Chinese underground marketplaces drive billions in illicit transactions; AI-accelerated ransomware surges: CrowdStrike

CrowdStrike released the 2025 APJ eCrime Landscape Report, exposing a thriving Chinese-language underground ecosystem and the rise of AI-enhanced ransomware operations. Despite the Chinese government’s internet restrictions and eCrime crackdown, anonymised marketplaces remain central to cybercrime activity across Asia Pacific and Japan (APJ). This ecosystem provides a safe haven for Chinese-speaking actors to buy and sell stolen credentials, phishing kits, malware, and money-laundering services – processing billions in illicit transactions.

At the same time, AI is transforming the ransomware economy. From AI-enhanced social engineering to automated malware development, AI is accelerating every stage of the attack chain – representing a new wave of adversaries executing Big Game Hunting campaigns against high-value organisations across APJ.

APJ eCrime Landscape Report highlights:

Based on frontline intelligence from CrowdStrike’s elite threat hunters and intelligence analysts tracking more than 265 named adversaries, the report reveals:

• Chinese eCrime marketplaces evade oversight: Amid tightened restrictions, Chinese underground markets — including Chang’an, FreeCity, and Huione Guarantee — preserve anonymity across clearnet, darknet, and Telegram channels. This decentralised ecosystem remains a hub for Chinese-speaking actors focused on operational security (OPSEC), with Huione Guarantee alone processing an estimated $27 billion USD before its 2025 disruption.
• AI escalates big game hunting ransomware campaigns: AI-accelerated ransomware on high-value targets surged, with India, Australia, and Japan among the most impacted countries. Emerging Ransomware-as-a-Service providers KillSec and Funklocker – leveraging AI-developed malware – accounted for more than 120 incidents. Top targeted sectors included manufacturing, technology, and financial services, with 763 victims publicly named on dedicated leak sites.
• Chinese-speaking actors exploit Japanese trading accounts: Coordinated account takeover (ATO) campaigns targeting Japanese securities platforms compromised users to artificially inflate the value of thinly traded China-based stocks. This pump-and-dump scheme, traced to Chinese-speaking threat actors, used shared phishing infrastructure to sell victim data on underground forums, including Chang’an Marketplace.
• eCrime service providers industrialise attacks: Providers such as CDNCLOUD (Bulletproof Hosting), Magical Cat (Phishing-as-a-Service), and Graves International SMS (Global Spam Service) enabled scalable phishing, malware distribution, and monetisation operations throughout the region.
• Remote access tools target regional users: Likely Chinese-speaking eCrime actors deployed tools like ChangemeRAT, ElseRAT, and WhiteFoxRAT to exploit Chinese- and Japanese-speaking users through SEO poisoning, malvertising, and phishing attacks masquerading as purchase orders.

“eCrime actors are industrialising cybercrime across APJ through thriving underground markets and complex ransomware operations. Simultaneously, AI-developed malware enables adversaries to launch high-velocity, high-volume attacks,” said Adam Meyers, head of counter adversary operations at CrowdStrike. “Defenders must meet this new pace of attack with decisive action, powered by AI, informed by human experience, and unified in response.”