Savvy Seahorse
Savvy Seahorse is a threat actor newly observed in CYFIRMA’s Q2 2026 finance-sector campaign dataset, where it was listed among state-sponsored APT activity targeting the finance industry. That reporting places finance organizations in 14 observed campaigns during the period, with web applications as the dominant attack surface and victim organizations spanning 32 countries, led by the United States, Japan, India, and South Korea. Savvy Seahorse was specifically described as using DNS CNAMEs and Facebook ads to lure victims to fake investment platforms.

Related reporting on the associated scam ecosystem describes a large-scale cryptocurrency investment fraud operation that combines malvertising with pig-butchering-style social engineering, heavily targeting users in Asia, especially Japan, while expanding to other language groups. The campaigns use Facebook and Instagram ads that impersonate financial experts or promote “AI investing”, redirect victims through lure websites, and move them into legitimate messaging apps such as LINE, KakaoTalk, and WhatsApp. There, one-on-one and group chats (assessed by researchers as potentially automated or AI-assisted) build trust through scripted interactions, fabricated success stories, and incentives before driving escalating deposits and eventual fraudulent transfer demands.

Researchers linked more than 23,000 domains to this ecosystem and identified extensive infrastructure clustering, including RDGA-generated domains, lookalike domains, and shared website frameworks or kits. No additional aliases or sub-groups for Savvy Seahorse were provided in the source content.
Targeting
Who, where, and (when attributed) which flag flies behind the operation. Pulled from open-source reporting and Mallory's analyst review.
Who they target
Sectors the actor has been observed targeting.
- Banks
- Financial Services
- Insurance
Tradecraft
1 distinct technique observed across reporting, grouped by tactic.
Recent activity
2 sources tracked across advisories, community write-ups, and news.
Newly observed actor in the current finance-sector campaign period.
Malvertising-driven investment fraud actor previously documented using Facebook ads and DNS CNAME-based infrastructure to funnel victims to fake investment platforms.