A recent investigation by security firm Malanta.ai has revealed the scale of a cybercrime operation that has been active in Indonesia since at least 2011. The network controlled an estimated 320,000 domains, including 90,000 that were hijacked from their legitimate owners. Among the compromised targets were over 1,400 subdomains belonging to various government agencies and private enterprises. The primary purpose of this vast network was to redirect internet traffic to illegal gambling platforms and to distribute malware to unsuspecting users.
The sophistication of the operation was particularly notable in its use of cloud services. The attackers utilized Amazon Web Services (AWS) to host thousands of malicious Android applications and Google’s Firebase Cloud Messaging to send commands to infected devices. By using these reputable public platforms, the criminals were able to hide their activities within normal web traffic, making detection much more difficult for traditional security systems. In some cases, the group even used advanced reverse proxies to intercept and mask their communications as legitimate government data transfers.
From gambling to global threats
What began over a decade ago as a relatively simple operation focusing on illegal gambling websites eventually evolved into a global threat infrastructure. The researchers noted that the sheer scale and financial backing required to maintain such a large network are rarely seen in typical criminal organizations. The system was used to steal at least 50,000 sets of login credentials from gambling users and provided the operators with deep access to thousands of infected mobile devices. This level of control allowed the group to sell sensitive data on the dark web and potentially launch secondary attacks on other institutions.
The investigation has led some researchers to question whether the network was purely criminal or whether it had ties to state-sponsored actors. The ability to maintain thousands of domains and keep government servers compromised for over a decade suggests a level of organization and protection beyond that of “simple” hackers. While no specific government involvement has been proven, the technical methods used, such as disabling secure TLS connections on official domains to hide traffic, mirror those used by professional intelligence agencies.
Release and pricing information
The findings of the 14-year investigation were made public in late 2025 and have led to a series of takedowns throughout early 2026. Law enforcement agencies in Indonesia, working with international cybersecurity partners, have begun dismantling the remaining servers and seizing the domains used by the group. This operation is part of a broader crackdown on illegal digital gambling and cyber fraud in the region.
For the general public, the primary defense against such large-scale networks is the use of updated security software and careful scrutiny of mobile applications. Security experts recommend that Android users only download apps from the official Google Play Store and avoid clicking on links found in unsolicited messages. Many leading antivirus providers offer mobile security tools for free or as part of a subscription package (typically ranging from $30 to $80 per year) that can detect the specific types of “dropper” malware used by this network to infect devices.

