The Cybercrime Network that Exploited Over 320,000 Domains

Researchers fear possible government involvement

A major security operation has uncovered and dismantled one of the largest cybercrime infrastructures ever discovered, which had been operating in Indonesia for more than 14 years without interruption.

The findings were revealed by security researchers at Malanta.ai, who warn that the longevity, scale, and sophistication of the operation raise serious concerns about its true nature, suggesting possible state-level involvement.

A vast and deeply entrenched infrastructure

According to the report, the operation has been active since at least 2011. The threat actors controlled more than 320,000 domains, including:

  • over 90,000 hijacked and compromised domains
  • approximately 236,000 purchased domains
  • more than 1,400 compromised subdomains

All were used to redirect users to illegal online gambling platforms.

Even more concerning, some of the compromised subdomains belonged to legitimate government and corporate infrastructures. In several cases, the attackers deployed NGINX-based reverse proxies to intercept TLS connections on legitimate government domains, effectively disguising command-and-control (C2) traffic as official government communications.

Android malware and abuse of trusted cloud services

The investigation also uncovered a highly complex malware ecosystem. Researchers identified thousands of malicious Android applications, distributed through legitimate public infrastructures, including Amazon Web Services S3 buckets.

Disguised as legitimate gambling apps, these applications acted as droppers, installing malware that granted full background access to infected devices.

The backdoors received commands through another trusted service: Google’s Firebase Cloud Messaging, further complicating detection efforts.

The campaign resulted in the theft of more than 50,000 login credentials, countless infected Android devices, and a large number of hijacked subdomains circulating on the dark web.

Cybercrime or state-sponsored operation?

“What if this ecosystem is not just cybercrime?” the researchers ask.

The global reach, financial backing, and technical support behind such an infrastructure more closely resemble the capabilities typically associated with state-sponsored threat actors rather than conventional cybercriminal groups.

If confirmed, the implications for global cybersecurity would be significant.