Major Scam Network Triad Nexus Adapts Operations to Avoid U.S. Scrutiny
2026-4-14 15:55:10 Author: securityboulevard.com

Triad Nexus, the sprawling cybercriminal network that for more than five years has been responsible for a wide range of global investment scams and illicit gambling operations, has adapted its operations in the year since the U.S. government sanctioned the content delivery network (CDN) it relied on.

In order to keep off the radar of U.S. law enforcement and avoid further sanctions, Triad Nexus has turned to front companies, major legitimate cloud providers, and new targets, according to threat intelligence researchers with security firm Silent Push.

The network, linked to organized crime gangs in Asia, had relied heavily on the Funnull CDN to run its “pig-butchering” and other virtual currency scam operations, which since at least 2020 have been responsible for $200 million in reported financial losses and average individual victim losses of $150,000.

However, the U.S. Treasury in May 2025 sanctioned Philippines-based Funnull Technology and its administrator, Liu Lizhi. Investigators said Funnull was providing the compute infrastructure for hundreds of thousands of websites used to run virtual currency investment scams. At the same time, the FBI issued an alert detailing the indicators of compromise (IoCs) for the malicious activity running on the Funnull CDN.

Rather than crippling Triad Nexus’ operations, the sanctions prompted the network to shift how it operates, according to Silent Push researchers.

Changing Things Up

“Despite federal sanctions in 2025, the group has reinstated its global fraud engine, shifting its focus toward emerging markets while maintaining a persistent threat to Western enterprise assets,” they wrote in a report this week.

One technique the group is now using is “infrastructure laundering,” reducing its reliance on low-reputation servers like those available from Funnull. Instead, the network uses “account mules” to steal or acquire accounts at top enterprise cloud providers like Amazon, Microsoft, Google, and Cloudflare, and uses those accounts in its scams.

“This provides its scams with the ‘appearance of legitimacy,’ high speed, and professional performance that even tech-savvy Western audiences can’t resist,” the researchers wrote.

That said, Triad Nexus still relies on AS152194 (CTG Server Limited) as the “bulletproof” backbone of its operations. However, the network scatters different parts of its infrastructure across myriad autonomous system number (ASN) pools to keep investigators from being able to see its entire network.

Industrialized Brand Theft

In addition, “the network has industrialized brand theft on a global scale,” they wrote. “Its catalog includes ‘pixel-perfect’ clones of everything from high-end luxury brands to public services.”

The impersonation campaigns include such high-profile luxury and retail brands as Tiffany, Cartier, Chanel, Coach, Macy’s, eBay, Rakuten, and Kering, and financial and investment companies such as iTrustCapital, Western Union, MoneyGram, and Etsy. Public services targeted include TripAdvisor and the Vietnam Post, that country’s government-run national postal service.

“To facilitate its rapid fund siphoning, Triad Nexus sites offer payment portals linked to over 25 global financial giants, including Goldman Sachs, Royal Bank of Canada, Bank of America, and Wells Fargo,” the researchers wrote, adding that Triad Nexus also will accept a range of crypto beyond high-profile ones like Bitcoin and Ethereum.

Keeping Away from U.S. Law Enforcement

The network also is shifting its focus away from the United States to avoid catching the attention of U.S. regulators and law enforcement. If a person tries to access many of Triad Nexus’ sites through a U.S. IP address, they’re blocked and shown an error message saying that “the region has been denied.”

“As the network continues to withdraw from direct U.S. exposure to avoid detection, it has been pivotally expanding into the Spanish, Vietnamese, and Indonesian markets,” Silent Push researchers wrote. “Using localized templates to target these regions, its goal is to ensure its illicit profits continue to flow even as it hides from the U.S. Treasury’s primary gaze.”

They noted that even before the U.S. imposed its sanctions, Triad Nexus already was mapping out ways to reduce its reliance on Funnull, including by launching a number of front companies that came with professional branding and “egregious lies” to create trust among its targets.

Front Companies

Those fronts included Bole CDN, a company that was registered in March 2025 but claimed online that it had served 10,000 clients since 2015. Another, CDN1, claimed falsely that it worked with global brands like Nestlé, while other front companies include Yunray, CDN5, and CTGCDN. These companies use humans to recruit victims, usually communicating through a Telegram account with possible buyers. These fronts don’t include the Funnull branding, so it’s difficult for users to identify them as malicious.

Another adaptation was shifting from using nine primary CNAME (Canonical Name) domains for routing traffic to more than 175 randomly generated CNAME domains. Each one connects clusters of malicious client websites to various acquired IP addresses.
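The CNAME rotation described above, and the ASN scattering described earlier, are both things a defender can pivot on: sites that share a CNAME target share an operator, even when their IPs sit in different ASNs. The following is an added example written for this article, not Silent Push's tooling; the DNS observations are constructed, and only AS152194 is taken from the report.

```python
import math
from collections import defaultdict

# Constructed DNS observations: (hostname, CNAME target, resolved IP, ASN).
# Illustrative values only; none are indicators from the report.
RECORDS = [
    ("shop-luxury-deals.example",  "a8f3k2q9.cdn-edge.example", "203.0.113.10", "AS152194"),
    ("invest-now-crypto.example",  "a8f3k2q9.cdn-edge.example", "203.0.113.11", "AS152194"),
    ("bank-portal-secure.example", "a8f3k2q9.cdn-edge.example", "198.51.100.5", "AS64500"),
    ("post-tracking-vn.example",   "zq71mbd0.cdn-edge.example", "198.51.100.9", "AS64500"),
    ("corp-blog.example", "www.corp-blog.example.cdn.example", "192.0.2.7", "AS64501"),
]

# AS152194 is named in the report as the network's bulletproof backbone.
KNOWN_BULLETPROOF_ASNS = {"AS152194"}


def label_entropy(label):
    """Shannon entropy (bits per character) of one DNS label."""
    counts = defaultdict(int)
    for ch in label:
        counts[ch] += 1
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_random(cname):
    """Heuristic for machine-generated CNAME labels: long, mixed letters
    and digits, high entropy. Thresholds are assumptions for this example."""
    first = cname.split(".")[0]
    return (len(first) >= 8 and any(c.isdigit() for c in first)
            and label_entropy(first) > 2.5)


def pivot_report(records, seed_hosts):
    """From hosts already known to be malicious, find every other host that
    shares the same CNAME target, and summarise the ASNs the cluster spans."""
    clusters = defaultdict(list)
    for host, cname, ip, asn in records:
        clusters[cname].append((host, ip, asn))
    host_to_cname = {h: c for h, c, _, _ in records}
    findings = {}
    for seed in seed_hosts:
        cname = host_to_cname.get(seed)
        if cname is None:
            continue
        members = clusters[cname]
        findings[cname] = {
            "hosts": sorted(h for h, _, _ in members),
            "asns": sorted({a for _, _, a in members}),
            "random_label": looks_random(cname),
            "bulletproof_backbone": any(a in KNOWN_BULLETPROOF_ASNS for _, _, a in members),
        }
    return findings
```

Seeding the pivot with one confirmed scam host surfaces the two sibling sites behind the same CNAME, even though one of them resolves into a different ASN.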

Silent Push has been tracking Triad Nexus and the use of Funnull for illicit activities for several years. In 2024, the security firm wrote about 200,000 unique host names being proxied through Funnull as well as thousands of suspected gambling websites. The researchers also linked Triad Nexus to the Polyfill supply chain attack that affected more than 110,000 websites.

Source: https://securityboulevard.com/2026/04/major-scam-network-triad-nexus-adapts-operations-to-avoid-u-s-scrutiny/