41 Hongkongers lose HK$12 million in malware scam involving Singapore and Malaysia
- Police say Malaysia-based syndicate suspected to have scammed more than 4,000 people in region since 2023
Forty-one Hongkongers have lost more than HK$12 million (US$1.54 million) in a regional scam involving the use of malware to steal bank information, according to the city’s police who collaborated with Malaysia and Singapore counterparts on the case.
The force said on Friday it believed a Malaysia-based syndicate had scammed more than 4,000 people in the region since 2023, with the first report linked to the case in Hong Kong filed in September last year.
“This is actually the first malware scam case [of this kind] that we have discovered in Hong Kong,” said Dicken Ko Tik, who is a superintendent of police for the force’s cyber security and technology crime bureau.
The superintendent said the force had received reports of 41 such cases in Hong Kong between September last year and April, involving more than HK$12 million. The single-largest case involved an 88-year-old man, who lost about HK$6 million.
Ko said scammers tricked victims by using fake online store pages on different social media platforms, where they claimed to sell various products and services.
After users reached out to these stores, scammers would contact them and insist they install an online shopping application through non-official links.
Victims would then be directed to fake websites, where they would enter their online banking information to pay for shipping fees.
“These applications are actually Trojan horse applications … allowing scammers to remotely monitor the phones of residents. When residents use their phones to enter their online banking login information and password on these fake websites, scammers can then get this information,” Ko said.
“They will then log into their online banking accounts when they are unaware and transfer their savings away.”
Chief Inspector Lau Ngo-chung added that scammers would also install an app disguised as a map application, enabling them to intercept one-time password notifications sent by their banks and leaving victims unaware that their accounts had been compromised.
Cheng Chak-yan, another chief inspector from the bureau, said police conducted a joint investigation with counterparts from Singapore and Malaysia, eventually discovering that a cross-border fraud syndicate in Malaysia was behind the scams.
Police from the three jurisdictions later launched a joint arrest operation in Malaysia and Hong Kong on June 12 and 13, where Malaysian police arrested two men who were believed to be key members of the criminal organisation.
In Hong Kong, the force arrested 10 men and four women aged between 19 to 61 over conspiracy to defraud and money laundering, with police noting that they were the owners of puppet accounts used for money laundering.
Ko highlighted two main challenges in the investigation: the syndicate using servers located across at least three places, and their use of cryptocurrency to pay for these servers in an effort to avoid detection.
He added that the police’s arrest operation was still continuing, noting that there were still members of the syndicate on the run.
According to Cheng, the Singaporean police force had also arrested more than 140 people suspected to be involved in the fraud in 2023, when about 1,899 people in the city state were scammed.
