Triad Nexus expands fraud ecosystem and shifts into emerging markets after 2025 US sanctions
Threat Actor Meta
H score43
First: 14.04.2026 15:00
Last: 14.04.2026 15:00
Sources 1
How related:
A cybercrime network responsible for more than $200m in reported losses has expanded its operations and refined its tactics following US Treasury sanctions in 2025.
About this happening:
**Triad Nexus** expanded its fraud ecosystem after **US Treasury sanctions in 2025**, increasing operational scale and shifting into **emerging markets**. The network’s use of **U...
Triad Nexus expands fraud ecosystem and shifts into emerging markets after 2025 US sanctions
Threat Actor MetaHow related: A cybercrime network responsible for more than $200m in reported losses has expanded its operations and refined its tactics following US Treasury sanctions in 2025.
About this happening: **Triad Nexus** expanded its fraud ecosystem after **US Treasury sanctions in 2025**, increasing operational scale and shifting into **emerging markets**. The network’s use of **U...
VENOM closed-access PhaaS operating model limits researcher visibility
Threat Actor Meta
H score18
First: 10.04.2026 00:37
Last: 10.04.2026 00:37
Sources 1
About this happening:
**VENOM** is operating as a **closed-access phishing-as-a-service** platform, reducing researcher visibility while supporting **underground credential theft**. The service targets...
VENOM closed-access PhaaS operating model limits researcher visibility
Threat Actor MetaAbout this happening: **VENOM** is operating as a **closed-access phishing-as-a-service** platform, reducing researcher visibility while supporting **underground credential theft**. The service targets...
EvilTokens PhaaS scales device code phishing for low-skilled cybercriminals
Threat Actor Meta
H score32
First: 04.04.2026 17:17
Last: 04.04.2026 17:17
Sources 1
About this happening:
**EvilTokens** is turning **device code phishing** into a **phishing-as-a-service** market, expanding access for **low-skilled cybercriminals** and accelerating competition among...
EvilTokens PhaaS scales device code phishing for low-skilled cybercriminals
Threat Actor MetaAbout this happening: **EvilTokens** is turning **device code phishing** into a **phishing-as-a-service** market, expanding access for **low-skilled cybercriminals** and accelerating competition among...
Timeline
-
14.04.2026 15:00 2 articles · 2mo ago
Triad Nexus expands fraud operations after US Treasury sanctions
Initial DisclosureTriad Nexus continues large-scale investment scams and brand impersonation campaigns after US Treasury sanctions in 2025, shifting into emerging markets and using compromised AWS, Cloudflare, Google and Microsoft accounts for infrastructure laundering, a US block, localized scam templates, and cloned banking, luxury retail, and public-service portals to harvest credentials and divert payments; the network is linked to more than $200m in reported losses and average victim losses of $150,000.
Show sources
- Triad Nexus Expands Global Fraud Operations Despite US Sanctions — www.infosecurity-magazine.com — 14.04.2026 15:00
- Triad Nexus Expands Global Fraud Operations Despite US Sanctions — www.infosecurity-magazine.com — 14.04.2026 15:00