The eCrime threat landscape in the Asia Pacific and Japan (APJ) region is quickly evolving, driven by a mix of regional and global adversaries. From Chinese-language underground marketplaces facilitating the sale of stolen data and illicit services, to a rise in AI-developed ransomware campaigns, threat actors across the region are seeking new ways to scale and accelerate their operations.
Organizations in the region should prioritize defending against these adversaries by focusing on their tactics, techniques, and procedures (TTPs), while strengthening identity protections, securing cloud and SaaS environments, and preparing for ransomware and social engineering threats. Read the full CrowdStrike 2025 APJ eCrime Landscape Report to gain a full picture of the eCrime threats to this region and learn how to strengthen defenses against them.
eCrime adversaries operated with a strong focus on high-value targets. India, Australia, Japan, Taiwan, and Singapore were the most affected countries; manufacturing, technology, industrials and engineering, financial services, and professional services were the most affected sectors. Between January 2024 and April 2025, 763 APJ-based victims were named on ransomware and data theft and extortion dedicated leak sites (DLSs).
Tools and Techniques Fueling eCrime Operations
eCrime service providers support APJ activity by supplying the tools, infrastructure, and support cybercriminals need to scale phishing, malware distribution, and monetization operations. The report examines CDNCLOUD (bulletproof hosting), Graves International SMS (global SMS spam service), and Magical Cat (phishing-as-a-service).
In terms of tools used, CrowdStrike Intelligence has identified likely Chinese-speaking eCrime actors using remote access tools (RATs) to target Chinese and Japanese speakers. ChangemeRAT, ElseRAT, and WhiteFoxRAT were among the tools deployed through SEO poisoning, malvertising, and phishing attacks disguised as purchase orders.
The CrowdStrike 2025 APJ eCrime Landscape Report provides a definitive view of these threats, based on frontline intelligence from CrowdStrike’s elite threat hunters and intelligence analysts. The report combines analysis of adversary tradecraft, underground economies, and monetization trends with observations from CrowdStrike analysts who track malicious activity.
Highly active Chinese-language underground marketplaces are core to eCrime operations across the APJ region, despite the Chinese government’s internet restrictions and eCrime crackdown. This ecosystem provides Chinese-speaking threat actors — many of whom have prioritized operational security in light of government control — with an anonymous place to buy and sell stolen data, phishing kits, malware, and money laundering services.
The most prominent Chinese-language marketplaces, which include Chang’an, FreeCity, and Huione Guarantee, enable cybercriminals to operate anonymously through clearnet, darknet, and Telegram channels. Huione Guarantee, which built a reputation for transparency and trustworthiness among eCrime actors, facilitated an estimated billion USD in transactions over its lifespan.
CrowdStrike Intelligence observed the rise of AI-developed ransomware across the region. KillSec and FunkLocker, both ransomware-as-a-service providers, named a disproportionate number of APJ-based victims on their DLSs, comprising 35% and 32% of their total victims, respectively. Of these victims, most were based in India (21% for FunkLocker; 33% for KillSec).
Learn more: Download the CrowdStrike 2025 APJ eCrime Landscape Report
Meet the SPIDERs Operating in APJ
CrowdStrike tracks several eCrime adversaries targeting the region and four active eCrime adversaries based in the region, all tracked under the SPIDER moniker. These include:
- CHARIOT SPIDER: Vietnam-based adversary that has compromised Microsoft IIS and Adobe ColdFusion web servers
- RADIANT SPIDER: Chinese adversary that uses formjacking to harvest payment card data
- SINFUL SPIDER: Chinese adversary that uses password spraying and vulnerability exploitation in internet-facing applications
- SOLAR SPIDER: Targets banking and foreign exchanges using finance-themed phishing
Apart from SOLAR SPIDER, these adversaries are primarily opportunistic and have not been observed concertedly targeting the region. While CrowdStrike Intelligence has not seen APJ eCrime actors explicitly prohibit regional targeting, Chinese-speaking marketplaces’ rules and emphasis on anonymity indicate they hope to avoid law enforcement attention.
In a rapidly changing threat landscape, the CrowdStrike 2025 APJ eCrime Landscape Report provides the clarity and context organizations need to anticipate attacks, strengthen their defenses, and outpace the eCrime adversaries targeting their operations.
Additional Resources
- Learn how CrowdStrike’s Threat Intelligence and Hunting solutions are transforming security operations to better protect your business.
- Download the CrowdStrike 2025 APJ Threat Landscape Report (English, Japanese, Korean)
- Tune into the Adversary Universe podcast, where CrowdStrike experts discuss today’s threat actors — who they are, what they’re after, and how you can defend against them.
