Apr 15, 2026


For years, the scam compounds of Southeast Asia have occupied an uncomfortable space in the global conversation about cybercrime: widely reported, frequently condemned by the United Nations, and yet frustratingly difficult to connect to specific acts of digital theft. These sprawling, often coercive operations were known to run phone scams and romance fraud. But a direct, evidenced link to malware-enabled bank account raids? That remained elusive, until now.
Researchers at Infoblox Threat Intel, working alongside Vietnamese non-profit Chong Lua Dao, have published findings that trace an Android banking trojan to what they believe is an operation run from multiple locations, including the K99 Triumph City compound in Cambodia, a site previously flagged by the United Nations for large-scale fraud and forced labour. The malware isn't a crude tool. It is part of a polished, industrialised "malware-as-a-service" platform, and it is actively targeting banking customers and government-service users across four continents.
The investigation began with a data signal, not a tip-off. Infoblox researchers noticed a spike in anomalous DNS traffic across their customer networks — the kind of pattern that suggests something is phoning home to infrastructure it shouldn't be. Following that thread led to a previously undocumented malware-as-a-service platform: a professional, subscription-style criminal offering that handles domain registration, hosting, and trojan deployment on behalf of whoever is running the attacks.
The platform is prolific. It registers roughly 35 new domains every month, each one impersonating a legitimate institution — banks, tax authorities, social-security agencies, utility companies, law enforcement. The fakes are distributed across at least 21 countries, with the most concentrated activity targeting users in Indonesia, Thailand, Spain, and Türkiye. The breadth alone signals an organised operation with significant resources, not a lone opportunist.
What makes this trojan particularly insidious is that it weaponises the very things designed to keep you safe. The attack unfolds in stages, each one stripping away a layer of the victim's protection.
In short: the security measures banks have spent years rolling out (biometric verification, SMS-based two-factor authentication) become the attack surface. The trojan doesn't break through security; it harvests the keys and walks in through the front door.
"These aren't random one-off scams. They're factory lines. For years we knew these scam compounds existed, and suspected malware distribution at the sites, but this is a firm confirmation," said Dr. Renée Burton, VP of Infoblox Threat Intel.

Photo: Dr. Renée Burton, VP of Infoblox Threat Intel
The K99 Triumph City compound in Cambodia is not new to international scrutiny. The UN and various human rights organisations have previously documented the site in connection with large-scale fraud operations and the exploitation of trafficked workers — people lured with false job promises and coerced into running scams under threat of violence. What is new is the direct connection to a technically sophisticated malware operation.
Dr. Burton's "factory lines" framing matters. It reframes what might otherwise be perceived as a diffuse, hard-to-address cybercrime problem into something with physical addresses, organisational hierarchies, and infrastructure that can, at least in principle, be targeted by law enforcement and financial regulators. The research provides the kind of attribution that has historically been missing from discussions of Southeast Asian scam compounds.
The operation also extends what researchers call the compound model beyond "pig butchering", the romance-scam playbook where fraudsters cultivate victim relationships over weeks before convincing them to invest in fake platforms. This trojan operation runs in parallel: faster, more automated, and capable of draining accounts without any sustained human interaction at all.
The implications for financial institutions are pointed and uncomfortable. The research makes clear that standard mobile security measures — the ones most retail banks have deployed as their primary fraud defence — can be systematically defeated by a well-resourced trojan operation. SMS one-time passcodes are interceptable. Biometric data is harvestable. And once both are in the hands of a remote operator, the victim's account is effectively open.
The researchers' message to banks and fintechs is direct: unless mobile channels are hardened well beyond these baseline protections, coordinated cross-border account raids will continue — and regulators are likely to take a harder look at the resilience of mobile fraud defences across the industry. Device-binding, behavioural analytics, and on-device authentication that doesn't rely on SMS transmission are among the countermeasures increasingly discussed in the industry. The question is whether institutions will move quickly enough.
For consumers, the immediate lesson is one of source verification: no legitimate government agency or bank will ask you to install a new app via a link sent by text or messaging platform. That's the delivery vector every time. The trojan has no power without the install.
The significance of this research extends beyond any individual fraud campaign. For years, the conversation about cybercrime originating from Southeast Asian scam compounds has been hampered by a gap between the known existence of these operations and hard technical evidence linking them to specific cyberattacks. That gap has now narrowed considerably.
When malware infrastructure can be traced to a compound that is also a site of forced labour and human trafficking, the response calculus changes. This is no longer purely a cybersecurity problem, a financial crime problem, or a human rights problem — it is all three simultaneously, and the agencies equipped to address each dimension need to be in the same room. The Infoblox and Chong Lua Dao research makes that conversation considerably harder to avoid.