UN expert warns of a new fast-spreading scam: rapid infection of millions of devices following a phone call

Ambar Nigrum, 52, an accountant for several charities in Yogyakarta, Indonesia, was scammed out of all her money after a message that appeared to come from a tax authority officer. She later learned the link she clicked led to spyware, underscoring how quickly criminals’ capabilities are advancing.

Early last year, Nigrum received a message asking her to update information. The sender included her personal and business details and asked her to confirm whether anything was incorrect. Unsure what to do, she replied that she would check with a friend to verify the information. About an hour later, the “tax officer” called, urged her to act quickly, and sent a link.

How the scam unfolded

After clicking the link, Nigrum downloaded a counterfeit government tax filing application. She created an account using two passwords, including one the “officer” advised should be her birthdate, which she found unusual. The installation took nearly half an hour.

She did not realize the software collected biometric data and accessed her bank account as well as her cameras, photos, microphone, contacts, and notes. When she remembered a friend who works at the tax agency, she sent the link. The friend immediately warned her: “Don’t open, it’s a scam.”

Once she checked her accounts, she found two had already been drained and a third was still being drained. Because she manages accounts for NGOs, more than 450 million rupiah (about $26,500) had been stolen—equivalent to the electricity, internet, and salaries for 10 employees for a year.

Technology shifts fraud from slow schemes to fast network attacks

For years, online fraud often relied on slower, labor-intensive approaches such as investment scams, romance scams, or pig-butchering schemes, where victims are kept engaged for weeks or months before money is taken.

In Nigrum’s case, spyware changed the speed and scale of the attack. Jeremy Douglas, a specialist at the United Nations Office on Drugs and Crime, said this is “much faster than traditional fraud,” adding that infecting large numbers of devices is feasible.

Malware-as-a-service and rapid scaling

The spyware used in Nigrum’s case is linked to a global “malware-as-a-service” ecosystem active since at least 2023. Under this model, criminals do not necessarily develop the malware themselves; instead, they purchase it through messaging platforms such as Telegram.

In March 2025, cybersecurity firm Infoblox detected unusual internet traffic tied to a cluster of software that targeted Nigrum. Infoblox said it identified hundreds of domains targeting users in more than 20 countries.

The firm reported that malicious queries targeting Infoblox customers rose from 400,000 in March to at least 1.8 million within a single month.

Expanding targeting and growing criminal “businesses”

Infoblox said the spyware is continually updated to work more effectively and evade antivirus tools. It also reported that language lists, targeted countries, and impersonated organizations are expanding.

These operations are described as large-scale online “businesses,” often based in industrial zones protected by high walls, cameras, barbed wire, and armed guards. The activities are estimated to generate more than $500 billion in annual revenue.

Data theft, extortion, and broader impersonation

Infoblox’s Renée Burton said the new spyware could enable “Scam Inc” to grow further, noting that criminals can steal photos or chats to extort victims. Stolen data can also be sold or traded on the dark web, potentially leading to additional attacks on people in the victim’s contacts.

Beyond impersonating the Indonesian Tax Authority, criminals also impersonate immigration officers in South Korea, police in South Africa, or judges in India’s Supreme Court. Turkey and Thailand were also identified as hotspots.

Outlook for Europe and next-generation spyware

Infoblox said Americans and Western countries have been relatively safer due to stronger banking security systems and better internet providers, but warned this could change. The firm detected signs of integrating AI chatbots, deepfake voice technology, and tests to defeat facial recognition, suggesting future spyware may be harder to detect and more convincing.

Douglas said that as criminals perfect the technology, they are likely to target more complex markets, adding that he expects many EU countries to appear on the map of attacks in the coming year.