A Deep Dive into the Triad Nexus Pig Butchering & Money Laundering Operation

Zach Edwards

BSidesSF 2025 — Here Be Dragons · Day 2 · Main

Zach Edwards, senior threat analyst at Silent Push, exposed Triad Nexus — a Chinese-operated CDN called Funnel that serves as critical infrastructure for large-scale investment scams, money laundering operations, and retail phishing campaigns. The network stays online by illicitly acquiring IP addresses from cloud providers including Amazon AWS, a technique Edwards calls "infrastructure laundering." Despite public disclosure in December 2024 and a follow-up report in February 2025, the network was still fully operational at the time of his BSidesSF talk.

AI review

Edwards traced a CDN called Funnel from the polyfill.io supply chain attack through investment scams, a Tether money laundering network with documented Sun City Group ties, retail phishing, and a technique he calls infrastructure laundering — rotating through illicitly acquired AWS IP ranges every 24-72 hours. Still fully operational at the time of the talk. This is serious threat intelligence research, not a blog post.
