Inside Indonesia’s Shadow Web: The 14-Year Cyber Syndicate Blurring the Line Between Crime and State
A sprawling, state-scale gambling cybercrime empire has quietly infiltrated global networks for over a decade, exposing weaknesses from government domains to everyday smartphones.
In the dim corners of the internet, a silent juggernaut has been at work. For 14 years, an Indonesian-speaking cybercrime syndicate has built and maintained a digital empire so vast and sophisticated that security experts are left wondering: is this the work of mere crooks - or something much bigger?
The Anatomy of a Cybercrime Colossus
The operation, meticulously documented by Malanta researchers, reads like a cyber-thriller. What began as illicit online gambling blossomed into an ecosystem encompassing malware distribution, domain hijacking, and the infiltration of both enterprise and government networks worldwide. Unlike opportunistic hackers, this syndicate operates with chilling precision, leveraging vulnerabilities in WordPress, PHP, expired cloud resources, and dangling DNS records to seize control of websites and subdomains.
The scale is staggering: more than 328,000 domains, including a mind-boggling 90,000 hijacked from legitimate owners, and nearly 1,500 compromised subdomains - some belonging to Western government agencies. Hosting is distributed across AWS and Azure and cloaked behind Cloudflare and U.S. IP addresses, making takedowns a game of digital whack-a-mole.
Weaponizing Trust
The syndicate’s most insidious move? Hijacking government subdomains and deploying reverse proxies that disguise malicious command-and-control traffic as legitimate HTTPS connections. This allows them to pilfer session cookies and credentials from unsuspecting users, including those accessing sensitive financial or governmental systems. Analysis of 108,000 such domains revealed centralized control: 92% of their IP addresses hosted multiple hijacked domains - evidence of a single mastermind pulling the strings.
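The subdomain hijacks described above depend on dangling DNS records: a CNAME that still points at a cloud resource or hostname its owner has released. The following is an added example, not code from the Malanta report, that audits a zone snapshot for such records; the zone lines, the resolver table and the provider suffix list are all constructed for illustration.

```python
# Audit a DNS zone snapshot for dangling CNAME records, the takeover vector the
# article attributes to the syndicate. Everything here is constructed sample data.
from dataclasses import dataclass

# Constructed stand-in for live DNS: names that currently resolve.
RESOLVABLE = {
    "www.agency.example.gov.": "203.0.113.10",
    "cdn.provider.example.net.": "198.51.100.7",
}

# Constructed suffixes of self-service cloud hostnames; an unresolving target
# under one of these deserves a check that the resource was not simply released.
CLOUD_SUFFIXES = (".s3.amazonaws.com.", ".azurewebsites.net.")

# Constructed zone snapshot in BIND-style "name TTL IN TYPE target" lines.
ZONE_SNAPSHOT = """
www.agency.example.gov.        300 IN A     203.0.113.10
docs.agency.example.gov.       300 IN CNAME cdn.provider.example.net.
old-portal.agency.example.gov. 300 IN CNAME old-portal-bucket.s3.amazonaws.com.
events.agency.example.gov.     300 IN CNAME events-app.azurewebsites.net.
"""

@dataclass
class Finding:
    name: str      # the record in our zone that is dangling
    target: str    # the CNAME target that no longer resolves
    reason: str    # why it was flagged

def parse_zone(text):
    """Return (name, type, target) for each A/CNAME line; ignore other lines."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 5 and parts[3] in ("A", "CNAME"):
            records.append((parts[0], parts[3], parts[4]))
    return records

def audit_dangling(zone_text, resolvable=RESOLVABLE):
    """Flag CNAMEs whose target does not resolve; note cloud-hosted targets."""
    findings = []
    for name, rtype, target in parse_zone(zone_text):
        if rtype != "CNAME" or target in resolvable:
            continue
        reason = "CNAME target does not resolve"
        if target.endswith(CLOUD_SUFFIXES):
            reason += "; target is a self-service cloud hostname, confirm it was released"
        findings.append(Finding(name, target, reason))
    return findings

if __name__ == "__main__":
    for f in audit_dangling(ZONE_SNAPSHOT):
        print(f"{f.name} -> {f.target}: {f.reason}")
```

In a real audit the `RESOLVABLE` table would be replaced by live lookups against the zone's authoritative data, and every flagged record should be removed or re-pointed rather than left for someone else to claim.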
Mobile Malware and Localized Targeting
The mobile front is equally daunting. Some 7,700 domains serve up Android APKs disguised as gambling apps, which act as “droppers” to fetch further malware, exfiltrate data, and communicate with shared command servers. These apps are geo-restricted, requiring Indonesian phone numbers and banking details, ensuring the syndicate’s grip on local victims while avoiding global scrutiny.
Who’s Behind the Curtain?
Supporting infrastructure includes burner GitHub accounts, lookalike domains impersonating tech giants, and a steady stream of stolen credentials - over 51,000 surfacing on dark web forums. The technical sophistication, operational discipline, and sheer financial outlay all point to a force that goes beyond ordinary cybercrime. With costs exceeding millions per year, and a 14-year lifespan, experts warn this may be the work of a state-backed group - or one operating under its protection.