Southeast Asian scam camps, China’s cyber-espionage at scale, and other cybersecurity news

15.11.2025
A roundup of the week’s most important cybersecurity news.
  • Strike Force: America’s answer to Southeast Asian crypto scams.
  • Police took down more than 1,000 malware servers.
  • A leak exposed China’s global cyber-espionage methods.
  • The FBI sought to unmask the owner of Archive.is.

Strike Force: a response to Southeast Asian crypto fraud

On 12 November, US authorities announced the creation of the Scam Center Strike Force to combat crypto investment fraud originating in Southeast Asia, according to a Department of Justice press release.
Alongside the department, the FBI, the Secret Service and other agencies are involved. The Strike Force is focused on key leaders, including members of Chinese groups operating in Cambodia, Laos and Myanmar. US companies were invited to help block the infrastructure used by criminals.
According to law enforcement, Chinese syndicates contact Americans via social networks and SMS, build trust and persuade them to invest in cryptocurrency. Victims then transfer funds to fake investment sites hosted on US servers. The criminals quickly launder the money and move it out of the United States.
Many operators in Southeast Asia are themselves victims of human traffickers and work under the control of armed groups. In Cambodia and Laos, revenues from these schemes amount to nearly half of GDP. Losses to Americans exceed $10 billion a year, according to the Department of Justice.
The press release cites early results:
  • seizures of $401.6 million in cryptocurrency, with forfeiture complaints for a further $80 million;
  • operations in Myanmar against several centres, including Tai Chang, and the start of seizures of Starlink satellite terminals;
  • the DKBA insurgent group and related structures added to the sanctions list;
  • 38 suspects arrested in Bali over fraud against more than 150 Americans;
  • FBI agents sent to Thailand to join the international War Room Task Force campaign against scam camps, including the major KK Park hub.

Law enforcement took down more than 1,000 malware servers

Law-enforcement agencies in nine countries, together with Europol and Eurojust, conducted another phase of Operation Endgame against major cyber threats.
Between 10 and 14 November, authorities dismantled 1,025 servers linked to campaigns using the Rhadamanthys infostealer, VenomRAT and the Elysium botnet. They seized 20 domains and carried out searches in Germany, Greece and the Netherlands.

The malware infrastructure comprised hundreds of thousands of infected computers containing several million stolen accounts. Many victims were unaware their systems had been attacked.
The operation was supported by private-sector players including Cryptolaemus, Shadowserver, Proofpoint, CrowdStrike, Lumen, Abuse.ch, HaveIBeenPwned and others.
During this phase, a key suspect linked to the VenomRAT remote-access trojan was arrested. Investigators say he had access to more than 100,000 victims’ crypto wallets, with assets potentially worth millions of euros.

Leak exposes China’s global cyber-espionage methods

A massive data leak at Chinese firm Knownsec exposed the infrastructure of Beijing’s global cyber-espionage network, says a post on Mrxn’s Blog. Experts called the incident one of the most significant leaks in the history of state-sponsored hacking.
More than 12,000 confidential files that surfaced on GitHub show how closely commercial contractors such as Knownsec are tied to China’s intelligence apparatus. Among the clients of the firm, which is supported by tech giant Tencent, are government agencies, banks and operators of critical infrastructure.
According to researchers, the leak describes a broad toolkit of attack instruments, including remote-access trojans for all popular operating systems that collect messages, contacts and users’ geolocation. Hardware implants were also identified, such as a modified power‑bank charger capable of covertly extracting data from connected devices.
Knownsec’s internal documents point to the scale of stolen data:
  • 95 GB of data from India’s immigration service;
  • 3 TB of data from South Korean telecom operators;
  • 459 GB of Taiwan’s road‑infrastructure plans;
  • materials from more than 20 countries, including the United Kingdom, Japan and Nigeria.
Beijing declined to acknowledge the incident, stating only that it “opposes all forms of cyberattacks”.
Richard Blech, head of software firm XSOC CORP, told Resilience Media that the leak reveals a new Chinese doctrine—shifting from direct intrusion to AI analysis of encrypted data.
“This is cognitive warfare — not breaking into systems, but training models that understand systems, even if the data are encrypted,” he said.
He warned that such AI systems can predict an adversary’s actions from metadata and telemetry, making traditional defenses less effective.

FBI seeks to unmask the owner of Archive.is

The FBI sent a court order to Canadian domain registrar Tucows demanding the identity of the owner of the web‑archiving service Archive.today and its mirrors, including Archive.is.
The document states that the requested information “pertains to a federal criminal investigation being conducted by the FBI”, but gives no details.
The identity and location of Archive.is’s owner have remained unknown since the project launched in 2012. He may be a Prague resident using the pseudonym Denis Petrov.