Triad Nexus Expands Global Fraud Operations Despite US Sanctions

A cybercrime network responsible for more than $200m in reported losses has expanded its operations and refined its tactics following US Treasury sanctions in 2025.

Known as Triad Nexus, the group reportedly continues to run large-scale investment scams and brand impersonation campaigns, while it has also shifted focus towards emerging markets. 

According to new research from Silent Push, the network has strengthened its operational security, introducing geographic restrictions that block US-based investigators and adopting increasingly complex infrastructure to mask its activities.

At the same time, it has scaled its fraud ecosystem, with average victim losses reaching $150,000.

Infrastructure Laundering and Brand Impersonation

A key development is the group's use of "infrastructure laundering," relying on compromised cloud accounts from AWS, Cloudflare, Google and Microsoft to host malicious services. This blends scam platforms with legitimate traffic while enabling high-performance sites that most users cannot distinguish from the genuine ones.

Alongside this, the network has industrialized digital brand theft. Its operations include highly accurate replicas of banking portals, luxury retail websites and public services, designed to harvest credentials and redirect payments. Silent Push said the scale and consistency of these cloned platforms highlight a highly organized and repeatable model.

The research identified several sectors most frequently targeted:

  • Banking and fintech platforms used for credential harvesting

  • Luxury retail brands exploited for high-value transactions

  • Public services leveraged for regional data theft

Evasion Tactics and Defensive Response

To avoid detection, Triad Nexus has also implemented a "US block," preventing access from US IP addresses and displaying legal restriction messages instead. This move appears designed to reduce scrutiny following sanctions while enabling continued operations in less-regulated markets.


At the same time, the group has expanded into Spanish, Vietnamese and Indonesian markets using localized scam templates. It has also introduced "clean" front companies posing as legitimate service providers, further complicating attribution efforts.

In response to these evolving tactics, Silent Push developed a CNAME Chain Lookup tool to map complex domain redirection paths. By exposing the underlying infrastructure behind layered CNAME chains, the tool provides defenders with greater visibility into how large-scale fraud networks operate.
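To show what a CNAME chain lookup actually does for a defender, the following is an added example (not Silent Push's tool and not code from the article). It walks a chain of constructed DNS answers to the terminal host, flags the two failure modes such a walk has to handle (loops and dangling targets), and checks whether the terminal lands on a hosting suffix the defender treats as shared cloud infrastructure. All names, addresses and the `CLOUD_SUFFIXES` list are constructed assumptions; a real version would replace the `DNS_RECORDS` dict with live resolver queries.

```python
"""Offline CNAME-chain walker (added example, not Silent Push's CNAME Chain Lookup).

The zone data below is constructed for illustration; none of the names are real.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed DNS answers: name -> (record type, target). Reserved .test / TEST-NET ranges.
DNS_RECORDS: Dict[str, Tuple[str, str]] = {
    "login.bank-example.test":   ("CNAME", "edge.frontco-example.test"),  # cloned portal
    "edge.frontco-example.test": ("CNAME", "d111.cdn-example.cloud"),     # "front company" hop
    "d111.cdn-example.cloud":    ("A", "203.0.113.7"),                     # shared cloud edge
    "loop-a.example.test":       ("CNAME", "loop-b.example.test"),
    "loop-b.example.test":       ("CNAME", "loop-a.example.test"),         # misconfigured loop
    "dangling.example.test":     ("CNAME", "gone.cdn-example.cloud"),      # target has no record
}

# Assumed list of suffixes the defender treats as shared cloud hosting (illustrative only).
CLOUD_SUFFIXES: Tuple[str, ...] = (".cdn-example.cloud",)


@dataclass
class ChainResult:
    hops: List[str] = field(default_factory=list)  # CNAME targets, in order followed
    terminal: Optional[str] = None                 # last name reached (non-CNAME or unresolved)
    address: Optional[str] = None                  # address at the terminal, if any
    status: str = "ok"                             # ok | loop | dangling | too_deep


def follow_cname_chain(name: str, records: Dict[str, Tuple[str, str]],
                       max_depth: int = 10) -> ChainResult:
    """Follow CNAMEs from `name` until a non-CNAME record, a loop, or a missing target."""
    result = ChainResult()
    seen = {name}
    current = name
    for _ in range(max_depth):
        rec = records.get(current)
        if rec is None:
            # A CNAME pointing at a name with no record: the chain is dangling.
            result.status = "dangling"
            result.terminal = current
            return result
        rtype, target = rec
        if rtype != "CNAME":
            result.terminal = current
            result.address = target
            return result
        if target in seen:
            result.status = "loop"
            return result
        seen.add(target)
        result.hops.append(target)
        current = target
    result.status = "too_deep"
    return result


def on_shared_cloud(result: ChainResult, suffixes: Tuple[str, ...] = CLOUD_SUFFIXES) -> bool:
    """True when the chain ends on one of the configured shared-hosting suffixes."""
    return result.terminal is not None and result.terminal.endswith(suffixes)


if __name__ == "__main__":
    for start in ("login.bank-example.test", "loop-a.example.test", "dangling.example.test"):
        r = follow_cname_chain(start, DNS_RECORDS)
        print(f"{start}: status={r.status} hops={r.hops} terminal={r.terminal} "
              f"address={r.address} shared_cloud={on_shared_cloud(r)}")
```

Two of the statuses matter beyond mapping: a `loop` or `too_deep` chain is usually a misconfiguration, while a `dangling` chain ending on a shared-hosting suffix is the classic subdomain-takeover precondition, so a defender running this over their own brand domains wants it reported, not silently skipped.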

The researchers said the increasing automation and scale of Triad Nexus operations require a shift away from reactive security. Instead, organizations are urged to adopt proactive monitoring strategies capable of identifying threats before they reach end users.
