Albert, a 68-year-old retiree, received a call at noon on August 14, 2025. The timing was perfect: Albert needed a payment reference number (PRN) from the SSS (Social Security System), but he was having trouble logging in to the SSS app.
The caller knew his full name, his SSS number, and his address, and offered to assist him in downloading a supposed updated SSS app. The assistance came in the form of him clicking a link provided over Viber, followed by a very long installation process.
Within one-and-a-half hours, his three bank accounts and two cash wallets, all connected to his Android phone, were drained. More than one million pesos in life savings, gone.
“My dad was depressed for the first few months,” Albert’s daughter Jobelle Garcia told Rappler.
The scam relies on an Android banking trojan, and it has been traced to scam compounds in Cambodia, according to a first-of-its-kind report by US-based cybersecurity firm InfoBlox and Vietnamese cyber safety non-profit Chong Lua Dao.
“We uncovered an Android banking trojan that is likely operated from multiple locations, including the K99 Triumph City compound in Cambodia,” said the report.
This is the first time that strong evidence has been found to connect a specific type of malware to a physical location of a scam compound, and it was made possible by trafficked workers who escaped from the compound and took damning evidence with them.
The team found a “sophisticated malware-as-a-service (MaaS),” which is a high-end malicious tool sold to cybercriminals. MaaS providers essentially build a top-of-the-line tool and make that available to low-skilled criminals for a fee. To put it simply, it makes it easier for criminals to commit a sophisticated crime.
This particular MaaS is “likely attributed to an unknown Chinese-speaking MaaS administrator servicing multiple scam centers in the Mekong region, where forced labor has been reported, and which are used to distribute malware and operate scams,” according to the report.
The victims are mostly from the Philippines, Thailand, Indonesia and Vietnam, with the operation seeping into Africa and Latin America, the report said.
Unlike pig-butchering scams, where criminals invest time to nurture a relationship with their victims, and where victims actually send their money, this malware needs only a few hours and an unsuspecting victim to click a link.
Here’s how it works.
Sample of a real-life attack. Images and text from the report of InfoBlox and Chong Lua Dao.
The team has a screen recording of one workstation inside the K99 compound, and it shows “detailed personal and corporate data used to inform victim targeting,” said the report, referring to data that helps the operators choose and exploit their victims. Such data can be bought on internet black markets. Using it to win a victim’s trust is social engineering, which the report says also includes “tailored scripts.”
The criminal then makes contact with a victim through different means, and the goal is for the victim to click a link to a website.
The website, called a “lure domain,” looks legitimate — spoofing mostly government services websites like SSS.
In 2025, which is when Albert was victimized, 400 lure domains were registered to target victims. “This report presents evidence indicating that these domains are part of a coordinated, centrally managed operation designed for scale and resilience,” said the report.
Once the victim is on the lure website, they are asked to install an app, like the pretend updated SSS app. The app is downloaded straight from the website rather than from the official app store. Once that “app” starts to install on the Android phone, the criminals gain remote access to the device without the victim’s knowledge.
With that remote access secured, the malware can intercept text messages and phone calls, including the SMS one-time passwords that banks send, which is how the operators get into the bank accounts and wipe out the deposits.
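The first check a practitioner runs on a link like the ones described above is whether a brand name (SSS, an airline) appears in a hostname that sits outside the brand’s real registrable domain. The script below is an added example, not code from the InfoBlox and Chong Lua Dao report or from Rappler. The legitimate-domain table, the two-label public suffix list and the sample hostnames are assumptions constructed for the illustration, not domains taken from the report; the idea generalizes to any brand list.

```python
"""Triage candidate lure domains that impersonate a brand (added example).

Not code from the Infoblox / Chong Lua Dao report. It encodes the pattern the
article describes: a hostname that carries a government-service or airline
brand name but sits outside that brand's real registrable domain.
"""
from urllib.parse import urlparse

# Brand keyword -> the brand's legitimate registrable domain(s).
# ASSUMPTION: verify these against official sources before relying on them.
BRANDS = {
    "sss": {"sss.gov.ph"},
    "philippineairlines": {"philippineairlines.com"},
}

# Public suffixes that take two labels, so "x.gov.ph" is one registrable
# domain. A real deployment would use the full Public Suffix List.
TWO_LABEL_SUFFIXES = {"gov.ph", "com.ph", "org.ph", "net.ph", "edu.ph"}


def registrable_domain(host: str) -> str:
    """Return the registrable (apex) domain of a hostname."""
    labels = host.lower().strip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def classify(url: str) -> tuple[str, str]:
    """Classify a URL or bare hostname.

    Returns (verdict, reason) with verdict one of
    "legitimate", "suspicious" or "unrelated".
    """
    if "://" not in url:
        url = "http://" + url            # bare hostname as sent in an SMS
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower().rstrip(".")
    if not host:
        return "unrelated", "no hostname"
    apex = registrable_domain(host)
    # Compare per label with hyphens removed, so "sss-update" and
    # "sssupdate" both count as carrying the brand.
    labels = [label.replace("-", "") for label in host.split(".")]
    for brand, legit_apexes in BRANDS.items():
        if not any(brand in label for label in labels):
            continue
        if apex in legit_apexes:
            return "legitimate", f"{host} is under {apex}"
        hint = " (serves an .apk)" if parsed.path.lower().endswith(".apk") else ""
        return "suspicious", f"{host} uses brand '{brand}' outside {sorted(legit_apexes)}{hint}"
    return "unrelated", f"{host} carries no tracked brand"


def triage(urls):
    """Group a batch of URLs by verdict so bulk lure registrations stand out."""
    buckets = {"legitimate": [], "suspicious": [], "unrelated": []}
    for url in urls:
        verdict, reason = classify(url)
        buckets[verdict].append(reason)
    return buckets


# Constructed sample input; none of these hostnames is taken from the report.
SAMPLE_URLS = [
    "https://member.sss.gov.ph/",               # subdomain of the real apex
    "http://sss-update.com/sss-app.apk",        # brand outside sss.gov.ph, serves an APK
    "sssph-prn.top",                            # bare hostname, as in an SMS lure
    "https://sss.gov.ph.login-secure.cc/",      # real domain placed as a subdomain
    "https://www.philippineairlines.com/",
    "https://philippineairlines-promo.xyz/",
    "https://example.com/",
]

if __name__ == "__main__":
    for verdict, reasons in triage(SAMPLE_URLS).items():
        print(verdict.upper())
        for reason in reasons:
            print("  ", reason)
```

The fourth sample shows the trick that defeats a naive “does it contain sss.gov.ph” check: the real domain is placed as a subdomain of an attacker-controlled apex, so the decision has to be made on the registrable domain, not on the string.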
LURE. A similar scam text using the SSS as bait, sent to the author. Do not go to this website.
Some Filipinos who posted their experience on Facebook were made to input biometric data like facial recognition.
“Facial recognition data is then used to authenticate into the victim’s online banking application without their knowledge. By intercepting the bank’s SMS OTP code, the operator has full access to the victim’s bank accounts and can transfer funds wherever they wish,” said the report.
Albert did not do facial recognition, said his daughter.
Albert spoke with Filipino-speaking scammers who guided him on how to install the fake app, and who warned him that it would take long. “Be patient lang po,” the scammer told Albert, according to his affidavit. (Just be patient, sir.)
The installation rendered Albert’s phone practically unusable, both to him and to his daughter, who was trying to call him. Because she could not reach her father by phone, Jobelle went to his home, where they discovered they could neither turn off the phone nor take a screenshot.
“Nag-decide kami na tanggalin ‘yung sim card. Noong matanggal ang sim card, doon lang natigil ‘yung SSS app installation,” said Albert in his affidavit. (We decided to remove the sim card, and that’s the only time the SSS app installation stopped.)
Unfortunately, like in Albert’s case, biometrics are not strictly required to run this scam. “Biometrics are optional for app security. Not all institutions will use it,” John Wojcik, an InfoBlox senior threat researcher for Asia who worked on the report, told Rappler.
The Philippines now has a sim registration law, where everyone who owns a sim card must register with the government. It was branded as a way to crack down on cyber crime, but the sim card that Albert’s scammer used was registered to a different name.
The facial recognition in the sim card registration was “blurry,” said Jobelle, relaying what the National Bureau of Investigation (NBI) told her. What the NBI knows at this point is “the call came from another Asian Country but used a Philippine number — might have used VPN,” according to Jobelle.
It’s highly possible that Albert’s scammer called from the Cambodian compound, because Jobelle was able to take note of the URL provided by the criminals to her father. I then provided the URL to Wojcik who confirmed it is indeed among the domains they tracked.
We are posting it here as a warning, along with several other websites targeting Filipinos. These websites spoof government services like e-gov and private services like Philippine Airlines. Make sure you never click them. These are just a few of possibly thousands of fake URLs.
While this specific banking trojan runs on Android only “likely due to more rigid security protocols [of Apple app store],” according to Wojcik, there is a possibility that there’s also malware deployed on iOS or iPhones.
“We’ve identified a growing number of MaaS vendors as well as other service providers supporting the scam networks in the region. They are increasingly easy to find, often advertising out in the open on various illicit online market places in Southeast Asia, although Android devices certainly represent the operating system targeted most frequently within this mobile malware ecosystem,” said Wojcik.
Scam compounds all over the world, and particularly in Southeast Asia, have been exposed, raided, and shut down over the years. “But connecting specific malware to the notorious compounds has been elusive … until now,” the report said.
“This report includes details of the operation, obtained directly from people who were held captive in the K99 compound and forced to participate in cybercrime,” said the report.
This points to a possibility that the scammer these victims have spoken with, either by call or message, could be victims of trafficking, too. But they could also be willing scammers.
“While we’re only able to speculate at this point, it’s clear that human trafficking and forced labor has been widespread within the scam industry for years. Philippine nationals have frequently been lured by deceptive recruitment practices and victimized, particularly in the Mekong region,” Wojcik said.
Through the testimonies and evidence obtained from those trafficked into the K99 compound in Cambodia, the team found “direct evidence supporting a link between the domains we are tracking to activity associated with the compound.”
The K99 compound is located in Sihanoukville, Cambodia, which is notorious for scam centers. While Cambodia has said it has shut down 200 scam centers, the team said “recent reports from rights groups and other sources suggest that K99 Triumph City remains active despite the Cambodian government’s ongoing crackdown.”
The K99 compound (or more formally known as ‘K99 Triumph City’) is owned by Cambodia’s K99 group, whose chairman is tycoon Rithy Raksmei (aka Xie Liguang), according to the report. Rithy Raksmei is “an extended family member of one of Cambodia’s wealthiest men, Senator Kok An, who has been identified in reporting as being wanted by Thai authorities in connection with cyber-enabled fraud and money laundering,” said the report.
A bill introduced in the US Congress to “dismantle and shut down transnational criminal syndicates perpetuating mass online scam operations against Americans” names both Rithy Raksmei and Kok An as among the foreign people and entities covered by the bill.
“The concentration of actors tied to this area points to a highly centralized ecosystem, where a relatively small circle of politically connected insiders serve as key facilitators enabling access, protection, and operational continuity for transnational criminal groups,” said the report.
Jobelle said her father recovered from depression when a senior citizens group helped connect them to authorities. “Our case is still open with CICC [Cybercrime Investigation and Coordinating Center] as they are still tracking where the funds went,” Jobelle said.
They were told that it would be difficult to recover the money if it’s been withdrawn. So far, the family has been able to recover P250,000 from BDO.
“Yes mahirap maghabol. Needs a lot of time, patience and effort. Yes, the authorities assigned to us are helpful. Medyo matagal lang talaga progress kasi sobrang daming scam ngayon, kaya madami din silang ibang taong inaasikaso. But still may progress and so we are thankful,” said Jobelle.
(Yes, it’s hard to run after them. Needs a lot of time, patience and effort. Yes, the authorities assigned to us are helpful. Progress just takes a while because there are so many scams today, so they are also busy. But still there is progress, and so we are thankful.)
The scam won’t end here, and “it’s likely we’ll see them pivot and spin up more in the near future,” said Wojcik.
The malware, according to Wojcik, “has also evolved over time, finding ways to adapt to and circumvent new security measures. It’s no surprise organizations in many countries are struggling to keep up.”
“While it’s urgent for banks and other financial institutions to respond quickly to such threats, Asian criminal networks are highly agile, innovative, and increasingly capable, rapidly integrating the new technologies made available to them in order to stay steps ahead of efforts to disrupt them,” Wojcik said.
Jobelle said the family has now become “paranoid to answer calls from unknown numbers.”
You should be, too. – Rappler.com