CrowdStrike Warns of AI-Driven Cybercrime Surge Across APJ

A new report by CrowdStrike has revealed a rapidly expanding underground cybercrime economy across the Asia-Pacific and Japan (APJ) region, driven by Chinese-language marketplaces and the growing use of AI-enhanced ransomware. The findings, part of the 2025 APJ eCrime Landscape Report, highlight how artificial intelligence is transforming every phase of cyberattacks—from planning to execution—creating faster, more adaptive, and more destructive adversaries.

Despite the Chinese government’s restrictions on internet activity, the report found that anonymized marketplaces remain central to cybercrime operations across the region. These hubs enable the sale of stolen credentials, phishing kits, and money-laundering services, facilitating billions of dollars in illicit transactions.

Chinese Underground Marketplaces Fuel Illicit Trade

According to CrowdStrike, Chinese-language marketplaces such as Chang’an, FreeCity, and Huione Guarantee operate across the clearnet, darknet, and encrypted Telegram channels, maintaining operational security while trading stolen data and hacking tools. Before its disruption earlier this year, Huione Guarantee alone processed over $27 billion in illicit funds, underscoring the scale of organized digital crime networks in the region.

The report also uncovered sophisticated account takeover (ATO) campaigns targeting Japanese trading platforms. These coordinated attacks exploited compromised credentials to inflate the prices of low-liquidity China-based stocks—a pump-and-dump scheme designed to profit from manipulated market movements.

AI Fuels Next-Generation Ransomware Operations

CrowdStrike’s intelligence teams observed a sharp rise in AI-assisted ransomware attacks across India, Australia, and Japan. New Ransomware-as-a-Service (RaaS) groups such as KillSec and Funklocker are deploying AI-generated malware that adapts in real time to evade detection.

These AI-driven campaigns are designed for “Big Game Hunting”—targeting large enterprises with high-value data, particularly in manufacturing, finance, and technology. Between 2024 and 2025, more than 760 organizations across APJ were publicly listed as victims on leak sites, demonstrating the increasing scale and publicity of ransomware extortion models.

The Rise of Cybercrime-as-a-Service

CrowdStrike’s analysts note that the APJ region has become a testing ground for “industrialized cybercrime,” powered by service providers like CDNCLOUD (bulletproof hosting), Magical Cat (phishing-as-a-service), and Graves International SMS (spam operations). These actors offer plug-and-play cybercrime tools that allow even low-skilled attackers to launch sophisticated operations.

Remote Access Trojans (RATs) such as ChangemeRAT, ElseRAT, and WhiteFoxRAT are being deployed through phishing and SEO poisoning tactics, targeting users in China and Japan with fake purchase orders and finance documents.

Defenders Must Match AI with AI

“eCrime actors are industrializing cybercrime across APJ through thriving underground markets and complex ransomware operations,” said Adam Meyers, Head of Counter Adversary Operations at CrowdStrike. “Simultaneously, AI-developed malware enables adversaries to launch high-velocity, high-volume attacks. Defenders must meet this new pace of attack with decisive action, powered by AI and informed by human experience.”

CrowdStrike’s report concludes that as cybercriminals increasingly adopt AI tools, enterprises must accelerate adoption of AI-driven defense mechanisms—combining threat intelligence, behavioral analytics, and automation to anticipate and disrupt attacks before they occur.
