The New E-Crime: AI-Driven Ransomware and Billion-Dollar Asian Underworlds
Across the Asia-Pacific region and Japan, a new breed of cybercrime is taking shape—one where attackers operate as structured business entities, guided by clear strategies and profit-driven motives. According to the CrowdStrike 2025 APJ eCrime Landscape Report, between January 2024 and April 2025, 763 victim organizations across the region were identified on ransomware leak sites. The highest concentration of attacks targeted India, Australia, Japan, Taiwan, and Singapore, with adversaries most frequently focusing on the manufacturing, technology, financial, and engineering sectors.
Leading the charge are threat groups such as OCULAR SPIDER, BITWISE SPIDER, BRAIN SPIDER, TRAVELING SPIDER, and PUNK SPIDER, all of which employ Ransomware-as-a-Service (RaaS) models and operate primarily from East Asia. Notably, several operators deliberately exclude China, CIS nations, and North Korea from their target lists, indicating territorial and political boundaries within their operations.
Particular attention is drawn to FunkLocker and KillSec—new AI-driven ransomware services that have been especially aggressive toward Indian organizations. The developer of FunkLocker, known under the alias Scorpion, was previously involved in hacktivist campaigns and now merges political and financial motives in his operations.
The region’s underground economy revolves around Chinese-language platforms such as Chang’an, FreeCity, and Huione Guarantee (recently rebranded as Haowang Guarantee). These networks facilitate the sale of stolen data, cryptocurrency laundering, and “pig butchering” crypto-investment scams. Through Huione alone, more than $27 billion in Tether tokens reportedly flowed before the U.S. Treasury Department sanctioned the service.
With major marketplaces being dismantled, smaller players have risen to fill the void—among them CDNCLOUD, offering bulletproof hosting, and Luck, the developer of the Magical Cat phishing kit. The latter has been used in campaigns against banks and courier companies, as well as in account-takeover operations targeting Japanese investors, enabling stock price manipulation.
CrowdStrike also highlights the growing activity of four regional threat groups: SINFUL SPIDER and RADIANT SPIDER from China, CHARIOT SPIDER from Vietnam, and SOLAR SPIDER from South Asia. The first two focus on injecting malicious scripts to steal payment data and redirect victims to gambling sites, while CHARIOT SPIDER exploits Microsoft IIS and Adobe ColdFusion web servers, inserting JavaScript to harvest credit card details. SOLAR SPIDER, on the other hand, targets banks and currency exchange platforms, spreading banking trojans via phishing emails disguised as SWIFT or Western Union notifications.
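The script-injection technique attributed to CHARIOT SPIDER and the two Chinese groups leaves a simple defensive handle: a payment page should only ever load scripts from a small, known set of hosts, and its inline scripts should not change between deployments. The check below is an added illustration of that baseline-integrity idea and is not code from the CrowdStrike report or from any of the groups named above. The allowlisted hosts, the baseline page, the "skimmed" page and the injected script tag are all constructed for the example; in practice the baseline would be generated from a known-good deployment and the fetch would run against the live site.

```python
"""Flag script tags on a served page that are not in a known-good baseline.

Added example (not from the report). Detects two symptoms of a web-skimming
injection: an external <script src> pointing at a host outside the site's
allowlist, and an inline <script> whose SHA-256 is not in the approved set.
"""
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed baseline a site owner would maintain for their checkout page.
ALLOWED_SCRIPT_HOSTS = {"shop.example.com", "cdn.example.com"}


def sha256_hex(text: str) -> str:
    """Hex SHA-256 of a script body, used to pin approved inline scripts."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


class _ScriptCollector(HTMLParser):
    """Collects external script URLs and inline script bodies from HTML."""

    def __init__(self) -> None:
        super().__init__()
        self.external: list[str] = []
        self.inline: list[str] = []
        self._in_script = False
        self._buf: list[str] = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            # HTMLParser treats <script> content as CDATA, so handle_data
            # receives the raw body until the closing tag.
            self._in_script = True
            self._buf = []

    def handle_data(self, data):
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag.lower() == "script" and self._in_script:
            self._in_script = False
            self.inline.append("".join(self._buf))


def find_unexpected_scripts(html: str, allowed_hosts: set[str],
                            approved_inline_hashes: set[str]) -> list[tuple[str, str]]:
    """Return (kind, detail) findings for scripts that deviate from the baseline.

    kind is "external" (detail = the src URL) or "inline" (detail = body hash).
    Relative and same-origin src values have an empty netloc and are accepted;
    protocol-relative "//host/x.js" is resolved to its host and checked.
    """
    parser = _ScriptCollector()
    parser.feed(html)
    parser.close()
    findings: list[tuple[str, str]] = []
    for src in parser.external:
        host = urlparse(src).netloc.lower()
        if host and host not in allowed_hosts:
            findings.append(("external", src))
    for body in parser.inline:
        digest = sha256_hex(body.strip())
        if digest not in approved_inline_hashes:
            findings.append(("inline", digest))
    return findings


# Constructed known-good page and its approved inline script hash.
BASELINE_PAGE = """<html><head>
<script src="https://cdn.example.com/jquery.min.js"></script>
<script src="/js/checkout.js"></script>
<script>window.checkout = {currency: "INR"};</script>
</head><body><form id="pay"></form></body></html>"""
APPROVED_INLINE_HASHES = {sha256_hex('window.checkout = {currency: "INR"};')}

# Constructed post-compromise page: one foreign script host and one inline
# script that was never approved (placeholder body, not a real skimmer).
SKIMMED_PAGE = BASELINE_PAGE.replace(
    "</head>",
    '<script src="//stats-collect.invalid/k.js"></script>\n'
    "<script>/* constructed: injected, not in baseline */ var x = 1;</script>\n</head>",
)


if __name__ == "__main__":
    for kind, detail in find_unexpected_scripts(SKIMMED_PAGE, ALLOWED_SCRIPT_HOSTS,
                                                APPROVED_INLINE_HASHES):
        print(f"ALERT unexpected {kind} script: {detail}")
```

Running this against a page fetched on a schedule turns a silent skimmer injection into an alert on the first poll after the change, which is the monitoring gap the report says regional organizations most need to close. The same baseline doubles as a source for a Content-Security-Policy `script-src` allowlist and for Subresource Integrity hashes on the external scripts.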
In China and Japan, new remote access trojans—ChangemeRAT, ElseRAT, and WhiteFoxRAT—are spreading under the guise of legitimate applications, distributed through SEO poisoning and malvertising. Their authors focus primarily on Chinese-speaking users, including expatriates, making these campaigns inherently transnational.
The report devotes special attention to Vietnam’s cybercrime ecosystem, where criminals have shifted toward hijacking business social media accounts with large advertising budgets. The spread of Ailurophile Stealer and FatStealer malware has compromised more than 20,000 pages, illustrating the fusion of cybercrime and the shadow digital marketing economy.
CrowdStrike warns that although Asia-Pacific currently accounts for less than 10% of global cyber incidents, the region is becoming increasingly attractive due to rapid digital expansion and weak regulatory enforcement. The dominant threats remain ransomware operations and fraud schemes fueled by Chinese-language underground services and crypto-based finance networks.
The company urges regional organizations to deploy autonomous AI-driven security agents for scalable incident response, fortify cloud environments as critical infrastructure, strengthen multi-factor authentication, and bridge monitoring gaps across domains. Without proactive threat hunting and intelligence-led defense, businesses will find it ever more difficult to withstand “entrepreneurial” adversaries—actors who follow the laws of the market, but not the laws of the state.