According to monitoring data from Threat Hunter’s anti-fraud platform, cross-border exploitation activities have shown a sustained upward trend recently and have entered an active phase overall. At present, underground industry groups are primarily distributed across Vietnam, the Philippines, Myanmar, Pakistan, Brazil, and other regions. They repeatedly commit malicious acts against high-value markets such as the United States, Japan, and South Korea, and their targets now extend beyond mature markets to an increasing number of additional countries.
Under industrialized operational models, some fraudsters can control hundreds of devices simultaneously to conduct bulk exploitation. In a single day, they can generate promotional coupons worth approximately USD 15,000, demonstrating their industrial-scale arbitrage-abuse capabilities. Meanwhile, Threat Hunter has identified 82 underground industry groups on a single social media platform, capturing more than 20,000 discussion threads—indicating that cross-border exploitation has formed a sizable community ecosystem.
Overall, cross-border malicious activities now exhibit clear characteristics: strong profit-driven incentives, increasingly organized groups, and an expanding operational scope. The overall risk level is escalating rapidly.

Ⅰ. Cross-Border Exploitation Has Evolved into a Cross-Region Coordinated & Industrialized Arbitrage Abuse Model
What Is Cross-Border Exploitation?
Cross-border exploitation refers to underground industry groups that leverage regulatory, cost, and information asymmetries across countries or regions. They organize and deploy exploitation in areas with lower labor and operational costs, then remotely control resources across borders to carry out large-scale fraud in high-reward or weakly risk-controlled markets, illegally obtaining referral commissions, promotional subsidies, coupons, and other benefits.
From a professional perspective, cross-border exploitation is essentially a cross-regional, industrialized attack model. Its core elements are cross-border coordination and large-scale arbitrage abuse.
The underground industry networks function like a “cross-border corporation” in operation:
They position the “production side” in regions with lower labor and operational costs and relatively loose controls. By leveraging technical infrastructure such as cloud services and proxy networks, they penetrate high-value markets (such as the U.S. and Japan) for low-cost, large-scale arbitrage abuse.
Key characteristics include:
Cross-Border Coordinated Operations
The underground industry operates under an organized division of labor. Source regions are responsible for device and account setup and resource allocation, while target markets focus on monetization and arbitrage abuse, forming a cross-national exploitation chain.
Highly Automated Production
Using cloud phones, device control systems, and script automation, the underground industry achieves low labor input, high-frequency execution, and scalable replication, drastically compressing per-account costs.
Strong Obfuscation Capabilities
By modifying system language, time zone, IP, geolocation, and device fingerprinting identifiers (IMEI, UID, DID, etc.), their devices are disguised as legitimate local users in the target country to bypass basic risk controls.
Ⅱ. Overall Risk Landscape of Cross-Border Exploitation
Based on the monitoring data from Threat Hunter’s anti-fraud intelligence platform, from November 2025 to February 2026, discussions related to cross-border attacks within underground industry groups increased significantly, showing a sustained upward trend.

2.1 Primary Regions of the Underground Industry
Threat Hunter analysts have identified that the underground industry groups are mainly based in China, Vietnam, the Philippines, Myanmar, and Pakistan. They are targeting high-value markets such as the United States, Japan, Brazil, and South Korea. Furthermore, the range of target countries is showing an expanding trend, indicating that the operational scope of the underground industry is continuously being broadened.

2.2 Key Characteristics of Cross-border Exploitation
Significant Large-Scale Profits: Threat Hunter's global intelligence team has monitored that some fraud groups can exploit promotional coupons within a short period. Based on coupon face value and volume, their daily arbitrage abuse can reach approximately USD 15,000, demonstrating clear large-scale monetization capabilities.


Numerous and Active Fraud Groups: Threat Hunter's global intelligence operations team has found 82 fraud discussion groups on a single social platform. Within these groups, resource trading, tool sharing, and experience exchanges are persistent and highly active.

Expansion in Scale and Scope of Exploitation: Some fraud groups have moved beyond their existing operational regions, and some conduct pre-deployment before new campaigns launch. They prepare accounts, devices, and proxy resources in advance and rapidly engage in mass exploitation once campaigns go live, reflecting a distinct pattern of preemptive planning and scaled operations.

2.3 Primary Tactics of Cross-border Exploitation
The essence of cross-border exploitation lies in two core pillars: large-scale production and high-intensity obfuscation. Its capability architecture is structured around four foundational infrastructure components:
1) Scalable Device Pools
By leveraging tools such as cloud phones, motherboard devices, and device arrays, the fraud groups build scalable virtual device pools that enable remote, automated, and high-volume control.
2) Bulk Account Supply and “Near-Real” Account Warm-Up Capabilities
Through centralized bulk registration and structured account warm-up processes, newly registered accounts are preconditioned to mimic legitimate user behavior. This reduces the risk exposure associated with directly using new accounts in target markets.
3) Coordinated Organizational Networks
Through the trading and coordination of operational resources (e.g., proxy IPs, automation tools, and invitation codes) within social media groups on various platforms, the underground industry forms cross-regional, organized operational networks.
4) Multi-Layered Obfuscation Capabilities (Device + Network)
The underground industry implements synchronized obfuscation across both the device and network layers, including modifying system language, time zone, geolocation, device fingerprint attributes, and proxy configurations, to increase operational concealment and success rates.
The following section provides a detailed breakdown of specific cross-border exploitation techniques.
Ⅲ. Detailed Analysis of Primary Cross-Border Exploitation Tactics
3.1 Attacks Using Cloud Phones and Device Farm Tools
Tactic Description: Fraud groups leverage cloud phone services (e.g., Moyunteng) or physical device farm control systems to remotely manage virtual or physical device clusters from operational base regions (such as Vietnam and Myanmar). These device clusters are then used to conduct large-scale account registration, account warm-up, daily check-ins, referral acquisition, and other promotional exploitation activities targeting markets such as Japan and the United States.
These devices are controlled by automated scripts simulating legitimate user behavior, enabling bulk registration, account warm-up, check-ins, coordinated engagement clicks, and so on.
Key Tactic Breakdown:
Device Obfuscation and Scalability: Cloud phone services enable rapid deployment and simulation of diverse device models and system configurations. Physical device clusters rely on device farm control systems for centralized orchestration and management, enabling scalable and repeatable operations.
Scale Effects: Through centrally managed device pools, a fraudster can simultaneously control a large number of terminal devices. This allows high-frequency registration, engagement, and referral-generation activity within a short time, creating traffic-surge-style impact patterns on promotional campaigns.
Cross-Regional Deployment: These device infrastructures can be redeployed across multiple target countries or regions, demonstrating clear cross-regional, large-scale promotional exploitation characteristics targeting markets such as the United States, Japan, and Korea.
A Typical Case Monitored by Threat Hunter:
Threat Hunter observed within an underground industry community that an individual operator—whose publicly available information indicated a location in Vietnam—was leveraging a device farm control system to centrally manage a large number of mobile devices to conduct promotional exploitation targeting a U.S.-region campaign on a particular platform.
Based on the observed device deployment setup, at least several hundred mobile terminals were arranged on site. The physical layout of the devices clearly ruled out manual, device-by-device operation. A comprehensive assessment indicated that the activity was highly dependent on automated device farm control tools for unified orchestration. The operational pattern demonstrated clear characteristics of large-scale, organized cross-border promotional exploitation.


3.2 Bulk Registration and Account Warm-Up
Tactic Description: After bulk registration in source regions, fraudsters perform account warm-up through activities such as searches, browsing, and likes. At the same time, they enhance their chances of bypassing risk controls by maintaining consistency in language, time zone, geolocation, and SIM information to disguise their operations.
Key Tactic Breakdown:
Bulk Registration: Leveraging resources such as SMS receiving platforms to obtain target-country phone numbers, enabling the mass registration of accounts. This creates a reserve of accounts for subsequent cheating activities.
Account Warm-up: Using scripted or semi-manual methods, newly registered accounts undergo basic behavioral training. This process aligns their activity patterns and engagement rhythms more closely with those of genuine users, gradually increasing the accounts' credibility and usability.
A Typical Case Monitored by Threat Hunter:
Threat Hunter identified through monitoring that an underground industry group in China posted video content in private group chats demonstrating attacks against a marketing campaign of an overseas platform. The footage shows a device cluster composed of multiple iPhones, involving different device models, being used to conduct attacks targeting a promotional campaign in Japan.
These devices are not being repeatedly operated as a single terminal. Instead, several phones have visible labels attached for identification and classification, and the setup exhibits clear characteristics of device farm (group control) tools, indicating centralized management and coordinated operation. Based on the observed evidence, this activity goes beyond the scope of normal individual user behavior. It is assessed as a cross-border malicious operation conducted by organized and large-scale underground industry operators.


3.3 Coordinated Malicious Activities via Social Media Groups
Tactic Description: The underground industry leverages group features on social media platforms to form underground community networks, enabling resource trading, knowledge exchange, and coordinated malicious activities. These groups serve as marketplaces for proxy IPs, cloud phone accounts, invitation codes, and automation scripts, as well as hubs for discussing attack strategies, sharing operational experience, and coordinating large-scale actions.
Key Points:
Resource-sharing mechanism: Fraudsters share or exchange available proxy IP ranges, risky campaign opportunities, and related resources within these groups. This reduces the acquisition cost for individual members while improving the overall efficiency of malicious acts.
Rapid Dissemination of Techniques and Experience: Group discussions frequently focus on strategies to bypass platform risk control, as well as tool usage experience and operational precautions. This enables effective tactics to be quickly replicated and disseminated to a larger number of members within a short timeframe.
A Typical Case Monitored by Threat Hunter:
Across multiple monitored groups, fraudsters frequently post user acquisition links targeting different countries or regions in both threads and comment sections, accompanied by status updates such as "currently valid" or "payout functioning normally" to inform others about the viability of these activities.
In the comment sections of some posts, multiple members actively responded and provided synchronized feedback on their operational results. This pattern indicates coordinated participation by multiple fraudsters targeting the same campaign or promotional activity.


3.4 Virtualization and Device Spoofing Capabilities
Tactic Description: Fraudsters leverage mobile virtualization and sandbox technologies to modify key device identifiers (IMSI, Android ID, SIM ID, phone numbers, etc.), simulating legitimate user environments in target countries or regions and participating in region-specific promotional campaigns.
Key Points:
Virtual Machines/Sandboxes Simulate Legitimate Devices in Target Regions: Through virtualization environments, attackers reconstruct device hardware and system identifiers so that the device appears to the platform as a legitimate user terminal from the target region. This reduces the likelihood of cross-border accounts being flagged during registration and behavioral monitoring.
Device Spoofing/Device Resetting Enable Hardware Reuse (iOS scenarios): In iOS-related scenarios, fraudsters employ device spoofing or resetting techniques to restore or alter device characteristics. This allows the same physical device to be reused across multiple accounts or multiple promotion cycles, significantly lowering operational costs while extending the lifecycle of fraudulent campaigns.
Combined Device and Network Spoofing Techniques: Virtualization and device resetting techniques are typically used in conjunction with network-layer spoofing methods such as proxy IPs. This creates a dual-layer disguise (device environment + network environment) that improves the overall success rate of evading risk controls.
A Typical Case Monitored by Threat Hunter:
Monitoring revealed that a fraudster based in Myanmar shared information in a Telegram group on how to use a mobile Android virtualization tool to commit exploitation against a platform's campaign in Japan. The shared materials showed that by modifying key device identifiers within the virtual machine—such as IMSI, Android ID, SIM ID, and phone numbers—the virtual device was made to appear to the platform as a legitimate user terminal located in Japan, thereby enabling participation in region-specific acquisition or check-in activities.


3.5 Multi-Session Isolation via Proxy Boxes and Routing Devices
Tactic Description: Fraudsters deploy proxy boxes and routing devices to assign different proxy egress IPs to multiple devices. This setup enables a “one device, one IP” configuration or multi-session isolation, effectively reducing the risk of detection caused by concentrated traffic originating from the same IP range or network gateway.
Key Points:
Unified Proxy Allocation at the Router Level: Fraudsters have moved proxy traffic distribution down to the routing layer, with routing devices centrally managing and allocating proxy resources. The network architecture no longer relies on device-level VPNs but instead forms a centralized, scalable traffic distribution system.
Multi-Session Isolation Reduces Exposure Risk: Through proxy boxes or routers, multiple devices can simultaneously operate through different proxy exits. This approach reduces the detection risks associated with installing VPNs on terminals while enhancing concurrent stability in group control scenarios.
Network Devices as Infrastructure: Routing devices are publicly showcased, traded, and reused within underground communities, becoming standardized network infrastructure supporting large-scale exploitation.
A Typical Case Monitored by Threat Hunter:
Monitoring revealed that within a Facebook-based underground group in Vietnam, a fraudster publicly showcased and traded a specific router model—the ARUBA 335—using this device to support cross-border exploitation.
The shared information not only disclosed the device's hardware identifiers but also indicated that multiple cross-border exploitation groups have employed this router model in real operational environments to support large-scale malicious activities.

Ⅳ. Defensive Recommendations Against Cross-Border Exploitation
Based on the currently observed intelligence and sample characteristics related to cross-border exploitation, we recommend that enterprises upgrade their defensive approach from "single-point rule-based blocking" to a "full account lifecycle management + underground industry intelligence-driven defense" model. Through systematic capability development, organizations can increase the operational costs for the underground industry, reduce arbitrage opportunities, and ensure that marketing budgets are converted into genuine user growth.
4.1 Strengthen Account Lifecycle Management
Cross-border exploitation does not occur at a single stage. Instead, it spans the entire lifecycle: registration → account warm-up → campaign participation → reward withdrawal. Defensive strategies should therefore cover each stage of the account lifecycle.
Registration Stage: Establish and continuously update global intelligence profiles covering IP addresses, ASN, telecom carriers, and proxy infrastructure. Implement layered verification for high-frequency requests within short windows or abnormal geographic origins. Introduce stronger human verification and behavioral verification mechanisms to reduce the efficiency of automated script registrations.
Account Warm-up and Activity Stage: Develop account risk profiles. Detect abnormal signals such as sudden spikes in activity within a short period, highly synchronized behavioral sequences, and unusually high behavioral similarity across multiple accounts. These indicators can help identify coordinated account farm clusters operating at scale.
Campaign Reward Verification Stage: Apply graph-based relationship analysis to evaluate connections between inviters and invitees (IP, Device Fingerprinting, behavioral similarity, network exit, geographic consistency) to suppress self-referral abuse and collusive reward farming.
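As an added illustration of the warm-up-stage and reward-verification checks above (example code written for this article, not Threat Hunter's own tooling; the event fields, thresholds, and sample accounts are constructed assumptions), the following flags accounts whose action sequences move in scripted lockstep and referral pairs that share a device fingerprint or client IP:

```python
from collections import defaultdict
from itertools import combinations

# Constructed sample telemetry (not real platform data).
# Event tuple: (account, unix_ts, action, device_fingerprint, client_ip)
EVENTS = [
    ("acc1", 1000, "search", "fp-A", "203.0.113.5"),
    ("acc1", 1030, "browse", "fp-A", "203.0.113.5"),
    ("acc1", 1060, "like",   "fp-A", "203.0.113.5"),
    ("acc2", 1001, "search", "fp-B", "203.0.113.5"),
    ("acc2", 1031, "browse", "fp-B", "203.0.113.5"),
    ("acc2", 1061, "like",   "fp-B", "203.0.113.5"),
    ("acc3", 1002, "search", "fp-A", "203.0.113.5"),  # same device as acc1
    ("acc3", 1032, "browse", "fp-A", "203.0.113.5"),
    ("acc3", 1062, "like",   "fp-A", "203.0.113.5"),
    ("acc9", 5000, "browse", "fp-Z", "198.51.100.7"),  # unrelated ordinary user
    ("acc9", 7200, "like",   "fp-Z", "198.51.100.7"),
]
# Constructed referral edges: (inviter, invitee)
REFERRALS = [("acc1", "acc2"), ("acc1", "acc3"), ("acc9", "acc8")]


def is_synchronized(seq_a, seq_b, max_skew, min_len):
    # Same actions in the same order, each step within max_skew seconds: scripted lockstep.
    if len(seq_a) != len(seq_b) or len(seq_a) < min_len:
        return False
    return all(a_act == b_act and abs(a_ts - b_ts) <= max_skew
               for (a_ts, a_act), (b_ts, b_act) in zip(seq_a, seq_b))


def synchronized_clusters(events, max_skew=5, min_len=3):
    # Build each account's time-ordered action sequence, then union accounts
    # whose sequences move in lockstep; clusters of size > 1 are farm candidates.
    seqs = defaultdict(list)
    for acc, ts, action, _fp, _ip in sorted(events, key=lambda e: e[1]):
        seqs[acc].append((ts, action))
    parent = {acc: acc for acc in seqs}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x

    for a, b in combinations(sorted(seqs), 2):
        if is_synchronized(seqs[a], seqs[b], max_skew, min_len):
            parent[find(a)] = find(b)
    groups = defaultdict(set)
    for acc in seqs:
        groups[find(acc)].add(acc)
    return sorted(sorted(g) for g in groups.values() if len(g) > 1)


def suspicious_referrals(events, referrals):
    # Flag inviter/invitee pairs sharing a device fingerprint or client IP:
    # the shared-infrastructure signal behind self-referral and collusive farming.
    fps, ips = defaultdict(set), defaultdict(set)
    for acc, _ts, _action, fp, ip in events:
        fps[acc].add(fp)
        ips[acc].add(ip)
    flagged = []
    for inviter, invitee in referrals:
        reasons = [label for label, attr in (("shared_device", fps), ("shared_ip", ips))
                   if attr[inviter] & attr[invitee]]
        if reasons:
            flagged.append((inviter, invitee, reasons))
    return flagged
```

In production the skew threshold and minimum sequence length are tuning knobs; a short warm-up sequence on a single device can be legitimate, so these signals are best combined with the IP, ASN, and proxy profiling described for the registration stage.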
4.2 Build Intelligence-Driven Collaborative Defense Systems
Cross-border exploitation is highly organized and information-sharing driven. Relying solely on internal detection rules is insufficient for long-term defense. Enterprises should establish a defense framework combining external threat intelligence with internal dynamic response capabilities.
Continuous Intelligence Collection: Continuously monitor social media platforms frequently used by the underground industry, such as Facebook and Telegram, as well as relevant Dark Web forums. Collect intelligence on emerging attack tools, exploitation techniques, proxy infrastructure, and automation scripts. Establish intelligence-sharing mechanisms with industry partners to further strengthen risk control capabilities.
Rapid Response and Blocking: Implement automated anomaly detection and response workflows. Quickly block identified fraudulent accounts, devices, and IPs, and regularly review attack patterns. Dynamically optimize risk control strategies based on anti-fraud intelligence to promptly disrupt fraud operations.
Attribution and Enforcement Collaboration: Enhance intelligence acquisition capabilities to collect actionable information about underground industry operators. In addition to collecting technical indicators (regions, IPs, tools, social groups, cheating scripts, etc.), efforts could be made to gather available information about the real-world actors involved in these activities (names, physical locations, accounts, phone numbers, bank accounts, etc.). Collaborate with legal teams to pursue cross-border enforcement, increasing operational costs and risks for underground industry actors while significantly reducing the expected returns and long-term sustainability of such activities.
The essence of cross-border exploitation is large-scale operational production plus cross-regional arbitrage. Accordingly, defense systems must evolve from rule-level countermeasures to system-level management frameworks. Only through lifecycle management and intelligence-driven collaborative defense can enterprises effectively raise the operational costs of the underground industry, compress arbitrage abuse margins, and build sustainable growth security barriers.
As a research team focused on underground industry intelligence, Threat Hunter leverages a global intelligence network and risk monitoring infrastructure to continuously track a wide range of risk scenarios, including cross-border exploitation, account-related underground markets, marketing arbitrage abuse, and Know Your Customer (KYC) attacks. By developing multidimensional risk profiling capabilities spanning devices, accounts, networks, and organizational structures, Threat Hunter will continue to monitor emerging fraud trends and provide enterprises with timely intelligence insights and actionable defense recommendations.
For media inquiries, please contact marketing@threathunter.com.