Cybercriminals do not always act willingly. Human trafficking rings often kidnap innocent people, lock them inside overseas scam centers, and force them to distribute dangerous software. Security researchers at Infoblox Threat Intel and the Vietnamese non-profit group Chong Lua Dao recently exposed one of these massive operations. They noticed a sudden spike in unusual internet traffic on their networks and traced it directly to a previously hidden malware distribution platform operating out of Southeast Asia.
The investigation led experts straight to K99 Triumph City, a heavily guarded compound located in Sihanoukville, Cambodia. This facility runs a massive global operation targeting victims across four continents. The scam network registers about 35 new fake website domains every single month. These malicious sites currently infect mobile phones in at least 21 different countries, including Indonesia, Thailand, Spain, and Turkey. The operation generates massive profits, prompting Thai authorities to recently seize over $400 million in bank assets linked to the suspected ringleaders.
The attackers use clever tricks to steal from their victims. They build custom websites that perfectly copy legitimate government portals and popular banking platforms. When a user downloads the fake Android software, the app forces them to complete a standard identity verification process. During this step, the scammers secretly harvest personal information, sensitive financial details, and even facial biometrics from the user.
Once the victim installs the malicious app, the attackers gain complete control over the infected smartphone. The software hides in the background and quietly intercepts incoming text messages. This allows the criminals to steal one-time security passcodes sent by banks. The operators then open the actual banking applications on the phone and wire the victim’s life savings directly into offshore accounts. In one tragic case, a single victim lost over 1 million pesos to this exact scam.
While the malware drains bank accounts, the people actually running the computers suffer terrible physical abuse. Late last year, several captive workers inside K99 Triumph City managed to contact Chong Lua Dao using hidden phones. They desperately begged for an immediate rescue from the facility. The United Nations previously flagged this exact location for running large-scale fraud operations using forced slave labor. The trapped workers reported enduring severe beatings and electric shocks whenever they failed to meet their daily theft quotas.
Rescue teams eventually managed to pull several victims out of the fortified compound. Once safe, these survivors handed over crucial evidence to the cyber investigators. They shared private chat logs, internal computer screenshots, and network data. This hard evidence finally proved that the K99 compound directly operated the specific malware platform. The internal records perfectly matched the 35 fake domains the security researchers originally tracked from the outside.
Exposing the operation also revealed the powerful people protecting it. Corporate records show that the K99 Group, a massive Cambodian casino and property conglomerate, owns the Triumph City compound. A wealthy tycoon named Rithy Raksmei chairs the organization. Investigators found that a small, exclusive group of politically connected elites tightly controls exactly who enters and leaves the facility, keeping local police away from the front gates.
These political connections stretch to the very top of the Cambodian government. Raksmei has close family ties to Senator Kok An, one of the wealthiest politicians in the country. The senator holds massive influence over the casino and real estate markets in Sihanoukville. Multiple international reports link his name directly to the city’s organized crime networks. These deep political ties explain exactly how these massive scam centers avoid police raids and continue to operate in plain sight.
