Risky Bulletin Newsletter

May 18, 2026

Risky Bulletin: Indonesia emerges as a new hub for cyber scams

Written by Catalin Cimpanu, News Editor

This newsletter is brought to you by Push Security. You can subscribe to an audio version of this newsletter as a podcast by searching for "Risky Business" in your podcatcher or subscribing via this RSS feed. You can also add the Risky Business newsletter as a Preferred Source to your Google search results by going here.

Indonesia is emerging as a new hub for cyber scam operations and illegal online gambling in Southeast Asia after massive crackdowns in neighboring countries have sent criminal groups fleeing across borders and seeking to relocate facilities.

Local authorities have detained more than 550 suspects following three raids this month alone.

More than 200 suspects were detained after a raid on an apartment complex in the city of Batam on May 6. Another 321 were arrested in a commercial building near Jakarta's Chinatown neighborhood on May 10. Another 30 were then detained at guest houses on the island of Bali a few days later.

Almost all the arrested suspects were foreigners, mainly from China, but also from the Philippines, Myanmar, Thailand, Malaysia, Cambodia, and other Southeast Asian countries.

Indonesia's national police says most entered the country under its visa-on-arrival scheme and then overstayed the visa's 30-day period while they worked in the cyber compounds, carrying out online scams or luring people onto betting portals.

The visa-on-arrival scheme was specifically designed to help the country's tourism sector, but officials are now having second thoughts.

The Indonesian government has started procedures to review the process and possibly rescind the policy for nationals of neighboring Southeast Asian countries, as a way to stop criminal groups from relocating operations within its borders.

In recent years, hidden cyber scam compounds have mainly been located in Cambodia, Myanmar, and Thailand.

As local authorities cracked down, operators moved to other states such as Vietnam and the Philippines. Scam compounds have also started popping up in the Middle East and Africa.

Indonesia is just the latest hotspot where these criminal organizations have found a foothold to operate.

Cyber scam compounds generate billions of US dollars. Left unchecked, they have spread like a plague and corrupted the governments of Myanmar and Cambodia, where several government and military officials have been added to international sanctions lists for protecting and profiting from the compounds.

Risky Business Podcasts

The main Risky Business podcast is now on YouTube with video versions of our recent episodes. Below is our latest weekly show with Pat, Adam, and James at the helm!


Breaches, hacks, and security incidents

Hackers breach US tank gauges: Suspected Iranian hackers have breached automatic tank gauges (ATGs) at US gas stations. The targeted devices had been left exposed online without a password. The hackers modified fuel level readings, but no accident has been reported so far. [CNN]


Tabiq leaks reservation data: Hotel check-in platform Tabiq has exposed more than one million passports and other government IDs after leaving an AWS storage bucket publicly accessible online. [TechCrunch]

JLR profit falls after hack: Jaguar Land Rover's annual profit fell by 99% in the aftermath of US tariffs and a cyberattack that shut down its UK factories for more than a month. The company reported only £14 million in profit this year, down from £2.5 billion the previous year. JLR says the worst of the cyberattack's impact has now passed. [The Guardian]

THORChain hacked for $10.7m: The THORChain DeFi platform suspended crypto trading on Friday after hackers stole $10.7 million worth of assets. The hack involved a complex exploit that leaked private key material over time. The attackers eventually reconstructed the private key and drained one of THORChain's wallets. [The Crypto Times // THORChain]

The exploit took months of data leakage to reconstruct the key. That's a failure mode most audits don't model. Would need to see if the wallet was a hot or cold setup to know how much this generalizes.

— falsifylab (@falsifylab.bsky.social) May 17, 2026 at 7:13 PM

Wow, tragic and fascinating 😢: this may have been a cryptography bug in their threshold ECDSA implementation that allowed a *single* participant to exfiltrate the ECDSA secret key and steal all the funds. https://t.co/Sj7yQVmBE2

— alin.apt (@alinush) May 15, 2026

Grafana hacked and held for ransom: Hackers have breached DevOps company Grafana and stolen its GitHub repositories. The company received a ransom notice but said it would not pay the attackers, citing a recent FBI industry alert against paying hackers. A group calling itself the CoinbaseCartel took credit for the hack on Friday. [Grafana Bluesky thread]

General tech and privacy

Microsoft adds driver rollback feature: Microsoft has launched a new feature to roll back problematic driver updates. The new Cloud-Initiated Driver Recovery feature will allow system administrators to roll back drivers to a previous version. The feature only works with drivers sent through the official Windows Update channel and with drivers registered in the Hardware Dev Center. [Microsoft]

Microsoft removes Edge passwords from RAM: Microsoft's Edge browser will stop holding the user's passwords in cleartext in process memory. The change is already live in Edge Canary builds and is set to arrive in the stable branch with version 148. Microsoft is taking this step after a security researcher found the odd behavior and released a tool to dump the passwords. [Microsoft // SANS ISC]

KDE gets EU funding: The KDE Project has received €1.28 million from Germany's Sovereign Tech Fund. The money will be spent to strengthen the project's core infrastructure. The project's main product is the KDE desktop environment for Linux. European countries have recently shown a lot of interest in open-source software and alternatives to US tech. [KDE]

Google tests new Gmail quota: New Gmail accounts will be limited to 5GB of storage unless their owners provide a valid phone number. Google is testing the new policy for all new accounts created in selected regions. By default, all Gmail accounts have had a free quota of 15GB. [PiunikaWeb // AndroidAuthority]

Bluesky considering Edit button: Bluesky devs have decided they want to get out of the Stone Age and are considering the idea of an Edit button. [Alex Benzer]

arXiv will ban authors of AI-generated papers: Academic research portal arXiv will ban authors for a year if they submit AI-generated work with incorrect content and fake references. After the ban expires, authors will have to publish papers on a reputable peer-reviewed platform before being allowed back on arXiv. The new policy comes after arXiv has been flooded with AI slop. [arXiv CS Section Chair]

Bitwarden scraps "always free" from its website: Password manager Bitwarden removed mentions of inclusivity and "always free" from its website after a change in leadership. It re-added the "always free" wording after negative feedback. [FastCompany // Response on Reddit]

The emerging business of Starlink tracking: At least two Israeli companies are touting their ability to track, map, and deanonymize Starlink customers using online advertising data, in what appears to be a new shadowy realm of the already shadowy data brokerage market. Both articles are paywalled, but one of the companies is TargeTeam. [Haaretz // Intelligence Online]

What's possibly more interesting is that TargeTeam is involved in RTB. Is their main business ADINT? https://t.co/80K1aU688W

— Jurre van Bergen (@DrWhax) May 11, 2026

Government, politics, and policy

Trump & Xi discussed cyberattacks: Presidents Donald Trump and Xi Jinping discussed cyberattacks and espionage activities during their joint summit last week. President Trump acknowledged the conversation but did not provide any other details. Chinese officials have routinely denied hacking and espionage in public comments over the years. [NextGov]

Tech giants threaten to leave Canada over lawful access bill: Signal, NordVPN, and Windscribe have threatened to pull their services from Canada if the country's government passes its proposed lawful access bill. Bill C-22 would require tech companies to retain user metadata and redesign their systems to allow law enforcement access. Apple and Meta have also criticized the government's plans.

Poland warns officials of Signal campaigns: The Polish government has advised officials to replace Signal with its national secure messenger platform mSzyfr. mSzyfr launched at the end of March and is based on the Matrix open-source protocol. Russian hackers launched massive Signal phishing campaigns this year that targeted EU and US officials. Both Germany and France have told lawmakers and state employees to move to similar platforms. [Polish government alert // mSzyfr]

Sponsor section

In this Risky Business sponsor interview, James Wilson chats with Push Security’s Chief Research Officer Jacques Louw about how the company has integrated an army of AI agents into its threat detection platform. Not only has agentic AI led to the discovery of Install Fix campaigns, but it will help simplify the platform for new customers.

Arrests, cybercrime, and threat intel

FBI advises against paying ShinyHunters: The FBI has advised schools, parents, students, and other victims against paying ransom demands to the ShinyHunters hacking group. The group has recently breached edTech company Instructure and successfully ransomed the company. The agency is worried the group or impersonators may move to demanding individual ransoms from Instructure customers, such as schools or even the student families themselves. [FBI PSA]

CRXfiltrate campaign: A cluster of malicious Chrome extensions posing as basic dev and usability tools is actually backdooring browsers and allowing remote JS code execution. Google has already removed 20 of the 23 extensions from the Web Store. [7AI]
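Extensions of this kind only get to run remote JavaScript in every tab because the manifest grants them broad host access plus an injection or traffic API. The triage script below, an added example that is not 7AI's tooling or Google's review process, walks a Chrome profile's Extensions directory (or any tree of manifest.json files) and ranks each extension by that combination. The permission and host-pattern names are real Chrome manifest keys; the weighting into high/medium/low is an assumption chosen for triage, and the two manifests at the bottom are constructed.

```python
"""Triage browser extension manifests for the permission combinations that
let an extension run attacker-controlled JavaScript in arbitrary pages.

Added example, not 7AI's analysis or Google's review tooling. Permission
names are real Chrome manifest keys; the high/medium/low weighting is an
assumption. The two manifests at the bottom are constructed samples.
"""
import json
from pathlib import Path

# Host patterns that grant access to every site.
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
# APIs that, combined with broad host access, inject code or rewrite traffic.
CODE_OR_TRAFFIC_APIS = {"scripting", "webRequest", "webRequestBlocking",
                        "declarativeNetRequest", "debugger"}
# APIs that expose session material or cross-tab navigation.
SESSION_APIS = {"cookies", "tabs", "webNavigation"}


def host_patterns(manifest: dict) -> set:
    """Collect every host pattern the manifest asks for (MV2 and MV3 layouts)."""
    hosts = set(manifest.get("host_permissions", []))
    # Manifest V2 mixed host patterns into "permissions".
    hosts |= {p for p in manifest.get("permissions", [])
              if p == "<all_urls>" or "://" in p}
    for cs in manifest.get("content_scripts", []):
        hosts |= set(cs.get("matches", []))
    return hosts


def triage(manifest: dict) -> dict:
    """Return a verdict for one manifest: level plus the reasons behind it."""
    perms = set(manifest.get("permissions", [])) | set(manifest.get("optional_permissions", []))
    broad = bool(host_patterns(manifest) & BROAD_HOSTS)
    code_apis = perms & CODE_OR_TRAFFIC_APIS
    session_apis = perms & SESSION_APIS
    reasons = []
    if broad:
        reasons.append("host access to all sites")
    if code_apis:
        reasons.append("code/traffic APIs: " + ", ".join(sorted(code_apis)))
    if session_apis:
        reasons.append("session APIs: " + ", ".join(sorted(session_apis)))
    # An MV2 string CSP can whitelist a remote script origin; MV3 forbids remote code.
    csp = manifest.get("content_security_policy")
    if isinstance(csp, str) and ("://" in csp or "unsafe-eval" in csp):
        reasons.append("MV2 CSP allows remote or eval'd script")
    if broad and (code_apis or session_apis):
        level = "high"
    elif broad or code_apis:
        level = "medium"
    else:
        level = "low"
    return {"name": manifest.get("name", "?"), "level": level, "reasons": reasons}


def scan_tree(root: Path) -> list:
    """Triage every manifest.json below root (e.g. a Chrome profile's Extensions dir)."""
    results = []
    for path in sorted(root.rglob("manifest.json")):
        try:
            manifest = json.loads(path.read_text(encoding="utf-8-sig"))
        except (OSError, ValueError):
            continue  # unreadable or not JSON; skip rather than crash the sweep
        verdict = triage(manifest)
        verdict["path"] = str(path)
        results.append(verdict)
    return results


# Constructed samples: a "dev tool" with backdoor-grade reach, and a benign one.
BACKDOOR_LIKE = {
    "manifest_version": 3, "name": "JSON Beautifier Pro",
    "permissions": ["scripting", "storage", "tabs"],
    "host_permissions": ["<all_urls>"],
    "background": {"service_worker": "bg.js"},
}
BENIGN = {
    "manifest_version": 3, "name": "Tab Counter",
    "permissions": ["storage"],
    "action": {"default_popup": "popup.html"},
}

if __name__ == "__main__":
    import sys
    root = Path(sys.argv[1]) if len(sys.argv) > 1 else None
    verdicts = scan_tree(root) if root else [triage(BACKDOOR_LIKE), triage(BENIGN)]
    for v in verdicts:
        print(f"{v['level']:6} {v['name']}: {'; '.join(v['reasons']) or 'nothing notable'}")
```

Run it against a profile directory (for example `~/.config/google-chrome/Default/Extensions` on Linux) to get a ranked list; a "high" verdict means the extension can execute code in every page the user visits, which is the capability the campaign abused. It is a triage filter, not a verdict: a legitimate ad blocker needs the same permissions, so the next step is reading what the background script actually fetches and evaluates.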

A new data extortion group emerges: A new hacking group is targeting large corporations for data theft and extortion campaigns. The group operates a new data extortion site named BlackFile. Google says the group, which it tracks as UNC6671, uses the same tactics as the ShinyHunters group but is a separate operation. After the group's activities were documented in a joint Palo Alto Networks and RH-ISAC report, the group shut down its dark web leak site but appears to be still operating. [Google Cloud // RH-ISAC]

The Gentlemen leak analysis: As time goes by, we have more insight into the leak of internal chats from The Gentlemen ransomware operation. The latest reports come from Ransom-ISAC and KELA, but don't forget to take a look at the one from Check Point. [Ransom-ISAC // KELA // Check Point]

Americans lost $388m to crypto ATMs: Americans lost more than $388 million last year to scams leveraging cryptocurrency ATMs and kiosks. The biggest losses were recorded in Texas, Florida, and California, which accounted for almost a third of the total. Minnesota and Tennessee have already banned crypto ATMs due to the risk of scams. Canada is also preparing a similar ban. [FBI IC3]

Malware technical reports

FlowerStorm PhaaS: FlowerStorm, a phishing kit that's been around since 2024, is now using the KrakVM library to obfuscate and hide the code of its phishing pages. [Sublime Security]

Qilin ransomware: GuardSix looks at how the Qilin ransomware emerged in 2022 as a rebrand of the old Agenda ransomware and has become the largest and most active operation today. The group's publicly known victim count has now passed 1,500. [GuardSix]

Gremlin Stealer: The Gremlin Stealer is now using a new obfuscation technique to hide its payload. [Palo Alto Networks]

Vidar 1.6: Security researcher Matt Kirkland looks at the 1.5 version of the Vidar infostealer, the one written in Go, before the C-based 2.0 rewrite. [Matt Kirkland]

XWorm: Researchers have spotted a campaign spreading a PyInstaller-packed Python malware loader designed to deploy the XWorm Remote Access Trojan (RAT). [Point Wild]
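A PyInstaller-packed loader is easy to recognise before any dynamic analysis, because the bundler appends its archive to the executable and closes it with a fixed-format trailer. The script below is an added example, not Point Wild's analysis or PyInstaller's own code: it locates that trailer (the "cookie"), which opens with the magic bytes `MEI\014\013\012\013\016` and, since PyInstaller 2.1, is 88 bytes packed big-endian as `!8sIIii64s` (magic, package length, TOC offset, TOC length, Python version, pylib name). The executable bytes produced by `make_sample()` are constructed, not a real sample.

```python
"""Spot PyInstaller-packed executables by the CArchive cookie they carry.

Added example, not Point Wild's analysis or PyInstaller's own code. The
cookie layout (magic MEI\014\013\012\013\016, struct !8sIIii64s) is the one
PyInstaller 2.1+ writes; make_sample() builds a constructed stand-in for a
packed loader so the detector can be exercised offline.
"""
import struct
import sys

PYINST_MAGIC = b"MEI\014\013\012\013\016"
COOKIE_FMT = "!8sIIii64s"
COOKIE_LEN = struct.calcsize(COOKIE_FMT)  # 88 bytes


def find_pyinstaller_cookie(data: bytes):
    """Return the parsed cookie, or None if the bytes are not a PyInstaller bundle."""
    # The cookie trails the archive; search from the end so data appended after
    # it (overlays, signatures) does not hide it.
    pos = data.rfind(PYINST_MAGIC)
    if pos < 0 or pos + COOKIE_LEN > len(data):
        return None
    _, pkg_len, toc_off, toc_len, pyvers, pylib = struct.unpack(
        COOKIE_FMT, data[pos:pos + COOKIE_LEN])
    return {"cookie_offset": pos, "package_len": pkg_len, "toc_offset": toc_off,
            "toc_len": toc_len, "pyvers": pyvers,
            "pylib": pylib.rstrip(b"\0").decode("ascii", "replace")}


def python_version(pyvers: int) -> str:
    """Recent PyInstaller stores major*100+minor (311); older builds major*10+minor (38)."""
    if pyvers >= 100:
        return f"{pyvers // 100}.{pyvers % 100}"
    return f"{pyvers // 10}.{pyvers % 10}"


def make_sample() -> bytes:
    """Constructed stand-in: fake PE prefix, dummy archive payload, real-format cookie."""
    body = b"MZ" + b"\0" * 62 + b"PYZ-00.pyz\0" * 4
    archive = b"A" * 512                         # pretend CArchive payload
    cookie = struct.pack(COOKIE_FMT, PYINST_MAGIC, len(archive) + COOKIE_LEN,
                         400, 112, 311, b"python311.dll".ljust(64, b"\0"))
    return body + archive + cookie


def classify(data: bytes) -> str:
    cookie = find_pyinstaller_cookie(data)
    if cookie is None:
        return "not a PyInstaller bundle"
    return (f"PyInstaller bundle, Python {python_version(cookie['pyvers'])}, "
            f"pylib {cookie['pylib']}, archive {cookie['package_len']} bytes")


if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else make_sample()
    print(classify(data))
```

A positive hit tells you the "loader" is a Python script and which interpreter version it targets, which decides what to do next: unpack the archive with a tool such as pyinstxtractor and decompile the recovered .pyc rather than spend time in a disassembler on the bootloader stub.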

Sponsor section

In this wholly sponsored Soap Box edition of the show, Patrick Gray chats with Adam Bateman and Luke Jennings from Push Security. 

APTs, cyber-espionage, and info-ops

APT37 poses as the police: North Korean hackers are posing as police officers, defense officials, and North Korea experts in attacks targeting South Korean security and policy officials. The phishing operation was linked to a group known as APT37. Officials believe the campaign is part of North Korea's expansion of cyber-espionage operations after reorganizing its intelligence agency last year. [UPI]

DPRK's OtterCookie: RedAsgard looks at OtterCookie, a JS-based RAT often used by North Korean hackers in their operations and often miscategorized as a BeaverTail variant. [RedAsgard]

TencShell attacks: Security researchers have spotted a new Chinese threat actor targeting the manufacturing sector with TencShell, "a previously undocumented, Go-based implant derived from the open-source Rshell C2 framework." [Cato Networks] 

Twill Typhoon's FDMTP backdoor: A Chinese APT group tracked as Twill Typhoon is deploying a new version of the FDMTP backdoor in a campaign targeting the Asia-Pacific & Japan (APJ) region. [Darktrace]

Fast16 targeted LS-DYNA and AUTODYN: New analysis suggests the Fast16 malware was designed to sabotage LS-DYNA and AUTODYN, two software programs used for high-explosive simulations. The malware fed engineers false data from explosion simulations. The sabotage behavior only activated at a threshold specific to uranium-based nuclear tests. According to Symantec and journalist Kim Zetter, the malware was active around the same time as Stuxnet and was likely designed to sabotage Iran's nuclear program in the late 2000s. [Broadcom Symantec // Zero-Day // David Albright]

"The target metal appears to be uranium. The software lists a value of 19, where 19 g/cc is the density of solid uranium at atmospheric pressure. The manipulation of the simulation output was to start when the density of the compressed material would reach 30, which again indicates uranium. The density of 30 g/cc is the point at which the lattice structure of solid uranium is soon to collapse, and the material starts to liquify under shock. A density of 30 g/cc is further assessed to be a compression within reach of an early nuclear implosion weapons program. This indicates that a core of uranium is the target and shows the malware starting to act in a particularly important region where the uranium is starting to undergo a phase change from solid to liquid. This region is particularly important to a nuclear weapons team that wants to understand how to increase the uranium’s density, and ultimately help achieve a higher explosive yield, but also a region that is very difficult to study experimentally. The accuracy of predicted pressures, densities, and phase states becomes increasingly uncertain at high compression because of limitations in available uranium equation-of-state data and the complexity of its phase behavior, leaving the designer more dependent on the model rather than experimental data."

Leek Likho: Kaspersky looks at Operation SkyCloak, a series of phishing and malware delivery campaigns that targeted Russian and Belarusian military personnel. The campaign is the work of a group known as Leek Likho, also known as SkyCloak and Vortex Werewolf. [Kaspersky]

Sandworm activity still going: Nozomi researchers have found 17 systems across seven customers infected by the Sandworm Russian APT group between July 2025 and January 2026. [Nozomi Networks]

UK sanctions Russian disinfo firms: The UK government has sanctioned two Russian disinformation groups for attempts to destabilize Armenia's pro-western government. Sanctions were imposed on ANO Dialog and the Social Design Agency, two well-known purveyors of pro-Kremlin disinformation. The sanctions were imposed as part of a joint package with the EU, which held a summit in Yerevan last week. Both groups are responsible for a wave of propaganda threatening the country with a Russian invasion and the "Ukraine scenario." [UK sanctions // EU sanctions]

Vulnerabilities, security research, and bug bounty

Microsoft warns of an OWA zero-day: Hackers are exploiting a zero-day in Microsoft Exchange Outlook Web Access servers. The zero-day (CVE-2026-42897) allows attackers to run malicious JavaScript code in OWA inboxes if certain conditions are met. Microsoft deployed temporary mitigations on Tuesday to servers where the Exchange Emergency Mitigation Service is enabled. A more permanent patch is in the works. [Microsoft]

NGINX Rift comes under attack: Hackers are exploiting a recent vulnerability in NGINX web servers. Nicknamed NGINX Rift, the vulnerability allows attackers to execute malicious code on servers in specific configurations. Security firm VulnCheck detected active exploitation three days after a patch and proof-of-concept code were published online. [VulnCheck // NGINX Rift write-up]

openDCIM exploitation: Hackers are trying to exploit vulnerabilities in open-source software used to manage data center infrastructure. The attacks target two recently patched vulnerabilities that can allow threat actors to take over openDCIM servers through left-over installation artifacts. The bugs (CVE-2026-28515 and CVE-2026-28517) were fixed in February, but exploitation was spotted last week. Security firm VulnCheck says the attacker is using an AI tool to find vulnerable servers and drop PHP webshells. All the exploit activity is coming from a single IP address in China. [VulnCheck // Chokapikk's bug write-up // openDCIM patches]
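Two things a defender wants to check after reading that item: whether installer artifacts survived deployment, and whether anything that looks like a PHP webshell has landed in the web root. The script below is an added example, not VulnCheck's detection logic or openDCIM's code. It scores each .php file on execution sinks, decoding chains, variable function calls and request-controlled input, and separately lists installer files that should not be live. The leftover filenames are an assumption (openDCIM ships an `install.php` it tells you to remove after setup; the other names are generic), and the files written by `build_sample_root()` are constructed.

```python
"""Hunt a PHP web root for dropped webshells and leftover installer files.

Added example, not VulnCheck's detection logic or openDCIM's code. The
indicator regexes are generic webshell heuristics; LEFTOVER_NAMES is an
assumption (openDCIM's install.php plus generic installer names). The files
written by build_sample_root() are constructed for a self-contained run.
"""
import re
import tempfile
from pathlib import Path

EXEC_SINKS = re.compile(rb"\b(eval|assert|system|passthru|shell_exec|exec|popen|proc_open)\s*\(", re.I)
DECODERS = re.compile(rb"\b(base64_decode|gzinflate|gzuncompress|str_rot13|hex2bin)\s*\(", re.I)
REQUEST_INPUT = re.compile(rb"\$_(GET|POST|REQUEST|COOKIE|FILES)\b", re.I)
VARIABLE_CALL = re.compile(rb"\$\w+\s*\(")   # $f(...): callee name hidden in a variable
LEFTOVER_NAMES = {"install.php", "setup.php", "upgrade.php", "phpinfo.php"}
FLAG_THRESHOLD = 3   # assumption: tuned so input-plus-sink or input-plus-decoder trips it


def score_php(source: bytes) -> tuple:
    """Return (score, reasons). Each indicator is a lead, not proof of a shell."""
    score, reasons = 0, []
    if EXEC_SINKS.search(source):
        score += 2
        reasons.append("exec sink")
    if DECODERS.search(source):
        score += 1
        reasons.append("decoder")
    if VARIABLE_CALL.search(source):
        score += 1
        reasons.append("variable function call")
    if REQUEST_INPUT.search(source):
        score += 2
        reasons.append("request input")
    return score, reasons


def scan_webroot(root: Path) -> dict:
    """Walk root for .php files; report probable webshells and installer leftovers."""
    webshells, leftovers = [], []
    for path in sorted(root.rglob("*.php")):
        rel = path.relative_to(root).as_posix()
        if path.name.lower() in LEFTOVER_NAMES:
            leftovers.append(rel)
        score, reasons = score_php(path.read_bytes())
        if score >= FLAG_THRESHOLD:
            webshells.append({"path": rel, "score": score, "reasons": reasons})
    return {"webshells": webshells, "leftovers": leftovers}


def build_sample_root() -> Path:
    """Constructed web root: two shells, two benign files, one leftover installer."""
    root = Path(tempfile.mkdtemp(prefix="webroot-"))
    (root / "uploads").mkdir()
    (root / "uploads" / "cache.php").write_bytes(b"<?php @eval($_POST['c']); ?>")
    (root / "assets").mkdir()
    (root / "assets" / "x.php").write_bytes(
        b"<?php $f=base64_decode('c3lzdGVt'); $f($_GET['q']); ?>")  # 'system' decoded at runtime
    (root / "index.php").write_bytes(b"<?php echo 'ok'; ?>")
    (root / "search.php").write_bytes(b"<?php echo htmlspecialchars($_GET['q'] ?? ''); ?>")
    (root / "install.php").write_bytes(b"<?php /* installer */ ?>")
    return root


if __name__ == "__main__":
    import sys
    root = Path(sys.argv[1]) if len(sys.argv) > 1 else build_sample_root()
    report = scan_webroot(root)
    for hit in report["webshells"]:
        print(f"SHELL? {hit['path']} score={hit['score']} ({', '.join(hit['reasons'])})")
    for name in report["leftovers"]:
        print(f"LEFTOVER {name}")
```

Point it at the openDCIM document root; any "SHELL?" hit under an upload or cache directory, or any listed leftover, is worth a look. Pair it with the web server access log: a POST to a .php file that did not exist at deploy time, from a single unfamiliar source address, is the simplest confirmation of the activity VulnCheck describes.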

Bug bounty hunters break Apple's MIE: Security researchers have bypassed one of Apple's most powerful security features with the help of the Mythos cybersecurity AI model. Memory Integrity Enforcement was added to Apple devices last September. It is a state-of-the-art system that protects a device's memory against memory corruption attacks. Researchers at Calif notified Apple of the bug last week and plan to publish more details once the company patches the issue. The exploit targets macOS devices running the company's latest M5 chip. [Calif]

Windows patch gets rolled back: A security patch for an old 2020 vulnerability in Windows (CVE-2020-17103) is missing from the operating system's newer versions. The original exploit still works and allows threat actors to elevate privileges on Windows systems. The missing patch was noticed by a security researcher going by Nightmare Eclipse. It is unclear whether the patch was rolled back on purpose or by accident. [Nightmare Eclipse // Microsoft patch // Project Zero write-up]

Eris LPE: A group of security researchers going by the name of The SNEK Initiative have published a proof-of-concept for Eris, a Windows local privilege escalation that abuses the fax service provider. [GitHub]

Claw Chain vulnerabilities: A chain of four OpenClaw vulnerabilities can be exploited to take over and extract data from a system where the agent is installed. All four have been patched. [Cyera]

GitHub bug bounty program update: GitHub says it has no problems with security researchers using AI to find bugs in its service, but it has a problem with researchers filing bad reports that haven't been validated, are extra-verbose and long, and don't contain steps to reproduce and a proof-of-concept. [GitHub]

AI-assisted vulnerability discovery is here: VulnCheck has noted a common trend this year, with new CVE counts exploding for some vendors, a clear sign that more vulnerabilities are being discovered with the help of AI tools. [VulnCheck]

Infosec industry

Threat/trend reports: CrowdStrike, CyFirma, FBI, IAS, and VulnCheck have recently published reports and summaries covering various threats and infosec industry trends.

New tools—PatchWatch & pocsmith: Origin Security has released PatchWatch & pocsmith, two tools it developed as part of its attempt to replicate some of Mythos' features. PatchWatch is a tool for ingesting Windows Patch Tuesday CVEs, and diffing patched binaries, while pocsmith is an autonomous Windows POC development tool.

Pwn2Own 2026 Berlin: Taiwanese security firm Devcore has won this year's edition of the Pwn2Own hacking contest. Devcore researchers went home with half a million US dollars after hacking Windows 11, Microsoft Edge, Exchange, and SharePoint. This year's edition was held at the OffensiveCon security conference in Berlin and was also the first in which researchers could target AI systems such as AI databases, coding agents, and local inference servers. Day one, two, and three results are here. [ZDI]

Risky Business podcasts

In this episode of Risky Business Features, James Wilson and Brad Arkin workshop the advice they think the industry needs to hear when it comes to deploying agentic AI in the enterprise.

© Risky Business Media 2007–2026. All rights reserved.