👤 NEONPALADIN
🗓️ 08 Dec 2025   🌍 Asia

Roll the Dice, Steal the Data: Inside Indonesia’s Shadowy Cyber-Gambling Empire

A 14-year covert operation fuses illicit betting, mass hacking, and state-level cyber tactics, blurring the lines between crime and governance in Southeast Asia.

It started as a small-time gambling ring. Fourteen years later, it’s a sprawling digital syndicate with the reach and sophistication of a nation-state. Deep beneath Indonesia’s surface, a clandestine cybercriminal operation has quietly grown into one of the world’s most complex cyber-gambling empires - hijacking legitimate domains, distributing malware, and raking in millions, all while evading detection behind layers of automation and subterfuge.

The Anatomy of a Digital Crime Syndicate

According to cybersecurity firm Malanta, this Indonesian-speaking threat actor has built an infrastructure that rivals some of the world's most advanced hacking collectives. Their tactics go far beyond online betting: by exploiting WordPress and PHP vulnerabilities, taking over cloud assets whose DNS records were left dangling after the original resource expired, and hijacking DNS records outright, the group has commandeered tens of thousands of legitimate websites, including those of businesses and government agencies.

Some hijacked government subdomains were turned into NGINX reverse proxies. Because the attacker controlled the hostname, the proxy could terminate the victims' HTTPS connections itself (control of DNS is enough to obtain a domain-validated certificate for the name), which gave it plaintext access to the requests, including session cookies, and let it tunnel command-and-control (C2) traffic through an otherwise trusted domain, making the activity nearly invisible to defenders who trust the parent domain. Meanwhile, the group's gambling sites served as distribution points for Android malware, with over 7,700 domains linked to public AWS S3 buckets hosting droppers and exploit kits. The malware used Google Firebase Cloud Messaging to receive commands, and shared C2 domains tied the separate campaigns together.
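The two techniques above chain together: a dangling CNAME hands the attacker a hostname under the organization's domain, and any cookie scoped to the parent domain is then sent to the hijacked host. The following is an added example, not code from the article or from Malanta, showing the check a defender would run over a zone export. All hostnames, the resolver answer table and the cookies are constructed placeholders; the `live_resolver` helper is what you would substitute for production use, with the caveat noted in its docstring.

```python
"""Added example: find dangling CNAMEs in a DNS zone export and work out which
session cookies a browser would hand to a hijacked subdomain.
All hostnames and cookies below are constructed placeholders, not real data."""
import socket
from typing import Callable, Dict, List, Optional, Tuple

# Constructed zone export: (record name, record type, target or value)
SAMPLE_ZONE = [
    ("www.agency.example", "CNAME", "agency-prod.cdn-provider.example"),
    ("old-portal.agency.example", "CNAME", "retired-bucket.storage-provider.example"),
    ("docs.agency.example", "CNAME", "legacy-app.paas-provider.example"),
    ("mail.agency.example", "A", "203.0.113.10"),
]

# Constructed stand-in for live DNS: target -> does it still resolve?
SAMPLE_ANSWERS = {
    "agency-prod.cdn-provider.example": True,
    "retired-bucket.storage-provider.example": False,
    "legacy-app.paas-provider.example": False,
}


def sample_resolver(target: str) -> bool:
    """Offline resolver backed by the constructed answer table."""
    return SAMPLE_ANSWERS.get(target, False)


def live_resolver(target: str) -> bool:
    """Real lookup for production use: a failed lookup means the target is gone.
    Caveat: many cloud endpoints answer for any name (wildcard DNS), so a target
    that resolves may still point at an unclaimed resource; follow up with a
    provider-specific check such as the HTTP response for an unclaimed bucket."""
    try:
        socket.getaddrinfo(target, None)
        return True
    except socket.gaierror:
        return False


def find_dangling_cnames(zone, resolves: Callable[[str], bool]) -> List[Tuple[str, str]]:
    """Return (name, target) for every CNAME whose target no longer resolves."""
    return [(name, target) for name, rtype, target in zone
            if rtype.upper() == "CNAME" and not resolves(target)]


def cookie_sent_to(host: str, set_on_host: str, domain_attr: Optional[str]) -> bool:
    """RFC 6265 domain matching. A host-only cookie (no Domain attribute) is sent
    only to the host that set it; Domain=agency.example reaches every subdomain."""
    host = host.lower()
    if domain_attr is None:
        return host == set_on_host.lower()
    d = domain_attr.lstrip(".").lower()
    return host == d or host.endswith("." + d)


# Constructed cookies: (cookie name, host that set it, Domain attribute or None)
SAMPLE_COOKIES = [
    ("SSO_SESSION", "login.agency.example", "agency.example"),  # parent-domain scoped
    ("CSRF", "www.agency.example", None),                        # host-only
]


def exposure_report(zone, resolves, cookies) -> Dict[str, List[str]]:
    """Map each dangling hostname to the cookies a browser would send it once hijacked."""
    report: Dict[str, List[str]] = {}
    for name, _target in find_dangling_cnames(zone, resolves):
        report[name] = [c for c, set_on, dom in cookies if cookie_sent_to(name, set_on, dom)]
    return report


if __name__ == "__main__":
    for host, leaked in exposure_report(SAMPLE_ZONE, sample_resolver, SAMPLE_COOKIES).items():
        print(f"{host}: dangling CNAME; a hijacker would receive cookies {leaked or 'none'}")
```

The report shows why scoping a single sign-on cookie to the parent domain is the dangerous setting here: both retired hostnames would receive `SSO_SESSION`, while the host-only `CSRF` cookie stays with `www`. Fixing the finding means deleting or repointing the dangling records, and narrowing cookie `Domain` attributes to the hosts that actually need them.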

Automation and AI-generated content helped the syndicate maintain and expand its network. Malicious files, page templates, and site-verification artifacts were spread across burner GitHub accounts, Docker Hub, and even Scribd to boost search rankings and lend legitimacy to hijacked sites. The operation's scale, in both infrastructure and reach, points to a well-resourced, possibly state-backed, group. While the Indonesian connection is clear, occasional Chinese-language snippets in the code hint at broader regional ties.

Perhaps most alarming is the blurring of lines between cybercrime and statecraft. With millions of dollars moving through the operation each year, thousands of stolen credentials sold on dark web markets, and lookalike domains impersonating global tech giants, it illustrates the dangerous intersection of illicit gambling and espionage-grade tradecraft in Indonesia's digital underworld.

Conclusion

As Indonesia grapples with the dual threats of illegal gambling and cybercrime, the revelations from Malanta’s investigation raise urgent questions about governance, law enforcement, and the future of digital security in the region. In the murky overlap between state interests and organized cybercrime, the stakes have never been higher - and the dice are still rolling.

WIKICROOK: Glossary

Domain Hijacking
The unauthorized takeover of a website’s domain name, often by exploiting DNS or registrar vulnerabilities.
NGINX Reverse Proxy
A web server configured to accept client connections and forward the requests to another server. Placed on a hijacked hostname, it terminates the victim's TLS session, so the operator can read or alter the traffic passing through it.
Command-and-Control (C2)
Communication channels used by attackers to remotely control infected devices or malware.
Droppers
Malicious programs designed to deliver and install additional malware onto a victim’s device.
Dangling DNS Records
DNS entries (typically CNAMEs) that still point at a cloud resource or hostname that has since been released or expired. Whoever re-registers that target controls what the organization's name serves.
Tags: Cyber-Gambling, Indonesia, Cybercrime

NEONPALADIN
Cyber Resilience Engineer