
Indonesia’s Coretax Platform Exploited in $2 Million Fraud Campaign Targeting Taxpayers

A highly coordinated cyber fraud campaign targeting Indonesia’s official Coretax tax system has resulted in estimated nationwide losses ranging between $1.5 million and $2 million.
Security firm Group-IB revealed that the scheme first surfaced in July 2025 and escalated sharply in January 2026, coinciding with the country’s peak tax filing season. Cybercriminals posed as the Coretax web portal to deceive users into installing malicious mobile applications.

Although Coretax is accessible strictly through its official website and does not offer a mobile application, attackers used this limitation to their advantage. The fraud operation combined cloned phishing websites, WhatsApp accounts impersonating tax officials, and voice phishing (vishing) calls to create a convincing attack chain.

Victims were instructed to download fraudulent APK files, unknowingly granting attackers remote control of their smartphones. This access enabled unauthorized banking transactions and financial theft.

Investigators traced the campaign to the GoldFactory threat cluster, which utilized several malware variants, including Gigabud.RAT and MMRat. During the probe, Group-IB uncovered 228 previously unidentified malware samples.

The infrastructure behind the operation was also repurposed to impersonate more than 16 reputable brands across sectors including government services, aviation, pension funds, and energy.

According to the report, approximately 67 million Indonesian taxpayers were considered potential targets. However, among financial institutions secured by Group-IB, the fraud success rate was restricted to 0.027% of infected devices due to advanced predictive detection tools.

Researchers estimated a broader device compromise rate of 0.025% — roughly 2.5 out of every 1,000 banking users. When extrapolated to Indonesia’s population of 287 million individuals exposed to the impersonated brands, the cumulative financial losses and associated operational expenses were calculated between $1.5 million and $2 million.

The investigation further identified 996 phishing URLs generated through a centralized system, pointing to a malware-as-a-service (MaaS) framework with the capacity to scale internationally. Potential expansion targets include Thailand, Vietnam, the Philippines, and South Africa.

The fraud followed a structured, multi-phase approach:
  1. Distribution of phishing links via fake WhatsApp tax representatives
  2. Installation of malicious applications that locked devices and extracted sensitive data
  3. Vishing calls pressuring victims to settle alleged tax dues
  4. Screen recording to capture banking credentials and one-time passwords (OTPs)
  5. Remote account takeover (ATO) and fund transfers through mule accounts

Group-IB noted that a layered security strategy combining signature-based detection, behavioral analytics, and contextual threat intelligence significantly mitigated losses among its clients. By analyzing infrastructure patterns and anticipating brand impersonation trends, the company reported stopping most fraudulent transactions before funds could be withdrawn.

The case underscores the growing sophistication of coordinated malware campaigns and the risks they pose to public confidence in digital government services, particularly when critical platforms like national tax systems are targeted.