
Article 6 | Emerging Threats from Southeast Asia

Southeast Asia’s Increasing Darknet Activities

Makenna Petersen & Olivia Maxymiv


The threat of transnational organized crime in Southeast Asia is growing faster than ever, especially in the cyber domain. From ransomware attacks to sophisticated phishing schemes, the evolving cyber environment in this region reflects both the growth of digital infrastructure and the risks that come with it. Vietnam and Malaysia show why these issues deserve broader international attention. In 2023, for example, cyber-enabled fraud caused estimated losses of $18 to $37 billion, primarily targeting victims in East and Southeast Asia, and many of these scams have been linked to organized crime groups in the region.1 Understanding these threats is therefore essential for the region and for the world.


Vietnam illustrates domestic cyber actors targeting victims both locally and abroad, as the case of APT32/Ocean Lotus below shows. Malaysia is home to domestic hacktivists such as DragonForce Malaysia, a pro-Palestinian group, and has also become a hub of operations for foreign malicious cyber actors.2 

 

The region has seen rapid growth not only in its digital infrastructure but also in its rate of cybercrime, including darknet market activity such as buying and selling drugs, cybercrime tools, fake passports, counterfeit money, child exploitation material, stolen credit card data and personal information from breaches.3 Efforts to combat darknet-enabled cybercrime in Southeast Asia are limited, both in policy and in operations, because of local resource constraints.4 Most law enforcement actions stem from international investigations; few are initiated locally.5 This makes Southeast Asia a low-risk, high-gain environment for cybercriminals: the chances of detection or prosecution are relatively low, so malicious cyber actors can secure financial gain with minimal risk. The result is a self-reinforcing cycle in which policy gaps lead to a lack of law enforcement awareness, prioritization and resources for addressing illicit cyber activity.6 


In Vietnam, cyberfraud is mainly regulated by the 2015 Criminal Code and Decree No. 144/2021/ND-CP. Section 2, Chapter XXI of the Criminal Code includes a section on crimes related to information technology and telecom networks with sanctions like a “noncustodial reform sentence or imprisonment; monetary fines; prohibition from holding certain positions, practicing certain professions, or doing certain jobs; or partial or complete confiscation of assets.”7 


Additionally, Article 15 of Decree 144 outlines penalties not covered by the Criminal Code, including a “relatively small monetary fine and confiscation of exhibits and means used for committing the administrative violation, such as the violator's computer or phone.”8


While cyber laws exist to penalize criminals, the problem lies in law enforcement’s ability to locate and prosecute them. With cyber-enabled fraud, organized crime has adapted by expanding activities across inaccessible and autonomous territories in the region and beyond.9 This is why extradition treaties increase the likelihood of effectively catching cybercriminals. Vietnam, for example, has signed 14 mutual legal assistance agreements with provisions on extradition.10 Malaysia is party to a multilateral mutual legal assistance treaty on criminal matters and has five bilateral treaties that provide the legal basis for requesting and offering mutual legal assistance, including extradition.11 


Despite these legal provisions, cybercrime continues to flourish. In the case of abusive content and disinformation, new material is posted continuously while previously shared content is reposted. As noted above, these activities create cycles of illegal action that law enforcement is unable to keep up with.12 


The development of crime-as-a-service in Southeast Asia has lowered the barrier to entry for cybercrime and other types of crime, allowing them to thrive. As reported cases continue to grow, it is evident that criminals can easily outsource illegal activities by buying key components and services in underground markets and forums, often at low cost. Such components include malware, stolen sensitive information, phishing and hacking services, money muling, software-as-a-service and bulletproof hosting, a technical infrastructure service that provides internet hosting while ignoring complaints about illicit activity.13 These components serve as a secure base for criminal cyber activity. Combined with the enforcement gaps described above, it is easy to see why the area has become a hotspot for cybercrime. 


As mentioned, the swift advance of malicious cyber activity and its use of advanced technology have caused concern. Artificial intelligence (AI) is being continuously integrated into the Southeast Asian cybercrime environment. The use of generative AI tools for automated phishing campaigns, deepfake technology for impersonation and other forms of audio and video manipulation, and large language models (LLMs) for developing malicious code has been outpacing governments' ability to contain these activities.14 


Tech-savvy criminals have used deepfake technology to impersonate public figures in Southeast Asia, aiming to undermine public trust by spreading disinformation and extorting people. Between 2022 and 2023, Vietnam saw one of the highest increases in deepfake fraud in the region.15 


Cybercriminals also make widespread use of the messaging app Telegram as a “key venue” where they and service providers connect and conduct business.16 UNODC's mapping and analysis of data from thousands of Telegram underground marketplaces, along with clear web and dark web platforms, marketplaces and forums, found them used for illicit activity ranging from cyberfraud to underground banking and money laundering in the region.17 


The use of messaging apps described above is especially relevant for Malaysia, where the connection between social platforms and malicious cyber activity is gaining increased recognition. For instance, DragonForce Malaysia, a pro-Palestinian hacktivist group based in Malaysia, shares information, posts announcements and holds discussions on its Telegram channel and on other social platforms.18 Malaysians are also among the world's heaviest internet users: a report by Proxyrack ranked Malaysia third in the world for screen time, with one of the highest rates of daily internet usage.19;20


In 2023, the Deputy Prime Minister of Malaysia warned of increasing online scams promoted through social media advertisements. Financial fraud scams, love scams and job scams have lured victims into sending money to cybercriminals, or have blackmailed victims into becoming scammers themselves, frequently through social media channels.21 


Because so much of Malaysian life takes place online, Malaysia has extensive cyber regulations. They consist of the Computer Crimes Act 1997, Communications and Multimedia Act 1998, Electronic Commerce Act 2006, Copyright Act 1987, Personal Data Protection Act 2010 and Cybersecurity Act 2024, supported by the Malaysian Computer Emergency Response Team (MyCERT).22 


The abundance of regulations can be linked to the prevalence of cybercrime in Malaysia. According to a report by Surfshark, Malaysia was the eighth most breached country in the world in the third quarter of 2023, with nearly half a million accounts breached from data leaks.23 Most breaches occurred from ransomware attacks or from underdeveloped cybersecurity practices. For example, in September of 2023, Malaysia reported its highest number of data breaches, reaching an estimated 15 cases per week caused mainly by ransomware attacks.24 


Another widespread form of cybercrime in Malaysia is phone scams. A survey by Ipsos found that 76 percent of Malaysians have faced a phone scam at least once in their lives.25 Though phone calls remain the most popular route for scams, WhatsApp is a rising hotspot for phishing and fraudulent activity, with 54 percent of scams stemming from WhatsApp messages.26  


One notable finding of the Ipsos survey is that over half of scam victims did not report their situation to the relevant authorities, even when they suffered significant financial losses.27;28 Before the Cybersecurity Act 2024, organizations were not legally required to notify customers of data breaches when they occurred.29;30;31 The Personal Data Protection Act 2010 also lacks provisions on mandatory reporting of data breaches. This lack of responsibility and awareness in reporting cybercriminal activity is one more reason Malaysia is a prime hotspot for cybercrime.32


The lack of cybersecurity awareness in Malaysia extends to organizations as well as individuals: many users have poor password hygiene and do not install software updates, while organizations fail to back up data, implement multi-factor authentication or train their employees in basic cybersecurity practices.33 This underlines the importance of consistently updating cybersecurity controls and regularly monitoring networks.


The next section examines APT32/Ocean Lotus and DragonForce Malaysia. Both groups rely on malware and use social media for social engineering.


APT32 / Ocean Lotus 

APT32, also known as Ocean Lotus, is a suspected Vietnamese state-linked threat actor. Active since 2014, Ocean Lotus targets everything from private sector industries to dissidents, foreign governments and journalists covering the Southeast Asian region.34  


This group is known to use “highly customized spear-phishing campaigns that include attached files with double extensions such as .doc.exe. These are designed to trick victims into thinking they are opening an Office document when they are actually executing the APT32 portable executable (PE) payload.”35 The lure works because Windows Explorer hides known file extensions by default, so a file named report.doc.exe is displayed simply as report.doc while Windows still uses the final .exe extension to decide how to run it.
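A mail-gateway style check for this lure, as an added example (not code from the article or from the BlackBerry write-up it cites): it flags attachments whose final extension is executable but is preceded by a document-looking extension, and attachments whose bytes begin with the PE “MZ” header while the name claims a document. The extension lists and the sample attachments are constructed for illustration and are not real campaign data.

```python
"""Attachment triage for the double-extension lure described above.
Added example, not APT32 tooling or code from the article: flags names such
as "report.doc.exe" and PE content hiding behind a document extension.
The extension lists and sample attachments are constructed for illustration."""
from dataclasses import dataclass, field
from typing import List, Tuple

# Extensions Windows executes on double-click (assumed list, not exhaustive).
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "vbs", "hta", "msi"}
# Extensions a recipient expects to open in Office or a viewer (assumed list).
DOCUMENT_EXTS = {"doc", "docx", "xls", "xlsx", "ppt", "pptx", "pdf", "rtf", "txt"}
PE_MAGIC = b"MZ"  # every Windows portable executable starts with these two bytes


@dataclass
class Finding:
    filename: str
    reasons: List[str] = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return bool(self.reasons)


def extension_chain(filename: str) -> List[str]:
    """'Report.DOC .exe' -> ['doc', 'exe'].  Whitespace inside each part is
    stripped because lures pad the name to push the real extension out of view."""
    parts = filename.strip().split(".")
    return [p.strip().lower() for p in parts[1:]]


def inspect_attachment(filename: str, content: bytes) -> Finding:
    finding = Finding(filename)
    exts = extension_chain(filename)
    if not exts:
        return finding  # no extension at all: nothing for these rules to say
    final = exts[-1]  # the extension Windows actually uses to pick a handler
    # Rule 1: executable final extension hidden behind a document-looking decoy.
    if final in EXECUTABLE_EXTS and any(e in DOCUMENT_EXTS for e in exts[:-1]):
        finding.reasons.append(f"double extension: shown as .{exts[-2]}, runs as .{final}")
    # Rule 2: the bytes are a PE no matter what the name claims.
    if content[:2] == PE_MAGIC and final not in EXECUTABLE_EXTS:
        finding.reasons.append(f"PE header (MZ) inside a file named .{final}")
    return finding


# Constructed sample attachments (name, first bytes); not real campaign data.
SAMPLE_ATTACHMENTS: List[Tuple[str, bytes]] = [
    ("Q3_report.doc.exe", b"MZ\x90\x00\x03\x00"),    # the .doc.exe lure from the text
    ("Brief.DOC      .scr", b"MZ\x90\x00\x03\x00"),  # padded to push .scr out of view
    ("minutes.doc", b"MZ\x90\x00\x03\x00"),          # renamed PE, single extension
    ("invoice.pdf", b"%PDF-1.7\n"),                  # genuine PDF
    ("agenda.docx", b"PK\x03\x04"),                  # genuine OOXML (zip container)
    ("setup.exe", b"MZ\x90\x00\x03\x00"),            # honest executable, no disguise
]


def scan(samples: List[Tuple[str, bytes]] = SAMPLE_ATTACHMENTS) -> List[Finding]:
    """Run both rules over a list of (filename, leading bytes) pairs."""
    return [inspect_attachment(name, data) for name, data in samples]


if __name__ == "__main__":
    for f in scan():
        print(("SUSPICIOUS " if f.suspicious else "ok         ") + f.filename, *f.reasons)
```

Rule 1 is the textbook .doc.exe case; rule 2 catches the same payload once it has been renamed to a plain .doc, which rule 1 alone would miss. A bare setup.exe is deliberately not flagged by these rules, since there is no disguise involved and blocking honest executables is an attachment-policy decision rather than a detection one.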


The group's malware includes METALJACK, Denis, Kerrdown, Windshield, Komprogo and Soundbite, and its common tactics, techniques and procedures (TTPs) include “hacking websites to collect info and track users, custom macOS malware and malicious Office macros, Facebook use for social engineering attacks, and use of Cobalt Strike for command and control spyware.”36

DragonForce Malaysia

DragonForce Malaysia is a pro-Palestinian hacktivist group located in Malaysia. The group has a wide range of targets, but throughout 2021 and 2022 government agencies and organizations in the Middle East and Asia were its primary targets. DragonForce Malaysia “was the driving force behind several activist operations including #OpsBedil, #OpsBedilReloaded, #OpsRWM (Raids Without Mercy) and #OpsPatuk/#OpsIndia.”37


The group spreads information, publishes announcements and holds discussions on its websites, Telegram channel and social media platforms. In the past it has been known to work with other threat actor groups, including T3 Dimension Team, ReliksCrew and AnonGhost.38 


While this group is not nearly as advanced as the other APT groups covered in this article series, it is very organized in its actions and is able to disseminate information very quickly. How? The group’s forum hosts many tutorials and guides on installing tools and launching attacks. It uses eye-catching advertisements that share target details to attract followers, and often announces campaigns with less than 24 hours' notice.39  


Various reports connect DragonForce Malaysia to the DragonForce ransomware operation that emerged in December 2023. However, DragonForce Malaysia denies these claims on its Telegram channel.40 


Article 7 of the series covers Brazil’s cybercrime ecosystem, with a special focus on its online banking fraud. 

Notes

1  Karimipour, Masood, Benedikt Hofmann, Inshik Sim, John Wojcik, Mark Bo, Seong Jae Shin, Jisu Kim, Joshua James, Rebecca Miller, Sylwia Gawronska, and Akara Umapornsakula, Transnational Organized Crime and the Convergence of Cyber-Enabled Fraud, Underground Banking and Technological Innovation in Southeast Asia: A Shifting Threat Landscape, Bangkok, Thailand: United Nations Office on Drugs and Crime (UNODC) Regional Office for Southeast Asia and the Pacific, 2024, 3. https://www.unodc.org/roseap/uploads/documents/Publications/2024/TOC_Convergence_Report_2024.pdf

2 Lusthaus, Jonathan, “Cybercrime in Southeast Asia,” Australian Strategic Policy Institute, May 20, 2020. https://www.aspi.org.au/report/cybercrime-southeast-asia 

3 Douglas, Jeremy, Neil J Walsh, Alexandru Caciuloiu, Pawinee (Ann) Parnitudom, Mikko Niemelae, Juha Nurmi, and Praphaphorn Tamarpirat, Rep, Darknet Cybercrime Threats to Southeast Asia, 2020, Bangkok, Thailand: United Nations Office on Drugs and Crime (UNODC) Regional Office for Southeast Asia and the Pacific, 2021, 3. https://www.unodc.org/roseap/uploads/archive/documents/Publications/2021/Darknet_Cybercrime_Threats_to_Southeast_Asia_report.pdf

4 Ibid, 3. 

5 Ibid, 11. 

6 Karimipour, Masood, Benedikt Hofmann, Inshik Sim, John Wojcik, Mark Bo, Seong Jae Shin, Jisu Kim, Joshua James, Rebecca Miller, Sylwia Gawronska, and Akara Umapornsakula, Transnational Organized Crime and the Convergence of Cyber-Enabled Fraud, Underground Banking and Technological Innovation in Southeast Asia: A Shifting Threat Landscape, Bangkok, Thailand: United Nations Office on Drugs and Crime (UNODC) Regional Office for Southeast Asia and the Pacific, 2024, 1, 3. https://www.unodc.org/roseap/uploads/documents/Publications/2024/TOC_Convergence_Report_2024.pdf.

7 Tran, Duc Anh and Chi Phuong Nguyen, “Cyber fraud in Vietnam: law and practice,” Tilleke & Gibbins, 2024, 2. https://www.tilleke.com/wp-content/uploads/2024/03/Tilleke_Cyber_Fraud_in_Vietnam.pdf

8 Ibid, 2.

9 Karimipour, Masood, Benedikt Hofmann, Inshik Sim, John Wojcik, Mark Bo, Seong Jae Shin, Jisu Kim, Joshua James, Rebecca Miller, Sylwia Gawronska, and Akara Umapornsakula, Transnational Organized Crime and the Convergence of Cyber-Enabled Fraud, Underground Banking and Technological Innovation in Southeast Asia: A Shifting Threat Landscape, Bangkok, Thailand: United Nations Office on Drugs and Crime (UNODC) Regional Office for Southeast Asia and the Pacific, 2024, 3. https://www.unodc.org/roseap/uploads/documents/Publications/2024/TOC_Convergence_Report_2024.pdf

10 Nguyen, Mai Thi. “Extradition of Criminals in ASEAN and Practice in Vietnam,” Open Journal of Social Sciences 11, no., 09 (2023), 190. https://doi.org/10.4236/jss.2023.119013

11 Kamal, Baizura, Publication, INTERNATIONAL COOPERATION: MUTUAL LEGAL ASSISTANCE AND EXTRADITION, United Nations Asia and Far East Institute for the Prevention of Crime and the Treatment of Offenders (UNAFEI), n.d., 87.  https://www.unafei.or.jp/publications/pdf/GG6/05-4_Malaysia.pdf

12 Douglas, Jeremy, Neil J Walsh, Alexandru Caciuloiu, Pawinee (Ann) Parnitudom, Mikko Niemelae, Juha Nurmi, and Praphaphorn Tamarpirat, Rep, Darknet Cybercrime Threats to Southeast Asia, 2020, Bangkok, Thailand: United Nations Office on Drugs and Crime (UNODC) Regional Office for Southeast Asia and the Pacific, 2021, 2. https://www.unodc.org/roseap/uploads/archive/documents/Publications/2021/Darknet_Cybercrime_Threats_to_Southeast_Asia_report.pdf.

13 Karimipour, Masood, Benedikt Hofmann, Inshik Sim, John Wojcik, Mark Bo, Seong Jae Shin, Jisu Kim, Joshua James, Rebecca Miller, Sylwia Gawronska, and Akara Umapornsakula, Transnational Organized Crime and the Convergence of Cyber-Enabled Fraud, Underground Banking and Technological Innovation in Southeast Asia: A Shifting Threat Landscape, Bangkok, Thailand: United Nations Office on Drugs and Crime (UNODC) Regional Office for Southeast Asia and the Pacific, 2024, 7,8. https://www.unodc.org/roseap/uploads/documents/Publications/2024/TOC_Convergence_Report_2024.pdf

14 Coker, James, “Cyber Fraud Cost up to $37bn in Southeast Asia Last Year,” Infosecurity Magazine, October 8, 2024. https://www.infosecurity-magazine.com/news/cyber-fraud-cost-37bn-southeast/

15 Surasit, Natnicha, “Rogue replicants: Criminal exploitation of deepfakes in South East Asia,” Global Initiative Against Transnational Organized Crime, February 29, 2024. https://globalinitiative.net/analysis/deepfakes-ai-cyber-scam-south-east-asia-organized-crime/

16 Karimipour, Masood, Benedikt Hofmann, Inshik Sim, John Wojcik, Mark Bo, Seong Jae Shin, Jisu Kim, Joshua James, Rebecca Miller, Sylwia Gawronska, and Akara Umapornsakula, Transnational Organized Crime and the Convergence of Cyber-Enabled Fraud, Underground Banking and Technological Innovation in Southeast Asia: A Shifting Threat Landscape, Bangkok, Thailand: United Nations Office on Drugs and Crime (UNODC) Regional Office for Southeast Asia and the Pacific, 2024, 4. https://www.unodc.org/roseap/uploads/documents/Publications/2024/TOC_Convergence_Report_2024.pdf.

17 Ibid, 4.

18 “DragonForce Malaysia,” Radware, n.d. https://www.radware.com/security/ddos-knowledge-center/ddospedia/dragonforce-malaysia/ 

19 Low, Celine, “Study: Malaysia ranks as 3rd country with highest daily internet usage,” SAYS, November 2, 2023. https://says.com/my/tech/malaysia-ranks-third-for-spending-most-time-on-the-internet-daily

20 “Screen Time Report,” Proxyrack, n.d. https://www.proxyrack.com/screen-time-report/ 

21 Nizam, Fuad, “Fadillah: Online financial fraud, scams posing a significant risk to Malaysia,” New Straits Times, December 7, 2023. https://www.nst.com.my/news/nation/2023/12/987630/fadillah-online-financial-fraud-scams-posing-significant-risk-malaysia

22 Ning, Yun, “Malaysia's Cyber Security Laws: A Comprehensive Guide 2024,” VeecoTech Solutions, January 12, 2024. https://www.veecotech.com.my/malaysia-cyber-security-laws/

23 Serota, Eli, and Hezril Azmin, “How Malaysia is regulating the rise in cybersecurity threats - FTI Strategic Communications,” FTI Strategic Communications, April 30, 2024. https://fticommunications.com/how-malaysia-is-regulating-the-rise-in-cybersecurity-threats/

24 Raj, Aaron, “Malaysian telco provider has data breach – again,” Tech Wire Asia, January 29, 2024. https://techwireasia.com/2024/01/malaysian-telco-provider-has-data-breach-again/ 

25  “Scam in Malaysia,” Ipsos, December 18, 2023. https://www.ipsos.com/en-my/press-release-scam-malaysia

26 Tan, Ben, “Scams on the rise in Malaysia: Survey finds phone calls most popular route, followed by WhatsApp,” Malay Mail, December 19, 2023. https://www.malaymail.com/news/malaysia/2023/12/19/scams-on-the-rise-in-malaysia-survey-finds-phone-calls-most-popular-route-followed-by-whatsapp/108274

27 “Scam in Malaysia,” Ipsos, December 18, 2023. https://www.ipsos.com/en-my/press-release-scam-malaysia

28 Tan, Ben, “Scams on the rise in Malaysia: Survey finds phone calls most popular route, followed by WhatsApp,” Malay Mail, December 19, 2023. https://www.malaymail.com/news/malaysia/2023/12/19/scams-on-the-rise-in-malaysia-survey-finds-phone-calls-most-popular-route-followed-by-whatsapp/108274

29 Ven, Koay Shiau, and Ryan Heng, “Overview of data breach incidents in Malaysia and the proposed law reforms in tackling the issue,” Mondaq, March 8, 2024.  https://www.mondaq.com/data-protection/1433674/overview-of-data-breach-incidents-in-malaysia-and-the-proposed-law-reforms-in-tackling-the-issue

30 Serota, Eli, and Hezril Azmin, “How Malaysia is regulating the rise in cybersecurity threats - FTI Strategic Communications,” FTI Strategic Communications, April 30, 2024. https://fticommunications.com/how-malaysia-is-regulating-the-rise-in-cybersecurity-threats/

31 “Malaysia Cybersecurity Laws,” International Trade Administration, June 26, 2023. https://www.trade.gov/market-intelligence/malaysia-cybersecurity-laws

32 Ven, Koay Shiau, and Ryan Heng, “Overview of data breach incidents in Malaysia and the proposed law reforms in tackling the issue,” Mondaq, March 8, 2024.  https://www.mondaq.com/data-protection/1433674/overview-of-data-breach-incidents-in-malaysia-and-the-proposed-law-reforms-in-tackling-the-issue

33 Vijjayandran, M., and Ahmad Moradi, “Malaysia – A use case in Cybersecurity,”  The Borneo Post, February 17, 2023. https://www.theborneopost.com/2023/02/17/malaysia-a-use-case-in-cybersecurity/

34 “Who is APT32?,” BlackBerry, n.d. https://www.blackberry.com/us/en/solutions/endpoint-security/ransomware-protection/apt32 

35 Ibid.

36 Ibid.

37 “DragonForce Malaysia,” Radware, n.d. https://www.radware.com/security/ddos-knowledge-center/ddospedia/dragonforce-malaysia/ 

38 Ibid.

39 “DragonForce Malaysia: OpsPetir,” Radware, April 12, 2023. https://www.radware.com/security/threat-advisories-and-attack-reports/dragonforce-malaysia-opspetir/

40 “Dark Web Profile: DragonForce Ransomware,” SOCRadar, June 20, 2024. https://socradar.io/dark-web-profile-dragonforce-ransomware/ 

