How Triad Nexus Keeps Its $200M Fraud Machine Running After US Sanctions

April 14, 2026 12:00 · 5 min read
A Sanctioned Network That Refuses to Stay Down

Triad Nexus, a criminal network that serves as the operational backbone for scams, money laundering, and illicit gambling, has managed to keep its fraud engine running despite coming under US sanctions in 2025. According to a new report from cyber defense firm Silent Push, the group has employed infrastructure laundering, front companies, and geo-fencing to distance itself from its sanctioned infrastructure and continue targeting victims worldwide.

Active since at least 2020, Triad Nexus has been responsible for more than $200 million in losses, the bulk of which stems from sophisticated cryptocurrency investment fraud (CIF) schemes — commonly known as pig butchering scams. The operation is linked to Asian organized crime and has historically depended on the Funnull content delivery network (CDN), a Philippines-based company, as its primary infrastructure provider.

The Funnull Connection and Initial Exposure

Silent Push first brought Triad Nexus into the spotlight in 2024, when it analyzed 200,000 unique hostnames being proxied through Funnull. That investigation also tied the group to the Polyfill supply chain attack and to retail phishing campaigns impersonating major consumer brands.

After the United States imposed sanctions on Funnull, Triad Nexus set about methodically severing its visible ties to the company. Rather than dissolving, the network adapted — a pattern that Silent Push says has become a defining characteristic of the group.

"Despite federal sanctions in 2025, the group has reinstated its global fraud engine, shifting its focus toward emerging markets while maintaining a persistent threat to Western enterprise assets." — Silent Push

Infrastructure Laundering Through Big Tech Cloud Services

One of the most notable tactics now being used by Triad Nexus is the deliberate abuse of legitimate enterprise cloud platforms. The group has been routing fraudulent operations through services operated by Amazon, Cloudflare, Google, and Microsoft, acquiring accounts through so-called account mules who illicitly obtain cloud credentials on the group's behalf.

Silent Push notes that this approach gives the group's scam sites the appearance of legitimacy, along with the high-speed performance and reliability that even technically sophisticated Western targets may not immediately question. By piggybacking on trusted cloud infrastructure, the group effectively launders the credibility of its operations.

Alongside this cloud-based laundering, Triad Nexus continues to rely on AS152194 (CTG Server Limited) as the bulletproof backbone of its network — an autonomous system that has remained a persistent fixture throughout the group's evolution.

Brand Impersonation at Scale

A significant portion of the group's fraud activity involves creating pixel-perfect clones of well-known brand websites. Among the organizations whose identities Triad Nexus has impersonated are:

These cloned sites are used to harvest credentials, payment data, and personal information from unsuspecting users who believe they are interacting with legitimate services.

Geo-Fencing and a Pivot to Emerging Markets

To evade post-sanctions monitoring by US authorities, Triad Nexus implemented a US IP block, preventing visitors from American IP addresses from accessing the illicit domains. This geographic firewall effectively shields the most sensitive parts of its operation from scrutiny by US-based researchers and law enforcement.

At the same time, the group has been aggressively expanding into new regions. Silent Push reports that Triad Nexus is now targeting Spanish-, Vietnamese-, and Indonesian-speaking markets, deploying localized templates tailored to each region.

"As the network continues to withdraw from direct U.S. exposure to avoid detection, it has been pivotally expanding into the Spanish, Vietnamese, and Indonesian markets. Using localized templates to target these regions, its goal is to ensure its illicit profits continue to flow." — Silent Push

Front Companies and CNAME Obfuscation

Triad Nexus began establishing clean front companies even before the US sanctions took effect, giving it a ready-made infrastructure to pivot to when Funnull was targeted. Identified front companies include:

Beyond these named entities, the group has begun routing traffic through more than 175 randomly generated CNAME domains. Each of these domains is configured differently, segmenting client infrastructure and mapping individual domains to multiple enterprise services. This fragmentation makes attribution and takedown efforts significantly more difficult for defenders.
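The CNAME-chain fragmentation described above is something a defender can hunt for in their own passive-DNS or zone data. The following is an added illustration, not code from Silent Push or the report: it walks constructed CNAME chains, flags chains that pass through random-looking intermediate labels before landing on an enterprise cloud endpoint, and ignores ordinary chains such as `www -> cdn -> cloud`. The record set, the entropy threshold and the cloud-suffix list are all assumptions made for this example.

```python
import math
from collections import Counter

# Cloud endpoint suffixes a chain may legitimately terminate at (assumption for
# this example; a real deployment would maintain its own curated list).
CLOUD_SUFFIXES = (".cloudfront.net", ".azurewebsites.net", ".storage.googleapis.com")

# Constructed sample records (name -> CNAME target); none of these are real IoCs.
SAMPLE_RECORDS = {
    "login.brand-clone.test": "q8z3vk1m7p.rand-cname.test",      # random intermediary
    "q8z3vk1m7p.rand-cname.test": "d111111abcdef8.cloudfront.net",
    "pay.brand-clone.test": "h4t9wq2n6c.rand-cname.test",        # two random hops
    "h4t9wq2n6c.rand-cname.test": "c3p0r7x1k.rand-cname.test",
    "c3p0r7x1k.rand-cname.test": "example-app.azurewebsites.net",
    "www.legit-shop.test": "cdn.legit-shop.test",                # benign chain
    "cdn.legit-shop.test": "d222222abcdef8.cloudfront.net",
}

def label_entropy(label: str) -> float:
    """Shannon entropy in bits per character; random labels score higher than words."""
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in Counter(label).values())

def walk_cname_chain(name: str, records: dict, max_hops: int = 10) -> list:
    """Follow CNAME records from `name` until a terminal name, a loop, or max_hops."""
    chain, seen = [name], {name}
    while len(chain) <= max_hops:
        target = records.get(chain[-1])
        if target is None or target in seen:   # terminal record or CNAME loop
            break
        seen.add(target)
        chain.append(target)
    return chain

def score_chain(chain: list, entropy_threshold: float = 3.0) -> tuple:
    """Count intermediate hops whose first label looks random; note cloud termination."""
    random_hops = sum(1 for host in chain[1:-1]
                      if label_entropy(host.split(".")[0]) >= entropy_threshold)
    return random_hops, chain[-1].endswith(CLOUD_SUFFIXES)

def flag_suspicious(records: dict, entropy_threshold: float = 3.0) -> dict:
    """Return {head_name: (chain, random_hops)} for chains with >=1 random-looking
    intermediary that terminate on a cloud endpoint. Only chain heads (names that
    are not themselves CNAME targets) are evaluated."""
    heads = set(records) - set(records.values())
    flagged = {}
    for name in sorted(heads):
        chain = walk_cname_chain(name, records)
        random_hops, on_cloud = score_chain(chain, entropy_threshold)
        if random_hops >= 1 and on_cloud:
            flagged[name] = (chain, random_hops)
    return flagged
```

The entropy heuristic is deliberately crude; in practice it would be combined with domain age, registrar and hosting overlap before anything is blocked.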

An Evolving and Persistent Threat

The trajectory of Triad Nexus illustrates a growing challenge for law enforcement and cybersecurity professionals alike: sanctions and takedowns, while disruptive, rarely eliminate sophisticated criminal networks. Instead, they force adaptation — and in Triad Nexus' case, that adaptation has resulted in a more geographically dispersed, technically obfuscated, and resilient operation than existed before.

With the group now firmly focused on markets in Southeast Asia and Latin America, and continuing to exploit the trusted reputations of major cloud providers, Silent Push warns that Triad Nexus remains a persistent threat not only to consumers in emerging markets but also to Western enterprise assets that the group has not fully abandoned.


Source: SecurityWeek
