National cybercrime network operating for 14 years dismantled in Indonesia

WordPress logo on mobile
(Image credit: Shutterstock)

  • Malanta.ai uncovered a 14‑year cybercrime infrastructure in Indonesia, resembling state‑sponsored operations
  • Network spans 320K+ domains, hijacked government subdomains, and thousands of malware‑laden Android apps
  • Campaign stole 50K+ gambling credentials, used AWS and Firebase for C2, raising nation‑state suspicions

Security researchers have uncovered an enormous cybercrime infrastructure in Indonesia that’s been operating unabated for more than 14 years.

The length of the operation, the number of domains involved, the malware circulated, and the volume of data sold on the black market were all so large that the researchers, Malanta.ai, said the campaign resembles a nation-state operation more than the work of “simple” cybercriminals.

“What began as simple gambling websites has evolved into a global, well-funded, sophisticated, state-sponsored-level attack infrastructure operating across web, cloud, and mobile,” Malanta said in a recently published blog.


Is the government involved?

According to the report, the operation had been active since at least 2011. The operators controlled more than 320,000 domains, including over 90,000 hacked and hijacked ones. They also controlled over 1,400 compromised subdomains and 236,000 purchased ones, all used to redirect users to illegal gambling platforms.

To make matters worse, some of the compromised subdomains were on government and enterprise servers. In some instances, the threat actors deployed NGINX-based reverse proxies to terminate TLS connections on legitimate government domain names, disguising their C2 traffic as legitimate government communications.

Then, there is the malware ecosystem - the researchers found “thousands” of malicious Android applications, distributed through public infrastructure (Amazon Web Services S3 buckets).

These apps served as droppers, posing as legitimate gambling platforms while deploying malware that granted full access to the compromised devices in the background. The backdoors were getting their commands straight from another piece of public infrastructure - Google’s Firebase Cloud Messaging service.
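As an added illustration (not part of the article or of Malanta.ai’s report), the following Python script shows the kind of inventory check a defender would run against the two patterns described above: subdomains whose DNS target or HTTP redirect leads off-site, and TLS certificates issued for the organisation’s own zone that the subdomain inventory does not know about. Every zone, hostname, issuer and record below is a constructed placeholder, not data from the report.

```python
"""Audit a subdomain inventory for signs of hijacking.

Added example, not from the article or the report. Flags hosts whose DNS
CNAME or HTTP redirect points outside the organisation's own zones (the
"hijacked subdomain redirecting visitors to gambling sites" pattern) and
Certificate Transparency entries for the organisation's zone that do not
match the inventory (the "attacker terminating TLS on a legitimate
government name" pattern). All data below is constructed sample data.
"""
from urllib.parse import urlparse

# Zones the organisation legitimately controls (constructed placeholders).
OWN_ZONES = {"example.gov.test", "cdn.example-agency.test"}

# Third-party hosts that are expected DNS/redirect targets (constructed).
ALLOWED_EXTERNAL = {"pages.example-hosting.test"}

# Certificate issuers the organisation actually uses (constructed).
EXPECTED_ISSUERS = {"Example Public CA"}


def in_zone(host, zones):
    """True if host is one of the zones or a subdomain of one."""
    host = host.rstrip(".").lower()
    return any(host == z or host.endswith("." + z) for z in zones)


def audit_record(rec):
    """Return findings for one inventory record.

    rec keys: 'host', optional 'cname', optional 'status', optional 'location'.
    """
    findings = []
    host = rec["host"]
    cname = rec.get("cname")
    # A CNAME to a host nobody on the allowlist owns is a takeover candidate.
    if cname and not in_zone(cname, OWN_ZONES) and not in_zone(cname, ALLOWED_EXTERNAL):
        findings.append(("external-cname", host, cname))
    # A redirect leaving the organisation's zones is the classic hijack symptom.
    loc = rec.get("location")
    if rec.get("status") in (301, 302, 307, 308) and loc:
        target = urlparse(loc).hostname or ""
        if not in_zone(target, OWN_ZONES) and not in_zone(target, ALLOWED_EXTERNAL):
            findings.append(("offsite-redirect", host, target))
    return findings


def audit_inventory(records):
    out = []
    for r in records:
        out.extend(audit_record(r))
    return out


def audit_ct_entries(entries, inventory_hosts):
    """Flag certs for our zone that the inventory or issuer list does not explain."""
    known = {h.lower() for h in inventory_hosts}
    findings = []
    for e in entries:
        for name in e["names"]:
            if not in_zone(name, OWN_ZONES):
                continue  # not our zone, out of scope
            if e["issuer"] not in EXPECTED_ISSUERS:
                findings.append(("unexpected-issuer", name, e["issuer"]))
            if name.lower() not in known:
                findings.append(("unexpected-cert-host", name, e["issuer"]))
    return findings


# Constructed sample inventory (what a DNS + HTTP sweep of our zone returned).
SAMPLE_INVENTORY = [
    {"host": "portal.example.gov.test", "status": 200},
    {"host": "old.example.gov.test", "cname": "abandoned-bucket.s3-like.test", "status": 200},
    {"host": "news.example.gov.test", "status": 302, "location": "https://lucky-bet.invalid/?ref=news"},
    {"host": "docs.example.gov.test", "cname": "pages.example-hosting.test", "status": 200},
    {"host": "forms.example.gov.test", "status": 301, "location": "https://cdn.example-agency.test/forms"},
]

# Constructed sample CT log entries (names + issuer only).
SAMPLE_CT = [
    {"names": ["portal.example.gov.test"], "issuer": "Example Public CA"},
    {"names": ["stage-x.example.gov.test"], "issuer": "Example Public CA"},
    {"names": ["news.example.gov.test"], "issuer": "Other Free CA"},
    {"names": ["unrelated.other.test"], "issuer": "Other Free CA"},
]


def run_sample():
    hosts = [r["host"] for r in SAMPLE_INVENTORY]
    return audit_inventory(SAMPLE_INVENTORY), audit_ct_entries(SAMPLE_CT, hosts)


if __name__ == "__main__":
    inv, ct = run_sample()
    for f in inv + ct:
        print(f)
```

In practice the inventory would come from the organisation’s zone files and an HTTP sweep, and the CT entries from a log monitor; the point of the two checks is that both a rogue redirect and a certificate the organisation never requested are visible from the outside before any user reports a gambling page on a government name.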

This resulted in more than 50,000 stolen login credentials from gambling platforms, countless infected Android devices, and hijacked subdomains circulating on the dark web.

“What if this ecosystem isn’t simply cybercrime?” the researchers speculated.

The scope, scale, and financial backing behind this infrastructure align far more closely with the capabilities typically associated with state-sponsored threat actors.

Via Cybersecuritynews





Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.
