BlockFi Emerges from Bankruptcy and Enables Wallet Withdrawals
BlockFi has made an announcement of significant importance, allowing the submission of withdrawal requests from both US and international users.
Catherine
On October 7, 2024, the United Nations Office on Drugs and Crime (hereinafter referred to as "UNODC") released a report titled "The Convergence of Transnational Organized Crime with Cyber Fraud, Underground Banking and Technological Innovation in Southeast Asia: A Changing Threat Landscape" (https://www.unodc.org/roseap/uploads/documents/Publications/2024/TOC_Convergence_Report_2024.pdf). UNODC thanked SlowMist for its information, data and analytical support in the report.
This report is the latest analysis of transnational organized crime in Southeast Asia by the United Nations Office on Drugs and Crime (UNODC), and follows the comprehensive report "Transnational Organized Crime in Southeast Asia: Evolution, Growth and Impact" (https://www.unodc.org/roseap/uploads/archive/documents/Publications/2019/SEA_TOCTA_2019_web.pdf) released in 2019. The latest report mainly covers three aspects, namely an overview of the development of Southeast Asia, underground banking and money laundering activities, and technological innovations that facilitate criminal activities. Specifically, the report focuses on the characteristics and evolution of organized crime in Southeast Asia, especially drug trafficking and money laundering activities related to casinos and special economic zones; and analyzes in detail the main threats and risks posed by the proliferation of casinos and the complex money laundering methods adopted by organized crime groups, such as how the rise of online gambling and electronic gambling has changed the underground banking and money laundering landscape; the report also provides a series of recommendations to assist governments and international partners to better deal with the rapid development of casinos and organized crime in Southeast Asia. This article will interpret the core content of the report to help readers quickly grasp the key information and enhance their understanding and response capabilities to these complex security threats.
Southeast Asia is facing unprecedented challenges of transnational organized crime and illegal economy. The rapid development of the region's physical, technological and digital infrastructure has given organized crime networks more opportunities to expand, covering a variety of activities such as drug production and trafficking, illegal gambling, forced criminal trafficking, prostitution and money laundering. Casinos, hotels and special economic zones have become hotbeds for these illegal activities, further exacerbating the governance challenges in border areas.
1. Gambling and criminal activities
Over the past decade, Southeast Asia's casino industry has experienced exponential growth, with more than 340 licensed and illegal casinos. Although increased regulation in Macau, China has led to the closure of some casinos, the gambling market in Southeast Asia remains active, especially online gambling. The vast majority of casinos in the Lower Mekong countries are located in border areas adjoining China, Thailand and Vietnam, where gambling activities are mostly illegal. Gambling intermediaries play a very important role in Southeast Asia's gambling industry. However, due to the pandemic and increased law enforcement, many intermediaries are facing declining profits. The founders of Suncity and Tak Chun, two of the world's largest gambling intermediaries, were sentenced for money laundering and organized crime, in one of the most serious money laundering and underground banking cases in recent years. The two were sentenced to 18 and 14 years in prison respectively, on hundreds of charges related to organized crime and illegal gambling. They handled more than $100 billion through casinos, online gambling platforms and underground banks.
Despite the strengthening of law enforcement in various countries, online fraud remains rampant, and the economic losses caused by fraud targeting victims in East Asia and Southeast Asia in 2023 are estimated to be between $18 billion and $37 billion. With the rise of high-risk virtual asset service providers (VASPs), cybercriminals are increasingly using cryptocurrencies to launder money. It is common to exchange the proceeds of crime directly into cash, or into USDT as a stable intermediary currency, in the over-the-counter market. The transaction volume of this activity is huge and is associated with a variety of criminal activities, which poses many challenges to governments in regulating and combating money laundering. It was found that a high-risk VASP located in the Mekong region processed a total cryptocurrency transaction volume of US$49 billion to US$64 billion between 2021 and 2024. It is estimated to be the largest service provider of its kind in the Asia-Pacific region. It also transacted with OFAC-sanctioned entities and with multiple wallets associated with the Lazarus Group that appeared in hacking incidents. The Lazarus Group is a notorious hacker group that plays an important role in cryptocurrency-related money laundering activities. According to SlowMist's analysis, the money laundering methods of the North Korean hacker group Lazarus are complex and varied, and new methods appear from time to time. For details, please refer to SlowMist: Blockchain Security and Anti-Money Laundering Report in the First Half of 2024 (https://www.slowmist.com/report/first-half-of-the-2024-report(CN).pdf).
The report also mentioned that in recent years, stablecoins have become increasingly popular not only among legitimate users, but also among criminal groups, especially those involved in cyber fraud. This is consistent with the findings of East Asian and Southeast Asian authorities: stablecoins, especially Tether (USDT) on the TRON (TRX) blockchain, are the first choice of Asian criminal groups engaged in cyber fraud and money laundering.
2. Regional Cyber Fraud
In recent years, independent fraud gangs have been replaced by larger and more unified criminal groups, which often disguise themselves as industrial or technology parks to form stable networks. Take KK Park in Karen State, Myanmar, for example. It showed signs of development as early as the beginning of 2020, and in the past four years it has become one of the largest and most active crime clusters in the region. At the same time, the popularity of cryptocurrencies has made cross-border transactions more convenient, allowing online fraud to expand globally, particularly by exploiting law enforcement agencies' limited understanding of how these schemes operate. The schemes include "pig butchering" scams, investment scams, job scams, asset recovery scams, etc. For details, please refer to "Report Interpretation | FBI Releases 2023 Cryptocurrency Fraud Report".
Scammers' targets are becoming broader, with young people and Chinese communities targeted in particular. Fraud organizations usually have complex pyramid structures, including recruitment, finance, and operations, and running these criminal activities requires cooperation from multiple parties. The fraud landscape has also changed over the past year, with data showing that 43% of fraud inflows so far this year have gone to newly active wallets, compared to just 29.9% in 2022, meaning that new types of fraud are increasing rapidly.
From 2020 to date, the average number of active days for fraudulent activity has decreased significantly, from an average of 271 days in 2020 to 42 days in the first half of 2024.
This macro trend is consistent with the shift of scammers from carefully planned Ponzi schemes to more targeted activities, and is also partly due to increased law enforcement and the increasing number of stablecoin issuers blacklisting fraud addresses. For example, on May 14, the on-chain tracking and anti-money laundering platform MistTrack observed that Tether, the world's largest stablecoin issuer, froze 5.2 million USDT related to phishing.
3. Human trafficking and forced crimes
In some areas, especially Myanmar, victims are often forced to sign false contracts and forced to work to repay high "debts". These contracts are not actually legal and cover up the criminal behavior of traffickers. Many victims still face legal risks after escaping or being rescued, and may be prosecuted or intimidated.
4. Law enforcement actions
Although countries have taken a series of measures to combat these activities, online gambling and fraud are still prevalent. Moreover, the intensity and effectiveness of enforcement vary from country to country, with measures including arrests of suspects, freezing of accounts and blocking of websites. Cross-border cooperation has resulted in the seizure of some assets and an increase in the number of convictions of criminals, especially in raids on scam centers and gambling operators.
The following table, compiled from statements from law enforcement agencies in each region, lists some of the most prominent law enforcement actions taken against websites for illegal online gambling and online fraud activities since January 2023. These raids were led by local law enforcement agencies, sometimes in cooperation with regional law enforcement agencies. Chinese public security organs played an important role in several of these operations.
According to statistics from the Ministry of Public Security of China, from January to November 2023, a total of 391,000 telecom fraud cases were uncovered, and 79,000 suspects were arrested, including 263 main offenders. In 2023, more than 50,000 people were prosecuted for telecom fraud. The new Anti-Telecom Fraud Law passed in 2022 stipulates the responsibilities of service providers such as telecommunications, Internet and financial services, including raising customer awareness, and monitoring, blocking and reporting suspicious activities.
Over the past year, Chinese media have widely reported on the prosecution of persons suspected of involvement in illegal online gambling and online fraud, both inside and outside China. Procuratorial agencies have also issued multiple reports, including summaries of typical cases of convictions of persons who returned voluntarily or were deported from Cambodia, the Philippines, Laos, Myanmar, Malaysia, and other countries. In China, enforcement actions have focused on those who provide support to overseas organizations, including those who develop software, maintain websites, and provide technical support, as well as underground banking networks that facilitate the transfer of funds obtained from cybercrime and those who sell account information to money laundering groups for use as mule accounts. Law enforcement actions also target gangs that smuggle Chinese citizens across borders by land and sea.
Transnational organized crime groups in East and Southeast Asia have become market leaders in underground banking, informal cross-border value transfer, and money laundering. These groups have become increasingly sophisticated, adapting to and exploiting changes in the political and business environment and technological innovations, especially in the application of casinos and online gambling. They have established complex underground money laundering networks by integrating information, finance, and blockchain technologies.
In addition, the rise of inadequately regulated and unauthorized virtual asset service providers (VASPs) has also exacerbated the current situation. More specifically, the proliferation of high-risk exchanges, over-the-counter (OTC) services, large peer-to-peer (P2P) dealers and other related businesses controlled and promoted by transnational organized crime has fundamentally changed the criminal environment in Southeast Asia, promoted the expansion of the illegal economy, and attracted new service providers and business models. In particular, large transnational criminal groups based in Hong Kong, Macau and Taiwan, China, dominate the money laundering industry, work closely with intermediaries, use credit services provided by intermediaries to circumvent capital controls, and rely on unregulated payment companies to transfer funds.
In recent years, law enforcement agencies in East Asia and Southeast Asia have also strengthened monitoring of third-party payment providers, but many cases show that online fraud still has a great impact on this industry. In the online gambling industry, unregulated casinos and gambling intermediaries have become an important infrastructure for money laundering. They conceal the source of funds through "custody" transactions and "investment", forming a complex money laundering method. Due to the anonymity and non-face-to-face transaction characteristics of online gambling, the flow of funds becomes very difficult to track, which facilitates organized crime.
At the same time, Southeast Asia's offshore online gambling industry has grown rapidly, especially in areas where regulation is relatively weak. Intermediaries have taken advantage of this trend to help organized crime profit by disguising illegal funds as legal proceeds through money laundering. Despite the gradual strengthening of regulation and law enforcement, many online gambling platforms still survive well in the "gray" or "black" market. Transnational organized crime has also begun to integrate cryptocurrencies into its operations, especially in high-risk exchanges and over-the-counter transactions. Due to the lack of regulation, these platforms have become a hotbed for money laundering, allowing criminal networks in East Asia and Southeast Asia to easily evade regulation and further support their illegal activities.
In recent years, cybercrime activities in East Asia and Southeast Asia have increased significantly, especially the increasing activity of transnational organized crime groups. Cybercriminals not only behave like regular businesses in developing and selling criminal services, but also adopt the "Crime as a Service" (CaaS) model to outsource various criminal activities to others, lowering the threshold for committing crimes.
1. Underground data markets and information-stealing malware
The underground data market has also become an important part of online fraud groups, providing a large amount of stolen data, including bank information, credit card details and personal identity information. Among them, the information required for knowing your customer (KYC) is very popular in the underground market, and criminals use this data to carry out identity theft, commercial fraud and money laundering.
There is strong evidence that the underground data market is shifting to Telegram. Against the backdrop of Southeast Asia's thriving criminal ecosystem, the surge in information-stealing malware and underground log cloud (UCL) services is at the core of this shift. The simplicity, availability and low cost of information-stealing programs make them particularly popular services for criminals in the region. These tools are often accessed through a malware-as-a-service (MaaS) model, where developers license them to others. This growing data pipeline has created a plethora of new opportunities for transnational organized crime in the region, which in turn has helped diversify the strategies, techniques, targets, and criminal groups engaged in cyber fraud. Data shows that the number of hosts infected with information stealers for sale in the Asia-Pacific region continues to increase, which is consistent with the surge in cyber fraud incidents in the region.
2. SEO and Fraudulent Advertising
While many cyber fraud schemes require detailed target analysis and direct contact between the fraudster and the potential victim, there are also some simple scams that can easily deceive victims with just an enticing ad, a fake web page, or a phishing link. These criminals extensively use search engine optimization (SEO) poisoning and deceptive advertising to achieve these goals, both of which have proven effective as the use of search engines and social media continues to increase around the world. In terms of scale, Google alone blocked or removed 206.5 million ads that violated its paid advertising misrepresentation policy in 2023, including online scams and fraudulent ads, an increase from 142 million ads in 2022.
In March of this year, the SlowMist Security Team and the Rabby Wallet Team disclosed an attack method that used Google ads for phishing. Specifically, the Rabby Wallet team had not purchased any Google ads, yet the fake ads redirected to the real official website. For the relevant Google search keywords, the top two search results were phishing ads, but the link of the first ad was very abnormal: it displayed the official website address of Rabby Wallet, rabby[.]io. Tracking showed that the phishing ad sometimes redirected to the real official address rabby[.]io, and, after the proxy was switched to different regions many times, redirected to the phishing address rebby[.]io; the phishing address was also updated and changed over time. Analysis shows that the key step is that the phishing gang uses the 302 redirect of Google's own Firebase short link service to deceive Google's ad display. Similar phishing routines also appear in various chat software. Take Telegram as an example: when a URL link is sent during a chat, the Telegram backend fetches the link's domain name, title and icon for preview display.
In addition, criminals use SEO poisoning to boost the visibility of their malicious websites, making them look more authentic in the eyes of unsuspecting users, who believe that top search engine rankings are trustworthy. Criminals also use various SEO poisoning techniques, such as so-called domain squatting, to profit from users accidentally entering URLs or clicking on links with misspelled URLs. Social media platforms have also become their new battlefield, where criminals deceive users through advertisements disguised as legitimate promotional materials. In September 2023, Singapore authorities confirmed that at least 43 victims lost $875,000 to malware scams on social media ads.
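A check a defender can run against the ad behaviour and misspelled domains described above, as an added Python example that is not from the report or from SlowMist: it audits a recorded ad click by comparing the domain the ad displays with the page that finally loads, and flags any hop whose hostname is within a small edit distance of a trusted one. The redirect chains, the shortlink.example host, the allowlist and all function names are constructed for illustration; only rabby[.]io and rebby[.]io come from the text.

```python
from urllib.parse import urlsplit

# Domains quoted on the page, kept defanged in source and refanged at run time.
OFFICIAL = "rabby[.]io".replace("[.]", ".")
LOOKALIKE_SAMPLE = "rebby[.]io".replace("[.]", ".")
TRUSTED = {OFFICIAL}                      # constructed allowlist (assumption)
REDIRECT_CODES = (301, 302, 303, 307, 308)


def host_of(url):
    """Return the lower-cased hostname of a URL, without a leading 'www.'."""
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    return host[4:] if host.startswith("www.") else host


def edit_distance(a, b):
    """Levenshtein distance between two strings (two-row dynamic programme)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                # deletion
                           cur[j - 1] + 1,             # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]


def classify_host(host, trusted=TRUSTED, max_dist=2):
    """Label a hostname 'trusted', 'lookalike' (near a trusted name) or 'unknown'."""
    for t in trusted:
        if host == t or host.endswith("." + t):
            return "trusted", t
    for t in trusted:
        if 0 < edit_distance(host, t) <= max_dist:
            return "lookalike", t
    return "unknown", None


def audit_ad(display_url, hops):
    """Audit one ad click. `hops` is the recorded chain [(status, url), ...];
    the last entry is the page that finally loaded."""
    findings = []
    shown, landing = host_of(display_url), host_of(hops[-1][1])
    if landing != shown:
        findings.append(("display-mismatch", shown, landing))
    for status, url in hops:
        host = host_of(url)
        kind, near = classify_host(host)
        if kind == "lookalike":
            findings.append(("lookalike", host, near))
        elif kind == "unknown" and status in REDIRECT_CODES:
            findings.append(("untrusted-redirector", host, status))
    return findings


# Constructed click records: the same ad crawled from two vantage points.
SHORTLINK = "https://shortlink.example/r/ad1"   # placeholder short-link hop
CLEAN_CLICK = [(302, SHORTLINK), (200, "https://" + OFFICIAL + "/")]
CLOAKED_CLICK = [(302, SHORTLINK), (200, "https://" + LOOKALIKE_SAMPLE + "/")]

if __name__ == "__main__":
    for name, hops in (("clean", CLEAN_CLICK), ("cloaked", CLOAKED_CLICK)):
        print(name, audit_ad("https://" + OFFICIAL, hops))
```

Because the ad resolved to the real site from some regions, a clean landing page seen from one vantage point does not clear the ad; the unknown redirector is reported either way.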
3. AI-driven fraud
With the popularity of generative AI, the complexity of criminal activities has increased, and issues such as identity theft and data privacy violations have also posed a threat to national security. Criminal groups use AI for phishing, creating false identities and personalized fraud, which has greatly lowered the technical threshold and increased the speed and scale of fraud. Deepfake technology is widely used in cyber fraud. Criminals use fake videos and audio to carry out complex frauds, and the corresponding criminal activities have increased significantly. Cyber fraud combined with QR codes is also increasing, and victims are often induced to visit malicious websites or disclose sensitive information. Overall, the widespread application of artificial intelligence has increased the complexity and frequency of cybercrime.
4. Others
While the "pig butchering" scam is still popular, criminal gangs are gradually adopting more complex strategies, such as phishing and malicious smart contracts, which can efficiently steal victims' funds and data.
This asset draining method requires victims to unknowingly connect their cryptocurrency wallets to malicious contracts, thereby transferring cryptocurrencies and NFTs to the criminals' wallets. A well-known case is the phishing attack launched by criminals against users of the non-fungible token (NFT) market OpenSea in 2022, which resulted in the theft of more than 250 NFTs worth about $2 million. According to security researchers, criminals took advantage of the opportunity of OpenSea system upgrades to send fake emails to lure users into operations, which ultimately led to the transfer of their assets.
In addition, more and more criminals are using Drainer smart contracts to target investors who lack knowledge of decentralized finance (DeFi). Specifically, this scam usually connects victims to fake liquidity mining pools, draining their wallets. It is easy to find a variety of DeFi application suites on underground markets and forums, which are promoted as legitimate applications but are actually used for scams.
Liquidity mining scams take advantage of the complexity of DeFi cryptocurrency trading platforms to deceive people. These scammers often promise high returns from investing in "liquidity pools" that lend cryptocurrencies and allow different currencies to be traded. In reality, they create fake liquidity pools, use smart contracts to gain easy access to users' wallets, and may even deposit some cryptocurrency to create the illusion of "making money", or put in worthless fake tokens. In these scams, the websites linked to the wallets show promised daily income and false profit growth. Ultimately, the scammers use the contract permissions to "steal" the money from the user's wallet. Investors are usually told that they need to reach a certain staking "target" to withdraw funds, but in fact, once the victim has been lured in by the initial gains, the money is never recovered, and any additional deposits are stolen in the same way. SlowMist has disclosed similar scams. If you are interested, you can read "Web3 Security Beginner's Guide to Avoiding Pitfalls | Fake Mining Pool Scams".
The report also mentioned that a common type of malware used by Southeast Asian criminal groups is the clipper. This software monitors the clipboard of the infected system and waits for an opportunity to replace the address used in a cryptocurrency transaction. Once the victim unknowingly completes the transaction, the funds are transferred to the attacker's address. Because cryptocurrency wallet addresses are usually very long, users are unlikely to notice that the payment address has changed, which increases the effectiveness of the malware.
In general, the threat of transnational organized crime in Southeast Asia is becoming more complex and hidden. In order to effectively respond to these challenges, law enforcement and regulatory agencies need to continuously improve their capabilities. Southeast Asian countries should strengthen the capacity and coordination of governments, supervisory agencies and law enforcement agencies, formulate comprehensive policies and action plans, and strengthen cooperation with other countries and regions. In the face of a rapidly evolving transnational organized crime environment, timely action will be key. Close cooperation between Southeast Asian countries and their allies will help meet this increasingly severe challenge and protect regional security and stability.