TZUTC: -0500
MSGID: 1815.consprcy@1:2320/105 2d9d69db
PID: Synchronet 3.21a-Linux master/123f2d28a Jul 12 2025 GCC 12.2.0
TID: SBBSecho 3.28-Linux master/123f2d28a Jul 12 2025 GCC 12.2.0
BBSID: CAPCITY2
CHRS: ASCII 1
FORMAT: flowed
National cybercrime network operating for 14 years dismantled in Indonesia

Date:
Mon, 08 Dec 2025 19:15:00 +0000

Description:
A large network of domains, malware, and stolen credentials, has been making
rounds for 14 years.

FULL STORY

Security researchers have uncovered enormous cybercrime infrastructure in
Indonesia thats been operating unabated for more than 14 years. 

The length of the operation, the domains included, the malware circulated, 
and the data being sold on the black market, were all so big that the
researchers - Malanta.ai - said the campaign resembles a nation-state 
campaign more than that of simple cybercriminals. 

What began as simple gambling websites has evolved into a global, 
well-funded, sophisticated, state-sponsored-level attack infrastructure
operating across web, cloud, and mobile, Malanta said in a recently published
blog. 

Is the government involved?

As per the report, the operation had been active since at least 2011. The
operators controlled more than 320,000 domains, including over 90,000 hacked
and hijacked ones. They also controlled over 1,400 compromised subdomains, 
and 236,000 purchased ones - all used to redirect users to illegal gambling
platforms. 

To make matters worse, some of the compromised subdomains were on government
and enterprise servers. In some instances, the threat actors deployed
NGINX-based reverse proxies to kill TLS connections on legitimate government
domain names, thus hiding their C2 traffic as legitimate government comms. 

Then, there is the malware ecosystem - the researchers found thousands of
malicious Android applications, distributed through public infrastructure
(Amazon Web Services S3 buckets). 

These apps served as droppers, posing as legitimate gambling platforms while
deploying malware that granted full access to the compromised devices in the
background. The backdoors were getting their commands straight from another
piece of public infrastructure - Googles Firebase Cloud Messaging service. 

This resulted in more than 50,000 stolen login credentials from gambling
platforms, countless infected Android devices , and hijacked subdomains
circulating the dark web. 

What if this ecosystem isnt simply cybercrime? the researchers speculated. 

Normally, the scope, scale, and financial backing behind this infrastructure
align far more closely with the capabilities typically associated with
state-sponsored threat actors. 

 Via Cybersecuritynews 

======================================================================
Link to news story:
https://www.techradar.com/pro/security/national-cybercrime-network-operating-f
or-14-years-dismantled-in-indonesia

$$
--- SBBSecho 3.28-Linux
 * Origin: capitolcityonline.net * Telnet/SSH:2022/HTTP (1:2320/105)
SEEN-BY: 105/81 106/201 128/187 129/14 305 153/7715 154/110 218/700
SEEN-BY: 226/30 227/114 229/110 134 206 300 307 317 400 426 428 470
SEEN-BY: 229/664 700 705 266/512 291/111 320/219 322/757 342/200 396/45
SEEN-BY: 460/58 633/280 712/848 902/26 2320/0 105 304 3634/12 5075/35
PATH: 2320/105 229/426