BSides Tokyo 2026 Speaker

Yu Chiao-Lin

Chiao-Lin Yu (Steven Meow) is a Staff Red Team Security Threat Researcher at Trend Micro Taiwan. He holds professional certifications including OSCE³, OSCP, CRTO, CRTP, CARTP, CESP-ADCS, and LPT. He has previously spoken at DEF CON (USA), CCC (Germany), BSides Tokyo, HITCON Training, and CYBERSEC. He has disclosed over 50 CVE vulnerabilities affecting major vendors such as VMware, NEC, D-Link, and Zyxel. His recent research focuses on using AI for offensive security and investigating cross-border scam ecosystems — he has been actively breaching phishing-as-a-service infrastructure across Asia through vulnerability research and AI-powered OSINT. He specializes in red teaming, web security, IoT, and cats🐱.

My AI Partner Fell Down a Rabbit Hole — Accidentally Uncovered a Criminal Food Chain Across Asia

It started with a scam message. The rabbit hole went deeper than expected.

Using AI-assisted vulnerability research and 0-day exploitation, we breached phishing-as-a-service (PhaaS) platforms and traced criminal infrastructure across Taiwan, Malaysia, Japan, Hong Kong, and Russia. We mapped 80+ infrastructure hosts impersonating 8 major Taiwanese brands, extracted thousands of victim records, and reverse-engineered how fraud groups deploy and scale their operations — with AI doing the heavy lifting on OSINT automation.

Inside the compromised scam infrastructure, we discovered webshells that weren’t ours. The platform developers had shipped pre-backdoored installation packages — a supply chain attack targeting their own criminal customers. Meanwhile, a separate threat actor had deployed PHP SEO parasitic implants (link179 campaign) with 4-layer obfuscation, hijacking the already-compromised scam sites to run large-scale SEO poisoning — including fake Japanese shopping sites and phishing pages targeting Japanese users — alongside Russian bank fraud.

Each layer exploits the one below — with its own infrastructure, its own automation, and its own victims. And the impact reaches directly into Japan.

This talk traces the full descent: how one researcher, with AI as a partner, dug through a criminal ecosystem layer by layer — and found a food chain where nobody is safe, not even the criminals themselves.