
Is Indonesia’s Gambling Empire a Front for State Cyber Activity?

Research suggests Indonesia’s massive gambling network may be an APT-level operation using large-scale, stealthy infrastructure.

Written by Ken Underhill
Dec 5, 2025

A decade-long cyber operation hiding in plain sight may be far more sophisticated than previously understood. 

New research from Malanta suggests Indonesia’s sprawling gambling ecosystem, long dismissed as routine cybercrime, exhibits the scale, automation, and operational maturity typically associated with state-sponsored threat actors.

“This combination — longevity, scale, cost, and sophistication — goes well beyond a typical ‘quick‑hit’ gambling scam or financially motivated crew,” said Kobi Ben Naim, CEO of Malanta.

He added, “That’s why we classify it as an APT and describe it as state‑sponsored‑level, while being careful not to assert that we have direct evidence tying it to a specific government entity.”  

The Massive Infrastructure Behind This Long-Running Operation

Malanta uncovered a unified infrastructure active since at least 2011, revealing more than 328,000 domains, 236,000 gambling sites, 1,400 hijacked subdomains, and thousands of malicious Android applications — an ecosystem large enough to rival established APT groups. 

The operation also includes stolen credentials, reverse proxies buried inside government and enterprise environments, and over 500 impersonation domains mimicking major brands.

This indicates a threat actor capable of silently staging large-scale operations years before launching full attacks. 

The infrastructure’s reach into Western government systems and cloud environments elevates its national security and supply chain impact.

Inside the APT-Scale Operation Behind Indonesia’s Network

Unlike traditional gambling scams, this operation blends domain hijacking, cloud resource staging, mobile malware distribution, and large-scale credential trafficking. 

Threat actors hijack subdomains — including those belonging to Western government entities — then use them for session-cookie theft or covert command-and-control (C2) tunneling. 

This creates stealth pathways that let malicious traffic ride on the reputation of legitimate enterprise or government domains.

The infrastructure also abuses mass domain automation, SEO redirection, AI-generated phishing kits, and persistent cloud staging through S3 buckets, Azure blobs, and GitHub-hosted payloads. 

Malanta’s Indicators of Pre-Attack (IoPA) analysis revealed:

  • Newly created brand-impersonating domains not yet weaponized
  • Misconfigured or abandoned cloud resources staged for future malware delivery
  • AI-generated phishing templates in staging
  • Domain takeover vectors like dangling DNS and expired certificates

This pre-attack visibility allowed analysts to connect thousands of previously unrelated assets into a unified APT-scale campaign. 

The operation reflects systemic exploitation of cloud misconfigurations and domain hygiene failures.

Key Defenses to Strengthen Your Security Posture

Modern threat campaigns increasingly exploit misconfigured domains, cloud assets, and identity pathways to gain silent footholds inside enterprise environments. 

As attackers blend commodity infrastructure with hijacked subdomains and staged cloud resources, traditional perimeter defenses are no longer enough. 

Organizations need a layered approach that strengthens visibility, hardens configurations, and accelerates detection.

  • Audit DNS records, cloud assets, and subdomains to eliminate takeover paths and enforce strict decommissioning procedures.
  • Deploy strong web protections such as CSP, SRI, Secure/HttpOnly cookies, and continuous monitoring for unauthorized domain activity.
  • Strengthen cloud governance with IaC scanning, least-privilege controls, short-lived credentials, and restricted API/token scopes.
  • Monitor network and application traffic for anomalies, including suspicious POST requests, brand impersonation domains, and cloud-hosted C2 infrastructure.
  • Implement zero-trust segmentation and identity controls to limit lateral movement and detect abnormal authentication events.
  • Expand threat intelligence and SOC detection capabilities to flag hijacked subdomains, commodity cloud IP misuse, and impersonation infrastructure.
  • Enhance incident response readiness through dedicated playbooks, tabletop exercises, and security reviews of third-party and vendor-managed domains.

These mitigations help organizations build cyber resilience against similar threats.
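One way to carry out the first audit bullet above, flagging the dangling-DNS takeover paths the IoPA list also names, in Python. This is an added example, not Malanta's tooling or anything from the article; the zone records, the resolver answer table, every hostname and IP, and the list of re-registrable cloud suffixes are constructed for illustration. The resolver is injected as a callback so the audit runs offline; in production you would replace stub_resolve with a real lookup.

```python
"""Dangling-CNAME audit over a DNS zone export (added example, not Malanta's tooling).

A CNAME whose target no longer resolves is a subdomain-takeover path: whoever
re-creates the target resource inherits the hostname's trust. The resolver is
injected as a callback so the audit runs offline against a constructed answer
table; in production, swap stub_resolve for a real lookup."""

from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

# A resolver returns (rtype, rdata) for the first answer, or None for NXDOMAIN.
Answer = Optional[Tuple[str, str]]
ResolveFn = Callable[[str], Answer]

# Cloud endpoints that a third party can often re-register once the original
# resource is deleted. Illustrative list (assumption), not exhaustive.
CLAIMABLE_SUFFIXES = (
    ".s3.amazonaws.com",
    ".blob.core.windows.net",
    ".azurewebsites.net",
    ".github.io",
)


@dataclass
class Finding:
    name: str       # record owner in our zone
    target: str     # final hostname the CNAME chain points at
    severity: str
    reason: str


def _normalize(host: str) -> str:
    return host.rstrip(".").lower()


def audit_cnames(records, resolve: ResolveFn, max_hops: int = 5) -> List[Finding]:
    """Follow each CNAME chain and flag targets that are gone or re-registrable."""
    findings: List[Finding] = []
    for name, rtype, rdata in records:
        if rtype.upper() != "CNAME":
            continue
        final = _normalize(rdata)
        answer = resolve(final)
        hops = 0
        # Walk CNAME chains (capped so a loop cannot spin forever).
        while answer is not None and answer[0].upper() == "CNAME" and hops < max_hops:
            final = _normalize(answer[1])
            answer = resolve(final)
            hops += 1
        if answer is None:
            findings.append(Finding(name, final, "high",
                                    "CNAME chain ends in NXDOMAIN (dangling record)"))
        elif final.endswith(CLAIMABLE_SUFFIXES):
            findings.append(Finding(name, final, "medium",
                                    "resolves to a re-registrable cloud endpoint; "
                                    "confirm the backing resource is still yours"))
    return findings


# Constructed zone export: (owner, type, rdata).
SAMPLE_ZONE = [
    ("www.example.gov", "A", "203.0.113.10"),
    ("old-portal.example.gov", "CNAME", "retired-app.azurewebsites.net."),
    ("assets.example.gov", "CNAME", "cdn.example.gov."),
    ("cdn.example.gov", "CNAME", "example-assets.s3.amazonaws.com."),
    ("docs.example.gov", "CNAME", "example-docs.github.io."),
    ("vpn.example.gov", "A", "203.0.113.20"),
]

# Constructed resolver answers; any hostname absent from the table is NXDOMAIN.
STUB_ANSWERS = {
    "retired-app.azurewebsites.net": None,            # app was deleted
    "cdn.example.gov": ("CNAME", "example-assets.s3.amazonaws.com."),
    "example-assets.s3.amazonaws.com": ("A", "192.0.2.10"),
    "example-docs.github.io": ("A", "192.0.2.20"),
}


def stub_resolve(host: str) -> Answer:
    return STUB_ANSWERS.get(host)


if __name__ == "__main__":
    for f in audit_cnames(SAMPLE_ZONE, stub_resolve):
        print(f"[{f.severity}] {f.name} -> {f.target}: {f.reason}")
```

The high-severity finding (an NXDOMAIN target) is the classic dangling record and should be removed or re-pointed immediately; the medium findings are not vulnerable by themselves, but they are the records to pair with the decommissioning procedure, because the day the bucket or web app is deleted they become the high-severity case.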

Inside the Shift to Infrastructure-First Attacks

By distributing malicious assets across cloud platforms, hijacked government domains, and widely used CMS ecosystems, adversaries gain stealth by blending into trusted services, automation to rapidly regenerate infrastructure, and reach across global networks. 

Because this activity hides within legitimate internet ecosystems, it often evades traditional threat intel filters and takedown processes, giving attackers long-lived infrastructure with minimal friction. 

This convergence of criminal and nation-state tradecraft signals a fundamental shift in attacker behavior. 

As threat actors industrialize their pre-attack infrastructure, defenders must shift from reactive detection to proactive disruption — identifying and dismantling malicious assets before they are ever weaponized.

Staying ahead of this shift requires threat intelligence feeds that can help spot emerging attacker infrastructure before it matures into an active campaign.
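A minimal watchlist check for the brand-impersonating domains the article describes, the kind of newly registered lookalike an intelligence feed should surface before it is weaponized. This is an added example, not Malanta's detection logic; the brand names, the owned apex domains, the confusable-character table, and the feed of observed hostnames are all constructed assumptions, and the two-label apex rule stands in for a real public-suffix lookup.

```python
"""Brand-impersonation domain triage (added example, not Malanta's detection logic).

Input is a list of newly observed hostnames, e.g. from a certificate-transparency
or passive-DNS feed. Each domain's registrable label is compared with a brand
watchlist three ways: brand embedded in a third-party label, brand visible after
undoing common confusable-character substitutions, and edit distance <= 1."""

from dataclasses import dataclass
from typing import List, Optional

# Assumed watchlist and the apex domains the brands legitimately own.
BRANDS = ["examplebank", "acmecloud"]
OWNED_APEX = {"examplebank.com", "acmecloud.io"}

# Single-character look-alikes; multi-character pairs are handled in fold_confusables.
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})


@dataclass
class Finding:
    host: str
    brand: str
    reason: str


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert/delete/substitute), O(len(a)*len(b))."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]


def _parts(host: str) -> List[str]:
    return host.lower().strip(".").split(".")


def apex(host: str) -> str:
    # Assumption: two-label apex; a real deployment would use the public suffix list.
    return ".".join(_parts(host)[-2:])


def registrable_label(host: str) -> str:
    parts = _parts(host)
    return parts[-2] if len(parts) >= 2 else parts[0]


def fold_confusables(label: str) -> str:
    return label.translate(CONFUSABLES).replace("rn", "m").replace("vv", "w")


def classify(host: str) -> Optional[Finding]:
    if apex(host) in OWNED_APEX:
        return None  # our own infrastructure, not an impersonation
    label = registrable_label(host)
    folded = fold_confusables(label)
    for brand in BRANDS:
        if brand in label:
            reason = "brand name embedded in a third-party domain"
        elif brand in folded:
            reason = "brand name appears after confusable-character normalization"
        elif levenshtein(label, brand) <= 1:
            reason = "within one edit of the brand name"
        else:
            continue
        return Finding(host, brand, reason)
    return None


def scan(hosts) -> List[Finding]:
    return [f for f in (classify(h) for h in hosts) if f is not None]


# Constructed feed of newly observed hostnames.
OBSERVED = [
    "login.examplebank.com",          # legitimate, owned apex
    "examplebank-login-secure.xyz",   # brand embedded
    "examp1ebank.net",                # 1 -> l
    "exarnplebank.com",               # rn -> m
    "examplebnk.com",                 # one deletion
    "acme-cloud.io",                  # inserted hyphen
    "unrelated-shop.com",             # clean
]

if __name__ == "__main__":
    for f in scan(OBSERVED):
        print(f"{f.host}: looks like {f.brand} ({f.reason})")
```

Findings from a check like this are leads, not verdicts: the value is in the timing, since a lookalike registered today and holding only a parking page is exactly the "not yet weaponized" asset the IoPA approach aims to catch, and it can be blocked at the proxy and queued for takedown before any phishing kit lands on it.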

Property of TechnologyAdvice. © 2025 TechnologyAdvice. All Rights Reserved