Triad Nexus investment scam and brand impersonation campaign targeting emerging markets
Campaign
Summary
The Triad Nexus campaign is continuing to run large-scale investment scams and brand impersonation, expanding into emerging markets and driving higher fraud losses. Its operators are using cloned brand sites and cloud-hosted infrastructure to harvest credentials and divert payments. The operation matters because it remains active, repeatable, and designed to scale across multiple sectors and regions.
Related Happenings
Triad Nexus expands fraud ecosystem and shifts into emerging markets after 2025 US sanctions
Threat Actor Meta
First: 14.04.2026 15:00
Last: 14.04.2026 15:00
Sources 1
How related:
A cybercrime network responsible for more than $200m in reported losses has expanded its operations and refined its tactics following US Treasury sanctions in 2025.
About this happening:
**Triad Nexus** expanded its fraud ecosystem after **US Treasury sanctions in 2025**, increasing operational scale and shifting into **emerging markets**. The network’s use of **U...
VENOM closed-access PhaaS operating model limits researcher visibility
Threat Actor Meta
First: 10.04.2026 00:37
Last: 10.04.2026 00:37
Sources 1
About this happening:
**VENOM** is operating as a **closed-access phishing-as-a-service** platform, reducing researcher visibility while supporting **underground credential theft**. The service targets...
EvilTokens PhaaS scales device code phishing for low-skilled cybercriminals
Threat Actor Meta
First: 04.04.2026 17:17
Last: 04.04.2026 17:17
Sources 1
About this happening:
**EvilTokens** is turning **device code phishing** into a **phishing-as-a-service** market, expanding access for **low-skilled cybercriminals** and accelerating competition among...
CrowdStrike Microsoft Marketplace listing
Commercial Activity
First: 03.04.2026 14:53
Last: 03.04.2026 14:53
Sources 1
About this happening:
CrowdStrike made **its offerings** available in the **Microsoft Marketplace**, expanding how enterprise buyers can procure **cybersecurity products**. Eligible customers with **Mi...
Venom Stealer subscription and affiliate malware-service ecosystem
Threat Actor Meta
First: 01.04.2026 16:30
Last: 01.04.2026 16:30
Sources 1
About this happening:
**Venom Stealer** is being run as a **subscription-based** malware service with **Telegram licensing** and an **affiliate program**, signaling a more organized cybercrime ecosyste...
Timeline
- 14.04.2026 15:00 · 2 articles
Triad Nexus expands fraud operations after US Treasury sanctions
Initial Disclosure: Triad Nexus continues large-scale investment scams and brand impersonation campaigns after US Treasury sanctions in 2025, shifting into emerging markets and using compromised AWS, Cloudflare, Google and Microsoft accounts for infrastructure laundering, a US block, localized scam templates, and cloned banking, luxury retail, and public-service portals to harvest credentials and divert payments; the network is linked to more than $200m in reported losses and average victim losses of $150,000.
Sources:
- Triad Nexus Expands Global Fraud Operations Despite US Sanctions — www.infosecurity-magazine.com — 14.04.2026 15:00