Press ReleaseCyber Crime & ForensicCyber Safety

APJ eCrime Landscape Report: Chinese Underground Marketplaces Drive Billions in Illicit Transactions, AI-Accelerated Ransomware  

Chinese-Speaking Actors Evade Government Restrictions and Solicit Criminal Services Through Anonymised Marketplaces

CrowdStrike recently released the 2025 APJ eCrime Landscape Report, exposing a thriving Chinese-language underground ecosystem and the rise of Artificial Intelligence (AI)-enhanced ransomware operations. Despite the Chinese government’s internet restrictions and eCrime crackdown, anonymised marketplaces remain central to cybercrime activity across Asia Pacific and Japan (APJ). This ecosystem, according to the APJ eCrime Landscape Report provides a safe haven for Chinese-speaking actors to buy and sell stolen credentials, phishing kits, malware, and money-laundering services—processing billions in illicit transactions.

At the same time, AI is transforming the ransomware economy. From AI-enhanced social engineering to automated malware development, AI is accelerating every stage of the attack chain—representing a new wave of adversaries executing Big Game Hunting campaigns against high-value organisations across APJ.

APJ eCrime Landscape Report Highlights

Based on frontline intelligence from CrowdStrike’s elite threat hunters and intelligence analysts tracking more than 265 named adversaries, the APJ eCrime Landscape report reveals:

  • Chinese eCrime Marketplaces Evade Oversight: Amid tightened restrictions, Chinese underground markets—including Chang’an, FreeCity, and Huione Guarantee—preserve anonymity across clearnet, darknet, and Telegram channels. This decentralised ecosystem remains a hub for Chinese-speaking actors focused on operational security (OPSEC), with Huione Guarantee alone processing an estimated USD $27 billion before its 2025 disruption.
  • AI Escalates Big Game Hunting Ransomware Campaigns: AI-accelerated ransomware on high-value targets surged, with India, Australia, and Japan among the most impacted countries. Emerging Ransomware-as-a-Service providers KillSec and Funklocker—leveraging AI-developed malware—accounted for more than 120 incidents. Top targeted sectors included manufacturing, technology, and financial services, with 763 victims publicly named on dedicated leak sites.
  • Chinese-Speaking Actors Exploit Japanese Trading Accounts: Coordinated account takeover (ATO) campaigns targeting Japanese securities platforms compromised users to artificially inflate the value of thinly traded China-based stocks. This pump-and-dump scheme, traced to Chinese-speaking threat actors, used shared phishing infrastructure to sell victim data on underground forums, including Chang’an Marketplace.
  • eCrime Service Providers Industrialize Attacks: Providers such as CDNCLOUD (Bulletproof Hosting), Magical Cat (Phishing-as-a-Service), and Graves International SMS (Global Spam Service) enabled scalable phishing, malware distribution, and monetisation operations throughout the region.
  • Remote Access Tools Target Regional Users: Likely Chinese-speaking eCrime actors deployed tools like ChangemeRATElseRAT, and WhiteFoxRAT to exploit Chinese- and Japanese-speaking users through SEO poisoning, malvertising, and phishing attacks masquerading as purchase orders.

“eCrime actors are industrialising cybercrime across APJ through thriving underground markets and complex ransomware operations. Simultaneously, AI-developed malware enables adversaries to launch high-velocity, high-volume attacks,” said Adam Meyers, Head of Counter Adversary Operations at CrowdStrike. “Defenders must meet this new pace of attack with decisive action, powered by AI, informed by human experience, and unified in response.”

Download the 2025 APJ eCrime Landscape Report to explore in-depth insights, adversary profiles, and expert strategies for defending against APJ’s evolving cyber threats.

CSA Editorial

Launched in Jan 2018, in partnership with Cyber Security Malaysia (an agency under MOSTI). CSA is a news and content platform focusing on key issues in cybersecurity in the region. CSA is targeted to serve the needs of cybersecurity professionals, IT professionals, Risk professionals and C-Levels who have an obligation to understand the impact of cyber threats.

Related Articles

Leave a Reply

Your email address will not be published. Required fields are marked *