Albert, a 68-year-old retiree, received a call in the afternoon on August 14, 2025. The call came at the right time because Albert needed a payment reference number (PRN) from his SSS (social security service) but was having a hard time logging into his program.
The caller knew his full name, SSS number, and address, and offered to help him download the supposedly updated SSS software. The help consisted of Albert clicking on a link sent over Viber, followed by a lengthy installation process.
In an hour and a half, his three bank accounts and two wallets – all linked to his Android phone – were swiped. More than a million bucks in life savings gone.
“My father was sad for the first few months,” Albert’s daughter Jobelle Garcia told Rappler.
The scam is a banking trojan deployed via Android malware, and it has been traced to fraud compounds in Cambodia, according to a first-of-its-kind report by US cybersecurity firm Infoblox and Vietnamese cybersecurity nonprofit Chong Lua Dao.
“We detected an Android banking trojan that is likely operating from multiple locations, including the K99 Triumph City location in Cambodia,” the report said.
This is the first time hard evidence has been found linking a specific type of malware to the actual location of a fraud compound, and it was made possible by smuggled workers who escaped from the compound and took the incriminating evidence with them.
Malware
The team found “modern malware-as-a-service (MaaS),” which is a sophisticated malware tool sold to cybercriminals. MaaS providers create advanced tools and make them available to low-skilled criminals for a fee. To put it simply, it makes it easier for criminals to commit serious crimes.
This MaaS “may be linked to an unknown Chinese-speaking MaaS administrator who operates multiple hacking centers in the Mekong region, where forced labor has been reported, and which is used to distribute malware and conduct fraud,” according to the report.
Most of the victims come from the Philippines, Thailand, Indonesia and Vietnam, with entry into Africa and South America, the report said.
Unlike pig-butchering scams, where criminals invest time to develop relationships with their victims and where victims send their money themselves, this malware only needs a few hours and an unsuspecting victim to click on a link.
This is how it works.

Social engineering
The team has a record of one workstation within the K99 area, which shows “extensive personal and organizational data used to inform victim targeting,” the report said, referring to data that helps the operators select and exploit their victims. The data can be bought in the black markets of the Internet. That’s called social engineering, which also includes “targeted documents.”
The criminal then contacts the victim through a different channel, with the goal being for the victim to click on a website link.
The website, called a “spoofed domain,” appears to be legitimate, spoofing many government service websites like the SSS.
In 2025, when Albert was victimized, 400 spoofed domains were registered to target victims. “This report provides evidence that these domains are part of a coordinated, centrally managed operation designed for scale and resilience,” the report said.
Once the victim is on the spoofed site, they are prompted to install software, such as the updated SSS software. Once the “app” starts to install on an Android phone, criminals gain remote access to the device without the victim’s knowledge.
When that remote access is secured, the malware can intercept texts and phone calls, which is how the operators can access bank accounts and wipe out deposits.

Some Filipinos who posted their experiences on Facebook were made to submit biometric data such as facial recognition.
“The facial recognition data is then used to authenticate in the victim’s online banking application without their knowledge. By capturing the bank’s SMS OTP code, the operator gains full access to the victim’s bank accounts and can transfer funds wherever they want,” the report said.
Albert did not do facial recognition, said his daughter.
Albert spoke to Filipino-speaking scammers who guided him on how to install the fake software, and who warned him that it would take a long time. “Be patient only,” the scammer told Albert, according to his affidavit.
This made Albert’s phone unusable for him, and for his daughter who was trying to call him. Because she could not reach her father by phone, Jobelle went to his house and found that they could not turn off the phone or take a screenshot.
“We decided to remove the sim card. When the sim card was removed, the SSS software installation stopped,” said Albert in his affidavit. (We decided to remove the sim card, and that was the only time the SSS software installation stopped.)
Unfortunately, as with Albert, biometrics aren’t really needed to carry out this scam. “Biometrics is optional for application security. Not all institutions will use it,” John Wojcik, Infoblox’s senior Asia threat researcher who worked on the report, told Rappler.
The Philippines now has a sim registration law, under which everyone who owns a sim card must register with the government. It was promoted as a way to combat cybercrime, but the sim card Albert’s fraudster used was registered under a different name.
Facial recognition in sim card registration was “flaky,” said Jobelle, relaying what the National Bureau of Investigation (NBI) told her. What the NBI knows at this time is “the call originated from another Asian Country but used a Philippine number – it may have used a VPN,” according to Jobelle.
Other bubbles
It is very likely that Albert’s scammer called from the Cambodian compound, because Jobelle was able to obtain the URL provided by the criminals to her father. I then gave the URL to Wojcik, who confirmed that it was indeed one of the domains they tracked.
We’re posting it here as a warning, along with several other Filipino-focused websites. These websites are spoofing government services such as e-gov, and private services such as Philippine Airlines. Make sure you never click on them. These are just some of the thousands of fake URLs.

While this particular banking trojan is running on Android “probably only because of (Apple’s app store’s) stricter security protocols,” according to Wojcik, it’s possible there’s also malware deployed on iOS or iPhone.
“We have identified an increasing number of MaaS vendors as well as other service providers supporting fraud networks in this region. They are becoming increasingly easy to find, often advertising publicly on various illegal online marketplaces in Southeast Asia, although Android devices certainly represent the most frequently targeted operating system for this mobile malware,” said Wojcik.
What does this report mean?
Fraud compounds all over the world, but especially in Southeast Asia, have been exposed, raided, and closed for years. “But linking malware to notorious compounds has been difficult … until now,” the report said.
“This report includes details of the operation, obtained directly from people who were held in the K99 compound and forced to participate in cybercrime,” the report said.
This indicates the possibility that the fraudsters these victims have spoken to, either by phone or text, may be victims of human trafficking, too. But they can also be willing scammers.
“Although we can only speculate at this point, it is clear that human trafficking and forced labor have been prevalent in the fraudulent industry for years. Filipino citizens have repeatedly been lured into fraudulent recruitment practices and victimized, especially in the Mekong region,” Wojcik said.
Through testimony and evidence obtained from those transported to the K99 compound in Cambodia, the team found “direct evidence supporting the relationship between the domains we are monitoring for activity related to the compound.”
It is politically connected
The K99 compound is located in Sihanoukville, Cambodia, which is famous for fraud centers. While Cambodia has said it has closed 200 scam stations, the team said “recent reports from human rights organizations and other sources indicate that K99 Triumph City is still alive despite the Cambodian government’s ongoing crackdown.”
The K99 complex (better known as ‘K99 Triumph City’) is owned by Cambodia’s K99 group, whose chairman is tycoon Rithy Raksmei (aka Xie Liguang), according to the report. Rithy Raksmei is “a family member of one of Cambodia’s richest men, Senator Kok An, who has been identified as reportedly wanted by Thai authorities in connection with cyber-enabled fraud and money laundering,” the report said.
A bill presented in the US Congress “to dismantle and shut down international criminal groups that perpetrate massive online fraud against Americans” names Rithy Raksmei and Kok An among the foreign individuals and organizations it covers.
“The concentration of actors associated with this region reflects a highly centralized ecosystem, in which a small circle of politically connected insiders serve as key enablers to facilitate access, protection, and continuity of operations for transnational criminal groups,” the report said.
What now?
Jobelle said her father recovered from depression when a group of seniors helped connect them with authorities. “Our case is still open to the CICC (Cyber Crime Investigation and Coordination Centre) as they are still tracking where the money went,” Jobelle said.
They were told that it would be difficult to get the money back if it was given. So far, the family has been able to recover P250,000 from BDO.
“Yes, it is difficult to chase each other, it requires a lot of time, patience and effort, yes, the authority given to us is help. It takes a lot of time to bring progress because there are many fraudsters at the moment, so they also have many other people to deal with. But there is still progress and so we are grateful,” said Jobelle.
(Yes, it is difficult to follow them. It requires a lot of time, patience and effort. Yes, the authority given to us is useful. Progress just takes time because there are many scammers today, so they are also busy. But there is still progress, and for that we are grateful.)
The scams won’t stop here, and “we’re likely to see more and more of them in the near future,” Wojcik said.
Malware, according to Wojcik, “has also evolved over time, finding ways to counter and circumvent new security measures. It’s no wonder organizations in many countries are struggling to keep up.”
“While it is important for banks and other financial institutions to respond quickly to such threats, Asian criminal networks are sophisticated, innovative, and increasingly capable, quickly integrating new technologies available to them to stay one step ahead of efforts to disrupt them,” Wojcik said.
Jobelle said the family is now “anxious to answer calls from unknown numbers.”
You should be, too. – Rappler.com






