Infoblox Threat Intel has uncovered a large-scale mobile banking fraud operation that traces back to scam compounds in Cambodia. Notably, this growing cyber threat has already impacted users across at least 21 countries, signaling a significant escalation in global financial cybercrime.
Researchers collaborated with Chong Lua Dao, a Vietnamese non-profit organization, to investigate the source of these attacks. During the investigation they identified a sophisticated Android banking trojan that appears to operate from multiple locations, including the well-known K99 Triumph City compound. Authorities, including the United Nations, have previously associated this site with large-scale scam operations and forced labor.
The investigation started after analysts detected unusual DNS traffic patterns across Infoblox customer networks. From that traffic they uncovered what they describe as a previously undocumented malware-as-a-service platform, which registers approximately 35 new spoofed domains every month. The domains mimic trusted institutions such as banks, tax agencies, social security offices, utilities, and even law enforcement organizations.
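The detection vector described above (lookalike domains for banks and agencies showing up in resolver traffic) is something a defender can check for in their own DNS logs. The script below is an added example, not Infoblox's or Chong Lua Dao's code or data: the protected brand tokens, the allowlist of genuine domains, and the log lines are all constructed placeholders, and the "last two labels" rule for the registrable domain is a deliberate simplification (a real tool would use the public suffix list).

```python
"""Added example (not Infoblox's or Chong Lua Dao's code or data): flag lookalike
domains in resolver query logs.  Brand names, allowlist and log lines below are
constructed placeholders; a real deployment would load them from inventory."""
import re
from collections import defaultdict

# Constructed: institutions to protect, keyed by the brand token expected in a domain.
PROTECTED_BRANDS = {"examplebank": "bank", "nationaltax": "tax agency",
                    "socialsec": "social security office"}
# Constructed: the registrable domains those institutions actually use.
ALLOWLIST = {"examplebank.example", "nationaltax.example", "socialsec.example"}

# Constructed resolver log: "<timestamp> <client-ip> <qname> <qtype>".
SAMPLE_DNS_LOG = """\
2024-06-01T08:00:01Z 10.0.0.12 examplebank.example A
2024-06-01T08:00:05Z 10.0.0.12 cdn.example A
2024-06-01T08:01:10Z 10.0.0.33 examplebank-verify.xyz A
2024-06-01T08:01:12Z 10.0.0.33 exampIebank.top A
2024-06-01T08:02:00Z 10.0.0.45 nationaltax-refund.click A
2024-06-01T08:03:00Z 10.0.0.45 weather.example A
2024-06-01T08:04:00Z 10.0.0.51 socialsec-update.app A
2024-06-01T08:04:30Z 10.0.0.51 socialsec-update.app A
"""

REASON_EXACT = "brand name on a registrable domain the institution does not own"
REASON_EMBED = "embeds brand name with extra words"
REASON_NEAR = "near-match to brand name (typo or homoglyph)"


def levenshtein(a: str, b: str) -> int:
    """Edit distance; small values catch one-character swaps such as l -> I."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_domain(qname: str) -> str:
    """Lower-case the name and keep its last two labels.  Simplification: a real
    tool would consult the public suffix list for multi-label suffixes like co.uk."""
    labels = qname.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def classify(domain: str, brands, allowlist):
    """Return (brand, reason) if the domain imitates a protected brand, else None."""
    if domain in allowlist:
        return None
    sld = domain.split(".")[0]
    for brand in brands:
        if sld == brand:
            return brand, REASON_EXACT
        if brand in sld:
            return brand, REASON_EMBED
        if levenshtein(sld, brand) <= 2:
            return brand, REASON_NEAR
    return None


def flag_lookalikes(log_text: str, brands=PROTECTED_BRANDS, allowlist=ALLOWLIST):
    """Walk the log once, aggregate hits per registrable domain, and return the
    findings sorted by domain so the output is stable for review or alerting."""
    hits = {}
    clients = defaultdict(set)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue  # skip malformed lines rather than crash on them
        client, qname = parts[1], parts[2]
        domain = registrable_domain(qname)
        verdict = classify(domain, brands, allowlist)
        if verdict is None:
            continue
        brand, reason = verdict
        hits[domain] = {"domain": domain, "brand": brand,
                        "institution": brands[brand], "reason": reason}
        clients[domain].add(client)
    findings = []
    for domain in sorted(hits):
        finding = dict(hits[domain])
        finding["clients"] = sorted(clients[domain])
        findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in flag_lookalikes(SAMPLE_DNS_LOG):
        print(f"{f['domain']:26} imitates {f['institution']:23} {f['reason']} "
              f"(clients: {', '.join(f['clients'])})")
```

The three reasons are ordered from strongest to weakest signal: an exact brand token on a domain the institution does not own, the brand embedded with extra words such as "verify" or "refund", and finally a near-match within two edits, which is what catches the lower-cased homoglyph `exampIebank`. Because DNS is case-insensitive, lower-casing before comparison is essential; the client set attached to each finding tells the responder which devices to look at first.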
The infrastructure primarily targeted users in Indonesia, Thailand, Spain, and Türkiye, among other countries. Attackers distributed fake mobile applications disguised as legitimate banking or government tools; once a user installed one of these apps, the malware gave the attackers full control over the device.
Consequently, the malicious software could capture facial recognition data during fake KYC (Know Your Customer) processes, intercept SMS-based one-time passwords, and directly access banking applications to transfer funds. This method effectively bypassed traditional security measures, turning them into tools for exploitation.
Importantly, these findings highlight a concerning shift. Criminal groups linked to Southeast Asian scam centers are no longer relying solely on social engineering or romance scams. Instead, they are adopting more direct and technically advanced financial theft methods.
Explaining the scale of the operation, Dr. Renée Burton, VP of Infoblox Threat Intel, stated:
“These aren’t random one-off scams. They’re factory lines. For years we knew these scam compounds existed, and suspected malware distribution at the sites, but this is a firm confirmation.”
She further added:
“We now know that beyond the social engineering associated with so-called pig butchering scams, the compounds are being used to run sophisticated operations that steal banking credentials and allow threat actors to spy on victims.”
The research also exposes a critical weakness in current authentication systems: once attackers control the victim’s device, security layers such as SMS verification and biometric checks run on that same device and no longer provide independent protection.
Therefore, banks, fintech companies, and government agencies must strengthen mobile security frameworks beyond basic authentication methods. Otherwise, coordinated cross-border cyberattacks will likely continue to rise.
Ultimately, the consistent creation of spoofed domains and the global scale of these campaigns point toward a highly organized and industrialized fraud ecosystem linked to physical scam compounds.