CrowdStrike’s 2025 APJ eCrime Landscape Report indicates a significant expansion of a Chinese-language underground cybercrime ecosystem and an increase in AI-enhanced ransomware operations across the Asia Pacific and Japan (APJ) region.
The report details how, despite Chinese government internet restrictions and eCrime crackdowns, anonymized marketplaces persist as central hubs for cybercrime activity in APJ. These ecosystems offer a secure environment for Chinese-speaking actors to exchange stolen credentials, phishing kits, malware, and money-laundering services, facilitating billions in illicit transactions. Concurrently, artificial intelligence (AI) is transforming the ransomware economy by accelerating every stage of the attack chain, from social engineering to automated malware development, enabling a new wave of adversaries to execute “Big Game Hunting” campaigns against high-value organizations.
Based on frontline intelligence from CrowdStrike’s threat hunters and intelligence analysts, who track over 265 named adversaries, the report reveals that Chinese underground markets such as Chang’an, FreeCity, and Huione Guarantee maintain anonymity across clearnet, darknet, and Telegram channels. This decentralized infrastructure prioritizes operational security (OPSEC) for Chinese-speaking actors, with Huione Guarantee alone estimated to have processed $27 billion USD before its disruption in 2025.
AI-accelerated ransomware campaigns targeting high-value entities have surged, with India, Australia, and Japan identified as among the most affected countries. Emerging Ransomware-as-a-Service (RaaS) providers like KillSec and Funklocker, leveraging AI-developed malware, were responsible for over 120 reported incidents. Manufacturing, technology, and financial services were the top targeted sectors, accounting for 763 victims publicly named on dedicated leak sites.
Coordinated account takeover (ATO) campaigns, traced to Chinese-speaking threat actors, targeted Japanese securities platforms. These schemes involved compromising users to artificially inflate the value of thinly traded China-based stocks in “pump-and-dump” operations. The actors utilized shared phishing infrastructure and sold victim data on underground forums, including Chang’an Marketplace.
eCrime service providers are further industrializing attacks across the region. Services like CDNCLOUD for bulletproof hosting, Magical Cat for Phishing-as-a-Service, and Graves International SMS for global spam enabled scalable phishing, malware distribution, and monetization operations.
Remote Access Tools (RATs) such as ChangemeRAT, ElseRAT, and WhiteFoxRAT have been deployed by likely Chinese-speaking eCrime actors. These tools exploit Chinese- and Japanese-speaking users through methods including SEO poisoning, malvertising, and phishing attacks disguised as purchase orders.
Adam Meyers, head of counter adversary operations at CrowdStrike, commented on the findings, stating, “eCrime actors are industrializing cybercrime across APJ through thriving underground markets and complex ransomware operations. Simultaneously, AI-developed malware enables adversaries to launch high-velocity, high-volume attacks.” He added that “Defenders must meet this new pace of attack with decisive action, powered by AI, informed by human experience, and unified in response.”