The Surprising Role Malaysia Plays In Cybercrime

Espionage, money laundering, criminal conspiracies – cyberspace is fast becoming the next gangsta’s paradise.
Monday 15 October 2018
In cyberspace, anonymity is a currency all on its own. Photo: Getty Images

US$750 million in 5 minutes. That’s how much ‘HB’ tokens – the latest cryptocurrency for gamblers backed by a notorious triad boss – reportedly raised in what would be the gaming industry’s single biggest initial coin offering (ICO) in 2018.

An ICO is similar to an initial public offering with a digital twist to the usual stock market fundraising mechanism. Instead of selling shares, startups pitch new projects to investors who buy the value of underlying crypto tokens – like HB – using digital currencies like bitcoin or ethereum.

In this instance, the ICO is for a series of poker and chess tournaments with US$1.5 million prize money awarded in HB tokens and cold, hard cash. Ex-triad boss Wan Kuok-koi aka ‘Broken Tooth’, one of China’s fiercest gangsters in modern history, was released in December 2012 after a 14-year jail sentence at Coloane maximum security prison.

wan-kuok-koi-apple-daily-AFP - cybercrime
Macau triad boss Wan Kuok-koi sits in the back of a police vehicle outside the supreme court in Macau in November 1999. Photo: Apple Daily/AFP

Charges include illegal gambling, loansharking, turf wars, conspiracy to import military-grade weapons, and planting a car bomb in an attempt to murder the police chief who caught him. He’s also connected with disgraced political data firm Cambridge Analytica via a previous ICO called Dragon Coin, its issuance to purportedly construct the Dragon Pearl Casino Hotel, the world’s first floating cryptocurrency casino. That’s 1,600 sqm of unbridled gambling for a project that’s touted as a lower-fee alternative for Chinese high-rollers frequenting Macau’s cavernous casinos.

Under China’s ‘one country, two systems’ policy, gaming and gambling are illegal in the mainland. In the semi-autonomous region of Macau, however, gambling turnover outstrips Las Vegas by at least five times and is a favourite jaunt for Chinese VIP high-rollers. But before they can flash their chips, Chinese gamers need to get around the communist state’s strict capital control rules.

Punters currently sidestep how much money they can bring with them through licensed junket operators who provide gambling credit at a 5% fee. Switching to virtual currencies cut out junkets, making cross-border transfers virtual, save gamers the usual 5% to 7% repatriation cost and, most importantly, provide anonymity, which is currency in itself.

Wan’s latest venture sees him teaming up with a Chinese firm with whirlwind fundraising launches in Cambodia, Thailand, the Philippines and Malaysia. The series of gaming tournaments is slated to commence October this year in Hainan. But the HB affair raises red flags with many questioning its opaque operations. Established virtual currencies like bitcoin or ethereum trade at the fringe of the financial system proper but are encrypted with an identifier and logged onto a central registry, or blockchain, to regulate how much is issued and verify the transfer of funds. So although there is no central bank for cryptocurrencies, there is a self-regulating mechanism that traces it back to its source.

blockchain-monument-slovenia-jure-makovec-AFP - cybercrime
The world’s first Blockchain Monument in the city centre of Kranj, Slovenia. Photo: Jure Makovec/AFP

In HB’s case, no information is disclosed to investors on its source code, leaving it unregulated and traded on a little-known exchange called, listed as an electronics store on Google. This prompts suspicion that it is part of a racket to legitimise illegal gains.

The cryptocurrency’s public affiliation with China has fanned suspicions that HB tokens, issued through an opaque network of operating entities across China, Russia and other countries, is partly state-owned. That might explain how HB tokens have ‘slipped’ through the regulatory net. Last September, authorities outlawed ICOs and direct trading between renminbi (RMB) and cryptocurrency, which it deems ‘illegal public finance’. The state also imposed travels bans on employees from two of its largest cryptocurrency exchanges.

As a result, bitcoin trading in RMB plummeted from 90% to under 1% of the global total. There are reasons why the regulatory move may be more than just coincidence. If it is true that the entity is partly state owned, outlawing direct RMB-cryptocurrency trading hints of possible collusion. Also, what of the October games to be held in Hainan, China – isn’t gambling illegal in the mainland?

Although there were reports in April 2018 that China’s cabinet had approved reforms to legalise horse racing and lotteries, nothing seems to have been finalised. To top it off, doubts abound as to the HB tokens’ provenance. A swirl of shady arrangements which smacks of collusive behaviour.

This case is just the tip of the iceberg in the net of illicit digital activity. Cyberspace is fast becoming the playground for criminal masterminds and the weapon of choice for money launderers, terrorism financiers and cyberspies. At its apex is cyber espionage and China has successfully created “the largest domestic espionage machine ever seen in human history,” according to Prof Greg Austin at the University of New South Wales. From real-time facial recognition software to surveillance applications of artificial intelligence, Professor Austin writes: “For China, cyber monitoring of people of interest is a far higher priority than stealing Western technology secrets by any form of espionage.”

Mikko Hyppönen, a global authority on cybersecurity, proffers in an email interview with UNRESERVED from Helsinki: “Mainland China is a major source for both online crime and governmental espionage activity. Such attacks make a lot of sense for Chinese intelligence agencies; they are effective, affordable and deniable.” When asked on specific Southeast Asian (SEA) organisations targeted by Chinese intelligence, he replied: “All governmental organisations in SEA are targets of this espionage.”

Hyppönen is chief research officer at F-Secure Corporation, one of the largest Nasdaq Helsinki-listed security firms in the world. Its recent 2017 State of Cyber Security documents revealed at least one instance of digital espionage by a state actor targeting organisations involved in the territorial dispute between China and the Philippines in the South China Sea.

lee-hsien-loong-xi-jinping-getty-images-1 - cybercrime
Frenemies? Singapore Prime Minister Lee Hsien Loong and Chinese President Xi Jinping. Photo: Getty Images

Closer to home, Singapore Prime Minister Lee Hsien Loong’s personal medical records were hacked on 4 July 2018, as the database for Singapore Health Services (SingHealth), the city-state’s largest public healthcare network, was breached. Hackers “specifically and repeatedly” targeted Premier Lee’s medication data together with 1.5 million other Singaporeans’ dispensed medication and personal details.

Analysis of the still-unnamed source’s tactics, techniques and procedures point to espionage by a nation-state actor. Sensitive or embarrassing medical data, including health-related vulnerabilities, of powerful personalities are frequently exploited for ransom or coercion. It took 16 days before the premier made a synchronised announcement on his official Facebook with the Health Ministry. That’s a fairly decent time lag, given the high-level nature of the breach and in comparison to corporations like Equifax and Deloitte which took months to detect and declare.

But on the Internet, every second counts like dog years. The SingHealth hack is particularly embarrassing. Just a year earlier, the city-state ranked No. 1 in the United Nation’s 2017 Global Cybersecurity Index (GCI) that measures the commitment of countries to digital security. In the same GCI index, Malaysia ranked 3rd.

mikko-hypponen-1 - cybercrime
Hyppönen, Foreign Policy’s Global 100 Thinkers, warns “All governmental organisations in SEA are targets of this espionage.”

Yet, Hyppönen himself regularly locates Malaysian cybercriminals or international cybercriminals operating in Malaysia. “Malaysia continues to be a hotspot of online criminal activity,” he says. “For example, we regularly spot malicious websites, such as phishing sites, being hosted at Malaysian hosting companies.” The country is also base for several bulletproof hosting companies – guarantees that your site will not be taken down even if the hosting provider gets complaints – to host illegal content.

In light of this, we must question if the current legislation, law enforcement and regulatory approach is the best strategy to protect countries, corporations, and citizens from cybercrime. “You can either try to fight hackers or you can try to work with hackers,” states Hyppönen, who advocates the world fight cybercrime but keep the net free and harness for good the innovative spirit that drives hackers.

Not all hacks are criminal in nature. At the core of the hacking culture is disruption, collaboration and unorthodoxy – traits that conventional law enforcers and regulators are short of, resulting in an endless game of play ‘catch up’ with the underground… that’s if they’re not sponsoring it.

google-silicon-valley-istock - cybercrime
Google is taking this bug bounty thing seriously. Photo: iStock

Hackers, bug bounty hunters play a key role in the cybersecurity ecosystem, ferreting out vulnerabilities before these are exploited with far more deadly consequences. Bug bounties – where corporations give hackers permission to break their systems provided they share how they did it – attract serious talent and money. Google’s bug bounty programme in 2017 alone doled out US$2.9 million; its biggest single payout was US$112,500 to expert bug hunter Guang Gong who tracked down a vulnerability in Pixel mobile phones that allowed attackers to inject arbitrary code via the phone’s Chrome browser. Even the Pentagon has run bug bounties because no system is perfect.

On the Asian horizon, Hyppönen expects more companies starting up bug bounties, getting the hackers on their side and securing systems better. Hackathons – large-scale events where hackers engage in collaborative computer programming – are also increasingly de rigueur and touted as the skill of the future.

It isn’t just about cracking security but about innovation, inventing new solutions on limited time and resources. Already, tickets to some of the world’s biggest hackathon’s like AngelHack are sold out months in advance throughout venues in Jakarta, Singapore, Malaysia and sponsored by Fortune 500 companies. One of the finest examples of how you ‘set a thief to catch a thief’ in order to make the world helluva lot safer.

Related: The Biggest Ever Art Heist Has Now Been Made Into a Podcast