Simplified attack chain of the APK banking trojan | Image: Infoblox Threat Intel
For three years, a phantom has been haunting the digital landscape of Southeast Asia, leaving a trail of emptied bank accounts and compromised identities. But new research from Infoblox Threat Intel has finally pulled back the curtain, revealing a sophisticated industrial-scale operation that bridges the gap between high-tech malware and the grim reality of human trafficking.
While “incidents of malware-enabled fraud and remote access scams have been on the rise against the backdrop of proliferating industrial-scale scam operations in Southeast Asia,” specific technical links to the notorious guarded compounds where these scams originate have remained elusive.
That changed when Infoblox, in collaboration with the Vietnamese non-profit Chong Lua Dao, uncovered an Android banking trojan directly tied to the K99 Triumph City compound in Sihanoukville, Cambodia. This conclusion is backed by a grim combination of “technical analysis, testimony from an escapee, and evidence taken from the facility by the human trafficking victim”.
The heart of the operation is a sophisticated Malware-as-a-Service (MaaS) platform. This isn’t a small-time operation; it is a “sophisticated malware-as-a-service (MaaS) platform capable of facilitating real-time surveillance, credential theft, data exfiltration (including biometrics) and financial fraud”.
- Massive Scale: Researchers are tracking approximately 35 new domains registered every month to support the campaign.
- Global Reach: The infrastructure supports an “expansive, multilingual scam targeting victims in at least 21 countries across four continents”.
- Targeting Hotspots: While global, the highest volume of malicious queries is associated with customers in Indonesia, Thailand, Spain, and Türkiye.
- Government Spoofing: The actors have “discovered hundreds of domains used to target victims, many of which are crafted to look like government institutions” to build false trust.
The K99 compound is far from a standard tech office. It has been “widely reported by the United Nations and other organizations as a scam center with connections to high-ranking political elites and the use of forced labor to run extensive malicious text, voice, and email campaigns”.
Testimony from escapees describes a brutal environment where workers are “beaten and electrocuted for missing performance targets”. One heart-wrenching message from a captive worker pleaded: “I’m afraid I won’t make it in time because if the customer (victim) doesn’t top up their phone… they’ll lock me in a private room and electrocute me for three days”.
The attack chain is a masterclass in social engineering and technical intrusion:
- The Lure: A “targeted lure (URL) is distributed to the victim through SMS, phone calls, emails and social media, often impersonating government officials”.
- The Installation: Victims are directed to fake government service websites and “subsequently instructed to install the malicious APK”.
- Silent Takeover: Once installed, the malware escalates permissions, enabling persistent access as it runs silently in the background without the user’s knowledge.
- Biometric Hijacking: In its most invasive stage, “the victim is shown a spoofed digital verification or know-your-customer (KYC) overlay while the attacker simultaneously triggers biometric capture in the background”. This facial recognition data is then used to “authenticate into the victim’s online banking application without their knowledge”.
Despite ongoing crackdowns, the infrastructure remains “active and highly resilient”. The “MaaS administrator uses unique subdomain names… for C2 and various Android application management panels,” allowing them to rotate domains and repurpose lures rapidly.
As Infoblox concludes, “what emerges is an ecosystem that is agile, experimental, and commercially driven, one where tools are continuously repurposed, refined, and redeployed to maximize reach and profit”. In this environment, technical innovation is no longer a barrier for criminals; it is their baseline.