Analysis of UNODC Latest Report on Transnational Organized Crime in Southeast Asia

SlowMist
16 min readOct 10, 2024

--

On October 7, 2024, the United Nations Office on Drugs and Crime (UNODC) released a report titled “Transnational Organized Crime and the Convergence of Cyber-Enabled Fraud, Underground Banking and Technological Innovation in Southeast Asia: A Shifting Threat Landscape.” You can access the full report here. The UNODC acknowledged the support from SlowMist in providing information, data, and analysis for the report, and also recognized our partner Bitrace.

This report builds on UNODC’s previous comprehensive analysis of transnational organized crime in Southeast Asia, published in 2019 under the title Transnational Organized Crime in Southeast Asia: Evolution, Growth, and Impact”. The new report focuses on three key areas: an overview of developments in the Southeast Asia region, underground banking and money laundering activities, and the role of technological innovation in facilitating criminal activities. It specifically examines the characteristics and evolution of organized crime in Southeast Asia, highlighting the links between drug trafficking, money laundering, casinos, and economic zones. The report provides an in-depth analysis of the challenges posed by the proliferation of casinos and the sophisticated money laundering techniques employed by organized crime groups, including how the rise of online gambling and electronic betting has transformed the underground banking and money laundering landscape.

Additionally, the report offers a set of recommendations aimed at helping governments and international partners better address the rapid growth of casinos and organized crime in Southeast Asia. This article will summarize the core content of the report, providing readers with a quick understanding of key insights and enhancing awareness and response strategies to these complex security threats.

Key Point 1: Overview of Development in Southeast Asia

Southeast Asia is currently facing unprecedented challenges from transnational organized crime and illicit economies. The rapid advancement of physical, technological, and digital infrastructure in the region has provided organized crime networks with more opportunities to expand their operations. These activities span across drug production and trafficking, illegal gambling, human trafficking for forced labor, prostitution, and money laundering. Locations like casinos, hotels, and special economic zones have become “hotbeds” for these illegal activities, further complicating governance in border areas.

1. Gambling and Criminal Activities

Over the past decade, the casino industry in Southeast Asia has experienced exponential growth, with more than 340 licensed and unlicensed casinos currently in operation. Although increased regulation in Macau, China, has led to the closure of some casinos, the gambling market in Southeast Asia remains robust, especially in the realm of online gambling. Most casinos in the lower Mekong countries are situated in border regions adjacent to China, Thailand, and Vietnam, where gambling activities often operate illegally.

Gambling intermediaries play a pivotal role in Southeast Asia’s gambling industry. However, the COVID-19 pandemic and heightened law enforcement efforts have challenged their profitability. Two of the world’s largest gambling intermediaries, Suncity and Tak Chun, have faced significant legal setbacks, with their founders sentenced to 18 and 14 years in prison, respectively. These cases represent some of the most serious incidents of money laundering and underground banking in recent years. The charges include hundreds of counts related to organized crime and illegal gambling, with over $100 billion laundered through casinos, online gambling platforms, and underground banking channels.

Despite increased enforcement efforts, online fraud remains rampant, with estimated economic losses from scams targeting victims in East and Southeast Asia ranging from $18 billion to $37 billion in 2023. As high-risk Virtual Asset Service Providers (VASPs) have emerged, cybercriminals increasingly use cryptocurrencies for money laundering. A common method is converting illicit proceeds into cash through over-the-counter (OTC) markets or into USDT as a stable intermediary currency. This practice involves large transaction volumes and is associated with various criminal activities, posing significant challenges to governments in regulating and combating money laundering.

One high-risk VASP located in the Mekong region reportedly handled $49 billion to $64 billion in total cryptocurrency transactions between 2021 and 2024, making it one of the largest providers of its kind in the Asia-Pacific region. It has also been found to have transactions with entities sanctioned by the Office of Foreign Assets Control (OFAC) and with wallets linked to the Lazarus Group, a notorious hacking organization. Lazarus Group plays a major role in cryptocurrency-related money laundering activities. According to analysis by SlowMist, the laundering techniques used by North Korean hackers, including those of the Lazarus Group, are sophisticated and constantly evolving. For more details, see SlowMist’s *2024 Mid-Year Blockchain Security and Anti-Money Laundering Report*

The report also highlights that in recent years, stablecoins have become increasingly popular not only among legitimate users but also among criminal groups, particularly those involved in cyber fraud. This trend aligns with findings from East Asian and Southeast Asian authorities, which indicate that stablecoins — especially Tether (USDT) on the TRON (TRX) blockchain — are the preferred choice for criminal organizations engaged in cyber fraud and money laundering activities.

2. Regional Cyber Fraud

In recent years, independent scam groups have been increasingly replaced by larger, more organized criminal networks. These groups often disguise themselves as industrial or tech parks, creating stable networks of fraudulent operations. For example, the KK Park in Myanmar’s Karen State began showing signs of development as early as 2020, and over the past four years, it has become one of the largest and most active hubs for criminal activities in the region.

The rise of cryptocurrencies has also facilitated cross-border transactions, allowing cyber fraud operations to expand globally. These criminal groups exploit the lack of understanding by law enforcement about their methods, engaging in activities such as “pig butchering” scams, investment fraud, job scams, and asset recovery scams. For more details, refer to the report analysis on the FBI’s *2023 Cryptocurrency Fraud Report*.

Scammers have been targeting an increasingly broad range of victims, focusing particularly on young people and Chinese communities. These fraudulent organizations often operate with a complex pyramid structure, including multiple departments for recruitment, finance, and operations, requiring collaboration across various roles to sustain their activities. Over the past year, the landscape of scams has shifted. Data shows that, so far this year, 43% of scam inflows have been directed to newly active wallets, a significant increase from 29.9% in 2022. This indicates a rapid rise in new types of scams.

From 2020 to the present, the average active duration of scam operations has significantly decreased, from an average of 271 days in 2020 to just 42 days in the first half of 2024.

This trend aligns with scammers shifting from elaborate Ponzi schemes to more targeted operations. It also reflects increased law enforcement efforts and the growing practice among stablecoin issuers of blacklisting scam-related addresses. For example, on May 14, MistTrack, an on-chain tracking and anti-money laundering platform, detected that Tether, the world’s largest stablecoin issuer, froze $5.2 million in USDT linked to phishing activities.

3. Human Trafficking and Forced Crime

Traffickers exploit victims through deception and coercion, forcing them into illegal activities for profit. After being trafficked, victims are often deprived of their freedom, with their passports confiscated, and face threats and violence. Although the nature of forced trafficking remains unchanged, the professionalization of the industry has blurred the lines between victims and those who participate voluntarily, creating a range of individuals involved in such activities.

In certain areas, especially in Myanmar, victims are often coerced into signing fraudulent contracts and forced to work to repay substantial “debts.” These contracts are typically illegal and serve to mask the traffickers’ criminal activities. Many victims continue to face legal risks even after escaping or being rescued, as they may be subjected to threats or legal charges.

4. Law Enforcement Actions

Despite efforts by various countries to combat these activities, online gambling and fraud remain widespread. The effectiveness and intensity of enforcement vary by country, with measures including arresting suspects, freezing accounts, and shutting down websites. Cross-border cooperation has enabled the seizure of some assets and an increase in convictions, especially with intensified raids on scam centers and gambling operators.

The table below compiles some of the most notable enforcement actions against illegal online gambling and cyber fraud websites since January 2023, based on statements from regional law enforcement agencies. These raids were led by local law enforcement, sometimes in collaboration with regional agencies. Chinese law enforcement has played a significant role in several of these actions.

According to the Ministry of Public Security of China, from January to November 2023, authorities solved 391,000 telecom and online fraud cases and apprehended 79,000 suspects, including 263 ringleaders. Over 50,000 individuals were prosecuted for telecom and online fraud in 2023. The *Anti-Telecom and Online Fraud Law*, enacted in 2022, places responsibilities on telecom, internet, and financial service providers, including raising customer awareness and monitoring, blocking, and reporting suspicious activities.

Throughout the past year, Chinese media extensively covered the legal proceedings of individuals involved in illegal online gambling and cyber fraud, both domestically and abroad. Prosecutorial agencies released several reports summarizing typical cases involving individuals voluntarily returning or being deported from Cambodia, the Philippines, Laos, Myanmar, Malaysia, and other countries. Chinese law enforcement has focused its actions on those supporting overseas criminal organizations, including individuals developing software, maintaining websites, providing technical support, and facilitating money transfers through underground banking networks. They also targeted those selling account information to money laundering groups as “mule” accounts, as well as gangs smuggling Chinese citizens across borders via land and sea routes.

Key Point 2: Underground Banking, Money Laundering, and the Rise of Crime-as-a-Service

Transnational organized crime groups in East and Southeast Asia have become market leaders in underground banking, informal cross-border transfer, and money laundering. These groups have grown increasingly sophisticated, adapting to political and business environment changes and leveraging technological innovations — particularly in the casino and online gambling sectors. They have developed complex underground money laundering networks by integrating information, financial systems, and blockchain technology.

Additionally, regulatory gaps and the rise of unauthorized Virtual Asset Service Providers (VASPs) have exacerbated the situation. Specifically, the surge of high-risk exchanges, over-the-counter (OTC) services, large-scale peer-to-peer (P2P) traders, and other operations controlled or facilitated by transnational organized crime has fundamentally reshaped the criminal landscape in Southeast Asia. This has expanded the scope of the illicit economy, attracting new service providers and business models. Large transnational crime syndicates, especially those based in Hong Kong, Macau, and Taiwan, have come to dominate the money laundering industry. These groups closely collaborate with intermediaries, using credit services provided by intermediaries to circumvent capital controls and relying on unregulated payment companies to move funds.

In recent years, law enforcement agencies in East and Southeast Asia have intensified monitoring of third-party payment providers. However, many cases still show that cyber fraud has a significant impact on this sector. In the online gambling industry, unregulated casinos and gambling intermediaries have become crucial infrastructure for money laundering. They use methods such as “custodial” transactions and “investments” to obscure the origins of funds, developing intricate money laundering strategies. The anonymity and non-face-to-face nature of online gambling make it extremely difficult to trace the flow of money, providing a convenient channel for organized crime.

Meanwhile, the offshore online gambling industry in Southeast Asia has grown rapidly, particularly in regions with relatively weak regulatory frameworks. Intermediaries have taken advantage of this trend, helping organized crime groups generate profits by laundering illicit funds, disguising them as legitimate earnings. Despite increasing regulatory and enforcement efforts, many online gambling platforms continue to thrive in the “gray” or “black” markets. Transnational organized crime groups have also begun integrating cryptocurrencies into their operations, a trend especially evident in high-risk exchanges and OTC markets. The lack of oversight on these platforms has made them ideal for money laundering, enabling criminal networks in East and Southeast Asia to evade regulation and further support their illegal activities.

Key Point 3: The Rise of Cyber Fraud and Technological Innovation

In recent years, cybercrime activity has surged across East and Southeast Asia, with transnational organized crime groups becoming increasingly active. These cybercriminals have adopted a business-like approach to developing and selling criminal services, embracing a “Crime-as-a-Service” (CaaS) model. This allows them to outsource various illicit activities, lowering the barriers to committing crimes.

1. Underground Data Markets and Information-Stealing Malware

Underground data markets have become a critical part of the cyber fraud ecosystem, providing a wealth of stolen data, including bank information, credit card details, and personal identification information. Know Your Customer (KYC) data is particularly valuable on these underground markets, as criminals use it for identity theft, business fraud, and money laundering.

Strong evidence suggests that these underground data markets are increasingly shifting to platforms like Telegram, driven by the booming criminal ecosystem in Southeast Asia. The rise of information-stealing malware and Underground Cloud Logging (UCL) services is central to this shift. The simplicity, availability, and low cost of information-stealing software make these services especially popular among criminals in the region. These tools are often accessed through a Malware-as-a-Service (MaaS) model, where developers license their software to others. This growing flow of data has created numerous new opportunities for transnational organized crime in the region, in turn fueling the diversification of strategies, techniques, targets, and groups involved in cyber fraud.

Data indicates a steady increase in the number of infected hosts with information-stealing malware across the Asia-Pacific region, reflecting the surge in cyber fraud incidents in the area. This trend is closely aligned with the rise in demand for stolen data on underground markets.

2. Search Engine Optimization and Fraudulent Advertising

While many online fraud schemes require detailed targeting and direct interaction between scammers and potential victims, some simpler scams can deceive victims with just an enticing ad, a fake webpage, or a phishing link. These criminals extensively use search engine optimization (SEO) poisoning and deceptive ads to achieve their goals. With the increasing global use of search engines and social media, both methods have proven effective. In terms of scale, Google alone blocked or removed 206.5 million ads in 2023 that violated its paid ad misrepresentation policy, including ads related to online scams and fraudulent activities — up from 142 million ads in 2022.

In March this year, the SlowMist security team and Rabby Wallet team exposed a phishing attack method that leveraged Google Ads. Specifically, the Rabby Wallet team did not purchase any Google ads; however, fake ads led users to the legitimate Rabby Wallet website. Analysis of keyword searches on Google revealed that the top two search results were phishing ads. However, the link in the first ad was peculiar: it displayed Rabby Wallet’s official website address, rabby[.]io. Upon further investigation, it was discovered that sometimes the phishing ad would redirect to the genuine website rabby[.]io, but after changing proxies and searching from different regions, it would redirect to a phishing site, rebby[.]io. This phishing link would continuously update and change. The analysis revealed that the key tactic involved using Google’s own Firebase short link service with a 302 redirect, tricking Google’s ad display. Similar phishing methods have been observed across various messaging apps. For example, on the Telegram messaging app, when a URL link is sent in a chat, Telegram’s backend retrieves the URL’s domain, title, and icon for a preview display, which can be manipulated to present misleading information.

Additionally, criminals use SEO poisoning techniques to increase the visibility of their malicious websites, making them appear more legitimate to unsuspecting users who trust the popularity rankings of search engines. They also employ various SEO manipulation methods, such as “typosquatting,” where they profit from users accidentally entering misspelled URLs or clicking on URLs with minor typographical errors. Social media platforms have become another battleground for these criminals, who disguise malicious ads as legitimate promotional content to deceive users. In September 2023, authorities in Singapore reported that at least 43 victims lost a total of $875,000 due to malware scams linked to social media advertisements.

3. AI-Driven Fraud

With the rise of generative artificial intelligence, the complexity of criminal activities has increased, posing new threats to national security, including identity theft and data privacy breaches. Criminal groups are leveraging AI to conduct phishing attacks, create fake identities, and execute personalized scams, significantly lowering the technical barriers to committing fraud and increasing the speed and scale of their operations. Deepfake technology has become a widely used tool in online scams, allowing criminals to create convincing fake videos and audio recordings, leading to a rise in sophisticated scams. Additionally, QR code-based fraud is on the rise, where victims are often tricked into visiting malicious websites or revealing sensitive information. Overall, the widespread use of AI has heightened the complexity and frequency of cybercrime.

4. Other Developments

While “pig butchering” scams remain prevalent, criminal groups have increasingly adopted more sophisticated strategies, such as phishing and malicious smart contracts, which enable them to efficiently steal victims’ funds and data.

One common tactic involves draining victims’ assets by tricking them into unknowingly connecting their cryptocurrency wallets to malicious contracts. This allows the criminals to transfer cryptocurrencies and NFTs directly to their own wallets. A notable example occurred in 2022, when scammers targeted users of the non-fungible token (NFT) marketplace OpenSea in a phishing attack, resulting in the theft of over 250 NFTs, valued at approximately $2 million. According to security researchers, the attackers exploited an OpenSea system upgrade, sending fake emails to lure users into taking actions that ultimately led to their assets being stolen.

In addition, a growing number of scammers are using “Drainer” smart contracts to target investors who lack knowledge of decentralized finance (DeFi). This scam usually involves luring victims to connect their wallets to fake liquidity mining pools, thereby depleting their funds. On underground markets and forums, various DeFi application suites are widely available, marketed as legitimate tools but in reality designed for scamming.

Liquidity mining scams exploit the complexities of DeFi trading platforms to deceive investors. Scammers often promise high returns through investments in “liquidity pools,” which involve lending cryptocurrencies to facilitate trading between different tokens. In reality, they set up fake pools, using smart contracts to gain access to users’ wallets. Sometimes, scammers may even deposit small amounts of cryptocurrency to create the illusion of profits, or use worthless tokens to make the pool appear active. The websites tied to these scams often display false daily earnings and profit growth. Eventually, scammers use the permissions granted by the smart contracts to drain the contents of the users’ wallets. Victims are typically told they need to reach a certain staking “threshold” to withdraw funds, but once they try to withdraw, their money becomes inaccessible. Any additional deposits made by the victims are also stolen in the same manner. SlowMist has previously exposed similar scams — interested readers can refer to the *Beginner Guide to Web3 Security: Avoiding Fake Mining Pool Scams* for more details.

The report also highlights the use of a type of malware called “clipper” by Southeast Asian criminal groups. This malware monitors the clipboard of infected systems, waiting for the opportunity to replace cryptocurrency addresses during transactions. When a victim unknowingly completes a transaction, the funds are redirected to the attacker’s address. Due to the lengthy nature of cryptocurrency wallet addresses, users often fail to notice changes in the recipient address, increasing the malware’s effectiveness.

Conclusion

Overall, the threat posed by transnational organized crime in Southeast Asia is becoming increasingly complex and elusive. To effectively address these challenges, law enforcement and regulatory agencies need to continually strengthen their capabilities. Southeast Asian countries should enhance coordination between governments, regulatory bodies, and law enforcement, formulating comprehensive policies and action plans while fostering stronger cooperation with other countries and regions. In the face of a rapidly evolving landscape of transnational organized crime, swift action is crucial. Close collaboration between Southeast Asian nations and their allies will be key to addressing this growing challenge and ensuring regional security and stability.

SlowMist has been deeply involved in the field of cryptocurrency anti-money laundering (AML) for many years, developing a comprehensive and effective solution that covers compliance, investigation, and auditing. This contributes to building a healthy crypto ecosystem and provides professional services to the Web3 industry, financial institutions, regulatory bodies, and compliance departments. MistTrack, one of its platforms, offers wallet address analysis, fund monitoring, and traceability investigations. It has accumulated over 300 million address tags, 1,000+ address entities, 500,000+ pieces of threat intelligence, and 90 million+ risk addresses, providing robust protection for digital assets and aiding in the fight against money laundering. For additional information, please visit https://aml.slowmist.com.

About SlowMist

At SlowMist, we pride ourselves on being a frontrunner in blockchain security, dedicating years to mastering threat intelligence. Our expertise is grounded in providing comprehensive security audits and advanced anti-money laundering tracking to a diverse clientele. We’ve established a robust network for threat intelligence collaboration, positioning ourselves as a key player in the global blockchain security landscape. We offer tailor-made security solutions that span from identifying threats to implementing effective defense mechanisms. This holistic approach has garnered the trust of numerous leading and recognized projects worldwide, including names like Huobi, OKX, Binance, imToken, Crypto.com, Amber Group, Klaytn, EOS, 1inch, PancakeSwap, TUSD, Alpaca Finance, MultiChain, and Cheers UP. Our mission is to ensure the blockchain ecosystem is not only innovative but also secure and reliable.

We offers a variety of services that include but are not limited to security audits, threat intelligence, defense deployment, security consultants, and other security-related services. We also offer AML (Anti-money laundering) solutions, Vulpush (Vulnerability monitoring) , SlowMist Hacked (Crypto hack archives), FireWall.x (Smart contract firewall) , Safe Staking and other SaaS products. We have partnerships with domestic and international firms such as Akamai, BitDefender, FireEye, RC², TianJi Partners, IPIP, etc.

By delivering a comprehensive security solution customized to individual projects, we can identify risks and prevent them from occurring. Our team was able to find and publish several high-risk blockchain security flaws. By doing so, we wish to help spread awareness and raise the security standards in the blockchain ecosystem.

💬Website 🐦Twitter ⌨️GitHub

--

--

SlowMist
SlowMist

Written by SlowMist

SlowMist is a Blockchain security firm established in 2018, providing services such as security audits, security consultants, red teaming, and more.