A sophisticated cybercriminal operation, known as Triad Nexus and linked to the FUNNULL Content Delivery Network, has resurfaced with a significantly evolved and evasive infrastructure. Following U.S. Treasury sanctions, the group has deployed over 175 randomly rotating CNAME domains to power a vast network of global scam portals, demonstrating a new strategy of “infrastructure laundering” to conceal its illicit activities.
Triad Nexus has a well-established history of involvement in organized crime networks across Asia, engaging in investment scams, money laundering, and illegal gambling since at least 2022. Previously, the group heavily relied on the FUNNULL CDN for delivering fraudulent websites designed to mimic legitimate global brands. However, its recent resurgence marks a departure from its prior methods. Post-sanctions, the group has shifted its focus to hijacking legitimate enterprise cloud accounts from major providers like Amazon Web Services, Cloudflare, Google, and Microsoft, creating a veneer of trustworthiness for its malicious operations.
Triad Nexus Resurfaces With Rotating CNAME Domains and Global Scam Portals
Researchers speaking with Silent Push have identified this tactical shift as a significant evolution in the group’s operational security. Instead of employing stable CNAME domains, Triad Nexus is now utilizing a pool of over 175 randomly generated CNAME domains. These domains connect clusters of fraudulent websites to either stolen or illicitly acquired IP addresses, making detection and disruption considerably more challenging.
The financial impact of Triad Nexus’s operations is substantial, with reported victim losses exceeding one billion dollars. The average individual loss reported is approximately $47,000. The group’s primary modus operandi is the “pig butchering” scam, a long-con approach where victims are groomed over extended periods to invest heavily in fake cryptocurrency platforms. Their repertoire of deceptive portals includes meticulously crafted replicas of luxury brands such as Tiffany, Cartier, and Chanel, financial services like Western Union and MoneyGram, and banking interfaces falsely associated with major institutions like Wells Fargo, Goldman Sachs, and Bank of America.
To evade law enforcement and regulatory scrutiny post-sanctions, Triad Nexus has also launched a series of seemingly legitimate front companies. These entities are characterized by professional branding and fabricated operational histories, designed to instill confidence in unsuspecting users. An illustrative example cited by researchers is a fake CDN provider operating under the domain cdnbl.com. This provider falsely claims to have been serving clients since 2007, yet domain registration records indicate it was established in March 2024, exposing the inherent deception.
Geographic Evasion and the Exploitation of CNAME Chains
A particularly concerning technical aspect of Triad Nexus’s revamped operations is its systematic use of multi-layered CNAME chains to obscure the true destination of its malicious traffic. A CNAME record, or Canonical Name record, is a type of DNS entry that aliases one domain name to another. Standard security tools often analyze only a single step in these alias chains, leaving the ultimate endpoint of the traffic hidden from detection.
Triad Nexus actively leverages this blind spot. Its infrastructure routes traffic through multiple intermediate CNAME domains—sometimes as many as three or four layers deep—before finally resolving to an IP address hosted on a reputable enterprise cloud platform. This multi-layered redirection significantly impedes automated detection systems from tracing traffic back to its origin.
To further circumvent oversight, the group has implemented geo-blocking measures for U.S. visitors across many of its scam portals, displaying an error message indicating that “The region has been denied.” Concurrently, Triad Nexus has expanded its scam activities into Spanish, Vietnamese, and Indonesian markets, continuing to generate illicit profits by targeting new victim demographics.
Organizations are advised to proactively enhance their security postures by adopting capabilities for CNAME chain analysis. Monitoring for newly registered lookalike domains, enforcing stringent DNS resolution policies, and maintaining comprehensive visibility across all network layers are crucial steps. These measures are essential for detecting and disrupting threats of this nature before they can impact end-users.
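The CNAME chain analysis recommended above, as an added example that is not from the Silent Push research: it walks every alias hop instead of stopping at the first one, detects loops, and flags chains that are several hops deep and terminate in an enterprise-cloud address range. The record table, domain names, IPs and cloud ranges are constructed placeholders; a live version would replace the table lookup with real resolver queries.

```python
from __future__ import annotations
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# Constructed in-memory stand-in for DNS answers (placeholder names, not real domains).
# Each owner name maps to a (record type, target) tuple.
SAMPLE_RECORDS = {
    "luxury-shop.example": ("CNAME", "cdn-a7f3.example"),
    "cdn-a7f3.example": ("CNAME", "edge-91bc.example"),
    "edge-91bc.example": ("CNAME", "front-02d1.example"),
    "front-02d1.example": ("A", "203.0.113.10"),
    "loop-a.example": ("CNAME", "loop-b.example"),
    "loop-b.example": ("CNAME", "loop-a.example"),
    "shallow.example": ("A", "198.51.100.5"),
}

# Assumed (constructed) prefix standing in for a cloud provider's published ranges.
CLOUD_RANGES = [ip_network("203.0.113.0/24")]

@dataclass
class ChainResult:
    hops: list[str] = field(default_factory=list)  # CNAME targets in traversal order
    final_ip: str | None = None                     # terminal A record, if reached
    loop: bool = False                              # chain revisited a name
    on_cloud: bool = False                          # terminal IP inside CLOUD_RANGES

def walk_cname_chain(name: str, records: dict, max_hops: int = 10) -> ChainResult:
    """Follow CNAME aliases from `name` until an A record, a dangling name, a loop, or max_hops."""
    result, seen, current = ChainResult(), set(), name
    while current not in seen and len(result.hops) <= max_hops:
        seen.add(current)
        rec = records.get(current)
        if rec is None:                     # dangling alias: nothing further to follow
            return result
        rtype, target = rec
        if rtype == "A":
            result.final_ip = target
            result.on_cloud = any(ip_address(target) in net for net in CLOUD_RANGES)
            return result
        result.hops.append(target)          # CNAME: record the hop and keep walking
        current = target
    result.loop = current in seen
    return result

def is_suspicious(result: ChainResult, depth_threshold: int = 3) -> bool:
    """Flag loops, or chains at least depth_threshold hops deep ending on cloud-hosted space."""
    return result.loop or (len(result.hops) >= depth_threshold and result.on_cloud)
```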