CFOtech India - Technology news for CFOs & financial decision-makers

Cambodia scam compounds linked to mobile banking fraud

Mon, 13th Apr 2026

Infoblox Threat Intel has linked a global wave of mobile banking fraud to scam compounds in Cambodia, affecting users in at least 21 countries.

Working with Vietnamese non-profit Chong Lua Dao, researchers identified an Android banking trojan likely operated from several locations, including the K99 Triumph City compound in Cambodia. The UN and others have previously linked that site to large-scale scams and forced labour.

The operation came to light after a rise in unusual DNS traffic across Infoblox customer networks led researchers to what they described as a previously undocumented malware-as-a-service platform. The service appears to register about 35 new domains each month to imitate banks, social security agencies, tax authorities, utilities and law enforcement bodies.

The infrastructure targeted users in at least 21 countries, with the heaviest activity in Indonesia, Thailand, Spain and Türkiye. The campaigns relied on fake mobile applications presented as official banking or government tools.

Once installed, the software gave operators control of the victim's device. It could capture facial-recognition data during fake know-your-customer checks, intercept SMS one-time passcodes and access mobile banking apps to move funds.

The findings add to growing evidence that criminal groups linked to large scam centres in Southeast Asia have moved beyond social engineering and romance fraud into more direct forms of financial theft. Governments across the region have issued warnings in recent years as remote-access scams and malware-linked fraud have spread alongside industrial-scale scam operations.

How it worked

The mechanism described by the researchers focused on undermining security steps that many banks and public bodies still use on mobile devices. By taking over a handset and collecting biometric and SMS-based authentication data, operators were able to turn those checks from a barrier into a tool for fraud.

That matters for financial institutions and government agencies because the fake domains and applications were designed to resemble trusted organisations. This made it easier to persuade users to download seemingly legitimate software, while giving criminals access to bank accounts and personal data.

"These aren't random one-off scams. They're factory lines. For years we knew these scam compounds existed, and suspected malware distribution at the sites, but this is a firm confirmation," said Dr. Renée Burton, VP of Infoblox Threat Intel.

"We now know that beyond the social engineering associated with so-called pig butchering scams, the compounds are being used to run sophisticated operations that steal banking credentials and allow threat actors to spy on victims," Burton said.

Wider risk

The direct link between mobile banking malware and Cambodian scam compounds is significant because investigators and security companies have often documented the fraud networks and labour abuses separately. Establishing a clearer operational connection could sharpen scrutiny of how organised scam centres support cross-border financial cybercrime.

The research also highlights a challenge for banks, fintech groups and public agencies that rely heavily on SMS codes and standard biometric checks to verify users. If an attacker controls the device itself, those protections may do little to prevent account takeover.

Banks, fintechs and governments should expect more coordinated cross-border attacks on customer accounts unless they strengthen Android and mobile security beyond basic biometrics and SMS-based verification, Infoblox warned. The research also suggests regulators may press institutions more closely on the resilience of their mobile fraud controls.

The use of around 35 newly registered spoofing domains each month points to a sustained, repeatable model rather than a single campaign. That scale, combined with the range of institutions imitated and the geographic spread of victims, suggests an organised fraud system tied to physical scam sites already associated with forced labour.