Triad Nexus, a notorious cybercriminal group linked to the FUNNULL Content Delivery Network, has resurfaced with a more sophisticated and elusive operation. The group has built a vast network of scam portals that sits behind a rotating pool of more than 175 CNAME domains, targeting victims worldwide.
Triad Nexus’s Criminal Background
Triad Nexus is deeply entrenched in organized crime across Asia, engaging in investment scams, money laundering, and illegal gambling since at least 2022. The group initially used the FUNNULL CDN to efficiently deliver fraudulent websites mimicking reputable global brands. However, U.S. Treasury sanctions in May 2024 forced them to alter their methods.
In response to these sanctions, Triad Nexus adopted a tactic researchers call “infrastructure laundering.” They shifted from relying on low-reputation servers to hijacking legitimate cloud accounts from providers like Amazon, Cloudflare, Google, and Microsoft. This strategy allowed them to disguise malicious traffic through trusted platforms, enhancing the credibility of their fraudulent portals.
Innovative Infrastructure Tactics
Silent Push analysts noted a significant shift in Triad Nexus’s operations. The group abandoned static CNAME domains, opting instead for a rotating pool that connects clusters of fraudulent websites to stolen IP addresses. This method contributes to their estimated one billion dollars in victim losses, with individual losses averaging $47,000.
Triad Nexus primarily conducts “pig butchering” scams, manipulating victims into investing in fake cryptocurrency platforms over extended periods. Their fraudulent portals include clones of luxury brands like Tiffany and Cartier, as well as financial platforms like Western Union and MoneyGram, deceiving users into thinking they are interacting with legitimate services.
Geographic Evasion and Defensive Measures
The group employs multi-layered CNAME chains to obscure the true destination of their traffic. These chains redirect traffic through several intermediate domains before reaching the final IP address hosted on reputable cloud platforms. This complex redirection makes it challenging for security tools to trace the traffic back to its origin.
To further evade detection, Triad Nexus blocks U.S. visitors with a specific error message, while expanding its operations into Spanish, Vietnamese, and Indonesian markets. Organizations are advised to enhance their security measures, including CNAME chain analysis and strict DNS resolution policies, to detect and disrupt these threats effectively.
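The CNAME chain analysis recommended above can be scripted. The following is an added example written for this article, not code from Silent Push or any other party named here. It walks a name through its CNAME hops, stops on loops or excessive depth, and reports the findings a defender would want to triage: chain depth, the number of distinct zones crossed, and the terminal IP. The DNS answers come from a constructed in-memory table so the script runs offline; every name and address in it is an invented placeholder, not an indicator from the report.

```python
"""Follow a CNAME chain hop by hop and flag deep, looping or truncated chains.

Added example, not from the Silent Push report. The DNS answers are a
constructed in-memory table (SAMPLE_RECORDS) so this runs offline; replace
resolve_record() with a real lookup (e.g. dnspython) in production.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample zone data: owner name -> (record type, target).
# None of these names or addresses are real indicators.
SAMPLE_RECORDS: Dict[str, Tuple[str, str]] = {
    # A lookalike storefront hidden behind three CNAME hops before an A record
    "shop.brand-lookalike.test": ("CNAME", "edge-7f3a.rotator-a.test"),
    "edge-7f3a.rotator-a.test": ("CNAME", "pool-19.rotator-b.test"),
    "pool-19.rotator-b.test": ("CNAME", "cdn-node.cloudhost.test"),
    "cdn-node.cloudhost.test": ("A", "203.0.113.45"),
    # A normal site with the single CNAME hop a CDN customer typically has
    "www.legit-site.test": ("CNAME", "legit-site.cdnprovider.test"),
    "legit-site.cdnprovider.test": ("A", "198.51.100.10"),
    # A misconfigured (or deliberately looping) pair of records
    "loop-a.test": ("CNAME", "loop-b.test"),
    "loop-b.test": ("CNAME", "loop-a.test"),
}


@dataclass
class ChainResult:
    hops: List[str] = field(default_factory=list)  # CNAME targets, in order
    final_ip: Optional[str] = None                  # A record reached, if any
    looped: bool = False                            # a target repeated
    truncated: bool = False                         # max_depth hit first


def resolve_record(name: str, records: Dict[str, Tuple[str, str]]):
    """Stub resolver over the constructed table; returns None for unknown names."""
    return records.get(name)


def follow_cname_chain(name: str,
                       records: Dict[str, Tuple[str, str]] = SAMPLE_RECORDS,
                       max_depth: int = 10) -> ChainResult:
    """Resolve `name` through successive CNAMEs until an A record, a loop,
    an unknown name, or `max_depth` hops."""
    result = ChainResult()
    seen = {name}
    current = name
    for _ in range(max_depth):
        rec = resolve_record(current, records)
        if rec is None:
            return result  # NXDOMAIN or not in our table: dangling chain
        rtype, target = rec
        if rtype == "A":
            result.final_ip = target
            return result
        result.hops.append(target)  # CNAME hop
        if target in seen:
            result.looped = True
            return result
        seen.add(target)
        current = target
    result.truncated = True
    return result


def chain_risk(result: ChainResult, depth_threshold: int = 3) -> List[str]:
    """Return human-readable findings worth a review; empty means nothing unusual."""
    findings = []
    if result.looped:
        findings.append("CNAME loop")
    if result.truncated:
        findings.append("chain exceeded max depth")
    if len(result.hops) >= depth_threshold:
        findings.append(f"deep chain ({len(result.hops)} CNAME hops)")
    # Crude zone heuristic: last two labels of each hop. A real deployment
    # would use the public suffix list instead of this approximation.
    zones = {".".join(h.split(".")[-2:]) for h in result.hops}
    if len(zones) >= depth_threshold:
        findings.append(f"crosses {len(zones)} distinct zones")
    return findings


if __name__ == "__main__":
    for owner in ("shop.brand-lookalike.test", "www.legit-site.test", "loop-a.test"):
        res = follow_cname_chain(owner)
        print(owner, "->", res.final_ip, res.hops, chain_risk(res) or "ok")
```

The depth threshold of three is an assumption chosen for the sample data; tune it against your own resolver logs, since some legitimate CDN setups use two hops. Because the table is keyed by owner name, the same walker works unchanged over records exported from passive DNS or from a live resolver, and the `seen` set is what keeps a rotating pool from sending the walker in circles.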
