Find notable cyber news and cases, enriched with sources, timelines, and signals.

Triad Nexus investment scam and brand impersonation campaign targeting emerging markets

Campaign
First reported
Last updated
Happening score
H score 33
1 unique sources, 1 articles

Summary

Hide ▲

The Triad Nexus campaign is continuing to run large-scale investment scams and brand impersonation, expanding into emerging markets and driving higher fraud losses. Its operators are using cloned brand sites and cloud-hosted infrastructure to harvest credentials and divert payments. The operation matters because it remains active, repeatable, and designed to scale across multiple sectors and regions.

Related Happenings

Outsider Enterprise-Outsider-Chinese cybercrime alliance reshapes ransomware ecosystem operations

Threat Actor Meta
H score69 First: 12.06.2026 21:59 Last: 12.06.2026 21:59 Sources 1

About this happening: The **Outsider Enterprise** is a **Chinese phishing-as-a-service** operation that used **Telegram**, **AI**, and distributed phishing kits to run large-scale brand-impersonation c...

FIFA-themed phishing-as-a-service market selling scam kits and ticket-buying bots

Threat Actor Meta
H score42 First: 05.06.2026 10:01 Last: 05.06.2026 10:01 Sources 1

About this happening: A **FIFA-themed phishing-as-a-service market** is selling **ready-made scam kits** and **ticket-buying bots**, lowering the barrier for fraud operators and making takedowns less e...

Triad Nexus expands fraud ecosystem and shifts into emerging markets after 2025 US sanctions

Threat Actor Meta
H score43 First: 14.04.2026 15:00 Last: 14.04.2026 15:00 Sources 1

How related: A cybercrime network responsible for more than $200m in reported losses has expanded its operations and refined its tactics following US Treasury sanctions in 2025.

About this happening: **Triad Nexus** expanded its fraud ecosystem after **US Treasury sanctions in 2025**, increasing operational scale and shifting into **emerging markets**. The network’s use of **U...

VENOM closed-access PhaaS operating model limits researcher visibility

Threat Actor Meta
H score18 First: 10.04.2026 00:37 Last: 10.04.2026 00:37 Sources 1

About this happening: **VENOM** is operating as a **closed-access phishing-as-a-service** platform, reducing researcher visibility while supporting **underground credential theft**. The service targets...

EvilTokens PhaaS scales device code phishing for low-skilled cybercriminals

Threat Actor Meta
H score32 First: 04.04.2026 17:17 Last: 04.04.2026 17:17 Sources 1

About this happening: **EvilTokens** is turning **device code phishing** into a **phishing-as-a-service** market, expanding access for **low-skilled cybercriminals** and accelerating competition among...

Timeline

  1. 14.04.2026 15:00 2 articles · 2mo ago

    Triad Nexus expands fraud operations after US Treasury sanctions

    Initial Disclosure

    Triad Nexus continues large-scale investment scams and brand impersonation campaigns after US Treasury sanctions in 2025, shifting into emerging markets and using compromised AWS, Cloudflare, Google and Microsoft accounts for infrastructure laundering, a US block, localized scam templates, and cloned banking, luxury retail, and public-service portals to harvest credentials and divert payments; the network is linked to more than $200m in reported losses and average victim losses of $150,000.

    Show sources