This article interprets the core content of the report to help readers quickly grasp the key information and improve their understanding of, and ability to respond to, these complex security threats.
Source: United Nations Office on Drugs and Crime (UNODC)
Written by: Lisa
Editor: Liz
On October 7, 2024, the United Nations Office on Drugs and Crime (hereinafter referred to as “UNODC”) released a report titled “Transnational Organized Crime in Southeast Asia: The Convergence of Cyber Fraud, Underground Banking and Technological Innovation: The Changing Threat Landscape”. In the report, UNODC thanked SlowMist for its information, data and analytical support, and also thanked our partner Bitrace.
The report is UNODC's latest analysis of transnational organized crime in Southeast Asia and follows up on the comprehensive report “Transnational Organized Crime in Southeast Asia: Evolution, Growth and Impact” released in 2019. It covers three main areas: an overview of developments in Southeast Asia, underground banking and money laundering activities, and technological innovations that facilitate criminal activities. Specifically, the report focuses on the characteristics and evolution of organized crime in Southeast Asia, especially drug trafficking and money laundering activities related to casinos and special economic zones. It analyses in detail the main threats and risks posed by the proliferation of casinos and by the complex money laundering methods used by organized crime groups, such as how the rise of online gambling and electronic gambling has changed the underground banking and money laundering landscape. It also provides a series of recommendations to help governments and international partners deal with the rapid development of casinos and organized crime in Southeast Asia.
Key Point 1: Overview of Development in Southeast Asia
Southeast Asia is facing unprecedented challenges from transnational organized crime and illicit economies. The rapid development of the region's physical, technological and digital infrastructure has given organized crime networks more opportunities to expand across a variety of activities, including drug production and trafficking, illegal gambling, trafficking for forced criminality, prostitution and money laundering. Casinos, hotels and special economic zones have become "hotbeds" for these illegal activities, further exacerbating the governance difficulties in border areas.
1. Gambling and criminal activities
Southeast Asia's casino industry has experienced exponential growth over the past decade, with more than 340 licensed and illegal casinos. Although increased regulation in Macau, China has led to the closure of some casinos, the gambling market in Southeast Asia remains active, especially online gambling. The vast majority of casinos in the Lower Mekong countries are located in border areas with China, Thailand and Vietnam, where gambling activities are mostly illegal. Gambling intermediaries play a very important role in Southeast Asia's gambling industry, but due to the pandemic and increased law enforcement, many of them are facing declining profits. The founders of Suncity and Tak Chun, two of the world's largest gambling intermediaries, were sentenced for money laundering and organized crime, in one of the most serious money laundering and underground banking cases in recent years. The two were sentenced to 18 and 14 years in prison respectively, on hundreds of charges related to organized crime and illegal gambling. They handled more than $100 billion through casinos, online gambling platforms and underground banking.
Despite increased law enforcement efforts, online fraud remains rampant: economic losses from fraud targeting victims in East and Southeast Asia are estimated at between $18 billion and $37 billion in 2023. With the rise of high-risk virtual asset service providers (VASPs), cybercriminals are increasingly using cryptocurrencies to launder money. A common practice is to convert the proceeds of crime directly into cash, or into USDT as a stable intermediary currency, in the over-the-counter market. The huge volume of transactions and their association with a variety of criminal activities make it difficult for governments to regulate and combat money laundering. One high-risk VASP in the Mekong region was found to have processed a total cryptocurrency transaction volume of $49 billion to $64 billion between 2021 and 2024, and is estimated to be the largest service provider of its kind in the Asia-Pacific region. It has also transacted with OFAC-sanctioned entities and with multiple wallets associated with the Lazarus Group that appeared in hacking incidents. Lazarus Group is a notorious hacker organization that plays an important role in cryptocurrency-related money laundering. According to SlowMist's analysis, the money laundering methods of the North Korean hacker group Lazarus are complex and varied, and new methods appear every so often. For details, see SlowMist's “Blockchain Security and Anti-Money Laundering Report in the First Half of 2024” (https://www.slowmist.com/report/first-half-of-the-2024-report(CN).pdf).
The report also mentioned that stablecoins have become increasingly popular not only among legitimate users in recent years, but also among criminal groups, especially those involved in cyber fraud. This is consistent with the findings of East Asian and Southeast Asian authorities: stablecoins, especially Tether (USDT) on the TRON (TRX) blockchain, are the first choice of Asian criminal groups engaged in cyber fraud and money laundering.
2. Regional online fraud
In recent years, independent fraud gangs have been replaced by larger and more unified criminal groups, which often disguise their operations as industrial or technology parks and form stable networks. Take KK Park in Karen State, Myanmar, for example: it showed signs of development as early as the beginning of 2020, and over the past four years it has become one of the largest and most active crime clusters in the region. At the same time, the popularity of cryptocurrencies has made cross-border transactions more convenient, allowing online fraud to expand globally, in particular by exploiting law enforcement agencies' limited understanding of how these schemes operate. The schemes include “pig butchering” scams, investment scams, job scams and asset recovery scams. For details, see “Report Interpretation | FBI Releases 2023 Cryptocurrency Fraud Report”.
Scammers are targeting more and more people, especially young people and the Chinese community. Fraud organizations are usually complex pyramid structures, including multiple departments such as recruitment, finance and operations, and the operation of these criminal activities requires cooperation from multiple parties. The fraud situation has also changed in the past year. Data shows that 43% of the fraud inflows so far this year have flowed to newly active wallets. In contrast, this proportion in 2022 was only 29.9%, which means that the number of new frauds is increasing rapidly.
The average number of days a scam stays active has fallen significantly, from an average of 271 days in 2020 to 42 days in the first half of 2024.
This macro trend is consistent with scammers shifting from carefully planned Ponzi schemes to more targeted activities, and is also partly due to increased law enforcement and stablecoin issuers' increasing blacklisting of fraud addresses. For example, on May 14, the on-chain tracking and anti-money laundering platform MistTrack observed that Tether, the world's largest stablecoin issuer, froze 5.2 million USDT related to phishing.
3. Human trafficking and forced crimes
Traffickers gain economic benefits by deceiving and coercing victims to participate in criminal activities. After being trafficked, victims are often restricted in their freedom, their passports are confiscated, and they face violence and various threats. Although the nature of forced trafficking has not changed, the professionalization of the industry has led to a blurred line between victims and willing participants, forming multiple categories of people involved.
In some areas, especially Myanmar, victims are often forced to sign fake contracts and work to repay high "debts", which are not actually legal and cover up the criminal behavior of traffickers. Many victims still face legal risks after escaping or being rescued, and may be prosecuted or intimidated.
4. Enforcement Actions
Despite a range of measures to combat these activities, online gambling and fraud remain widespread. Moreover, enforcement efforts vary from country to country, with measures such as arrests of suspects, freezing of accounts and blocking of websites. Cross-border cooperation has resulted in the seizure of some assets and an increase in convictions of criminals, particularly with an increase in raids on scam centers and gambling operators.
The following table, compiled from statements from law enforcement agencies in each region, lists some of the most prominent law enforcement actions taken against websites involved in illegal online gambling and online fraud activities since January 2023. These raids were led by local law enforcement agencies, sometimes in cooperation with regional law enforcement agencies. Chinese public security organs played a major role in several of these operations.
According to statistics from the Ministry of Public Security of China, from January to November 2023, a total of 391,000 telecom fraud cases were uncovered, and 79,000 suspects were arrested, including 263 main offenders. In 2023, more than 50,000 people were prosecuted for telecom fraud. The new Anti-Telecom Fraud Law, passed in 2022, sets out the responsibilities of telecommunications, Internet and financial service providers, including raising customer awareness and monitoring, blocking and reporting suspicious activities.
Over the past year, Chinese media have widely reported on proceedings against persons suspected of involvement in illegal online gambling and online fraud, both inside and outside China. Prosecutors have also released multiple reports, including summaries of typical cases of convictions of persons who voluntarily returned or were deported from Cambodia, the Philippines, Laos, Myanmar, Malaysia, and other countries. In China, enforcement actions have focused on those who provide support to overseas organizations, including those who develop software, maintain websites, and provide technical support, as well as underground banking networks that facilitate the transfer of funds derived from cybercrime and those who sell account information to money laundering groups for use as mule accounts. Enforcement actions have also targeted groups that smuggle Chinese citizens across borders by land and sea.
Key Point 2: The Rise of Underground Banking, Money Laundering, and Crime-as-a-Service
Transnational organized crime groups in East and Southeast Asia have become market leaders in underground banking, informal cross-border value transfer and money laundering. These groups have become increasingly sophisticated, adapting to and taking advantage of changes in the political and business environment and of technological innovation, especially in their use of casinos and online gambling. They have built complex underground money laundering networks by integrating information, financial and blockchain technologies.
In addition, the rise of inadequately regulated and unauthorized virtual asset service providers (VASPs) has also exacerbated the current situation. More specifically, the proliferation of high-risk exchanges, over-the-counter (OTC) services, large peer-to-peer (P2P) dealers, and other related businesses controlled and facilitated by transnational organized crime has fundamentally changed the criminal environment in Southeast Asia, driving the expansion of the illicit economy and attracting new service providers and business models. In particular, large transnational criminal groups based in Hong Kong, Macau, and Taiwan, China, dominate the money laundering industry, work closely with intermediaries, use credit services provided by intermediaries to circumvent capital controls, and rely on unregulated payment companies to transfer funds.
In recent years, law enforcement agencies in East Asia and Southeast Asia have also stepped up monitoring of third-party payment providers, but many cases show that online fraud still has a great impact on the industry. In the online gambling industry, unregulated casinos and gambling intermediaries have become an important infrastructure for money laundering. They conceal the source of funds through "custody" transactions and "investments", forming a complex means of money laundering. Due to the anonymity and non-face-to-face transactions of online gambling, the flow of funds becomes very difficult to track, which facilitates organized crime.
At the same time, Southeast Asia’s offshore online gambling industry has grown rapidly, especially in areas where regulation is relatively weak. Intermediaries have taken advantage of this trend to help organized crime reap profits, disguising illegal funds as legal proceeds through money laundering. Despite the gradual strengthening of regulation and enforcement, many online gambling platforms still survive well in the “grey” or “black” market. Transnational organized crime has also begun to integrate cryptocurrencies into its operations, especially in high-risk exchanges and over-the-counter transactions. Due to the lack of regulation, these platforms have become a hotbed for money laundering, allowing criminal networks in East Asia and Southeast Asia to easily evade regulation and further support their illegal activities.
Key Point 3: The Development of Online Fraud and Technological Innovation
In recent years, cybercrime activities in East and Southeast Asia have increased significantly, especially the increasing activity of transnational organized criminal groups. Cybercriminals not only behave like formal enterprises in developing and selling criminal services, but also adopt a "crime as a service" (CaaS) model to outsource various criminal activities to others, lowering the threshold for committing crimes.
1. Underground data markets and information-stealing malware
Underground data markets have also become an important resource for online fraud groups, providing large amounts of stolen data, including bank information, credit card details, and personal identity information. The information required for know-your-customer (KYC) checks is especially popular in the underground market. Criminals use this data to carry out identity theft, commercial fraud, and money laundering.
There is strong evidence that the underground data market is shifting to Telegram. Against the backdrop of Southeast Asia's thriving criminal ecosystem, the proliferation of information-stealing malware and underground clouds of logs (UCL) services is at the heart of this shift. The simplicity, availability, and low cost of information stealers make them particularly popular with criminals in the region. These tools are often accessed through a malware-as-a-service (MaaS) model, in which developers license them to others. This growing data pipeline has created many new opportunities for transnational organized crime in the region, which in turn has helped diversify the strategies, techniques, targets, and criminal groups engaged in cyber fraud. Data shows that the number of hosts infected with information stealers and offered for sale in the Asia-Pacific region continues to increase, which is consistent with the surge in cyber fraud incidents in the region.
2. Search engine optimization and fraudulent advertising
While many online fraud schemes require detailed targeting analysis and direct contact between the fraudster and the potential victim, there are also simple scams that can easily deceive victims with just an enticing ad, a fake webpage, or a phishing link. These criminals widely use search engine optimization (SEO) poisoning and deceptive advertising to achieve these goals, both of which have proven effective as the use of search engines and social media continues to increase around the world. In terms of scale, Google alone blocked or removed 206.5 million ads in 2023 for violating its paid advertising misrepresentation policy, including online scams and fraudulent ads, an increase from 142 million ads in 2022.
In March this year, the SlowMist Security Team and the Rabby Wallet team disclosed a phishing technique that uses Google ads. The Rabby Wallet team had not purchased any Google ads, yet the fake ads redirected to the real official website. In Google search results for the relevant keywords, the top two results were phishing ads, but the link of the first ad was very abnormal: it showed the official website address of Rabby Wallet, rabby[.]io. Tracking showed that the phishing ads sometimes redirected to the real official address rabby[.]io, but after the proxy was switched to different regions several times they redirected to the phishing address rebby[.]io, and the phishing address was updated and changed over time. Analysis found that the key step was the phishing gang's use of a 302 redirect through Google's own Firebase short link service to deceive Google's ad display. Similar phishing routines also appear in various chat applications. Take Telegram as an example: when a URL is sent in a chat, the Telegram backend fetches the link's domain name, title and icon to display a preview.
Criminals also use SEO poisoning to boost the visibility of their malicious websites, making them look more authentic to unsuspecting users, who treat top search engine rankings as trustworthy. They also use various SEO poisoning techniques, such as so-called domain squatting, to profit from users who accidentally mistype URLs or click on links with misspelled URLs. Social media platforms have become a new battleground as well, with criminals deceiving users through ads disguised as legitimate promotional materials. In September 2023, Singaporean authorities confirmed that at least 43 victims had lost $875,000 to malware scams from social media ads.
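The Rabby case above turns on two observable signals: an ad whose displayed address differs from where it lands, and a landing page that changes with the viewer's region. The following added example (not SlowMist's or Rabby's code) audits redirect chains recorded from several vantage points and flags lookalike hosts such as rebby[.]io; the region labels, the `shortlink.example` host and the chains themselves are constructed placeholders.

```python
from urllib.parse import urlsplit

OFFICIAL = "rabby.io"  # official domain named in the article


def host_of(url):
    """Hostname of a URL; accepts defanged '[.]' notation."""
    return (urlsplit(url.replace("[.]", ".")).hostname or "").lower().rstrip(".")


def defang(host):
    return host.replace(".", "[.]")


def edit_distance(a, b):
    """Levenshtein distance, computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(host, official=OFFICIAL, max_dist=2):
    """'official', 'lookalike' (within max_dist edits of the official name) or 'other'."""
    if host == official or host.endswith("." + official):
        return "official"
    if edit_distance(host, official) <= max_dist:
        return "lookalike"
    return "other"


def audit_ad(displayed_url, chains_by_region):
    """chains_by_region maps a vantage point to the ordered URLs of its redirect chain."""
    shown = host_of(displayed_url)
    findings, landings = [], set()
    for region, chain in chains_by_region.items():
        landing = host_of(chain[-1])
        landings.add(landing)
        if landing != shown:
            findings.append(f"{region}: ad shows {defang(shown)} but lands on {defang(landing)}")
        for hop in chain:
            if classify(host_of(hop)) == "lookalike":
                findings.append(f"{region}: lookalike host {defang(host_of(hop))} in chain")
    if len(landings) > 1:
        findings.append("landing page differs by region")
    return findings


# Constructed crawl results: the same ad followed from two vantage points.
SAMPLE_CHAINS = {
    "region-A": ["https://shortlink.example/abc", "https://rabby[.]io/"],
    "region-B": ["https://shortlink.example/abc", "https://rebby[.]io/"],
}

if __name__ == "__main__":
    for finding in audit_ad("https://rabby[.]io", SAMPLE_CHAINS):
        print(finding)
```

A single crawl from one location would have seen only the region-A chain and reported nothing, which is why the comparison across vantage points matters.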
3. AI-driven fraud
As generative AI becomes more prevalent, criminal activities become more complex, and identity theft, data privacy violations, and other issues pose a threat to national security. Criminal groups use AI for phishing, fake identities, and personalized fraud, which significantly lowers the technical threshold and increases the speed and scale of fraud. Deepfake technology is widely used in online fraud, and criminals use fake videos and audio to conduct complex frauds, resulting in a significant increase in corresponding criminal activities. Online fraud combined with QR codes is also increasing, and victims are often lured to visit malicious websites or disclose sensitive information. Overall, the widespread use of AI has increased the complexity and frequency of cybercrime.
4. Others
Although the "pig butchering" scam is still popular, criminal gangs have gradually adopted more complex methods, such as phishing and malicious smart contracts, which can efficiently steal victims' funds and data.
This asset draining method requires the victim to unknowingly connect their cryptocurrency wallet to a malicious contract, thereby transferring cryptocurrency and NFTs to the criminals' wallets. A well-known case was the phishing attack launched by criminals against users of the non-fungible token (NFT) market OpenSea in 2022, which resulted in the theft of more than 250 NFTs worth about $2 million. According to security researchers, criminals took advantage of the opportunity of OpenSea's system upgrade to send fake emails to lure users into taking actions, which ultimately led to the transfer of their assets.
In addition, more and more criminals are using Drainer smart contracts to target investors who lack knowledge of decentralized finance (DeFi). Specifically, this scam usually connects victims to fake liquidity mining pools to drain their wallets. It is easy to find a variety of DeFi application suites on underground markets and forums, which are promoted as legitimate applications but are actually used for scams.
Liquidity mining scams take advantage of the complexity of DeFi cryptocurrency trading platforms to deceive people. These scammers often promise high returns from investing in "liquidity pools" that lend cryptocurrencies and allow different currencies to be traded. In reality, they create fake liquidity pools, use smart contracts to gain easy access to users' wallets, and may even deposit some cryptocurrency to create the illusion of "making money", or put in fake coins that are not what they claim to be. In these scams, the website linked to the wallet shows daily income promises and false profit growth. Ultimately, the scammers use the contract permissions to "steal" the money from the user's wallet. Investors are usually told that they need to reach a certain staking "target" to withdraw funds, but in fact, once the victim has been given a taste of profit, the money is never recovered, and any additional funds deposited are stolen in the same way. SlowMist has disclosed similar scams; interested readers can see "Web3 Security Beginner's Guide to Avoiding Pitfalls | Fake Mining Pool Scams".
The report also mentioned that a common malware used by Southeast Asian criminal groups is a clipper. This software monitors the clipboard of the infected system and waits for an opportunity to replace the address in the cryptocurrency transaction. Once the victim inadvertently makes a transaction, the funds will be transferred to the attacker's address. Since the cryptocurrency wallet address is usually very long, users are unlikely to notice the change of the receiving address, which increases the effectiveness of the malware.
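Both the drainer and fake mining pool scams and the clipper described above succeed at the moment the victim signs, so the following added example (not code from the report or from SlowMist) shows a pre-signing review that checks the recipient of a transfer against the address the user actually selected and flags broad token permissions. It assumes EVM-style calldata and that the contract permission is requested through the standard ERC-20/ERC-721 `approve`, `increaseAllowance` or `setApprovalForAll` calls; all addresses and the `review`, `decode_call` and `encode` helpers are constructed for illustration.

```python
MAX_UINT256 = 2**256 - 1

# Standard ERC-20 / ERC-721 selectors (first 4 bytes of calldata).
SELECTORS = {
    "a9059cbb": "transfer",           # transfer(address,uint256)
    "095ea7b3": "approve",            # approve(address,uint256)
    "39509351": "increaseAllowance",  # increaseAllowance(address,uint256)
    "a22cb465": "setApprovalForAll",  # setApprovalForAll(address,bool)
}


def decode_call(calldata):
    """Return (function name, address argument, integer argument)."""
    data = calldata.lower()
    data = data[2:] if data.startswith("0x") else data
    if len(data) != 8 + 2 * 64:
        raise ValueError("expected a selector plus two 32-byte arguments")
    name = SELECTORS.get(data[:8])
    if name is None:
        raise ValueError("selector not covered by this example")
    if data[8:32] != "0" * 24:
        raise ValueError("address argument is not zero-padded")
    return name, "0x" + data[32:72], int(data[72:], 16)


def review(calldata, intended_recipient, trusted_spenders):
    """Return warnings for one call; an empty list means nothing was flagged."""
    name, addr, value = decode_call(calldata)
    warnings = []
    if name == "transfer":
        want = intended_recipient.lower()
        if addr != want:  # compare the whole address, never a prefix or suffix
            note = "recipient is not the address the user selected"
            if addr[:6] == want[:6] and addr[-4:] == want[-4:]:
                note += "; first and last 4 hex digits match, so a glance misses it"
            warnings.append(note)
        return warnings
    if addr not in {s.lower() for s in trusted_spenders}:
        warnings.append(f"{name} gives spending rights to unknown contract {addr}")
    if name == "setApprovalForAll":
        if value == 1:
            warnings.append("operator could move every NFT in the collection")
    elif value == MAX_UINT256:
        warnings.append("allowance is unlimited")
    return warnings


def encode(selector, address, value):
    """Build constructed sample calldata: selector + two 32-byte words."""
    return "0x" + selector + address[2:].lower().rjust(64, "0") + format(value, "064x")


# Constructed addresses, not real wallets or contracts.
INTENDED = "0x1111" + "a" * 32 + "2222"  # address the user copied
SWAPPED = "0x1111" + "b" * 32 + "2222"   # clipper replacement with the same ends
POOL = "0x3333" + "c" * 32 + "4444"      # spender behind a fake "mining pool" page

if __name__ == "__main__":
    samples = {
        "transfer to swapped address": encode("a9059cbb", SWAPPED, 5_000_000),
        "unlimited approve to pool": encode("095ea7b3", POOL, MAX_UINT256),
    }
    for label, calldata in samples.items():
        print(label, "->", review(calldata, INTENDED, trusted_spenders=[]))
```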
Conclusion
In general, the threat of transnational organized crime in Southeast Asia is becoming more complex and hidden. In order to effectively respond to these challenges, law enforcement and regulatory agencies need to continuously improve their capabilities. Southeast Asian countries should strengthen the capacity and coordination of governments, supervisory agencies and law enforcement agencies, formulate comprehensive policies and action plans, and strengthen cooperation with other countries and regions. In the face of a rapidly evolving transnational organized crime environment, timely action will be key. Close cooperation between Southeast Asian countries and their allies will help to meet this increasingly severe challenge and protect regional security and stability.