CrowdStrike released the 2025 APJ eCrime Landscape Report, exposing a thriving Chinese-language underground ecosystem and the rise of AI-enhanced ransomware operations. Despite the Chinese government’s internet restrictions and eCrime crackdown, anonymised marketplaces remain central to cybercrime activity across the Asia Pacific and Japan (APJ). This ecosystem provides a haven for Chinese-speaking actors to buy and sell stolen credentials, phishing kits, malware, and money-laundering services – processing billions in illicit transactions.
At the same time, AI is transforming the ransomware economy. From AI-enhanced social engineering to automated malware development, AI is accelerating every stage of the attack chain – representing a new wave of adversaries executing Big Game Hunting campaigns against high-value organisations across APJ.
APJ eCrime Landscape Report Highlights:
Based on frontline intelligence from CrowdStrike’s elite threat hunters and intelligence analysts tracking more than 265 named adversaries, the report reveals:
- Chinese eCrime Marketplaces Evade Oversight: Amid tightened restrictions, Chinese underground markets — including Chang’an, FreeCity, and Huione Guarantee — preserve anonymity across clearnet, darknet, and Telegram channels. This decentralised ecosystem remains a hub for Chinese-speaking actors focused on operational security (OPSEC), with Huione Guarantee alone processing an estimated $27 billion USD before its 2025 disruption.
- AI Escalates Big Game Hunting Ransomware Campaigns: AI-accelerated ransomware on high-value targets surged, with India, Australia, and Japan among the most impacted countries. Emerging Ransomware-as-a-Service providers KillSec and Funklocker – leveraging AI-developed malware – accounted for more than 120 incidents. Top targeted sectors included manufacturing, technology, and financial services, with 763 victims publicly named on dedicated leak sites.
- Chinese-Speaking Actors Exploit Japanese Trading Accounts: Coordinated account takeover (ATO) campaigns targeting Japanese securities platforms compromised users to artificially inflate the value of thinly traded China-based stocks. This pump-and-dump scheme, attributed to Chinese-speaking threat actors, utilised shared phishing infrastructure to sell victim data on underground forums, including the Chang’an Marketplace.
- eCrime Service Providers Industrialise Attacks: Providers such as CDNCLOUD (Bulletproof Hosting), Magical Cat (Phishing-as-a-Service), and Graves International SMS (Global Spam Service) enabled scalable phishing, malware distribution, and monetisation operations throughout the region.
- Remote Access Tools Target Regional Users: Likely Chinese-speaking eCrime actors deployed tools like ChangemeRAT, ElseRAT, and WhiteFoxRAT to exploit Chinese- and Japanese-speaking users through SEO poisoning, malvertising, and phishing attacks masquerading as purchase orders.
“eCrime actors are industrialising cybercrime across APJ through thriving underground markets and complex ransomware operations. Simultaneously, AI-developed malware enables adversaries to launch high-velocity, high-volume attacks,” said Adam Meyers, head of counter-adversary operations at CrowdStrike. “Defenders must meet this new pace of attack with decisive action, powered by AI, informed by human experience, and unified in response.”