
Fourteen-Year Indonesian Cybercrime Network Dismantled After Researchers Uncover Massive State-Level Operation

A vast cybercrime network that operated undetected in Indonesia for more than fourteen years has been exposed and dismantled, following an investigation that has raised serious questions about potential government involvement. The findings, published by security researchers at Malanta.ai, reveal one of the largest and longest-running illicit digital infrastructures ever uncovered in Southeast Asia, with characteristics more commonly associated with nation-state threat groups than with conventional cybercriminal enterprises.

According to the report, the operation had been active since at least 2011 and controlled an enormous web of more than 320,000 domains. This included more than 90,000 hacked and hijacked domains, 1,400 compromised subdomains, and around 236,000 domains purchased outright. The entire network functioned as a redirection ecosystem designed to funnel users toward illegal gambling sites.

What alarmed researchers most was the infiltration of government and enterprise servers. Threat actors had managed to hijack official subdomains and deploy NGINX-based reverse proxies that terminated legitimate TLS connections on their behalf. By doing so, malicious traffic could be disguised as government communications, effectively hiding the attackers’ command-and-control channels in plain sight.
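The defensive counterpart to the subdomain hijacking described above is a routine inventory audit: a domain owner compares what each of its subdomains actually resolves to and serves against what its records say it should. The script below is an added illustration written for this article, not code from the Malanta.ai report or from the affected organisations. It runs over a constructed inventory of scanner observations (hypothetical hostnames under a made-up `example.go.id`, documentation IP ranges, and invented HTTP headers) and flags three signs a practitioner would want surfaced: a subdomain resolving outside the organisation's own address ranges, a host answering as an NGINX or OpenResty proxy when the inventory expects a different server, and an HTTP redirect that leaves the organisation's domains.

```python
"""Audit a subdomain inventory for signs of hijack or unexpected reverse-proxying.

Added example; the inventory, address ranges and headers below are constructed
and the three checks are illustrative assumptions about what a defender's audit
could look at, not a description of the investigation's own methodology.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlsplit

# Constructed: address ranges the organisation actually owns (assumption).
OWNED_NETS = [
    ipaddress.ip_network("203.0.113.0/24"),
    ipaddress.ip_network("198.51.100.0/25"),
]

# Constructed: apex domains the organisation controls; redirects elsewhere are suspect.
OWNED_APEX = {"example.go.id"}

# Server header prefixes that indicate a reverse proxy sits in front of the host.
PROXY_SERVERS = ("nginx", "openresty")


@dataclass
class Observation:
    """One scanner result for a subdomain (constructed input shape)."""
    host: str
    ip: str                      # address the name resolved to
    server_header: str           # HTTP Server header actually returned
    expected_server: str         # server recorded in the asset inventory
    location: Optional[str] = None  # Location header if a 3xx redirect was seen


def in_owned_ranges(ip: str) -> bool:
    """True when the resolved address falls inside a range the organisation owns."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in OWNED_NETS)


def is_owned_host(hostname: Optional[str]) -> bool:
    """True when hostname is one of the owned apex domains or a subdomain of one."""
    if not hostname:
        return False
    return any(hostname == apex or hostname.endswith("." + apex) for apex in OWNED_APEX)


def audit_one(obs: Observation) -> list[str]:
    """Return human-readable findings for a single observation (empty if clean)."""
    findings = []
    if not in_owned_ranges(obs.ip):
        findings.append(f"resolves to {obs.ip}, outside owned address ranges")
    served = obs.server_header.lower()
    expected = obs.expected_server.lower()
    # A proxy banner where the inventory expects an origin server suggests
    # something has been placed in front of (or replaced) the real host.
    if served.startswith(PROXY_SERVERS) and not expected.startswith(PROXY_SERVERS):
        findings.append(
            f"answers as {obs.server_header!r} but inventory expects {obs.expected_server!r}"
        )
    if obs.location is not None:
        target = urlsplit(obs.location).hostname
        if not is_owned_host(target):
            findings.append(f"redirects off-domain to {target}")
    return findings


def audit(observations) -> dict[str, list[str]]:
    """Map each host with at least one finding to its list of findings."""
    return {o.host: f for o in observations if (f := audit_one(o))}


# Constructed sample inventory: one clean host, one proxied-and-redirecting host,
# one host whose record now points at an address the organisation does not own.
SAMPLE = [
    Observation("www.example.go.id", "203.0.113.10", "Microsoft-IIS/10.0", "Microsoft-IIS/10.0"),
    Observation("portal.example.go.id", "203.0.113.22", "nginx/1.18.0", "Microsoft-IIS/10.0",
                location="https://slot-bonus.example.net/"),
    Observation("old.example.go.id", "192.0.2.77", "nginx", "Apache/2.4"),
]

if __name__ == "__main__":
    for host, findings in audit(SAMPLE).items():
        print(host)
        for finding in findings:
            print("  -", finding)
```

In practice the observations would come from an authoritative DNS export plus a scheduled HTTP scan of every name, and the address ranges and expected servers from the asset inventory; the value of the check is that a hijacked record or an interposed proxy changes exactly these observable properties even when the certificate and hostname still look legitimate to an end user.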

The scope of the mobile component was equally significant. Investigators found thousands of Android apps posing as gambling platforms but acting as malware droppers. These fraudulent apps were distributed through Amazon Web Services S3 infrastructure and deployed backdoors that granted attackers full control of infected devices. Their command-and-control instructions were being delivered through Google’s Firebase Cloud Messaging system, diverting attention from traditional malicious servers.

This sprawling ecosystem led to the theft of more than 50,000 gambling platform credentials, widespread device compromise across the region, and a thriving trade of hijacked subdomains on the dark web. The level of coordination and funding required to maintain such a system for more than a decade prompted the Malanta.ai team to suggest that the network may not be the work of ordinary cybercriminal groups.

Researchers noted that the size, longevity, and technical sophistication of the campaign align more closely with state-sponsored operations, raising concerns about whether elements within Indonesia could be connected to the activity or whether attackers simply exploited government infrastructure for cover.

The revelation comes amid heightened global scrutiny of cyber operations using public cloud architecture and legitimate digital services to conceal malicious activity. The dismantling of the network marks a major disruption, but analysts caution that its true origins and intended purpose may take significant time to fully unravel.

The investigation underscores a growing challenge for security professionals: cybercrime environments that are larger, more resilient, and more deeply entwined with government-level systems than ever previously documented.
