
Netizen: Monday Security Brief (6/22/2026)

Today’s Topics:

  • INTERPOL Warns Cybercrime Is Surging Across Asia-Pacific as Phishing, Ransomware, and AI Scams Scale Up
  • The Gentlemen Ransomware Shows How Former Affiliates Are Building Faster, Leaner RaaS Operations
  • How can Netizen help?

INTERPOL Warns Cybercrime Is Surging Across Asia-Pacific as Phishing, Ransomware, and AI Scams Scale Up

Cybercrime is rising sharply across Asia and the South Pacific, with phishing, ransomware, banking malware, information stealers, deepfakes, and AI-assisted fraud placing new pressure on governments, businesses, and law enforcement agencies across the region. A new INTERPOL assessment says the threat environment has been shaped by fast digital adoption, wider internet access, organized criminal networks, uneven cybersecurity maturity, and the growing use of artificial intelligence in online crime.

According to INTERPOL’s 2025/2026 Asia and South Pacific Cyberthreat Assessment Report, phishing is now the most widespread and financially damaging form of cybercrime reported across the region. A third of countries covered in the assessment recorded more than 10,000 phishing cases between January 2024 and March 2025. More than half of INTERPOL member countries also reported that cybercrime made up at least 30% of all nationally recorded crime.

The numbers point to a broader shift in how cybercrime is operating. Phishing is no longer limited to low-effort credential theft emails or generic lures. Criminal groups are combining social engineering, fake login pages, malware delivery, business impersonation, and AI-generated content to reach more victims at scale. In many cases, phishing now serves as the entry point for broader fraud, account takeover, ransomware deployment, or data theft.

Ransomware also remains a major threat across the Asia-Pacific region. INTERPOL estimated that more than 135,000 ransomware-related attacks affected the region in 2024, with real estate, manufacturing, and financial services among the most heavily impacted sectors. These industries are attractive targets due to their operational reliance on digital systems, high-value data, financial exposure, and limited tolerance for downtime.

Ransomware groups are also increasing pressure during extortion by using victims’ regulatory and legal obligations against them. Rather than relying only on encryption, attackers may steal data, threaten public leaks, contact customers, reference compliance requirements, or use breach disclosure timelines to force faster payment decisions. This makes ransomware a legal, financial, operational, and reputational crisis, not just a technical incident.

INTERPOL also warned that AI-enabled scams are becoming more common, especially in impersonation and fraud campaigns. Deepfake audio, synthetic video, AI-generated personas, and more convincing written messages are being used to impersonate executives, manipulate victims, authorize fraudulent transfers, and support romance or investment scams. These tools reduce the skill required to produce believable social engineering content and allow criminal groups to run higher-volume campaigns with more convincing narratives.

The report also points to the industrialization of cyber-enabled fraud by transnational organized crime groups. Scam centers in Cambodia, Laos, Myanmar, and the Philippines have been linked to large-scale fraud operations that use forced labor to conduct investment scams, romance baiting schemes, and other online fraud. INTERPOL said organized crime groups in Myanmar, Cambodia, and Laos have used deepfakes in romance baiting scams, combining AI personas with social engineering in schemes tied to billions of dollars in regional cybercrime losses.

Malware activity is also expanding. Banking trojans and information stealers ranked as the second most common category of cybercrime in the report, with families such as RedLine, Lumma, LokiBot, Negasteal, and ZBot appearing among the most active threats. These tools are often used to harvest browser-stored credentials, session cookies, cryptocurrency wallet data, system information, and authentication material that can later be sold, reused, or combined with other intrusion activity.

Phishing link engagement in the region also exceeded the global average. INTERPOL reported that 5.5 out of every 1,000 individuals in Asia and the South Pacific clicked phishing links monthly, compared with a global average of 2.9 per 1,000. That higher rate gives attackers more opportunities to harvest credentials, compromise accounts, deliver malware, and move into business email compromise or identity fraud.

Distributed denial-of-service attacks also increased sharply, rising 92% in 2024 compared with the prior year. These attacks can be used to disrupt public services, pressure businesses, distract defenders, or support extortion campaigns. For organizations with weak network resilience or limited incident response capability, DDoS activity can create service outages that damage operations and public trust.

System intrusions remain a major driver of data breaches, accounting for about 80% of all data breach activity in 2024, according to the report. INTERPOL cited misconfigured systems, weak encryption, insecure APIs, and insufficient monitoring as common weaknesses attackers exploit to gain access to target networks. These issues are familiar to defenders, but their impact grows as organizations move more services online and expose more cloud, application, and identity infrastructure to the internet.

The rise in deepfake abuse has also created new risks beyond financial fraud. INTERPOL warned that synthetic media is being used for sexual exploitation, blackmail, and coercion. That threat category shows how AI-enabled cybercrime can cross from enterprise risk into personal harm, placing pressure on law enforcement agencies to respond to both technical abuse and human exploitation.

The regional trend is clear: cybercrime across Asia and the South Pacific is becoming more organized, more automated, and more closely tied to traditional criminal enterprises. Phishing, ransomware, infostealers, deepfakes, and online scams are no longer separate threat categories. They increasingly operate as connected parts of a broader criminal economy, where stolen credentials, synthetic identities, malware access, extortion, and fraud infrastructure support one another.

INTERPOL said law enforcement organizations across the region are scaling joint efforts to disrupt cybercriminal infrastructure, coordinate investigations, share intelligence, train personnel, and strengthen cyber resilience policies. That cooperation will be necessary as criminal groups continue using AI, ransomware-as-a-service, social engineering, and cross-border infrastructure to target victims at scale.

For organizations, the report reinforces the need to treat phishing resistance, ransomware readiness, identity security, endpoint visibility, API hardening, monitoring, incident response planning, and employee training as connected defensive priorities. The threat is no longer limited to isolated scams or opportunistic malware. It is a regional cybercrime ecosystem built to exploit weak controls, human trust, exposed systems, and the growing use of AI in both business and crime.


The Gentlemen Ransomware Shows How Former Affiliates Are Building Faster, Leaner RaaS Operations

The Gentlemen ransomware operation is a case study in how the ransomware-as-a-service economy is changing. The group did not appear as a fully isolated criminal brand with no prior tradecraft behind it. Reporting from PRODAFT, Microsoft, Check Point Research, Huntress, Trend Micro, and other threat intelligence teams indicates that The Gentlemen grew out of earlier affiliate activity tied to established ransomware ecosystems, then moved into its own independent partnership program after disputes, leaks, and instability inside the underground market.

PRODAFT tracks the group as Phantom Mantis and says it was initially known as ArmCorp. The operation has been active since March 2025 and is assessed to be led by a Russian-speaking threat actor tracked as LARVA-368, associated with aliases including hastalamuerte, ArmCorp, zeta88, nobody0, and santamuerte. Before launching The Gentlemen as a standalone program, the actor is said to have worked with or borrowed from ransomware ecosystems linked to LockBit, Qilin, Medusa, and Embargo. That background matters, since The Gentlemen does not look like a novice operation. It looks like a group built by people who already knew how ransomware crews recruit affiliates, manage panels, negotiate payments, move data, and pressure victims.

The operation’s shift from ArmCorp into The Gentlemen appears to have accelerated in July 2025 after a dispute with Qilin, with LARVA-368 alleging that roughly $48,000 in affiliate commissions had been withheld. That dispute fits a larger pattern in the ransomware market. Since 2023, major crews have been disrupted, exposed, rebranded, or accused of cheating affiliates. LockBit was hit by law enforcement action, ALPHV collapsed after payment controversy, RansomHub disappeared from public view, and several smaller crews splintered into private or semi-private programs. In that climate, experienced affiliates have more incentive to build their own platforms rather than depend on larger brands that may steal commissions, lose infrastructure, or attract too much law enforcement pressure.

The Gentlemen’s growth has been tied closely to that affiliate-first model. Check Point Research reported that the group publicly claimed more than 320 victims by April 2026, with 240 of those claims occurring in the first months of 2026. Halcyon has assessed that the group offered affiliates a 90/10 revenue split, giving affiliates 90 percent of ransom proceeds. That is higher than the 70/30 or 80/20 split common across many RaaS programs, making it a strong recruitment tool for operators who already have access, tradecraft, and victim pipelines.

This is one reason The Gentlemen should be seen as a business-model threat, not just a malware threat. The ransomware itself is dangerous, but the affiliate structure is what allows the operation to scale. Operators provide the locker, infrastructure, support, leak site, and build process. Affiliates bring access, execute intrusions, steal data, deploy ransomware, and negotiate with victims through their own Tox or messaging identifiers. That separation lets the core program support many intrusions without directly conducting each one.

The group’s internal communications, later exposed through leaks affecting its Rocket.Chat environment, gave researchers an unusually clear view into how the operation functioned. PRODAFT said it identified 34 registered users in the group’s Rocket.Chat instance between May 2025 and April 2026. Check Point Research reported that leaked material included conversations about initial access, edge appliance exploitation, affiliate roles, shared tools, backend systems, victim handling, and ransom negotiations. The leak also exposed accounts connected to the administrator, who reportedly managed infrastructure, built lockers, handled the RaaS panel, and oversaw payouts.

The internal structure shows a division of labor that resembles a criminal services platform. One role, referred to as The Gentlemen Data, appears focused on data exfiltration support, helping move stolen information from affiliate-controlled cloud storage into The Gentlemen infrastructure for publication on the group’s leak site. LARVA-368 and related support channels appear to have helped affiliates with encryption, intrusion troubleshooting, and security-tool bypasses. Support moved through Tox, SimpleX Chat, Ricochet Refresh, and other messaging platforms after the Rocket.Chat leaks damaged the group’s internal trust.

The affiliate panel also reflects the maturity of the operation. PRODAFT reported that prospective affiliates needed to provide at least 1 GB of exfiltrated victim data before gaining access to the panel, a vetting method also seen in other ransomware crews trying to keep researchers and law enforcement out. The panel reportedly allowed affiliates to configure targets, build ransomware packages, download lockers, manage users, and track victim states. That kind of infrastructure lowers friction for affiliates and helps standardize attacks across different operators.

The ransomware payload is built for broad enterprise coverage. Reporting indicates that The Gentlemen supports Windows, Linux, ESXi, older Windows systems, and LVM environments. Microsoft tracks the operators as Storm-2697 and described the Windows encryptor as a Go-based ransomware family obfuscated with Garble. Microsoft also reported that the ransomware can use self-propagation logic, turning a single-host encryptor into malware that attempts to spread across reachable systems once enabled by the operator. That feature raises the risk of domain-wide impact after initial access, particularly in flat networks with weak segmentation and overprivileged accounts.

The ransomware’s options show a focus on speed, reach, and recovery disruption. Analysts have reported features for local encryption, network share encryption, delayed execution, selective scope, self-deletion, free-space wiping, GPO-based deployment, and propagation using credential material. ESXi support gives the group a path to affect virtualization infrastructure, where encrypting hosts or datastores can impact many workloads at once. LVM support extends the reach against Linux storage configurations and block-device targets. This cross-platform coverage reflects how modern ransomware crews build for mixed enterprise environments rather than single endpoint classes.

Incident reporting from Huntress and Trend Micro also shows that affiliates deploying The Gentlemen have used common enterprise intrusion tradecraft before encryption. Observed activity has included scheduled task abuse, Windows scripting, log clearing, Defender tampering, antivirus exclusions, remote access tooling such as AnyDesk, Group Policy manipulation, privileged account compromise, encrypted file transfer, and legitimate driver abuse. These techniques are not new on their own. The risk comes from how they are packaged into a repeatable affiliate workflow backed by a growing RaaS program.
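The tradecraft list above maps to Windows events a SOC can already collect. The following is an added example (not code from Netizen or from any of the cited vendors) that correlates such events per host so that a single exclusion or scheduled task is treated as admin noise while a cluster of the listed behaviours on one host is escalated. The event IDs are real Windows IDs; the host names, log excerpts and rule names are constructed for the example.

```python
"""Added example: correlate Windows event records against the pre-encryption
tradecraft described above. Event IDs are real Windows IDs; the log lines are
constructed samples, not data from any incident report."""
from collections import defaultdict

# Constructed sample events: (host, channel, event_id, message excerpt)
SAMPLE_EVENTS = [
    ("FS01", "Security", 4688, r"New Process Name: C:\Users\svc_bk\AppData\Roaming\AnyDesk\AnyDesk.exe"),
    ("FS01", "Microsoft-Windows-Windows Defender/Operational", 5007,
     r"New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\ProgramData\stage = 0x0"),
    ("FS01", "Security", 4698, r"Task Name: \Microsoft\Windows\Maint\run.bat"),
    ("FS01", "Security", 1102, "The audit log was cleared."),
    ("WS22", "Security", 4688, r"New Process Name: C:\Windows\System32\notepad.exe"),
    ("DC01", "Security", 5136, "Object Class: groupPolicyContainer Attribute: gPCMachineExtensionNames"),
]

def _is_exclusion_change(channel, event_id, msg):
    # Defender 5007 is any configuration change; only exclusion edits are of interest here
    return (channel.endswith("Windows Defender/Operational") and event_id == 5007
            and "\\Exclusions\\" in msg)

# (rule name, ATT&CK reference, predicate over (channel, event_id, message))
RULES = [
    ("audit_log_cleared", "T1070.001",
     lambda ch, eid, msg: ch == "Security" and eid == 1102),
    ("defender_exclusion_added", "T1562.001", _is_exclusion_change),
    ("scheduled_task_created", "T1053.005",
     lambda ch, eid, msg: ch == "Security" and eid == 4698),
    ("remote_access_tool_started", "T1219",
     lambda ch, eid, msg: ch == "Security" and eid == 4688 and "anydesk" in msg.lower()),
    ("gpo_modified", "T1484.001",
     lambda ch, eid, msg: ch == "Security" and eid == 5136 and "groupPolicyContainer" in msg),
]

def match_event(channel, event_id, message):
    """Return the names of every rule the single event satisfies."""
    return [name for name, _, pred in RULES if pred(channel, event_id, message)]

def score_hosts(events):
    """Map each host to the set of distinct rule names seen on it."""
    hits = defaultdict(set)
    for host, channel, event_id, message in events:
        hits[host].update(match_event(channel, event_id, message))
    return dict(hits)

def flag_hosts(events, min_distinct_rules=2):
    """Hosts showing at least min_distinct_rules different behaviours: one
    exclusion or task is routine admin noise, a cluster on one host is not."""
    return sorted(h for h, names in score_hosts(events).items()
                  if len(names) >= min_distinct_rules)

if __name__ == "__main__":
    for host, names in score_hosts(SAMPLE_EVENTS).items():
        print(host, sorted(names))
    print("escalate:", flag_hosts(SAMPLE_EVENTS))
```

In production the tuples would come from a SIEM query over the Security and Defender operational channels, and the threshold would be tuned against the organisation's own change-management baseline.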

Initial access patterns also match broader ransomware trends. Researchers have pointed to exposed edge devices, VPN appliances, firewall infrastructure, stolen credentials, and public-facing services as common entry paths. Check Point’s analysis of an affiliate-linked incident involving SystemBC found more than 1,570 victims connected to the relevant command-and-control server, with signs that many were corporate or organizational environments. SystemBC is often used in human-operated ransomware intrusions to create proxy access, support tunneling, and enable later payload delivery.

The Gentlemen’s use of AI, as described by PRODAFT, adds another layer to the story. LARVA-368 reportedly used AI to assist with ransomware and tool development, maintenance, and post-exploitation procedures. That does not mean AI created the operation by itself. The more realistic concern is that AI can reduce development time, help operators troubleshoot code, generate scripts, translate instructions, maintain panels, and produce procedural guidance for affiliates. For groups already familiar with ransomware operations, AI can act as a force multiplier across coding, documentation, support, and attack planning.


How Can Netizen Help?

Founded in 2013, Netizen is an award-winning technology firm that develops and leverages cutting-edge solutions to create a more secure, integrated, and automated digital environment for government, defense, and commercial clients worldwide. Our innovative solutions transform complex cybersecurity and technology challenges into strategic advantages by delivering mission-critical capabilities that safeguard and optimize clients’ digital infrastructure. One example of this is our popular “CISO-as-a-Service” offering that enables organizations of any size to access executive level cybersecurity expertise at a fraction of the cost of hiring internally. 

Netizen also operates a state-of-the-art 24x7x365 Security Operations Center (SOC) that delivers comprehensive cybersecurity monitoring solutions for defense, government, and commercial clients. Our service portfolio includes cybersecurity assessments and advisory, hosted SIEM and EDR/XDR solutions, software assurance, penetration testing, cybersecurity engineering, and compliance audit support. We specialize in serving organizations that operate within some of the world’s most highly sensitive and tightly regulated environments where unwavering security, strict compliance, technical excellence, and operational maturity are non-negotiable requirements. Our proven track record in these domains positions us as the premier trusted partner for organizations where technology reliability and security cannot be compromised.

Netizen holds ISO 27001, ISO 9001, ISO 20000-1, and CMMI Level III SVC registrations demonstrating the maturity of our operations. We are a proud Service-Disabled Veteran-Owned Small Business (SDVOSB) certified by U.S. Small Business Administration (SBA) that has been named multiple times to the Inc. 5000 and Vet 100 lists of the most successful and fastest-growing private companies in the nation. Netizen has also been named a national “Best Workplace” by Inc. Magazine, a multiple awardee of the U.S. Department of Labor HIRE Vets Platinum Medallion for veteran hiring and retention, the Lehigh Valley Business of the Year and Veteran-Owned Business of the Year, and the recipient of dozens of other awards and accolades for innovation, community support, working environment, and growth.

Looking for expert guidance to secure, automate, and streamline your IT infrastructure and operations? Start the conversation today.