Normal view

Received — 18 June 2026 Threat Intelligence Blog | Flashpoint

Understanding Illicit Ecosystems: Weaponizing Mainstream Apps and Social Infrastructure

Blogs

Blog

Understanding Illicit Ecosystems: Weaponizing Mainstream Apps and Social Infrastructure

As part of our ongoing series, we focus on the shared infrastructure that fuels threat actors; the intersection of mainstream social media, open-source messaging platforms, and gaming communities.

SHARE THIS:

Threat actors and their illicit communities do not exist in a vacuum. To scale their operations, coordinate financial fraud, deploy malware, and recruit new talent, threat actors must interface with the broader digital world. This means leveraging everyday, public digital spaces to facilitate illicit activity, effectively hiding in plain sight.

The Clearnet Threat Landscape: Hiding in Plain Sight

When conceptualizing the cybercriminal underground, it is easy to focus exclusively on Tor-based onion sites or restricted-access dark web forums and marketplaces. However, a massive portion of modern illicit activity thrives on the clearnet. Threat actors heavily utilize commercial social media and public messaging networks to coordinate fraud, deploy malware, and run public relations campaigns for their operations.

At first glance, conducting illicit operations on highly monitored, mainstream platforms seems counterintuitive. However, the massive, continuous volume of legitimate traffic on the clearnet provides a form of operational security. By blending into the noise, threat actors can maintain a highly accessible digital presence. This visibility is crucial for their business models: it allows them to maintain a low barrier to entry for potential recruits and targets who know exactly what markers to look for, or who are systematically funneled into these spaces.

How Threat Actors Weaponize Consumer Platforms

The misuse of mainstream communication tools has changed how threat actors interact. Rather than waiting for users to seek out the dark web, cybercriminals are actively meeting their targets or co-conspirators on platforms designed for daily socialization.

Discord

Originally built to connect gaming communities, Discord’s rapid growth and robust infrastructure have inadvertently made it a target for malicious activity. Cybercriminals treat the platform as a multi-functional tool for both technical infrastructure, social engineering, and radicalization.

On a technical level, advanced persistent threats (APTs) and other threat actors exploit Discord’s content delivery network (CDN) to host and distribute malware. Because traffic to Discord domains is generally trusted by corporate networks, threat actors can potentially use it to deliver payloads—such as infostealers and remote access trojans (RATs)—bypassing standard security perimeters.

Beyond hosting malware, extremist groups across various ideological spectrums often target the platform’s demographic, which skews heavily towards younger tech-savvy users. This group provides an impressionable pool of adolescents who may be susceptible to grooming, indoctrination, and recruitment into illicit operations.

Case Study: The Targeting and Recruitment Mechanics of “The Com”

While monitoring The Com, Flashpoint analysts have observed the systematic use of platforms like Discord, Roblox, and Minecraft to run predatory extortion pipelines. The mechanics of this ecosystem takes place through a multi-phase methodology:

  1. Platform Scouting: Recruiters patrol servers on popular youth-centric gaming platforms, such as Discord, Roblox, and Minecraft. They look for minors showing signs of social isolation, depression, disordered eating, or a desire to belong.
  2. Building Trust and “Love Bombing”: Initial engagements are seemingly harmless. However, trust is built quickly to establish a sense of indebtedness. Recruiters offer gifts such as in-game perks/currency, premium subscriptions, or other digital items. In some cases, a romantic facade is used to establish a connection. In either scenario, “love bombing” creates an immediate feeling of psychological obligation in the target.
  3. Platform Migration: Once rapport is established, the recruiter moves the target away from the game and into an encrypted app or private Discord server, following a public-to-private strategy. By moving the interaction away from the original platform’s safety controls, the recruiter can isolate the target in a more controlled environment.

Once isolated, perpetrators coerce victims into sending sensitive imagery or CSAM. This material is immediately compiled and weaponized as leverage for blackmail via doxxing. This creates a severe psychological trap in which the victim feels compelled to partake in escalating illegal activity to keep their previous actions hidden. This drives the victim to transition from a victim into an aggressor to escape their own abuse.

Telegram

While many social media and messaging platforms can serve as an initial funnel for engagement, Telegram has been known to be used from time to time as an operational hub for the broader illicit ecosystem. Since the arrest of Pavel Durov, Telegram has begun working more closely with law enforcement, leading to several key arrests and major disruptions due to their cooperation. 

The platform occupies a unique space in threat intelligence and open source intelligence (OSINT). While the vast majority of its user base is entirely benign, its minimal moderation policy and robust channel architecture have made it vital to public and private intelligence gathering.

Telegram functions as an open marketplace and real-time coordination center for a vast spectrum of threat actors. Flashpoint has observed it being used by:

  1. State-sponsored APT groups and hacktivists
  2. Geopolitical actors and mercenary groups distributing battlefield intelligence and propaganda
  3. Cybercriminal syndicates coordinating financial fraud schemes, check fraud, and the sale of compromised data.

Furthermore, threat actors routinely use other public-facing platforms like X (formerly Twitter) alongside Telegram to amplify their impact. They leverage the broad reach of social media to broadcast proof of their compromises, hype up ransomware leaks, and exert public pressure on corporate victims during extortion cycles. Concurrently, Telegram often acts as the backend repository where the stolen data is hosted, discussed, and monetized.

Monitor the Clearnet Using Flashpoint

The evolution of illicit ecosystems demonstrates that the lines between the dark web and the clearnet have intersected. Whether analyzing the activities of extremist and threat actor groups or tracking the predatory pipelines of The Com, defenders must look beyond traditional intelligence sources.

Because malicious actors rely heavily on consumer messaging apps and social platforms to coordinate attacks, leak data, and target people, monitoring these public-to-private pipelines is an essential component of threat intelligence. Uncovering these physical and cyber threats requires best-in-class threat intelligence and OSINT investigations capable of parsing the massive noise of the clearnet to find the signals of illicit coordination.

Request a demo to see how Flashpoint empowers security teams to monitor these decentralized threat landscapes to proactively protect their critical assets.

Check out the rest of our “Understanding Illicit Ecosystems” series:
Understanding Illicit Ecosystems: The Hybrid Threat of “The Com”
Understanding Illicit Ecosystems: XSS and the Current State of the Russian-Speaking Underground

See Flashpoint in Action

The post Understanding Illicit Ecosystems: Weaponizing Mainstream Apps and Social Infrastructure appeared first on Flashpoint.

Received — 8 June 2026 Threat Intelligence Blog | Flashpoint

Understanding Illicit Ecosystems: XSS and the Current State of the Russian-Speaking Underground

Blogs

Blog

Understanding Illicit Ecosystems: XSS and the Current State of the Russian-Speaking Underground

In this post, we explore XSS’ shift from a unified forum to a scattered community spread across several competing factions.

SHARE THIS:

What is XSS?

For more than two decades, XSS was the gathering ground for the Russian-speaking cybercriminal underground. Evolving from its former name, DaMaGeLaB, XSS evolved from a mid-tier message board into a top-tier hacking forum.

XSS is home to vendors of various crime types, including loaders, phishing, scamming, carding, malware development, distributed denial-of-service (DDoS) bots, and related services. It also facilitates the trade of illicit goods and services, while simultaneously serving as a networking and recruitment hub for threat actors.

XSS forum content falls within the following main sections:

  • “Underground”: Includes most noncommercial content, such as sharing information on malware, vulnerabilities, and exploits, phishing, fraud, open source intelligence, artificial intelligence, and machine learning.
  • “Programming, Development”: Includes posts and articles about programming languages and administration.
  • “Library”: Includes news articles, databases, and discussions around software and tools. Users also post about vulnerabilities and exploits.
  • “Business Decisions”: Users discuss different investments, the sale of digital goods, trading, start-ups of fraudulent businesses, and news about cryptocurrencies.
  • “Lounge Zone, Resting”: Content involves lifestyle discussions, hobbies, and cybercriminal community rumors and scandals.
  • “Trading Platform”: Users sell and look to buy network access, malware, counterfeit documents, and advertise their services. This is where users hire and look for work or partners.
  • “People’s Court”: Used for complaints and arbitration and contains lists of phishing forums and scammers.
  • “Ours”: Contains information about the XSS project, discussions on issues, suggestions, and initiatives for forum improvement.
  • “Private: Underground”: Closed section for only forum members.
XSS forum main sections (Source: XSS)

XSS Disruption: July 2025 Takedown

On July 23, 2025, law enforcement organizations reportedly seized XSS as part of a multinational operation with Ukrainian authorities, French police, and Europol. Alongside the domain seizure, French authorities reported the arrest of XSS’s longtime administrator in Ukraine.

This arrest triggered an immediate chain reaction that has had lasting effects on the Russian-speaking underground—with the XSS ecosystem splintering into several competing factions.

The Current State of the Russian-Speaking Underground

While the original XSS architecture was severely disrupted, the surrounding Russian-speaking cybercriminal ecosystem remains intensely active. However, instead of a centralized hub, the XSS ecosystem is spread out through competing environments that emerged directly from the fallout of the takedown.

DamageLib

Launched by the legacy moderators of XSS, DamageLib represents a structural pivot away from standard illicit forums. Concluding that the old XSS site was compromised by law enforcement, the moderators launched a new model that completely abandons commerce—shutting down all buying, selling, and auctions entirely—-to eliminate user tracking and surveillance. Instead, it focuses strictly on technical materials and tutorials.

Rehub

Recognizing that displaced cybercriminals still required a commercial venue to trade, a former XSS moderator launched Rehub quickly after the emergence of DamageLib. Rehub immediately integrated a commercial platform, successfully recruiting prominent threat actors into its moderation team to establish underground credibility.

The forum is still in its development stage, with its content being populated, and an active member base being built.

XSS[.pro]

In early August 2025, an unknown entity launched an alleged resurrection of the forum on a new domain [.pro], utilizing old backups that preserved legacy user data, threads, and forum deposits. However, this new version has been met with significant distrust from Exploit and DamageLib, believing the [.pro] domain to be a honeypot controlled by law enforcement.

XSSF Forum

Started by a pro-Russian Telegram hacking group, this community actively targets EU and Ukrainian digital infrastructure. According to user discussions on DamageLib, this forum is not related to XSS. In addition, Flashpoint analysts note that targeting Ukrainian infrastructure directly contradicts its original community rules. The authenticity of this forum and its ownership has not been verified.

Monitor a Fractured Underground Using Flashpoint

While law enforcement achieved a significant victory over XSS, they did not eliminate the Russian-speaking cybercriminal underground. Instead, they broke the foundational trust mechanics that had kept it centralized for twenty years.

This has left the Russian-speaking underground in a deeply fractured state that is still intensely active and highly adaptive. For defenders and analysts, this threat has not diminished—it has diversified. Tracking this ecosystem no longer means watching a single centralized community, but rather actively mapping out the live migrations, shifting rules, and behavioral patterns across these splintered groups.

Request a demo to learn how Flashpoint helps security teams aggregate intelligence from these scattered factions into a single source of truth, empowering your organization to proactively monitor and intercept emerging threats.

Request a demo today.

The post Understanding Illicit Ecosystems: XSS and the Current State of the Russian-Speaking Underground appeared first on Flashpoint.

Received — 23 April 2026 Threat Intelligence Blog | Flashpoint

The Language of Emojis in Threat Intelligence: How Adversaries Signal, Obfuscate, and Coordinate Online

Blogs

Blog

The Language of Emojis in Threat Intelligence: How Adversaries Signal, Obfuscate, and Coordinate Online

In this post, we examine how threat actors use emojis across illicit communities, how these symbols function as a form of coded language, and why understanding this form of communication is increasingly critical for threat intelligence teams.

SHARE THIS:
Default Author Image
April 6, 2026

As threat actor activity continues to shift toward informal, fast-moving communication platforms such as Telegram and Discord, the way adversaries communicate is evolving. Emojis, often dismissed as casual or nontechnical, have become a meaningful part of that evolution.

Across illicit forums, messaging apps, and closed communities, emojis are used not just for expression, but for signaling intent, categorizing activity, and, in some cases, obscuring meaning from outsiders. For analysts, this introduces an additional layer of context that can influence how communications are interpreted, prioritized, and actioned.

Emojis as a Functional Layer of Communication

Within threat actor communities, emoji usage is often structured and repeatable.

Rather than replacing language entirely, emojis act as a functional overlay — reinforcing key concepts, highlighting important information, and accelerating communication in high-volume environments.

This is especially common in:

  • Telegram fraud channels
  • Phishing and carding communities
  • Service marketplaces and access broker groups

In these environments, speed and clarity matter. Emojis allow actors to quickly scan messages, identify relevant content, and engage without parsing long text-based posts.

Common Emoji Categories and What They Signal

Flashpoint analysis of illicit communities shows that emoji usage tends to cluster around a set of recurring categories. While meanings can vary slightly by group, several patterns appear consistently.

Financial Activity and Monetization

Emojis related to money are among the most frequently used.

Common examples include:

  • 💰 / 💸 — Profit, successful fraud, or payouts
  • 💳 — Credit cards, carding activity, or stolen payment data
  • 🏦 — Banks or financial institutions
  • 🪙 — Cryptocurrency-related activity

These symbols often appear in sales posts, fraud logs, or success claims, helping actors quickly identify opportunities tied to financial gain.

Access, Credentials, and Compromise

Another cluster of emoji usage centers on access and account compromise, where symbols are used to signal the availability of credentials, successful intrusions, or control over compromised systems.

Examples include:

  • 🔑 — Credentials or account access
  • 🔓 — Successful breach or unlocked account
  • 📥 / 📤 — Data exfiltration or transfer
  • 🗂 — Databases or collections of stolen data

In many cases, these emojis are used in combination with minimal text, allowing actors to advertise access or share results without detailed descriptions.

Tools, Automation, and Services

Emojis are also used to signal tooling and service offerings.

Examples include:

  • 🤖 — Bots, automation tools, or malware
  • ⚙ — Configuration, setup, or infrastructure
  • 🧰 — Toolkits or bundled services
  • 📡 — Infrastructure, communication channels, or delivery mechanisms

These are commonly seen in phishing-as-a-service, SMS gateway services, and malware distribution communities.

Targets and Geography

Threat actors frequently use emojis to represent targets or regions.

Examples include:

  • 🏢 — Corporate or enterprise targets
  • 🎯 — Targeting or “hits”
  • 📍 — Specific targets, drop locations, or points of interest
  • 🌐 — Global campaigns
  • Country flags — Specific geographic targeting

This allows actors to signal targeting scope quickly, particularly in multilingual or international groups.

Urgency, Success, and Status

Some emojis are used to communicate momentum or importance.

Examples include:

  • 🔥 — High-value or trending activity
  • ✅ — Verified success or working method
  • 🚨 — Urgent update or active campaign
  • 📈 — Growth or increased results

These signals are particularly important in fast-moving channels where actors compete for attention.

Emojis as a Tool for Obfuscation

Beyond signaling, emojis are also used to evade detection.

Threat actors may substitute emojis for keywords associated with:

  • Fraud techniques
  • Financial activity
  • Specific platforms or services

For example, replacing “credit card” with 💳 or “bank” with 🏦 can help bypass basic keyword filters or reduce visibility in automated moderation systems.

When combined with slang, abbreviations, and multilingual phrasing, this creates a layered form of obfuscation that complicates large-scale monitoring efforts.

Building Identity and Reputation Through Emoji Patterns

Emoji usage is not just functional. It can also be behavioral.

Over time, actors often develop recognizable patterns in how they use emojis:

  • Consistent combinations in sales posts
  • Repeated formatting styles
  • Unique ways of structuring messages

These patterns can serve as lightweight identifiers, helping analysts:

  • Track the same actor across different channels
  • Identify reposted or syndicated content
  • Link activity between platforms

In ecosystems where aliases frequently change, these subtle patterns can provide additional attribution signals.

Cross-Language Communication in Global Threat Ecosystems

Illicit communities are inherently global, spanning multiple languages and regions.

Emojis provide a shared visual layer that allows actors to communicate core concepts without relying entirely on text. This is particularly valuable in:

  • Large Telegram channels with international membership
  • Cross-border fraud operations
  • Decentralized marketplaces

For example, a combination of 💳 + 💰 + 🌍 can communicate “global carding opportunity” without requiring a shared language.

This ability to compress meaning into visual shorthand helps scale operations and coordination across diverse actor networks.

Context Still Determines Meaning

Despite these patterns, emoji usage is not universal or fixed.

The same emoji can carry different meanings depending on:

  • The platform (Telegram vs. Discord vs. forums)
  • The specific community
  • The surrounding text and context

For example, 🔥 may indicate “high value” in one group, but simply “active discussion” in another.

For analysts, this reinforces the need to treat emojis as contextual signals, not standalone indicators. Accurate interpretation depends on understanding the broader communication environment.

What This Means for Threat Intelligence Teams

Emoji usage reflects a broader shift in how threat actors communicate toward faster, more visual, and more adaptive forms of interaction.

Flashpoint assesses that incorporating emoji analysis into intelligence workflows can enhance:

  • Detection of emerging campaigns
  • Identification of high-value activity
  • Attribution and actor tracking
  • Interpretation of intent and sentiment

While emojis alone are not decisive indicators, they provide an additional layer of signal that can strengthen overall analysis.

Supporting Security Teams with Threat Intelligence

Understanding how threat actors communicate down to the symbols they use provides critical context for identifying and interpreting emerging threats.

Flashpoint delivers intelligence that helps organizations monitor illicit communities, track evolving communication patterns, and translate raw data into actionable insights. Within the Flashpoint platform, analysts can search across environments like Flashpoint Ignite and Echosec using emojis alongside keywords—enabling more precise discovery of relevant conversations, signals, and emerging activity that might otherwise be missed.

This approach allows teams to capture nuance in how threat actors communicate, improving detection, attribution, and overall situational awareness.

To learn how Flashpoint can support your team with real-time intelligence and analysis, request a demo.

Begin your free trial today.

The post The Language of Emojis in Threat Intelligence: How Adversaries Signal, Obfuscate, and Coordinate Online appeared first on Flashpoint.

Received — 17 February 2026 Threat Intelligence Blog | Flashpoint

The Human Element: Turning Threat Actor OPSEC Fails into Investigative Breakthroughs

13 February 2026 at 20:09

Blogs

Blog

The Human Element: Turning Threat Actor OPSEC Fails into Investigative Breakthroughs

In this post, we explore how the psychological traps of operational security can unmask even the most sophisticated actors.

SHARE THIS:
Default Author Image
February 13, 2026
Table Of Contents

The threat intelligence landscape is often dominated with talks of sophisticated TTPs (tactics, tools, and procedures), zero-day vulnerabilities, and ransomware. While these technical threats are formidable, they are still managed by human beings, and it is the human element that often provides the most critical breakthroughs in attributing these attacks and de-anonymizing the threat actors behind them.

In our latest webinar, “OPSEC Fails: The Secret Weapon for People-Centric OSINT”,  Flashpoint was joined by Joshua Richards, founder of OSINT Praxis. Josh shared an intriguing case study where an attacker’s digital breadcrumbs led to a life-saving intervention. 

Here is how OSINT techniques, leveraged by Flashpoint’s expansive data capabilities, can dismantle illegal threat actor campaigns by turning a technical investigation into a human one.

Leveraging OPSEC as a Mindset

In a technical context, OPSEC is a risk management process that identifies seemingly innocuous pieces of information that, when gathered by an adversary, could be pieced together to reveal a larger, sensitive picture.

In the webinar, we break down the OPSEC mindset into three core pillars that every practitioner, and threat actor, must navigate. When these pillars fail, the investigation begins.

  • Analyzing the Signature: Every human has a digital signature, such as the way they type (stylometry), the times they are active, and the tools they prefer.
  • Identity Masking & Persona Management: This involves ensuring that your investigative identity has zero overlap with your real life. A common failure includes using the same browser for personal use and investigative research, which allows cookies to bridge the two identities.
  • Traffic Obfuscation: Even with a VPN, certain behaviors such as posting on a dark web forum and then using that same connection to check personal banking can expose an IP address, linking it to a practitioner or threat actor.

“Effective OPSEC isn’t about the tools you use; it’s about what breadcrumbs you are leaving behind that hackers, investigation subjects, or literally anyone could find about you.”

Joshua Richards, founder of Osint Praxis

Leveraging the Mindset for CTI

Understanding the OPSEC mindset allows security teams to think like the target. When we know the psychological traps attackers fall in, we know exactly where to look for their mistakes.

AssumptionThe Mindset TrapThe Investigative Reality
Insignificant“I’m not a high-value target; no one is looking for me.”Automated Aggression: Hackers use scripts to scan millions of accounts. You aren’t “chosen”; you are “discovered” via automation.
Invisible“I don’t have a LinkedIn or X account, so I don’t have a footprint.”Shadow Data: Public birth records, property taxes, and historical data breaches create a footprint you didn’t even build yourself.
Invincible“I have 2FA and complex passwords; I’m unhackable.”Session Hijacking: Infostealer malware steals “session tokens” (cookies). This allows an actor to be you in a browser without ever needing your 2FA code.

During the webinar, Joshua shares a masterclass in how leveraging these concepts can turn a vague dark web threat into a real-world arrest. Check out the on-demand webinar to see exactly how the investigation started on Torum, a dark web forum, and ended with an arrest that saved the lives of two individuals.

Turn the Tables Using Flashpoint

The insights shared in this session powerfully illustrate that even the most dangerous threat actors are rarely as anonymous as they believe. Their downfall isn’t usually a failure of their technical prowess, but a failure of their mindset. By understanding these OSINT techniques, intelligence practitioners can transform a sea of digital noise into a clear path toward attribution.

The most effective way to dismantle threats is to bridge the gap between technical indicators and human behavior. Whether your teams are conducting high-stakes OSINT or protecting your own organization’s digital footprint, every breadcrumb counts. By leveraging Flashpoint’s expansive threat intelligence collections and real-time data, you can stay one step ahead of adversaries. Request a demo to learn more.

Request a demo today.

The post The Human Element: Turning Threat Actor OPSEC Fails into Investigative Breakthroughs appeared first on Flashpoint.

Received — 1 February 2026 Threat Intelligence Blog | Flashpoint

How China’s “Walled Garden” is Redefining the Cyber Threat Landscape

Blogs

Blog

How China’s “Walled Garden” is Redefining the Cyber Threat Landscape

In our latest webinar, Flashpoint unpacks the architecture of the Chinese threat actor cyber ecosystem—a parallel offensive stack fueled by government mandates and commercialized hacker-for-hire industry.

SHARE THIS:
Default Author Image
January 30, 2026

For years, the global cybersecurity community has operated under the assumption that technical information was a matter of public record. Security research has always been openly discussed and shared through a culture of global transparency. Today, that reality has fundamentally shifted. Flashpoint is witnessing a growing opacity—a “Walled Garden”—around Chinese data. As a result, the competence of Chinese threat actors and APTs has reached an industrialized scale.

In Flashpoint’s recent on-demand webinar, “Mapping the Adversary: Inside the Chinese Pentesting Ecosystem,” our analysts explain how China’s state policies surrounding zero-day vulnerability research have effectively shut out the cyber communities that once provided a window into Chinese tradecraft. However, they haven’t disappeared. Rather, they have been absorbed by the state to develop a mature, self-sustaining offensive stack capable of targeting global infrastructure.

Understanding the Walled Garden: The Shift from Disclosure to Nationalization

The “Walled Garden” is a direct result of a Chinese regulatory turning point in 2021: the Regulations on the Management of Security Vulnerabilities (RMSV). While the gradual walling off of China’s data is the cumulative result of years of implementing regulatory and policy strategies, the 2021 RMSV marks a critical turning point that effectively nationalized China’s vulnerability research capabilities. Under the RMSV, any individual or organization in China that discovers a new flaw must report it to the Ministry of Industry and Information Technology (MIIT) within 48 hours. Crucially, researchers are prohibited from sharing technical details with third parties—especially foreign entities—or selling them before a patch is issued.

It is important to note that this mandate is not limited to Chinese-based software or hardware; it applies to any vulnerability discovered, as long as the discoverer is a Chinese-based organization or national. This effectively treats software vulnerabilities as a national strategic resource for China. By centralizing this data, the Chinese government ensures it has an early window into zero-day exploits before the global defensive community. 

For defenders, this means that by the time a vulnerability is public, there is a high probability it has already been analyzed and potentially weaponized within China’s state-aligned apparatus.

The Indigenous Kill Chain: Reconnaissance Beyond Shodan

Flashpoint analysts have observed that within this Walled Garden, traditional Western reconnaissance tools are losing their effectiveness. Chinese threat actors are utilizing an indigenous suite of cyberspace search engines that create a dangerous information asymmetry, allowing them to peer at defender infrastructure while shielding their own domestic base from Western scrutiny.

While Shodan remains the go-to resource for security teams, Flashpoint has seen Chinese threat actors favor three IoT search engines that offer them a massive home-field advantage:

  • FOFA: Specializes in deep fingerprinting for middleware and Chinese-specific signatures, often indexing dorks for new vulnerabilities weeks before they appear in the West.
  • Zoomai: Built for high-speed automation, offering APIs that integrate with AI systems to move from discovery to verified target in minutes.
  • 360 Quake: Provides granular, real-time mapping through a CLI with an AI engine for complex asset portraits.

In the full session, we demonstrate exactly how Chinese operators use these tools to fuse reconnaissance and exploitation into a single, automated step—a capability most Western EDRs aren’t yet tuned to detect.

Building a State-Aligned Offensive Stack

Leveraging their knowledge of vulnerabilities and zero-day exploits, the illicit Chinese ecosystem is building tools designed to dismantle the specific technologies that power global corporate data centers and business hubs.

In the webinar, our analysts explain purpose-built cyber weapons designed to hunt VMware vCenter servers that support one-click shell uploads via vulnerabilities like Log4Shell. Beyond the initial exploit, Flashpoint highlights the rising use of Behinder (Ice Scorpion)—a sophisticated web shell management tool. Behinder has become a staple for Chinese operators because it encrypts command-and-control (C2) traffic, allowing attackers to evade conventional inspection and deep packet analytics.

Strengthen Your Defenses Against the Chinese Offensive Stack with Flashpoint

By understanding this “Walled Garden” architecture, defenders can move beyond generic signatures and begin to hunt for the specific TTPs—such as high-entropy C2 traffic and proprietary Chinese scanning patterns—that define the modern Chinese threat actor.

How can Flashpoint help? Flashpoint’s cyber threat intelligence platform cuts through the generic feed overload and delivers unrivaled primary-source data, AI-powered analysis, and expert human context.

Watch the on-demand webinar to learn more, or request a demo today.

Request a demo today.

The post How China’s “Walled Garden” is Redefining the Cyber Threat Landscape appeared first on Flashpoint.

Received — 24 January 2026 Threat Intelligence Blog | Flashpoint

The Top Threat Actor Groups Targeting the Financial Sector

Blogs

Blog

The Top Threat Actor Groups Targeting the Financial Sector

In this post, we identify and analyze the top threat actors that have been actively targeting the financial sector between 2024 and 2026.

SHARE THIS:
Default Author Image
January 6, 2026

Between 2024 and 2026, Flashpoint analysts have observed the financial sector as a top target of threat actors, with 406 publicly disclosed victims falling prey to ransomware attacks alone—representing seven percent of all ransomware victim listings during that period.

However, ransomware is just one piece of the complex threat actor puzzle. The financial sector is also grappling with threats stemming from sophisticated Advanced Persistent Threat (APT) groups, the risks associated with third-party compromises, the illicit trade in initial access credentials, the ever-present danger of insider threats, and the emerging challenge of deepfake and impersonation fraud.

Why Finance?

The financial sector has long been one of the most attractive targets for threat actors, consistently ranking among the most targeted industries globally.

These institutions manage massive volumes of sensitive data—from high-value financial transactions and confidential customer information to vast sums of capital, making them especially lucrative for threat actors seeking financial gain. Additionally, the urgency and criticality of financial operations increases the chances that victim organizations will succumb to extortion and ransom demands.

Even beyond direct financial incentives, the financial sector remains an attractive target due to its deep interconnectivity with other industries.This means that malicious actors may simply target financial institutions to gain information about another target organization, as a single data breach can have far-reaching and cascading consequences for involved partners and third parties.

The Threat Actors Targeting the Financial Sector

To understand the complexities of the financial threat landscape, organizations need a comprehensive understanding of the key players involved. The following threat actors represent some of the most prominent and active groups targeting the financial sector between April 2024 and April 2025:

RansomHub

Despite being a relatively new Ransomware-as-a-Service (RaaS) group that emerged in February 2024, RansomHub quickly rose to prominence, becoming the second-most active ransomware group in 2024. Notably, they claimed 38 victims in the financial sector between April 2024 and April 2025. Their known TTPs include phishing and exploiting vulnerabilities. RansomHub is also known to heavily target the healthcare sector.

Akira

Active since March 2023, Akira has demonstrated increasingly sophisticated tactics and has targeted a significant number of victims across various sectors. Between April 2024 and April 2025, they targeted 34 organizations within the financial sector. Evidence suggests a potential link to the defunct Conti ransomware group. Akira commonly gains initial access through compromised credentials, Virtual Private Network (VPN) vulnerabilities, and Remote Desktop Protocol (RDP). They employ a double extortion model, exfiltrating data before encryption.

LockBit Ransomware

A long-standing and highly prolific RaaS group operating since at least September 2019, LockBit continued to be a major threat to the financial sector, claiming 29 publicly disclosed victims between April 2024 and April 2025. LockBit utilizes various initial access methods, including phishing, exploitation of known vulnerabilities, and compromised remote services.

Most notably, in June 2024, LockBit claimed it gained access to the US Federal Reserve, stating that they exfiltrated 33 TB of data. However, Flashpoint analysts found that the data posted on the Federal Reserve listing appears to belong to another victim, Evolve Bank & Trust.

FIN7

This financially motivated threat actor group, originating from Eastern Europe and active since at least 2015, focuses on stealing payment card data. They employ social engineering tactics and create elaborate infrastructure to achieve their goals, reportedly generating over $1 billion USD in revenue between 2015 and 2021. Their targets within the financial sector include interbank transfer systems (SWIFT, SAP), ATM infrastructure, and point-of-sale (POS) terminals. Initial access is often gained through phishing and exploiting public-facing applications.

Scattering Spider

Emerging in 2022, Scattered Spider has quickly become known for its rapid exploitation of compromised environments, particularly targeting financial services, cryptocurrency services, and more. They are notorious for using SMS phishing and fake Okta single sign-on pages to steal credentials and move laterally within networks. Their primary motivation is financial gain.

Lazarus Group

This advanced persistent threat (APT) group, backed by the North Korean government, has demonstrated a broad range of targets, including cryptocurrency exchanges and financial institutions. Their campaigns are driven by financial profit, cyberespionage, and sabotage. Lazarus Group employs sophisticated spear-phishing emails, malware disguised in image files, and watering-hole attacks to gain initial access.

Top Attack Vectors Facing the Financial Sector

Between April 2024 and April 2025, our analysts observed 6,406 posts pertaining to financial sector access listings within Flashpoint’s forum collections. How are these prolific threat actor groups gaining a foothold into financial data and systems? Examining Flashpoint intelligence, malicious actors are capitalizing on third-party compromises, initial access brokers, insider threats, amongst other attack vectors:

Third-Party Compromise

Ransomware attacks targeting third-party vendors can have a direct and significant impact on financial institutions through data exposure and compromised credentials. The Clop ransomware gang’s exploitation of the MOVEit vulnerability in December 2024 serves as a stark reminder of this risk.

Initial Access Brokers (IABs)

Initial Access Brokers specialize in gaining initial access to networks and selling these access credentials to other threat groups, including ransomware operators. Their tactics include phishing, the use of information-stealing malware, and exploiting RDP credentials, posing a significant risk to financial entities. Between April 2024 and April 2025, analysts observed 6,406 posts pertaining to financial sector access listings within Flashpoint’s forum collections.

Insider Threat

Malicious insiders, whether recruited or acting independently, can provide direct access to sensitive data and systems within financial institutions. Telegram has emerged as a prominent platform for advertising and recruiting insider services targeting the financial sector.

Deepfake and Impersonation

The increasing sophistication and accessibility of AI tools are enabling new forms of fraud. Deepfakes can bypass traditional security measures by creating convincing audio and video impersonations. While still evolving, this threat vector, along with other impersonation tactics like BEC and vishing, presents a growing concern for the financial sector. Within the past year, analysts observed 1,238 posts across fraud-related Telegram channels discussing impersonation of individuals working for financial institutions.

Defend Against Financial Threats Using Flashpoint

The financial sector remains a high-value target, facing a persistent and evolving array of threats. Understanding the tactics, techniques, and procedures (TTPs) of these top threat actors, as well as the broader threat landscape, is crucial for financial institutions to develop and implement effective security strategies.

Flashpoint is proud to offer a dedicated threat intelligence solution for banks and financial institutions. Our platform combines comprehensive data collection, AI-powered analysis, and expert human insight to deliver actionable intelligence, safeguarding your critical assets and operations. Request a demo today to see how our intelligence can empower your security team.

Request a demo today.

Received — 11 January 2026 Threat Intelligence Blog | Flashpoint

Beyond the Malware: Inside the Digital Empire of a North Korean Threat Actor

Blogs

Blog

Beyond the Malware: Inside the Digital Empire of a North Korean Threat Actor

In this post Flashpoint reveals how an infostealer infection on a North Korean threat actor’s machine exposed their digital operational security failures and reliance on AI. Leveraging Flashpoint intelligence, we pivot from a single persona to a network of fake identities and companies targeting the Web3 and crypto industry.

SHARE THIS:
Default Author Image
December 10, 2025

Last week, Hudson Rock published a blog on “Trevor Greer,” a persona tied to a North Korean IT Worker. Flashpoint shared additional insights with our clients back in July, and we’re now making those findings public.

Trevor Greer, a North Korean operative, was identified via an infostealer infection on their own machine. Information-stealing malware, also known as Infostealers or stealers, are malware designed to scrape passwords and cookies from unsuspecting victims. Stealers (like LummaC2 or RedLine) are typically used by cybercriminals to steal login credentials from everyday users to sell on the Dark Web. It is rare to see them infect the machines of a state-sponsored advanced persistent threat group (APT).

However, when adversaries unknowingly infect themselves, they can expose valuable insights into the inner workings of their campaigns. Leveraging Flashpoint intelligence sourced from the leaked logs of “Trevor Greer,” our analysts uncovered a myriad of fake identities and companies used by DPRK APTs.

Finding Trevor Greer

Flashpoint analysts have been tracking the Trevor Greer email address since December 2024 in relation to the “Contagious Interview” campaign, in which threat actors operated as LinkedIn recruiters to target Web3 developers, resulting in the deployment of multiple stealers compromising developer Web3 wallets. Flashpoint also identified the specific persona’s involvement in a campaign in which North Korean threat actors posed as IT freelance workers and applied for jobs at legitimate companies before compromising the organizations internally.

ByBit Compromise

The ByBit compromise in late February 2025 further fueled Flashpoint’s investigations into the Trevor Greer email address. Bybit, a cryptocurrency exchange, suffered a critical incident resulting in North Korean actors extorting US $1.5 billion worth of cryptocurrency. In the aftermath, Silent Push researchers identified the persona “Trevor Greer” associated with the email address trevorgreer9312@gmail[.]com, which registered the domain “Bybit-assessment[.]com” prior to the Bybit compromise.

A later report claimed that the domain “getstockprice[.]com” was involved in the compromise. Despite these domain discrepancies, both investigations attributed the attack to North Korean advanced persistent threat (APT) nexus groups.

Tracing the Infection

Using Flashpoint’s vast intelligence collections, we performed a full investigation of compromised virtual private servers (VPS), revealing the actor’s potential involvement in several other operations, including remote IT work, several self-made blockchain and cryptocurrency exchange companies, and a potential crypto scam dating back to 2022.

Flashpoint analysts also discovered that the Trevor Greer email address was linked to domains infected with information-stealing malware.

What the Logs Revealed

Analysts extracted information about the associated infected host from Trevor Greer, revealing possible tradecraft and tools used. Analysts further identified specific indicators of compromise (IOCs) used in the campaigns mentioned above, as well as email addresses used by the actor for remote work.

The data painted a vivid picture of how these threat actors operate:

Preparation for “Contagious Interviews”

The browser history revealed the actor logging into Willo, a legitimate video interview platform. This suggests the actor was conducting reconnaissance to clone the site for the “Contagious Interview” campaign, where they lured Web3 developers into fake job interviews to deploy malware.

Reliance on AI Tools

The logs exposed the actor’s reliance on AI to bridge the language gap. The operator frequently accessed ChatGPT and Quillbot, likely using them to write convincing emails, build resumes, and generate code for their malware.

Pivoting: One Node to a Network

By analyzing the “Trevor Greer” logs, we were able to pivot to other personas and campaigns involved in the operation.

  • Fake Employment: The logs contained credentials for freelance platforms, such as Upwork and Freelancer, associated with other aliases, including “Kenneth Debolt” and “Fabian Klein.” This confirmed the actor was part of a broader scheme to infiltrate Western companies as remote IT workers.
  • Fake Companies: The data linked the actor to fake corporate entities, such as Block Bounce (blockbounce[.]xyz), a sham crypto trading firm set up to appear legitimate to potential victims. 
  • Developer Personas: The infection data linked the actor to the GitHub account svillalobosdev, which had been active in open source projects to build credibility before the attack.
  • Legitimate Platforms & Tools: Analysts observed the actor using job boards such as Dice and HRapply[.]com, freelance platforms such as Upwork and Freelancer, and direct applications through company Workday sites. To improve their resume, the actor used resumeworded[.]com or cakeresume[.]com. For conversing, the threat actor likely relies on a mix of both GPT and Quilbot, as found in infected host logins, to ensure they sound human. During interviews, analysts determined that they potentially used Speechify. 
  • Deep & Dark Web Resources: The actor also likely purchased Social Security numbers (SSNs) from SSNDOB24[.]com, a site for acquiring Social Security data.

Disrupt Threat Actors Using Flashpoint

The “Trevor Greer” case study illustrates a critical shift in modern threat intelligence. We are no longer limited to analyzing the malware adversaries deploy; sometimes, we can analyze the adversaries themselves.

Using their own tools against them, Flashpoint transformed a faceless state-sponsored entity into a tangible user with bad habits, sloppy OPSEC, and a trail of digital breadcrumbs. Behind every sophisticated APT campaign is a human operator, and sometimes, they click the wrong link too. 

Request a demo today to delve deeper into the tactics, techniques, and procedures of advanced persistent threats and learn how Flashpoint’s intelligence strengthens your defenses.

Request a demo today.

The post Beyond the Malware: Inside the Digital Empire of a North Korean Threat Actor appeared first on Flashpoint.

❌