Security Point Break: Cybersecurity News and Analysis with Clarity and Candor

Triad Nexus Returns with Rebuilt Scam Infrastructure

Triad Nexus rebuilds fraud network after sanctions, hides behind cloud infrastructure and fake brands.

Down but not out, cybercrime syndicate Triad Nexus is back in business targeting victims with its signature “pig-butchering” virtual currency scams.  

The threat group, which has pilfered over $200 million from past victims, has shifted focus toward emerging markets while continuing to target “Western enterprise assets,” according to research published Tuesday by Silent Push.

Following U.S. Treasury sanctions in 2025 against tech enabler Funnull Technology, Triad Nexus “has just become less direct, less visible and in some cases more polished.”

Silent Push describes Triad Nexus as the broader cybercrime operation and Funnull as a key infrastructure layer, service brand or operational banner connected to that network. Researchers say the group is now using a new set of cleaner-looking fronts to replace Funnull, including Bole CDN, CDN1.ai, Yunray.ai, CDN5.com and CTGCDN.

Threat Group Revamps Crime Playbook

Researchers say recent Triad Nexus activity shows its hallmark infrastructure reappearing in new forms. That includes new front companies, broader brand impersonation, expanded CNAME rotation and continued use of cloud-hosted assets paired with geographic blocking, all meant to keep U.S. investigators out while operations continue elsewhere.

CNAME rotation is the frequent, sometimes automated, changing of the DNS CNAME records (and the intermediate domains they point at) so that the path from a victim-facing domain to the malicious back-end infrastructure keeps shifting, even when the back end itself stays put.

Based in Asia, Triad Nexus operates through a sprawling network of domains running on Amazon, Cloudflare, Google and Microsoft cloud services, according to Silent Push. The companies were not aware of the malicious activity, the researchers said.

Researchers describe that abuse of legitimate services for criminal activity as infrastructure laundering. Silent Push said Triad Nexus routes malicious operations through “compromised or fraudulently obtained accounts” on trusted cloud platforms to make them appear legitimate and harder to detect.

“This provides its scams with the ‘appearance of legitimacy,’ high speed, and professional performance that even tech-savvy Western audiences can’t resist,” researchers said.

Triad Nexus operated domains hosting “pixel-perfect” clones of luxury-brand, financial and commercial websites, including Tiffany, Cartier, Western Union, MoneyGram, TripAdvisor and Etsy.

Another aspect of the group’s infrastructure laundering includes using transactional payment portals “linked to” over two dozen financial firms including Goldman Sachs, Royal Bank of Canada, Bank of America, and Wells Fargo.

Distancing Itself from Criminal Buddies

Part of Triad Nexus’ return includes distancing itself from Funnull Technology, “a Philippines-based company that provides computer infrastructure for hundreds of thousands of websites involved in virtual currency investment scams,” according to the FBI (PDF) and the Treasury Department’s Office of Foreign Assets Control.

In its 2025 action, OFAC estimated Funnull was behind $200 million in losses through various scams that impacted U.S. victims.

According to Silent Push, Funnull Technology acted as the primary content delivery network (CDN) and infrastructure provider for Triad Nexus and other criminal groups. It provided the technical backbone for over 200,000 unique hostnames involved in “pig-butchering” scams, money laundering, and illegal gambling.

A “pig-butchering” scam is a type of long-con fraud where the victim is slowly manipulated—often over weeks or months—before being convinced to send large amounts of money, usually into fake investment platforms. The name comes from the idea of “fattening the pig before slaughter.”

Defend Against the Pattern, Not the Bad Domain

Because the system appears to have survived the sanctions, Silent Push recommends defenders focus not on blocking bad domains as they appear but on understanding how the infrastructure is being rotated.

This kind of operation is easier to miss when defenders treat brand abuse, cloud abuse and redirection tricks as separate issues. They are connected. Following those connections through CNAME chains, front companies and cloud-hosted assets is what gives you a chance of finding the network before the next fraud campaign is already in motion, Silent Push said.
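The pivot Silent Push describes, following CNAME chains from a known scam domain to the shared cloud endpoint and back out to every other domain that terminates there, can be sketched in a few functions. The example below is added here and is not Silent Push’s tooling or anything from the report; every hostname in it is a constructed placeholder, and the two snapshot tables stand in for passive-DNS observations taken at two points in time. It shows why a block list of leaf domains lags the operator: between the snapshots the intermediate CDN edge names rotate, but the terminal endpoint the victims’ traffic ultimately reaches does not.

```python
"""Follow CNAME chains and pivot on shared infrastructure (added example, hypothetical data)."""
from collections import defaultdict

# Constructed CNAME tables (name -> target). All names are placeholders, not real indicators.
SNAPSHOT_T0 = {
    "shop.brand-clone.test": "edge-a1.front-cdn.test",
    "login.bank-clone.test": "edge-a1.front-cdn.test",
    "invest.trading-app.test": "edge-b2.front-cdn.test",
    "edge-a1.front-cdn.test": "lb-7.cloud-host.example",
    "edge-b2.front-cdn.test": "lb-7.cloud-host.example",
    "www.legit-site.test": "cdn.real-cdn.example",
}
# Later snapshot: the front-company CDN edge names rotated; the shared cloud endpoint did not move.
SNAPSHOT_T1 = {
    "shop.brand-clone.test": "edge-c9.front-cdn.test",
    "login.bank-clone.test": "edge-c9.front-cdn.test",
    "invest.trading-app.test": "edge-d4.other-front.test",
    "edge-c9.front-cdn.test": "lb-7.cloud-host.example",
    "edge-d4.other-front.test": "lb-7.cloud-host.example",
    "www.legit-site.test": "cdn.real-cdn.example",
}
# Victim-facing names a defender is watching (constructed).
MONITORED = [
    "shop.brand-clone.test",
    "login.bank-clone.test",
    "invest.trading-app.test",
    "www.legit-site.test",
]


def follow_cname(records, name, max_hops=10):
    """Return the CNAME chain starting at `name`, ending at the first name with no CNAME.

    Stops on a loop or after `max_hops` so a broken or deliberately looping zone
    cannot hang the pivot; the last element is the terminal endpoint.
    """
    chain = [name]
    seen = {name}
    while chain[-1] in records and len(chain) <= max_hops:
        nxt = records[chain[-1]]
        if nxt in seen:  # CNAME loop: stop rather than spin
            break
        chain.append(nxt)
        seen.add(nxt)
    return chain


def cluster_by_terminal(records, names):
    """Group monitored names by the endpoint their chain terminates at."""
    clusters = defaultdict(set)
    for n in names:
        clusters[follow_cname(records, n)[-1]].add(n)
    return dict(clusters)


def pivot_from_seed(records, names, seed):
    """Given one confirmed-bad name, return the other names sharing its terminal endpoint.

    This is the 'follow the connections' step: one seed domain exposes siblings
    that a leaf-domain block list would only catch one at a time.
    """
    terminal = follow_cname(records, seed)[-1]
    return cluster_by_terminal(records, names).get(terminal, set()) - {seed}


def detect_rotation(old, new, names):
    """Names whose intermediate chain changed between snapshots while the terminal
    endpoint stayed the same: the rotation pattern, as opposed to a real migration."""
    rotated = {}
    for n in names:
        before, after = follow_cname(old, n), follow_cname(new, n)
        if before != after and before[-1] == after[-1]:
            rotated[n] = (before, after)
    return rotated


if __name__ == "__main__":
    for name, (before, after) in detect_rotation(SNAPSHOT_T0, SNAPSHOT_T1, MONITORED).items():
        print(f"{name}: {' -> '.join(before)}  ==>  {' -> '.join(after)}")
    print("siblings of seed:", sorted(pivot_from_seed(SNAPSHOT_T1, MONITORED, "shop.brand-clone.test")))
```

Run stand-alone it reports the three scam-front names as rotated (their edge hops changed, their endpoint did not) and, from a single seed, names the two sibling domains that share its endpoint. The legitimate site, which never shares that endpoint, is untouched. In practice the snapshot tables would be fed from passive-DNS records rather than hard-coded, and the clustering key could be widened from the terminal hostname to the resolved IP range or cloud tenant, but the logic of pivoting on the stable layer rather than the rotating one is the same.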

Photo by Sergey Zolkin on Unsplash
