
(Phnom Penh) According to a new report from cybersecurity researchers, several scam rings operating in Cambodia are purchasing and using various types of malware. These tools are easier to operate and use to steal data from unsuspecting victims. Experts believe this trend could push cybercrime to an uncontrollable level, as even those without in-depth IT knowledge can use these tools to steal data like a real hacker.
For a long time, online scams operating in Cambodia, Myanmar, and Laos have been suspected of luring victims into downloading malware to steal login credentials for personal and business bank accounts. Previously, operating such schemes typically required sophisticated computer skills from the perpetrators.
However, the situation has now changed. The American cybersecurity company Infoblox and the non-profit organization Anti-Fraud in Vietnam have detected traces of a type of “malware-as-a-service” (MaaS) that is easier to use than before.
Editor's note: MaaS is a business model in the underground world where highly skilled hackers develop, package, and rent out cyberattack tools, complete with user manuals, 24/7 technical support, and sometimes even a "money-back guarantee if you're not satisfied."
According to the report, published on April 10th, this type of malware is linked to K99 Triumph City, a casino complex in Sihanoukville, southern Cambodia. Part of the information in the report was provided by people who previously worked at the complex.
According to former employees, the location where they worked reportedly coincides with the area of the Royal Union hotel and casino. This establishment is still listed as a commercial gambling business by the Cambodian government, but its parent company is no longer registered with the Cambodian Ministry of Commerce. Nikkei Asia contacted the Cambodian Ministry of Interior, the agency responsible for law enforcement and the crackdown on online fraud, for comment but received no response.
According to research, scammers buy up URLs in bulk and then build websites with interfaces tailored to each scam scenario. For example, the website might impersonate a bank, or trick visitors into downloading a game or investment app. These fake websites, also known as "trojans," will infect users' devices with malware.
The report states that the “malware-as-a-service” model is maintained by a group of unidentified programmers. This group regularly updates the program and receives a share of the profits from the fraudulent activity. Even more concerning is that the tool is so easy to use that even those with little computer literacy can operate it.
John Wojcik, a senior threat researcher at Infoblox, said the company has seen an unprecedented surge in the number of computers attempting to access suspicious domains associated with malware.
“[Access rates increased] from 400,000 [devices] attempting to connect to this malicious content to 1.8 million in March [of 2025]… and that increase has become the new normal, forcing us to investigate what’s going on,” he said.
He said that initially, the research team suspected the activity was related to fraudulent complexes, as the fake websites used many common languages in the neighboring area but not Chinese. This suspicion was later reinforced through cooperation with Anti-Fraud, which received leaked data about malware-as-a-service from former employees of K99 Triumph City.
"Malware-as-a-service" is a term based on the increasingly popular cloud-based software distribution model, also known as Software-as-a-Service or SaaS.
"Previously, such tools were usually only in the hands of highly skilled cybercrime groups. But now, accessing and using them is becoming much easier," Wojcik shared.
Ngo Minh Hieu, founder of Anti-Fraud, shared with Nikkei Asia that he had been tracking a large-scale malware operation on the internet for years. The investigation only truly expanded when a former employee of K99 Triumph City sent him a large amount of relevant data.
Furthermore, he discovered additional evidence suggesting that personnel at other fraudulent complexes were also using the same MaaS platform and regularly upgrading the system.
According to Ngo Minh Hieu, the most perplexing question currently is who is developing, updating, and benefiting from this service. Based on the source code, he believes the group behind it consists of highly skilled programmers who use Chinese as their native language. However, their true identities remain unknown.
"Even those inside the fraudulent complex didn't know who they were," he said.
The MaaS business model is booming in many parts of Asia and is often only detected after victims have been identified. In 2024, a cybersecurity company discovered a group of Vietnamese hackers distributing malware through AI-powered video creation platforms advertised on Facebook. Another company also reported malware being distributed from a fake website impersonating the Indonesian government's tax filing site.
Gatra Priyandita, a senior analyst on networks, technology, and security at the Australian Strategic Policy Institute, said this trend has been present among cybercriminals for about a decade.
“The difference in the Infoblox case doesn’t lie in the concept of MaaS, or malware-as-a-service. What’s noteworthy is that this model has been embedded within a broader criminal ecosystem, encompassing psychological manipulation of victims and, in particular, the use of forced labor within fraudulent schemes,” he wrote in the email.
Priyandita warned that these organizations would be very difficult to dismantle, even once identified and located, due to issues of jurisdiction, the adaptability of scam and hacker groups, and the “political or economic motivations [on the part of law enforcement] that allow these activities to be tolerated.”
According to Priyandita, if technologies that facilitate fraud continue to develop, the consequences will not be limited to financial losses. Individuals and businesses may face increasingly large losses, while trust in digital systems is eroded.
“What’s even more worrying is that these widespread scams are eroding confidence in the digital financial system and digital identity infrastructure, two crucial pillars of the modern economy. In that sense, their impact is strategic, as they undermine the very systems that governments are working to build and protect,” Priyandita shared.
Hieu said that scam groups not only use malware, but also combine many other technologies to scale up their operations. Deepfakes are used to hide faces and voices, AI-powered automatic translation tools help reach victims in many countries, and automation helps speed up the operational process.
"That's why, with the help of AI, the scale of cybercrime is increasingly spiraling out of control," he said.
According to Hieu, AI platforms from large companies like Meta or Alphabet (Google's parent company) are capable of detecting when their services are being used unusually in scam hotspots like Myawaddy in Myanmar or Sihanoukville in Cambodia. Using this internal data, these companies can be more proactive in flagging or blocking suspicious activities.
Dusan Farrington, Google's communications representative for Android in the Asia-Pacific region, stated via email that Google is aware of the malware described in the report and that Android currently has "proactive defense mechanisms to block them." He also cited a recent analysis showing that malware originating from external sources (sideloads), such as downloading apps via browsers, is more than 90 times higher than malware originating from apps downloaded directly from the Google Play Store.
(Before this article was published, Nikkei Asia also contacted Meta. The article will be updated if a response is received.)
John Wojcik of Infoblox also believes the private sector has a greater advantage in responding to this issue on a large scale. He has developed an algorithm currently used by Infoblox to flag potentially malicious domains. He is also in discussions with government officials in various countries regarding these findings, as well as measures to protect the Domain Name System, or DNS, the system that resolves domain names into internet addresses.
In recent times, Cambodia has actively publicized its efforts to crack down on the fraudulent industry, rescuing thousands of workers who reported being trafficked or deceived by job offers. However, Wojcik warned that the fraudulent activities are still protected by political networks.
"What I want to say to governments in the region is that we cannot rely solely on investigation and prosecution to address this issue at its root. Because in meetings on mutual legal assistance and cross-border crime investigations, there may still be parties that are involved in these very scams, or that have an incentive to turn a blind eye," he said.
According to Danielle Keeton-Olsen, Nikkei Asia, published April 24, 2026.