AI-enhanced ransomware and underground economies reshape APJ threat landscape

CrowdStrike’s 2025 APJ eCrime Landscape Report reveals the rise of AI-powered ransomware, thriving Chinese-language underground markets, and a growing wave of cybercrime industrialization across Asia Pacific and Japan.

DQC Bureau

CrowdStrike has released its 2025 APJ eCrime Landscape Report, unveiling how artificial intelligence and underground economies are redefining cybercrime across the Asia Pacific and Japan (APJ) region. The report exposes a flourishing Chinese-language eCrime ecosystem and the rapid evolution of AI-enhanced ransomware operations, underscoring the urgency for organizations to rethink their defense strategies.

Despite Beijing’s crackdown on cybercrime and strict internet controls, anonymised marketplaces remain central to digital threat activity across the region, processing billions of dollars in illicit transactions while empowering new-age threat actors with scalable attack tools and AI automation.

Chinese-Language Underground Markets Thrive Despite Crackdown

CrowdStrike’s intelligence team found that Chinese-speaking eCrime actors continue to operate through decentralized networks spanning the clearnet, darknet, and encrypted channels like Telegram.

Underground markets such as Chang’an, FreeCity, and Huione Guarantee remain the backbone of this ecosystem, enabling trade in stolen credentials, phishing kits, and money-laundering services. Notably, Huione Guarantee alone processed an estimated USD 27 billion in illicit transactions before its disruption earlier this year, highlighting the industrial scale of organized eCrime in the region.

These marketplaces prioritize operational security (OPSEC) and anonymity, creating a resilient hub that connects threat actors, brokers, and service providers across national borders.

AI Supercharges Ransomware-as-a-Service and Big Game Hunting

A central finding of the report is how AI has transformed the ransomware economy. AI is now embedded across every phase of the attack chain, from automated malware creation to social engineering at scale, dramatically accelerating how ransomware operators execute Big Game Hunting campaigns targeting enterprises.

Emerging Ransomware-as-a-Service (RaaS) groups like KillSec and Funklocker leveraged AI-developed malware to carry out over 120 high-impact incidents in the past year.

India, Japan, and Australia ranked among the most affected nations, with manufacturing, technology, and financial services sectors being the primary targets. CrowdStrike identified 763 victims publicly listed on ransomware leak sites, signaling the persistence of data extortion tactics even amid global law enforcement crackdowns.

Sophisticated Financial Exploitation in Japan

The report also uncovered a wave of account takeover (ATO) campaigns targeting Japanese securities platforms. These operations compromised user accounts to inflate thinly traded Chinese stocks, executing a pump-and-dump scheme linked to Chinese-speaking actors.

Attackers used shared phishing infrastructure to harvest login credentials, which were later traded on platforms like Chang’an Marketplace, blurring the line between cybercrime and market manipulation.

eCrime as a Service: The Rise of Specialised Providers

Supporting the regional cybercrime boom is an industrial network of eCrime Service Providers (eCSPs) offering turnkey attack tools and infrastructure.

Prominent providers include:

  • CDNCLOUD – Bulletproof hosting for malware campaigns

  • Magical Cat – Phishing-as-a-Service kits for rapid deployment

  • Graves International SMS – Global spam and monetization solutions

These services have made sophisticated cyberattacks more accessible, allowing lower-skilled actors to execute campaigns at scale — a phenomenon CrowdStrike warns is “industrializing eCrime across APJ.”

Remote Access Tools Target Regional Users

CrowdStrike also tracked the deployment of ChangemeRAT, ElseRAT, and WhiteFoxRAT, advanced remote access tools (RATs) weaponized to exploit Chinese- and Japanese-speaking users.

These RATs spread through SEO poisoning, phishing emails, and malvertising disguised as purchase orders, enabling attackers to steal credentials, deploy payloads, or move laterally within enterprise networks.

Expert Insight: AI Is Accelerating the Attack Chain

“eCrime actors are industrializing cybercrime across APJ through thriving underground markets and complex ransomware operations,” said Adam Meyers, Head of Counter Adversary Operations at CrowdStrike. “Simultaneously, AI-developed malware enables adversaries to launch high-velocity, high-volume attacks. Defenders must meet this new pace of attack with decisive action, powered by AI, informed by human experience, and unified in response.”

Analysis: A New Phase in the Cyber Threat Economy

The 2025 APJ eCrime Landscape Report illustrates a stark reality: cybercrime is now operating at enterprise scale, with AI serving as both a weapon and an accelerator.

As eCrime ecosystems grow more decentralized and cross-border in nature, organizations in the APJ region must shift toward AI-powered defense models, continuous threat intelligence integration, and proactive incident response frameworks.

The convergence of AI, ransomware, and underground economies represents not just a technological challenge, but a strategic imperative for both enterprises and national cybersecurity agencies.

Key Takeaways

  • USD 27 billion processed through Chinese eCrime marketplace Huione Guarantee before disruption

  • 763 public ransomware victims recorded in APJ

  • 120+ incidents linked to AI-based RaaS operators KillSec and Funklocker

  • India, Japan, and Australia emerge as top regional ransomware targets

  • Financial sector exploitation and AI automation mark the new frontier of cybercrime

Conclusion: Cyber Defense Must Evolve at AI Speed

CrowdStrike’s latest findings reinforce the need for AI-driven cybersecurity ecosystems capable of detecting, interpreting, and responding to machine-speed threats.

As adversaries exploit automation and anonymity to expand their operations, defenders must combine intelligence, automation, and human expertise to stay ahead of an increasingly industrialised eCrime economy.
