
The Digital Crime Axis: An Analysis of the Convergence Between Intelligence and Organized Crime in China and Russia

This analysis, based on the findings of the joint hearings of the Subcommittee on Border Security and Law Enforcement and the Subcommittee on Cybersecurity and Infrastructure Security—held on April 21 at the U.S. House of Representatives—outlines a hybrid threat that extends beyond U.S. borders to affect the entire Western security architecture.


Chinese flag and a puzzle of the Russian flag. Photo: Getty Images

The Architecture of Sino-Russian Money Laundering and Support for North Korea

The core of the threat lies in a shadow financial infrastructure where China acts as a global "laundromat" for hostile state actors. The Huione Group, through the Huione Pay platform, has been identified as the primary conduit for laundering billions of dollars derived from cybercrime and North Korean activities. This network allows Russia to evade sanctions via the A7 platform, which processed $56 billion in stablecoins in 2025 with the support of Chinese brokers in Hong Kong. In this scheme, Russia provides the market infrastructure, while Chinese brokers manage liquidity, allowing figures such as North Korea’s Sim Hyon-sop to convert the proceeds of record-breaking thefts ($1.92 billion a year) into cash, directly funding Pyongyang’s military programs.


Chen Zhi and the Industrialization of Transnational Fraud

A key player is the Prince Holding Group, led by Chen Zhi, which has industrialized cyber fraud and "pig butchering" in Southeast Asia. Zhi has been indicted for running forced-labor camps in Cambodia, where victims are forced to target citizens around the world. The seizure of 127,271 Bitcoin linked to this network demonstrates how these entities, while operating in Asia, hold such vast amounts of capital that they can destabilize Western financial markets and infiltrate European economies through seemingly legitimate investments.


Covert Espionage and the Risk of "Moonlighting"

The most serious systemic risk to intelligence is "moonlighting," a tactic in which Chinese and Russian intelligence agents conduct criminal operations while enjoying state protection. This enables disguised espionage: intrusions classified as financial theft actually conceal the exfiltration of intellectual property. Groups such as the Russian Cyber Army of Russia Reborn (CARR) collaborate with Chinese contractors to infiltrate industrial control networks (OT). For Italy and the EU, this means that ransomware attacks on strategic companies or hospitals could actually be operations to map national vulnerabilities conducted by Beijing and Moscow under the guise of criminal profit.


Infiltration of Critical Infrastructure and Sabotage of Telecommunications

Chinese espionage has achieved critical penetration through operations such as Salt Typhoon, which specifically target telecommunications. The goal is to establish a silent presence for surveillance and potential sabotage. The use of residential proxy networks like IPIDEA and botnets like Kimwolf allows Beijing to use users’ home devices as shields. This turns the Internet of Things (IoT) into a gateway for mapping allied strategic networks from the inside, putting the water, energy, and healthcare sectors at risk.


Generative AI and Deepfakes: The New Frontier of Sabotage

Artificial intelligence has become a force multiplier for Chinese Triads and their Russian partners. The use of deepfakes to impersonate figures of authority has led to a 500% increase in cyber fraud. For European partners, the risk lies in these actors’ ability to manipulate decision-making processes and conduct large-scale sextortion operations. Infected hardware, such as Superbox devices, and polymorphic malware allow traditional defenses to be bypassed, making digital communications extremely vulnerable to threats operating at machine speed.


Strategic Considerations

Although the data analyzed during the hearing on April 21, 2026, often focuses on the United States, the very nature of digital technology and transnational criminal networks makes these threats universal.

Western partners should take the following points into account.

  • Interconnection of Illicit Networks. Money laundering operations originating in China, used to launder the proceeds of Mexican drug cartels, are the same ones that finance Russian espionage activities in Europe. An investigation into an OTC broker in Hong Kong could shed light on the funding channels for destabilization operations in U.S.-allied countries.

  • Widespread Supply Chain Vulnerability. The exploits used by Chinese contractors to infect over 81,000 firewalls affect hardware deployed worldwide. The compromise of infrastructure in the U.S. foreshadows an infiltration of government networks in U.S.-allied nations.

  • Blackmail as an Intelligence Tool. The 75,000 reported cases of sextortion are not merely crimes; for an intelligence agency, they represent a database of potential blackmailable "assets" (kompromat) within allied governments.

  • Service States in the Indo-Pacific. Countries such as Cambodia, Laos, and Myanmar have become safe havens for Chinese intelligence, and Western companies operating there are exposed to immediate physical and digital infiltration through facilities managed by the Prince Group.



©2020 by extrema ratio. Created with Wix.com
