
A Deep Dive into the Triad Nexus Pig Butchering & Money Laundering Network

BSidesSF 2025 · 29:56 · 73 views · Published 2025-06
About this talk
Zach Edwards presents technical research into the Triad Nexus, a network of threat actors operating pig-butchering investment scams, money-laundering casinos, and retail phishing campaigns. The talk details how the group uses infrastructure laundering—acquiring cloud IPs through fake accounts and stolen credentials—to evade takedowns, and analyzes FUNNULL CDN's role in hosting thousands of malicious domains. Edwards demonstrates fingerprinting techniques and highlights the involvement of organized groups like Sun City in the broader ecosystem.
Original YouTube description: "A Deep Dive into the Triad Nexus Pig Butchering & Money Laundering Network", Zach Edwards. The presentation will cover research into pig butchering scams connected to FUNNULL CDN-hosted money laundering, retail phishing campaigns targeting luxury brands, and more. Technical analysis steps will be provided and explained in-depth as we cover this threat which we have dubbed "Triad Nexus." https://bsidessf2025.sched.com/event/da96ee830bb153ab4e5657d0233574b3
Transcript (en)

Good afternoon. Welcome to BSides San Francisco 2025. I'm Nicolina, I'll be your host, and I'm here to introduce our next headliner. Very excited about him. So, Mr. ... yes, okay, I'm making sure I have the right one. Mr. Zach Edwards. And his topic is very interesting: a deep dive into the Triad Nexus pig butchering and money laundering network. I can't wait to hear this one. All right, really quick. Right behind me, if audio and visual can put up this huge QR code: you have the opportunity to ask questions while he's giving his presentation. At the end of the presentation, if we have time, I will voice the questions and he will answer them. And he's gracious enough, too, if we run out of time and we don't get through all the questions, to meet you at level four at the top of the escalator; he'll make himself available after his presentation. On that note, sir, take it away.

Thank you so much. It's a pleasure to be with everyone today. Thank you for attending. My name is Zach Edwards. I'm a senior threat analyst at Silent Push, and today I'm going to be doing a presentation on a deep dive into the Triad Nexus pig butchering and money laundering network. Now, this research is some research we put out initially in December of last year, and we did an update two months ago, and I can tell you that right now, today, this is still a problem. So we're going to go through a whole bunch of details, but this is all still online, and the way that they're keeping their infrastructure online is still occurring.

So we're going to be going over a lot of details here. What is Triad Nexus? What is FUNNULL? And I just want everyone to sort of appreciate this is one small piece of the larger ecosystem that is part of these quote "pig butchering" threat groups. And I'm not going to use that term pig butchering that much during this presentation. I just kind of want to set the stage: that is a phrase that the threat actors use, and so I prefer kind of investment schemes or job schemes, and we'll get into that a little bit. But that whole concept behind this network of threat actors that do these crimes, it's vast. And so we're going to actually just look at one of the groups that's behind it. And part of this, the entity that actually is behind this, the corporate entity we tracked down, is associated with the Polyfill supply chain. So some of you all may be familiar with that from last year. The entity that actually owns this and is behind hosting this infrastructure is called ACB Group. They are a big online gambling ring.

We're going to go over some of the investment schemes over the years. We're going to get into some details about exactly how they're keeping this infrastructure online, and they're doing it through a technique called infrastructure laundering. And so we're going to go over exactly how they're acquiring these IP addresses and basically the scheme they're doing to keep these sites online. And then further, this network is also laundering money. So they not only are hosting websites for these investment and job scams, they also have websites for money laundering. And so we're going to go into what these look like; they're actually online casino websites. And some folks here may be familiar with these. They come up all the time in research, but a lot of times people kind of just go, "Ah, this is a benign online casino. I don't have time for this," and they look past it. So I'm going to go over some details that hopefully will ring true for some folks. And then we're going to get into some of their infrastructure, some of the retail phishing scams that they were hosting, and then just some summary details.

So, infrastructure laundering is a really interesting technique. We like to think about it as a new form of bulletproof hosting. And just briefly describing what this means: a bulletproof host is essentially a host that doesn't respond to a DMCA or an abuse complaint. They usually have an ASN range. They may be a small group of IP blocks. They may eventually have their peering removed, or the defenses against them: you could block every IP at the ASN level or every IP that they're using. And so when you think about a bulletproof host, there's a lot of defenses, kind of classic ways to be protected from it. This network, however, they're using a variety of CNAMEs that they're mapping to IP addresses. And some of those IPs are on bulletproof hosts, some low-quality Asian hosts, but then they're also illicitly acquiring accounts from Amazon. And they've previously done this to other cloud hosts as well. So we have a little bit of background about how they did this, but essentially they are creating fake accounts, stolen accounts, using stolen credit cards. We don't have all the details about all the flavors that they're doing against Amazon, but we know that right now, today, there are Amazon IPs mapped into this network, and they stay mapped for 24 hours, 72 hours, and then Amazon security cuts them off and they're on to the next IP address. And they have been doing this over and over and over again without really being stopped.

And so this whole concept of infrastructure laundering is: when a threat actor wants to get something online, what are their options for this? And so FUNNULL, this company, this CDN company, essentially operates like many other CDNs, but the core difference is the IP addresses that they're mapping into this network. A chunk of them are acquired illicitly, and they may only resolve for a small portion of time, but that's all they need because they're constantly rebuilding this network. So FUNNULL itself is a CDN, but it's really interesting how we came upon this research. FUNNULL came up in the news last year because they were the parent company of an entity that acquired this domain polyfill.io. Polyfill.io was basically a developer tool that was quite popular.

It was integrated into a huge number of enterprise and government websites, from the Hulu homepage to nasa.gov, just everywhere. Tons of organizations embedded a JavaScript snippet from this polyfill.io domain, and the domain was sold to this Chinese entity. So it was basically sold in February of 2024. And then in July of 2024, we heard, "Oh my goodness, there's a supply chain attack. Whoever had this domain, they're redirecting some mobile users to low-quality online casino websites." The weirdest, murkiest supply chain you can think of. No malware on the back end, just unexpected redirects from an enterprise service to a low-quality casino. And so a lot of people, when they saw this news, they immediately said, "Oh, this is some weird attack. It has a really goofy monetization scheme. Not going to classify this as an enterprise threat," and just moved on. Google blocked any ads to any websites that had this on their page. Within a week or so, Namecheap was taking action; they had basically banned the domain. And so this threat was done.

But this company, or this brand FUNNULL, they've also acquired a variety of other similar domains. And some of those other domains have been seen with similar redirects. And so our team at Silent Push, where I work, we had actually come across FUNNULL before. FUNNULL had been part of some investment scam research that we had done previously, but we hadn't looked into it. We just had kind of assumed, I guess this is the brand that's hosting it; there's many hosting brands that we're not totally familiar with; let's just put this into our research archive and move on. But then when we saw FUNNULL showing up in the news, buying these domains, actually conducting a supply chain attack, we said, "Oh my goodness, FUNNULL itself may be the malicious entity." So looking into it, we realized that FUNNULL is actually a subsidiary of a much larger company called ACB Group. And ACB Group is a very, very large online gambling organization with many relationships across Europe and the world, and there's basically unlimited research if you dig into the ACB Group. We're going to only really touch on FUNNULL today, but there's a lot of research angles for folks to dig into here.

Within the sort of marketing for FUNNULL, we pretty quickly started to realize that they bragged about their infrastructure in China, and we started to realize that this was not your average sort of host. They had some sort of business plans that were a little different. And we started to say, okay, who are their clients, now that we know they have infrastructure in China? We know that they're doing stuff outside of China. We started to look holistically at what we'd seen in the past and what was still live. And there were a large number of these investment scam websites that were on this infrastructure and had been there for some time, essentially operating like a bulletproof host. And across these there were many different brands targeted: Australian Securities Exchange, Coinbase, eToro, NASDAQ. And this really had the flavors that we see on other networks as well. And so when we think about this, it's not just that certain investment scams were hosted on FUNNULL. It's that the flavors of investment scams that we've seen elsewhere were also hosted on FUNNULL. So potentially the threat actors, these larger triad groups, the criminal threat groups that are behind these, this may be one of the places that they host their infrastructure.

And so part of us trying to understand how is this infrastructure online, how is it operating like a bulletproof host: we tried to find some of the quote "oldest" domains there. And that's one of our research tactics whenever we're investigating a network. If you can find an old domain on that host that's maybe moved IP addresses as the network has, it can kind of give you that background into what's going on here. So the CME Group was a brand that had been spoofed for quite some time. And basically because there was two years of data, we were able to just pull up the CNAME records for that one domain. And we could actually see how they had changed their CNAME records, changed their deployments on these sites over that two-year period. And part of what started to really raise alarm bells for us: I'm sure everyone here's familiar with hosts that use CNAMEs to keep their infrastructure online. It's relatively common for enterprises, but you don't typically change your domains, because then all your clients have to change their DNS as well. And so seeing any type of network that is switching from afunnel.vip to funnel01.vip and then fn3.vip, that should start to raise some alarm bells. Something here is not normal. This is not how a normal enterprise would operate, because every one of your clients would have to switch out these CNAMEs every time you do. And the whole purpose behind these is so your clients can deploy one CNAME, and then you can change the IP addresses and keep their infrastructure online without them having to make a bunch of DNS changes.

And so there immediately were questions about, okay, this infrastructure makes some really odd choices. What they're hosting is clearly problematic. And so we said, okay, let's get an idea of how this infrastructure works. So we're going to map those CNAME chains so we can see what's mapped to the actual malicious hosts, but how does this infrastructure look? And so the way that their infrastructure is set up, the hosts connect into one specific CNAME chain. Those CNAME chains resolve into more CNAMEs, and then those CNAMEs resolve into the A record IP addresses. So it's not that complicated of a system, but it does have some benefits. So this basically is set up so that FUNNULL can constantly rotate those IP addresses, keep the infrastructure online, and the clients aren't having to deal with any of that IP address rotation. They may not even be fully aware of how exactly FUNNULL is keeping their sites online. And so our team basically did this lookup. We had millions of reverse CNAME records tracking all of these chains, and we started to appreciate that this was definitely not normal.

And so digging more into what is FUNNULL: the whole concept behind this and funnull.io is still live, and a bunch of their infrastructure is still live, and today they're still mapped to Amazon IPs. Yesterday they were still mapped to Amazon IPs. This is basically a network where all of their pricing is around bulk registration. And so they are clearly trying to bring on clients, or support their current client base, that has lots of domains. And we're going to get into it here in a little bit, but they are heavy on DGA domains. They're kind of like your classic Chinese domains with mostly numbers. And there's a lot of reasons why that can be done. Some of it is to get around the Great Firewall in China. But we also think that they constantly rotate domains because it makes it harder for abuse complaints to actually land on entities. It takes a little bit of work to research this network. And so you'll see here a bunch of famous brands that they're impersonating. They maybe are just moving so fast, or also ignoring the abuse complaints, as a CDN that offers bulk registration and most of whose clients are up to no good. And so if you're investigating this network, one, you're going to see these giant groupings of clients where many of them have thousands of websites. The other kind of nice part about it is they have consistent error pages. And so if you're looking at any IP address and it's resolving an error code that looks like this, that mentions FUNNULL, you're basically staring at an IP address that's mapped into FUNNULL infrastructure. And this is a consistent fingerprint. So this is the type of thing that, as you're investigating what is a part of the FUNNULL network, those types of error codes can really provide that context. And as you're sort of starting to appreciate, FUNNULL is a unique entity. They have structured their DNS in a way that doesn't align to other enterprise organizations. And then when you see what IP addresses they're mapping into this, excuse my language, it's a shitshow.

And these folks have basically been targeting multiple enterprise organizations. Microsoft apparently has this under control, or for whatever reason they stopped trying to get IPs from Microsoft, and we've seen over the last basically two years of monitoring this them target specific enterprise services, and for three or six months they're just running ham on it, getting tons of IPs from it, and then essentially what it would have seemed like is some of these major hosts realize that the CNAMEs aren't changing that much and any IP addresses that map into those CNAMEs should be banned immediately. And for whatever reason, Amazon hasn't done that. And so I just want to reiterate that there's been multiple hosts that they've targeted. This research was first put out in December. We put out additional research in February. And at the time Amazon released a giant statement sort of saying, "We've got this under control. This is old news. This isn't happening anymore." Well, sorry folks, it's still happening today. You didn't have it back then. It still was happening every single day, every single week. They had Amazon IPs. And so it's a bit of an odd situation where we know exactly how they're mapping this. In theory, as soon as any IP address hits one of their CNAMEs, you should have some sort of remediation process to get that taken down as fast as possible. But if you don't, they're going to keep attacking you. So anyone here that's from a cloud host that has not seen FUNNULL sort of target your network, be prepared. It's not that hard to get those CNAMEs sort of on your radar. But I will say, as you're appreciating this detail and the fact that we had, you know, seven CNAMEs, there is a little bit of a challenge here. So these threat actors, as I'd mentioned, this is one of the groups that are doing this, part of this much larger ecosystem. We're also tracking a very, very similar part of this infrastructure that has over 1,500 CNAMEs, and they're dynamically spinning up CNAMEs, and we've heard the same thing with name servers. So they're doing a lot of creative ways to map illicit IPs into this infrastructure. It's not just with these sort of seven CNAME processes. There are some much more robust efforts going on as well.

And so looking at this, Microsoft was targeted almost at the beginning. Very early in the FUNNULL sort of life cycle we were seeing Microsoft IPs, and they actually extended for quite some time, but we haven't seen any for a while. And we know from some of the conversations that they are using fake accounts or stolen credit cards to navigate these cloud purchases. And so kudos to anyone at Microsoft. Maybe share your best practices with everyone else in the industry, because there's really something that some hosts are doing that other hosts aren't doing. And then across FUNNULL's infrastructure, a huge portion of it is in Asia. So they are using a variety of Asian hosts. Some are on the lower-quality side, kind of bordering on bulletproof hosts. But those Amazon IPs and some of the other IP space that they're getting, it allows them to have this global coverage. And so our sort of feeling on this matter is they're likely acquiring this IP space, especially the western IP space, because most of their victims are in the west and they want to have these pages load fast, look credible, and so it basically just gives them that credibility by having that speed to load these web pages. And your average user, when they load one of these web pages, they obviously aren't going to know it's from an Amazon IP.

But briefly, I just want to note for folks who are defenders: it's quite easy to block a bulletproof host IP address. It's easy. It's easy to block domains, but if you're facing a threat that is constantly spinning up domains and hosting them on IPs that are on giant Amazon cloud ranges, you either have to know those domains and block them in real time or somehow navigate some partial blocking on an IP range, which, good luck with that. And so they are doing this clearly for some reason, some purpose that they feel is working, or else they wouldn't be putting all these resources into getting these IP addresses.

And so here's where this story kind of takes a really interesting twist. So this has been an infrastructure effort where they were doing really creative ways to get their sites online. They're hosting a lot of investment scams, but our team also started finding casino websites. We're going to show a bunch of pictures of them here in a minute, but we basically started seeing these templates. The websites look very similar across them, but they had different casino brands on them. And these are prominent casino brands. These are some of the biggest casino brands in the world that were showing up on these sites. And so we started to say, this is a little odd. These websites have very similar bonuses, Tether lotteries, and some of their language was also identical. And so our team ended up basically figuring out that these were all created by essentially the same template. We created a fingerprint to just track only these casino websites. And what we figured out was you could actually segment all of the casino websites just by the favicon. So they would impersonate a casino brand and they would use that favicon across all of those sites. So with basically less than a dozen favicon queries, you could easily filter all the brands that they had on these sites. And as we basically started to go, these sites are suspicious, everything about them is odd, we worked with TechCrunch and we said, can you help reach out to some of these Asian casino brands? And bwin said, "This is a fake network. This is not our casino website. We have nothing to do with it. We're trying to get it down." And so it immediately told us, so this isn't some casino network. This is something else.

And so we said, okay, let's do a deep dive. Let's do a deep dive into the code. And so a lot of the sites actually mention the brand Sun City Group. And you can see that here. So in case folks aren't familiar, Sun City Group is the most interesting casino money laundering organization that's ever existed. The CEO is currently in jail, facing an 18-year sentence for laundering a hundred billion dollars, which is what he's estimated to have laundered. And this network also laundered $20 million for North Korea's Lazarus, the threat group there. So we essentially, as we started to see Sun City Group on this, and I want to pause: there's a United Nations Office on Drugs and Crime; there are two recent reports that both are about Sun City and also both mention screenshots that look identical to the casino websites here, and the UN report basically highlights that these websites are probably owned by the Sun City Group. Now, there's still investigations that are ongoing. There's a lot of questions that need to be answered, but we see all these weird casino brands and then we also see Sun City Group, which is heavily involved in the laundering.

So we dug into some of their sites and we ended up finding a GitHub link, because, you know, why not put your own GitHub link within a criminal website? And this GitHub ended up having all of the repositories, all of the code for all of the FUNNULL templates. So we immediately said, okay, it would appear there's some central developer that's helping to spin up these templates, not only investment scams, but the money laundering stuff. And within some of those templates, we found some Telegram accounts. And that was really what we were hunting for. We wanted to find how do we reach out to these people? How do we get an account on these casino websites without kind of going through the front door? And what we realized was they were using language, basically money-moving language, and they listed the Telegram and locations where to interact with them. And on those Telegram accounts, they basically confirmed all the details. They were openly saying that this is a depositing bonus situation. You deposit money with us, you can cash out elsewhere. And just to catch everyone up on how this works, you basically deposit, let's say, Tether into an online casino, and then you go over to a physical location, a junket or a business, and it's basically a cash-for-crypto scheme. They'll take their 10% cut, and they'll give you cash or whatever sort of currency that you need. And so this network, it also mentions the casino brands that they're impersonating. So it's like, pick your favorite casino brand that you want to move your money through, if one of them is more appropriate than the others. And I want to note that this sort of scheme and this portion of this whole ecosystem, it really is similar to the Huione Guarantee. I'm kind of butchering that name. But there is essentially a much larger money laundering ring that operates very similar to this. And those schemes are very well-known.

And just briefly, I'm going to run through these details here, because I want to make sure we have a little time for questions. But also on FUNNULL, they have retail phishing scams, and these could lead to investment scams, but we do believe these are mostly for phishing. And it's just countless brands. But what was interesting about this was all of this specific part of this campaign was on one CNAME. And we believe that FUNNULL segments clients by CNAMEs. And so if you start investigating this network, you will sort of see slightly different flavors of these sites across some of the CNAMEs. And so we do believe that you can sort of track the threat actors there by that. And then those retail phishing sites, again, Amazon hosted part of it, with part of the IP addresses. CTG Server, you can see here, is the number one source. They are actually the number one source for all IPs for FUNNULL, and CTG Server is also the number one IP source for many other investment scheme networks. So if you're looking to investigate these types of schemes, go to CTG Server and have yourself a good time. This retail phishing scam was across dozens and dozens of sites. There was no indication that this was being taken down or that they would respond to abuse complaints. And a lot of this infrastructure, it indicates it's from the same person. It's the same registrars, same hosting setup.

And so we've learned a lot about how this network operates, but there's still a ton of questions. As I've mentioned, this is really only one portion of this much larger money laundering, investment scam type of ecosystem. And it's really important that folks communicate about what they see in these types of situations. We wouldn't have started this if the other people hadn't talked about Polyfill. If there hadn't been other researchers talking about what they found in these types of networks, this would have never come together. And I'm here giving this presentation so that other cloud hosts can see what Microsoft did, appreciate that there are potential ways to slow this down or make your network not something that they want to play with. And so everyone needs to appreciate that these folks aren't going away. There's no indication that this has slowed down. There's actually a lot of indications that people are seeing what FUNNULL did and doubling down on it. And so this time next year, unfortunately, there's probably going to be even more similar networks just like this who are staying online through novel tactics. So bulletproof hosting has a new family member, and it's called infrastructure laundering. So hopefully everyone here appreciates that knowledge sharing is really the key to this, but also passing what you have to law enforcement. I want everyone to appreciate that if you have thousands of domains, you could hand it to someone with NetFlow, they could look into it, and these networks are heavily using things like satellite internet, and there's plenty of ways to track down some of the sourcing of this. So if you have leads, please share them. That's it. And I'm going to take any questions. I really appreciate everyone's time and your interest in this topic.

Thank you so much, Mr. Edwards. Audience, please give him a big round of applause. That was amazing. You have some questions, sir. Great. All right. This is from Sid Hearthb. The Economist did a special series, Scam Inc., that covered this space more broadly. What kind of product offerings do you foresee protecting end users from becoming scam victims?

It's a great question. I think that's a really important question, because a lot of these networks, they aren't targeting enterprises, and so there's not as much security resources to stopping the threat. And so I think that, unfortunately, a lot of this comes via text messages. And a lot of these investment scams, they're not just being bulk sent. They're not like Smishing Triad, where that first text has the domain in it. A lot of these schemes, they text the "how are you doing?" They send the text messages so that there'll be multiple messages, or they'll take a week before they send you that domain. And so there's really not a terribly easy way to stop a lot of these investment scams, because they're using really strong social engineering and making sure that they wait until they have a warm, receptive audience before sharing that domain.

This one's getting a lot of attention. So what is pig butchering?

Thank you for asking me to define something I should have defined on the first slide. Pig butchering is just the concept of taking all the money someone has. So the threat actors came up with that term where they're going to take from snout to tail. They want to take all of your money. They don't want to just take a little bit. And so a lot of these investment scams, they will have you deposit money. And then the interface will actually show you making money. And some of them even let you take out money. They really want you to get suckered in to think, "Wow, this is how I'm going to finally retire. I'm just going to put all the money I have into this thing." And so they really are quite good at ramping up how much money they take from you, where it may start with a hundred bucks and by the end of it you've given them 25 grand, and you didn't even realize that you were being defrauded at the time.

Well, unfortunately, that is our time for Mr. Edwards. I really want to thank you for being here, from our sponsors and from BSides SF. This is a little special gift for being one of our headliners. Thank you so much. Pleasure.
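Added example, not part of the talk and not Silent Push's tooling: a small Python script that works through the two fingerprinting steps the talk describes, namely walking a site's CNAME chain down to its A records (with a reverse-CNAME index and a watchlist of CDN intermediary names, so that any new IP appearing behind a known intermediary is surfaced), and grouping look-alike casino sites by favicon hash. Every hostname, IP address, favicon payload and watchlist entry is a constructed placeholder rather than observed infrastructure, and the script deliberately handles a CNAME loop so it cannot spin forever on hostile DNS data.

```python
"""Added example (not from the talk): follow CNAME chains to their A records,
build a reverse-CNAME index, and group look-alike sites by favicon hash.
Every hostname, IP and favicon payload below is a constructed placeholder."""
import hashlib
from collections import defaultdict

# Constructed zone snapshot: name -> list of (record_type, value).
ZONE = {
    "cme-login.example":          [("CNAME", "edge-a.cdn-example.invalid")],
    "coinbase-vip.example":       [("CNAME", "edge-a.cdn-example.invalid")],
    "etoro-bonus.example":        [("CNAME", "edge-b.cdn-example.invalid")],
    "legit-shop.example":         [("CNAME", "cdn.good-provider.invalid")],
    "loop1.example":              [("CNAME", "loop2.example")],
    "loop2.example":              [("CNAME", "loop1.example")],
    "edge-a.cdn-example.invalid": [("CNAME", "pool-1.cdn-example.invalid")],
    "edge-b.cdn-example.invalid": [("CNAME", "pool-1.cdn-example.invalid")],
    "pool-1.cdn-example.invalid": [("A", "203.0.113.7"), ("A", "198.51.100.10")],
    "cdn.good-provider.invalid":  [("A", "192.0.2.44")],
}

# Assumed intermediary CNAMEs attributed to the CDN under study. Such names
# change rarely, so IPs that appear behind them can be flagged quickly.
WATCHLIST = {"edge-a.cdn-example.invalid", "edge-b.cdn-example.invalid",
             "pool-1.cdn-example.invalid"}


def resolve_chain(name, zone=ZONE, max_hops=10):
    """Walk CNAMEs from `name` until A records are reached.
    Returns (chain, ips): chain holds every hop starting with `name`;
    a CNAME loop, a dangling target or too many hops yields ips == []."""
    chain, ips, seen = [name], [], {name}
    current = name
    for _ in range(max_hops):
        records = zone.get(current, [])
        cnames = [v for t, v in records if t == "CNAME"]
        if not cnames:
            ips = sorted(v for t, v in records if t == "A")
            break
        current = cnames[0]
        if current in seen:          # loop: stop rather than spin forever
            break
        seen.add(current)
        chain.append(current)
    return chain, ips


def watchlist_hits(name, zone=ZONE, watchlist=WATCHLIST):
    """Watch-listed intermediaries that `name`'s chain passes through."""
    chain, _ = resolve_chain(name, zone)
    return sorted(set(chain[1:]) & watchlist)


def reverse_cname_index(zone=ZONE):
    """target -> names that CNAME directly to it: the reverse-CNAME view
    used to enumerate every client parked behind one CDN edge name."""
    index = defaultdict(list)
    for name, records in zone.items():
        for rtype, value in records:
            if rtype == "CNAME":
                index[value].append(name)
    return {target: sorted(names) for target, names in index.items()}


def ips_behind_watchlist(zone=ZONE, watchlist=WATCHLIST):
    """All A records reached through a watch-listed CNAME, i.e. the set a
    cloud provider's abuse team would compare against its own ranges."""
    ips = set()
    for name in zone:
        chain, addrs = resolve_chain(name, zone)
        if set(chain[1:]) & watchlist:
            ips.update(addrs)
    return sorted(ips)


# Constructed favicon payloads; in practice these are the ICO/PNG bytes
# served at /favicon.ico by each site.
FAVICONS = {
    "cme-login.example":    b"ICON:cme",
    "coinbase-vip.example": b"ICON:coinbase",
    "coinbase-pro.example": b"ICON:coinbase",
    "etoro-bonus.example":  b"ICON:etoro",
}


def favicon_hash(data):
    """Short SHA-256 of the icon bytes; identical icons give identical keys."""
    return hashlib.sha256(data).hexdigest()[:16]


def group_by_favicon(favicons=FAVICONS):
    """hash -> hosts serving that exact icon (one query per impersonated brand)."""
    groups = defaultdict(list)
    for host, data in favicons.items():
        groups[favicon_hash(data)].append(host)
    return {h: sorted(hosts) for h, hosts in groups.items()}


if __name__ == "__main__":
    for host in ("cme-login.example", "legit-shop.example", "loop1.example"):
        print(host, resolve_chain(host), watchlist_hits(host))
    print(reverse_cname_index(), ips_behind_watchlist(), group_by_favicon())
```

Feeding real passive-DNS data into `ZONE` is the only change needed to run this against a live dataset; the watchlist then becomes the short list of intermediary CNAMEs that stay stable while the IPs behind them rotate, which is exactly the property the talk suggests cloud abuse teams should key on.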