Exploring cybercrime on the dark web in Southeast Asia

The rapid digitalization of Southeast Asia is driving economic growth while also boosting illegal online activities. The widespread adoption of internet technologies, mobile connectivity, and anonymous digital tools has fueled the rise of underground platforms and illicit trade.

This report examines the cybercrime landscape on the dark web in Southeast Asia during the second half of 2024 and the first half of 2025. It focuses on the following countries: Brunei, Cambodia, Indonesia, Laos, Malaysia, Myanmar, Philippines, Singapore, Thailand, and Vietnam.

Study objectives:

• Assess the cyberthreat landscape on the dark web in Southeast Asia.
• Identify cybercrime trends in the region.
• Highlight the interconnected nature of cybercriminal activities in the region.
• Provide insights and predictions on APT attacks in the region for the second half of 2025.

The study covers current cyberthreats for 2024–2025, using Positive Technologies' expertise, reports from leading cybersecurity vendors, data from key dark web forums, as well as information from reputable open sources and Telegram channels used by cybercriminal groups and hacktivists.

Over 300 Telegram channels and dark web forums were analyzed, focusing on Southeast Asia. The study covers the period from September 1, 2024, to May 1, 2025.

The research covered forum posts and Telegram messages on the following topics:

• Databases: breaches of personal data, user credentials, and confidential corporate documents
• Corporate access: offers to sell or share data enabling unauthorized access to corporate infrastructures
• Spam: tools and data used for mass distribution of text messages, emails, and automated phone calls
• Carding: posts advertising the sale of stolen credit card details
• Documents: forging services
• Traffic redirection: offers to redirect traffic to phishing websites or downloads of malicious files
• DDoS attacks: claims by hacker groups of successful DDoS attacks
• Hacks: declarations of successful cyberattacks by hacker groups

This study aims to raise awareness among companies, government organizations, and individuals interested in the current state of cyberthreats on the dark web in Southeast Asia. Definitions of terms used in this report are available in the glossary on the Positive Technologies website.

Our incident database is updated regularly. However, some incidents may be reported online long after the actual attack took place. Therefore, this report is accurate as of the date of publication.

• The number of cyberattacks in Southeast Asia is growing exponentially, doubling in 2024 compared to 2023. This surge is driven by increased APT activity, the global rise of hacktivism, and unstable geopolitical conditions in the region.
• Indonesia and Malaysia lead in the number of attacks and data breaches, particularly in the public sector and online services. This is explained by the high activity of local hacktivists and hackers who are motivated by profit or political agendas. These industries handle vast amounts of sensitive data, making them prime targets for attackers seeking to cause significant harm or steal information.
• Common malware in the region includes popular infostealers and RATs (Remote Access Trojans) such as RedLine, AgentTesla, and Remcos. The reliance on imported malware, often provided through malware-as-a-service (MaaS), reflects a lack of local malware development.
• Access to RDP and VPN is among the most sought-after on dark web forums, due to their widespread use in corporate environments.
• On average, access credentials are priced at around $2,800, but in some cases, prices can reach up to $25,000. The variation depends on the target's potential value—access to large corporations or critical infrastructure is significantly more expensive.
• Data breaches are the most lucrative and prevalent category on dark web forums. The most traded items include government databases, passports, IDs, and customer information. Such data is often used in fraudulent schemes.
• Hacktivists are active participants on dark web forums, frequently sharing data obtained from their attacks.

Southeast Asia has experienced a sharp rise in cybercriminal activity in recent years. Research shows that the number of cyberattacks in the region doubled in 2024 compared to 2023.

Why cybercrime in Southeast Asia is growing:

• Digitalization and the expansion of the online environment. The rapid growth of digital services and users, combined with the region's increasing reliance on e-commerce, online banking, smart cities, and super apps, has expanded the attack surface for cybercriminals.
• Geopolitical tensions. Conflicts in the South China Sea, tensions in the Pacific, and internal ASEAN crises have fueled APT activity. State-sponsored groups are targeting the region, while local political unrest has led to a rise in hacktivism targeting government resources. Geopolitics further complicates an already challenging threat landscape, fueling increased APT activity in a region already rife with cybercrime.
• Economic motivation and data value. Southeast Asia's dynamic economy includes numerous billion-dollar companies handling sensitive personal data for tens of millions of residents. This data is highly lucrative for monetization through scams, and the growing purchasing power of the region further motivates cybercriminals to carry out attacks. According to Interpol, online scams in the region generate $43.8 billion annually.
• Criminal migration. Crackdowns in other jurisdictions, such as China, have pushed illegal operations (such as online gambling and financial crimes) into Southeast Asia, where legal oversight is weaker. This has turned the region into a haven for transnational criminal groups, which establish local offices and call centers to facilitate their schemes.
• Service-oriented criminal ecosystem. Cybercriminals collaborate extensively on dark web forums, with APT groups purchasing initial access from brokers or malware from other hackers. Advertisements vary in content, especially those seeking partners for cybercriminal operations. Below are examples of ads: one seeks a partner to monetize activities in Asia, while another proposes creating a botnet and banking malware to launch a large-scale malicious campaign across multiple regions (see Figures 1 and 2). The dark web acts as a global infrastructure for criminal services, with listings available in local Southeast Asian languages, English, Russian, and other popular global languages.

Over 20% of global cyberattacks in 2024 targeted the Asia-Pacific region. The most affected countries include Indonesia, Malaysia, Vietnam, Thailand, the Philippines, and Singapore, with Indonesia and Malaysia ranking highest in incident reports on dark web forums and stolen data marketplaces. High activity levels in these countries highlight both their cybersecurity challenges and the growing interest they attract from cybercriminals.

The primary drivers of increasing cyberthreats in Southeast Asia are rapid digitalization, the growing number of internet users and online services, and geopolitical tensions between certain nations, including their involvement in economic and political alliances. Over the past two years, 67% of reported cybersecurity incidents in Southeast Asia occurred in 2024, driven by the rapid shift of businesses and government services online without adequate cybersecurity measures. This transformation has made the region increasingly attractive to financially motivated attackers.

The region's rapid development has not gone unnoticed by neighboring states, which also have economic interests in Southeast Asia. APT attacks in the region rose by 58% from 2023 to 2024, largely due to cyberespionage and sabotage linked to regional conflicts. A wide variety of cybercriminal groups are targeting Southeast Asia, ranging from those focused on stealing crypto assets[SK1] [AB2]  to advanced APT groups conducting cyberespionage.

Local hacktivist groups such as R00TK1T, ETHERSEC TEAM CYBER, and RipperSec have carried out DDoS attacks, defaced government websites, and leaked sensitive data. Their targets include both domestic institutions and foreign organizations tied to geopolitical adversaries. For example, a Telegram post from R00TK1T contained threats of cyberattacks against Malaysian citizens and the government (see screenshot).

Cybercrime in Southeast Asia predominantly targets financial institutions and government agencies. According to Positive Technologies, 92% of attacks in the region focus on organizations, while just 8% affect individuals. The most impacted sectors are manufacturing (20% of attacks), the public sector (19%), and financial institutions (13%). Attack trends differ by country. In Indonesia, financial services and online retail were the primary targets, while in Malaysia, the banking sector was hit hardest. Government agencies across the region are also frequently targeted. Data from dark web forums shows that in 2024, government entities were the most mentioned victims in posts related to Southeast Asia (12.4%). Over the last six months, the situation has shifted slightly: while government agencies remain among the top targets (13.1%), financial services (18.5%) and education (14.7%) have taken the lead in mentions on dark web forums.

Two-thirds of cyberattacks in the region result in the theft of sensitive data. Personal data (34% of dark web posts) and commercial information (26%) are the most targeted.

Cybercriminals are mainly financially motivated, profiting from the sale of stolen data, fraud, or blackmail. Dark web listings often advertise stolen user data, including personal details, photos, scanned documents, and screenshots. For instance, data from a breached Thai travel agency was offered for sale, complete with document scans (see Figure 7 below). Some listings, however, are not for profit—hackers or hacktivists sometimes distribute stolen databases for free, making them accessible to other malicious actors.

The cybercrime ecosystem in Southeast Asia is a dynamic network of illegal goods and services. Dark web marketplaces operate like legitimate e-commerce platforms, offering network access, phishing tools, and exploits. These platforms feature rating systems, transaction guarantees, and even technical support.

The demand for illegal digital assets remains high due to the increasing digitization of businesses. RDP access, VPN credentials, and administrator accounts are particularly sought after and frequently used in attacks. Analysis of pricing, seller geography, and product specialization shows that cybercriminal markets adapt to threats faster than many security defenses. Advanced Persistent Threat (APT) groups, in particular, clearly demonstrate this adaptability, as demonstrated by recent attacks. Companies struggled to adapt their defenses to the evolving tools of cybercriminals, while multilayered, targeted attacks disrupted the operations of some cybersecurity departments.

Understanding the structure and dynamics of these markets is essential for developing effective cybersecurity strategies, predicting threats, and identifying vulnerabilities in organizational infrastructures.

Key dark web segments in Southeast Asia:

• Sale of malware and infostealers
• Data breaches and sales of stolen data
• Access sales and hacking services

Analysis of these segments revealed that they are closely interconnected, forming a cohesive cybercriminal ecosystem both within and beyond dark web forums.

Each segment has a direct or indirect role in advancing the cybercriminal supply chain of illegally acquiring, selling, and exploiting confidential information.

Below is an analysis of each segment, detailing the frequency and scale of incidents, approximate pricing, key platforms, as well as profiles of actors and emerging threats.

The sale and distribution of malware on the dark web is global, with cybercriminals in Southeast Asia typically using the same forums and marketplaces as their counterparts worldwide. The region has not seen any notable cases of locally developed malware for sale. While major APT groups active in Southeast Asia may create their own tools for attacks, these are rarely offered on public forums. Instead, independent cybercriminals heavily rely on widely available tools, with infostealers and banking trojans being the most common, targeting credentials and financial data.

Dark web advertisements often feature malicious software for sale, such as malware source codes, ransomware variants, and exploit kits. For example, an ad for selling RidgeBot malware includes a detailed description of its functionality (see Figure 9 below). However, most transactions in this segment are service-based (Malware-as-a-Service, or MaaS), offering services like malware deployment, botnet rentals, and more. According to Positive Technologies, malware-related posts on Southeast Asian underground forums are relatively rare, with stolen data and access sales dominating. Access credentials, often obtained through malware, are then sold as standalone products.

The Figure below shows the percentage distribution of mentions of the most popular malware tools in forum posts. The most frequently used infostealers in the region are RedLine, META, and Raccoon.

1. RedLine

Type: infostealer

• Description: one of the most popular infostealers distributed via the MaaS model. Collects browser passwords, cookies, cryptocurrency wallet addresses, autofill data, and OS information.
• Features: easily integrated, customizable, and widely used in phishing campaigns.

2. META Stealer

Type: infostealer

• Description: a modern tool often used to steal data from browsers, Telegram, Discord, and cryptocurrency wallets.
• Features: compact and easily embedded in fake PDF and EXE files, frequently advertised on MaaS forums.

3. Raccoon Stealer

Type: infostealer

• Description: steals data from browsers, FTP servers, VPNs, wallets, and local files.
• Features: automatically sends logs to command-and-control (C2) servers and supports multiple languages.

4. XClient Stealer

Type: infostealer

• Description: used by the CoralRaider group, targets social media and online service users.
• Features: customized for the Asian market, focusing on financial platforms and payment systems.

5. NodeStealer

Type: infostealer

• Description: built with JavaScript and Node.js, it collects session data, passwords, and cookies.
• Features: highly effective against business accounts and often disguised as legitimate software.

Infostealers and remote access trojans (RATs) are widely used in cyberattacks across Southeast Asia. These tools enable the theft of employee credentials, leading to further compromise of corporate resources. Cybercriminals in the region typically focus on using widely available malware rather than developing unique local tools. As a result, malware often serves as a means to an end, with stolen data and access credentials being sold on forums. The distribution of malware campaigns in Southeast Asia is diverse. Alongside global cybercriminal groups operating internationally, local groups often target neighboring countries. Such activities are often classified as APT attacks but remain deeply tied to the dark web ecosystem. For example, stolen cryptocurrency is laundered through mixers—services that obscure illegal cryptocurrency transactions by blending them with legitimate ones. Similarly, compromised accounts and access credentials are sold on underground markets, often through large initial access brokers who offer such listings worldwide. One such broker, for instance, provides a wide selection of countries to choose from, with a particular focus on the Philippines.

Malware in Southeast Asia's dark web ecosystem serves as a foundation for other types of cybercrime. The effective use of infostealers and RATs directly contributes to data leaks and access sales. In the following sections, we will examine these two interconnected segments in greater detail.

Another significant segment of Southeast Asia's underground forums is the market for access and associated cybercriminal services. In 2024, about 14% of corporate network access listings for sale globally were tied to the Asia-Pacific region. These listings include access to compromised accounts and systems, offers to hack specific targets for a fee, botnet rentals for DDoS attacks, phishing services, and more. In recent years, Initial Access Brokers (IABs) have played a pivotal role in the cybercrime ecosystem. These brokers breach organizations or exploit stolen credentials, then sell access (doe example, accounts, VPN and RDP credentials, or web shells) to other cybercriminals on forums.

The buyers are typically financially motivated groups or ransomware operators seeking to infiltrate victims' networks. Research shows that in 2024, at least 96 active access brokers were selling credentials to compromised organizations worldwide. On certain local forums in Southeast Asia, hackers offer services like email account breaches, social media hacks, and attacks on competitors. These services are often paid for in local currencies. However, for major cybercriminal operations, these platforms are secondary. Most transactions occur on international forums, where payments are made in cryptocurrency.

Listings on dark web forums offer nearly every type of access originating from Southeast Asia, including:

• User credentials: logins and passwords for corporate email accounts, ERP/CRM systems, and cloud services
• RDP or VPN access: hack or compromise of accounts used to remotely access corporate networks
• Web shells and backdoors: persistent access to web servers installed by attackers
• Access to cloud storage and databases: includes API keys and administrator credentials for database systems
• Privileged access: the most valuable type of access, granting full control over a victim's IT infrastructure. Such access is sold at a significantly higher price and is often offered as a standalone item.

In many cases, access is sold to companies located in Indonesia, Malaysia, Vietnam, and Thailand.

During the analyzed period, RDP access was the most commonly advertised type of access on the dark web, overtaking VPN access, which had previously been dominant during a similar period. Interestingly, domain email accounts in Vietnam nearly entered the top three, reflecting a growing focus of attackers on multipurpose accounts linked to numerous services.

The sale of access primarily takes place on specialized English-language forums—many of which are closed to new users—or within private chat groups. Brokers list items such as: "VPN access to Company X (Malaysia), domain admin, price $2,000." One listing featured VPN access to a small unknown Malaysian company (see Figure 13 below).

Another listing on the same forum offered administrator-level access to an Indonesian financial organization with annual revenues exceeding $80 million. The criminals provided GlobalProtect client access, and the cost of the listing was notably low compared to the company's revenue. Since attackers often use a company's revenue to determine ransom demands, the potential profit from the attack would far exceed its initial cost.

Listings offering RDP and VPN access span all sectors and vary widely in price. Sellers often include additional details about the compromised systems and sometimes offer multiple types of access simultaneously. The listing below sells RDP access to a Philippine insurance company, noting that the system was running outdated antivirus software with an expired license. This highlights how some companies in the region fail to update their software and security systems (see Figure 15). Another listing featured RDP and VPN access to the network of a Singaporean transportation company (see Figure 16).

Dark web forums are used by local hackers, hacktivists, and APT groups interested in purchasing access to systems. The connection between local cybercriminals and prominent APT groups is often simple: local actors obtain initial access and sell it to interested parties. In analyzed listings, frequent mentions were made of groups such as APT32, Lazarus, APT41, DarkHydrus, and Kimsuky, all of which are active in Southeast Asia.

Another trend is the hiring of hackers for targeted attacks. On local forums in Malaysia and Indonesia, listings such as "Will hack an account, price negotiable" are common. However, more sophisticated operations, such as industrial espionage, are usually conducted through closed channels or intermediaries. These services indicate the rise of hacker-for-hire teams in the region. Often, these are former cybersecurity professionals who have turned to illegal activities. Their expertise makes them harder to track, but the results of their work are evident—whether in the form of rare data appearing on the dark web or highly targeted attacks that remain undisclosed because they were commissioned and the stolen information was not publicly released.

In 2025, the number of access listings is expected to grow further. Dozens of cases have already been recorded in the first quarter. For Indonesia, the Philippines, and Malaysia, which lead in the number of incidents, this means that more local companies' data is likely to become merchandise on underground markets, and the demand in this market continues to grow.

The analysis of statistics and current trends allows for the following predictions in the near future:

• Continued growth in cyberattacks. If current trends persist, 2025 may set a new record for cyberincidents in Southeast Asia, surpassing 2024. The first months of 2025 already show high activity, such as a series of ransomware attacks in Indonesia. The growth rate of threats in the region is expected to be at least twice the global average due to their exponential nature.
• Increase in targeted APT attacks. Geopolitical tensions will likely drive a rise in cyberespionage in Southeast Asia, with attacks expected on foreign affairs ministries, defense agencies, and critical companies in 2025. Cybercriminal groups may use dark web infrastructure to purchase access credentials or hire local hackers, making attribution more challenging.
• Focus on fraudulent schemes. Phishing and online scams will remain widespread. Online fraud is expected to grow, as vulnerable groups look for quick ways to earn money. This will likely lead to new large-scale campaigns exploiting leaked personal data.
• Increased regulatory pressure and its consequences. New laws, such as Malaysia's mid-2025 requirement for companies to report data breaches within a specific timeframe, are positive developments. Other Southeast Asian countries are considering similar measures to improve transparency and encourage stronger security practices in order to avoid reputational damage. In the medium term (two to three years), this could slow the growth of data breaches as preventive security becomes a priority. However, in the short term (2025), significant changes are unlikely, and criminals will continue exploiting existing vulnerabilities.
• Evolving tactics among cybercriminals. The use of artificial intelligence is expected to expand, enabling automated target selection, generation of convincing phishing emails in local languages, and analysis of large data breaches to identify high-value targets. AI may also be used to develop new tools and malware or function as a hacking tool itself.

Without stronger defenses and international cooperation, Southeast Asia will remain a hotspot for cybercrime. The region's share of global cyberattacks is likely to exceed 25%, meaning one in four attacks worldwide will target Southeast Asia.

Southeast Asia is one of the world's most targeted regions for cybercrime. Based on the statistics above, Indonesia and Malaysia are at the forefront of this trend, frequently suffering from data breaches, ransomware, and cyberespionage. The region's threat landscape has several characteristics:

• Vast amounts of personal data. Large populations and centralized government registries make Southeast Asia highly attractive to data thieves. Breaches often involve tens of millions of records.
• A mix of advanced threats and local hackers. The region is home to both well-known APT groups and local cybercriminals. These actors often collaborate, with APT groups purchasing initial access provided by local hackers or local hackers using tools developed by more experienced groups.
• Growing regional language content on the dark web. While English dominates dark web marketplaces, content in local languages such as Indonesian and Malay is increasing. Regional closed forums are emerging, making it harder for international companies to monitor activities.
• Low attack costs with high returns. Weaker defenses make it easier to carry out successful attacks in Southeast Asia compared to other regions, while the potential profits are similar.
• Cross-border nature of cybercrime. Many attacks are carried out by international groups, requiring Southeast Asian nations to collaborate more effectively. Without such cooperation, cybercriminals will continue exploiting jurisdictional gaps.

 Current threats and trends: data breaches in the financial and government sectors will continue to grow. Financial institutions and government agencies remain prime targets, with incidents often hushed up, delaying detection. New breaches are likely to coincide with major events—elections, referendums, and summits—where leaked data could influence politics. Commercially, oversaturation may drive down the value of leaked data, such as repeatedly exposed Indonesian ID cards. As a result, hackers may shift focus to niche categories like medical records (including health histories and vaccination data) or biometric databases (such as fingerprints and passport photos). These types of data are already appearing on the dark web and are highly valued due to their rarity and potential for harm.

Organizations operating in Indonesia, Malaysia, and other Southeast Asian countries must implement comprehensive security measures. Below are practical recommendations tailored to the region's specific cyberthreat landscape:

1. Strengthen threat monitoring and intelligence, including on the dark web. Regularly monitor mentions of your organization, domains, and account breaches on underground forums and Telegram channels. Modern tools can automate this process and provide alerts if your data appears for sale, giving valuable time to respond—for example, by resetting passwords and informing customers to minimize damage. Up to 89% of breaches can be detected through dark web monitoring before they are discovered through other means. Following principles of result-driven cybersecurity is crucial for promptly identifying and preventing threats, reducing risks of breaches and disruptions, and building resilient defenses adapted to the evolving threat landscape.
   
    
2. Implement strict data protection and access control measures. Since personal data is a primary target for cybercriminals, organizations should:

• Ensure sensitive data is encrypted during storage and transmission.

• Deploy data loss prevention (DLP) systems.

• Limit employee access to data on a need-to-know basis.

• Regularly review access rights and disable unused accounts.

• Use multifactor authentication (MFA) for all external logins and critical internal systems.

3. Reinforce network perimeters and update infrastructure. Conduct audits of publicly accessible services (websites, VPN gateways, email servers) to identify known vulnerabilities. Disable or secure outdated protocols. Pay special attention to updating network boundary devices, such as routers and firewalls. Use network segmentation to isolate critical services from the office network and external access.

4. Be prepared for ransomware attacks. In addition to preventing infiltration, have a response plan in case of encryption:

• Regularly back up critical data and store backups in isolated environments.

• Monitor ransomware trends and patch vulnerabilities commonly exploited by attackers.

5. Train employees in cybersecurity practices. With phishing and social engineering being common attack vectors, train staff to recognize suspicious emails, messages, and calls.

6. Establish an incident response plan and notification protocol. Prepare a protocol for responding to data breaches, including whom to notify (regulators, customers) and when.

7. Collaborate with external experts and share information. Join industry cybersecurity alliances and share indicators of compromise (IOCs). Many attacks follow similar patterns, so learning from others in your industry can help close vulnerabilities in advance. INTERPOL and CERT ASEAN operate in the region—stay in touch with them for the latest warnings and updates.

8. Deploy advanced technologies:

• Implement IDS/IPS and a SIEM system to detect traffic anomalies.

• Use endpoint detection and response (EDR) tools to identify malware on endpoints, especially given the rise of infostealers.

• Enforce mandatory multifactor authentication for customers using online services.

9. Secure supply chains. Assess the cybersecurity of contractors, particularly those with access to your systems or data. Include cybersecurity requirements in contracts. Attacks via less secure partners are a real threat, as evidenced by recent cases.

10. Integrate cybersecurity into business processes. Company leaders must treat cyberrisks as key business risks. Develop a corporate cybersecurity policy and conduct a cyberrisk assessment to analyze the financial impact of potential attacks. Preventive investments in security are much cheaper than covering the damages caused by incidents.

Nearly every organization in Southeast Asia is a target for cybercriminals. Thorough preparation, proactive dark web monitoring, and rapid response are the foundation of effective cybersecurity. Implementing these recommendations can significantly reduce risks and protect both your company and your customers' data from ending up on the dark web.