A massive fraud campaign abusing Indonesia’s official Coretax tax platform has siphoned off an estimated 1.5–2 million dollars in losses nationwide, highlighting how cybercriminals now weaponize public digital services at industrial scale.
Launched around July 2025 and ramped up ahead of the 2026 tax filing season, the operation preyed on taxpayers who believed they were interacting with legitimate Coretax channels. Although Coretax is only available as a web service, victims were deceived into thinking an official mobile app existed, turning their smartphones into entry points for financial theft. This gap between user perception and the platform’s real distribution model became the core social engineering hook.
According to Group-IB, the attackers built a multi-stage attack chain that blended classic phishing with modern mobile malware techniques. It started with phishing websites that visually mimicked the Coretax portal and other trusted brands, then continued via WhatsApp messages and calls from impostors posing as tax officials. These contacts pushed users to download Android application packages (APKs) masquerading as Coretax tools for filing or synchronizing tax data. Once installed, the malicious apps granted remote access, allowing fraudsters to control infected devices, freeze screens, and intercept sensitive data.
The campaign has been linked to the GoldFactory threat cluster, known for deploying advanced Android remote access trojans such as Gigabud.RAT and MMRat. Investigators uncovered 228 new malware samples tied to the operation, underlining the industrialized nature of the scheme. Beyond Coretax, the same infrastructure impersonated more than 16 reputable brands, including government services, airlines, pension funds, and energy providers, significantly widening the pool of potential victims. This brand-hopping strategy enabled attackers to reuse tooling while constantly refreshing lures.
At its peak, the operation aimed at roughly 67 million Indonesian taxpayers and, more broadly, at 287 million individuals exposed to abused brands across the country. While the overall compromise rate remained relatively low—around 0.025% of users—the scale of the population meant financial losses and associated costs still reached between 1.5 and 2 million dollars. Among financial institutions protected by Group-IB, predictive detection and layered defenses limited successful fraud to just 0.027% of malware-compromised devices. This illustrates how early detection and behavioral analysis can sharply reduce downstream financial impact.
Researchers warn that the operation appears to follow a malware-as-a-service model, supported by a centralized framework that has already generated nearly a thousand phishing URLs. The same toolkit could easily be repurposed against taxpayers and banking customers in other countries, with Thailand, Vietnam, the Philippines, and South Africa cited as likely next targets. For Indonesian users, the key defense is to remember that Coretax does not have a mobile app and is only accessible via official government websites. Verifying domains, refusing APK installations sent over messaging apps, and questioning unsolicited “tax officer” calls are now critical to staying safe during tax season.