Recent research from cybersecurity firm Malanta has raised significant concerns regarding Indonesia’s extensive gambling ecosystem, suggesting it may serve as a cover for sophisticated state-sponsored cyber activities. The study indicates that what has long been perceived as routine cybercrime is, in fact, a complex operation with a level of scale and sophistication typically associated with advanced persistent threat (APT) groups.

Kobi Ben Naim, CEO of Malanta, stated, “This combination—longevity, scale, cost, and sophistication—goes well beyond a typical ‘quick-hit’ gambling scam or financially motivated crew.” He emphasized the necessity of classifying this operation as an APT while clarifying that there is no direct evidence linking it to a specific government entity.

Infrastructure Behind the Operation

Malanta’s investigation uncovered a unified infrastructure active since at least 2011. The operation includes over 328,000 domains, approximately 236,000 gambling sites, and 1,400 hijacked subdomains. This sprawling network also features thousands of malicious Android applications, indicating a scale that rivals established APT groups.

The findings reveal a sophisticated threat actor capable of silently staging large-scale operations long before executing full-scale attacks. The infrastructure’s potential reach extends into Western government systems and cloud environments, highlighting serious national security and supply chain implications.

Analysis of the operation shows it combines various tactics, including domain hijacking, mobile malware distribution, and large-scale credential trafficking. By hijacking subdomains, including those belonging to Western governmental entities, the threat actors can engage in session-cookie theft and covert command-and-control (C2) operations, creating stealth pathways that blend malicious activity with legitimate enterprise operations.

Threat Mitigation Strategies

Given the evolving nature of this cyber threat, organizations must adopt a layered approach to strengthen their security posture. Traditional perimeter defenses are inadequate against such sophisticated attacks. Key recommendations include:

1. **Audit DNS records, cloud assets, and subdomains** to eliminate potential takeover paths and enforce strict decommissioning procedures.
2. **Deploy strong web protections** such as Content Security Policy (CSP), Subresource Integrity (SRI), and Secure/HttpOnly cookies, along with continuous monitoring for unauthorized domain activity.
3. **Enhance cloud governance** with Infrastructure as Code (IaC) scanning, least-privilege controls, short-lived credentials, and restricted API/token scopes.
4. **Monitor network and application traffic** for anomalies, including suspicious POST requests and brand impersonation domains.
5. **Implement zero-trust segmentation and identity controls** to limit lateral movement and detect abnormal authentication events.
6. **Expand threat intelligence and security operations center (SOC) capabilities** to flag hijacked subdomains and commodity cloud IP misuse.
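A defender-side check for the first recommendation, added here as an illustrative example rather than Malanta's own tooling: it parses CNAME records out of a zone export and flags any whose target no longer resolves, which is the dangling-record condition that makes a subdomain takeover possible. The zone text and the resolver stub below are constructed sample data; `live_resolves` shows how a real DNS lookup would plug in.

```python
import re
import socket
from typing import Callable, List, Tuple

# Constructed zone export (sample data, not real records).
SAMPLE_ZONE = """
; comment lines are ignored
www.example.gov.test.        300 IN CNAME prod-lb.example.gov.test.
old-portal.example.gov.test. 300 IN CNAME decommissioned-app.cloudhost.test.
docs.example.gov.test.       300 IN CNAME docs-site.pages.test.
api.example.gov.test.        300 IN A     192.0.2.10
"""

# Constructed stand-in for the resolver: targets that currently resolve.
LIVE_TARGETS = {"prod-lb.example.gov.test.", "docs-site.pages.test."}

# Matches "<owner> <ttl> IN CNAME <target>" in a BIND-style zone line.
CNAME_RE = re.compile(r"^(\S+)\s+\d+\s+IN\s+CNAME\s+(\S+)$")


def parse_cnames(zone_text: str) -> List[Tuple[str, str]]:
    """Return (owner, target) pairs for every CNAME record in the export."""
    records = []
    for line in zone_text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        match = CNAME_RE.match(line)
        if match:
            records.append((match.group(1), match.group(2)))
    return records


def find_dangling(zone_text: str, resolves: Callable[[str], bool]) -> List[str]:
    """Owners whose CNAME target fails to resolve: candidates for takeover,
    so they should be removed or re-pointed as part of decommissioning."""
    return sorted(owner for owner, target in parse_cnames(zone_text)
                  if not resolves(target))


def stub_resolves(name: str) -> bool:
    """Offline resolver stub backed by the constructed LIVE_TARGETS set."""
    return name in LIVE_TARGETS


def live_resolves(name: str) -> bool:
    """Real lookup for production use; NXDOMAIN or any failure counts as dangling."""
    try:
        socket.getaddrinfo(name.rstrip("."), None)
        return True
    except socket.gaierror:
        return False
```

Running `find_dangling(SAMPLE_ZONE, stub_resolves)` reports only `old-portal.example.gov.test.`, the record left behind after its cloud target was decommissioned.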

These strategies can help organizations build cyber resilience against similar threats. As attackers increasingly leverage automated infrastructure and stealth tactics, the focus must shift from reactive detection to proactive disruption.

The convergence of criminal and nation-state tactics signifies a change in attacker behavior that may have long-term implications for cybersecurity. As this research from Malanta illustrates, understanding the full extent of these cyber operations is crucial for developing effective defenses.