Triad Nexus Phishing Group Uses 175+ Rotating CNAME Domains in Global Scam
Key Takeaways
- The Triad Nexus cybercrime organization has relaunched its global fraud operations with significantly enhanced stealth and evasion tactics.
- The group now leverages over 175 rotating CNAME domains and hijacked legitimate cloud infrastructure from providers like AWS, Google, and Microsoft.
- Triad Nexus primarily conducts “pig butchering” scams, creating sophisticated fake investment and luxury brand portals, and has been linked to over $1 billion in victim losses.
- Following U.S. sanctions, the group implemented “infrastructure laundering” and is now actively targeting victims in Spanish, Vietnamese, and Indonesian-speaking markets while blocking U.S. access to many fraudulent sites.
A sophisticated cybercriminal enterprise, identified as Triad Nexus and previously associated with the FUNNULL Content Delivery Network, has re-emerged with a significantly more advanced and elusive operational framework.
Following recent U.S. Treasury sanctions, Triad Nexus has meticulously rebuilt its extensive global fraud network. This revamped infrastructure now employs a dynamic pool of over 175 randomly generated CNAME domains to power numerous scam portals, targeting individuals across multiple international territories.
Triad Nexus is not a newcomer to the realm of cybercrime. The group possesses deep ties to organized criminal syndicates throughout Asia and has been actively involved in investment scams, money laundering, and illicit gambling operations since at least 2022.
In its earlier campaigns, the FUNNULL CDN served as the primary technological backbone, facilitating the rapid deployment of fraudulent websites meticulously designed to mimic trusted global brands.
The U.S. sanctions, imposed in May 2024, did not deter the group’s criminal ambitions but fundamentally altered its methods of concealment and operation.
Infrastructure Laundering and Cloud Hijacking
Subsequent to the federal sanctions, Triad Nexus quickly adopted what cybersecurity researchers have termed “infrastructure laundering.”
Instead of relying solely on low-reputation servers, the group began compromising legitimate enterprise cloud accounts hosted by major providers such as Amazon Web Services (AWS), Cloudflare, Google, and Microsoft.
By routing malicious traffic through these reputable platforms, Triad Nexus effectively created a facade of legitimacy, making its deceptive portals substantially more challenging to detect and block.
Analysts at Silent Push were instrumental in identifying this pivotal tactical shift. They observed that the group had abandoned static CNAME domains in favor of a rotating pool of over 175 randomly generated CNAME domains, each linking clusters of fraudulent websites to stolen or illicitly acquired IP addresses.
The financial impact of this fraud is substantial. Triad Nexus has been implicated in over one billion dollars in reported victim losses, with individual victims typically losing around $47,000.
The group predominantly executes “pig butchering” scams, a long-con scheme where victims are groomed over weeks or months into investing significant sums into fraudulent cryptocurrency platforms.
Their array of deceptive portals includes perfect replicas of luxury brands like Tiffany, Cartier, and Chanel, financial services such as Western Union and MoneyGram, and banking portals falsely associated with institutions like Wells Fargo, Goldman Sachs, and Bank of America.
To further evade law enforcement scrutiny following the sanctions, the group also established a series of “clean” front companies. These entities feature professional branding and fabricated operational histories, engineered to cultivate trust among unsuspecting users.
A notable instance is a fictitious CDN provider operating under the domain cdnbl.com, which falsely claims to have been in service since 2007. However, domain registration records unequivocally show its creation date as March 2024, revealing the inherent deception.
Geographic Evasion and the Rotating CNAME Infrastructure
A particularly concerning technical aspect of Triad Nexus’s re-engineered operation is its deliberate implementation of multi-layered CNAME chains to obscure the true destination of its traffic.
A CNAME (Canonical Name) record is a type of DNS entry that redirects one domain name to another. Standard security tools typically only resolve a single step in this redirection chain, often failing to identify the actual final endpoint.
Triad Nexus actively exploits this blind spot. Its infrastructure routes malicious traffic through multiple intermediate CNAME domains—sometimes three or four layers deep—before ultimately reaching a final IP address hosted on a reputable enterprise cloud platform.
This multi-layered redirection significantly impedes automated detection tools from tracing the traffic back to its genuine origin.
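The blind spot described above is that a one-hop lookup stops at the first CNAME target. The script below is an added illustration, not code from Silent Push or the original report: it walks a constructed sample zone (placeholder names and a documentation IP address, not real Triad Nexus infrastructure) to the final endpoint, records every hop, flags hops that match a constructed watchlist, and guards against loops and abnormally deep chains.

```python
# Follow a CNAME chain to its final endpoint instead of stopping at the first hop.
# SAMPLE_ZONE and WATCHLIST are constructed placeholders for this example.
from dataclasses import dataclass, field
from typing import Optional

MAX_DEPTH = 8  # refuse to follow chains deeper than this (loop/abuse guard)

# Constructed sample zone: name -> ("CNAME", target) or ("A", address).
SAMPLE_ZONE = {
    "shop.luxury-brand-lookalike.example": ("CNAME", "a1b2c3.rotating-cname.example"),
    "a1b2c3.rotating-cname.example": ("CNAME", "edge.fake-cdn.example"),
    "edge.fake-cdn.example": ("CNAME", "node.cloud-hosted.example"),
    "node.cloud-hosted.example": ("A", "192.0.2.10"),
    "loop.example": ("CNAME", "loop2.example"),
    "loop2.example": ("CNAME", "loop.example"),
}

# Constructed watchlist: apex domains whose presence anywhere in a chain warrants review.
WATCHLIST = {"rotating-cname.example", "fake-cdn.example"}

@dataclass
class ChainResult:
    hops: list                 # every CNAME hop, in order
    final_name: str            # last name examined
    address: Optional[str]     # None if the chain loops, dead-ends or is too deep
    status: str                # "resolved", "loop", "too_deep" or "nxdomain"
    flagged: list = field(default_factory=list)  # hops matching the watchlist

def resolve_single_step(name, zone):
    """What a one-hop tool sees: the first CNAME target only, never the endpoint."""
    rtype, target = zone.get(name, (None, None))
    return target if rtype == "CNAME" else None

def _flag(hops, watchlist):
    return [h for h in hops if any(h == d or h.endswith("." + d) for d in watchlist)]

def resolve_chain(name, zone=SAMPLE_ZONE, watchlist=WATCHLIST, max_depth=MAX_DEPTH):
    """Follow CNAMEs until an A record, a loop, a missing name, or max_depth."""
    hops, seen, current = [], set(), name
    while True:
        if current in seen:  # revisiting a name means the chain loops
            return ChainResult(hops, current, None, "loop", _flag(hops, watchlist))
        seen.add(current)
        rtype, target = zone.get(current, (None, None))
        if rtype == "A":
            return ChainResult(hops, current, target, "resolved", _flag(hops, watchlist))
        if rtype != "CNAME":
            return ChainResult(hops, current, None, "nxdomain", _flag(hops, watchlist))
        hops.append(target)
        if len(hops) > max_depth:
            return ChainResult(hops, target, None, "too_deep", _flag(hops, watchlist))
        current = target
```

Replacing the dictionary lookup with a real resolver query (for example a CNAME/A query per hop) turns this into the chain analysis the recommendations below ask for, with the loop and depth guards intact.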
To further avoid scrutiny, the group has implemented a deliberate U.S. block across many of its portals, displaying an error message stating “The region has been denied” to American visitors. Concurrently, Triad Nexus has expanded its scam operations into Spanish, Vietnamese, and Indonesian markets, ensuring its fraudulent profits continue to flow.
What You Should Do
- Implement advanced CNAME chain analysis capabilities to uncover hidden redirection layers.
- Actively monitor for newly registered lookalike domains that mimic legitimate brands or services.
- Enforce strict DNS resolution policies and scrutinize unexpected DNS queries.
- Maintain deep visibility across all network layers to detect and disrupt sophisticated threats before they impact end-users.
- Educate users about the dangers of “pig butchering” scams and the importance of verifying investment opportunities independently.