ICS Exposes Indonesia’s Hacker-for-Hire Market

The Indonesian Cybercrime Squad (ICS) has exposed a sprawling underground market for hacker-for-hire services in the country, with investigators identifying at least 42 active groups offering ransomware, data breaches, and targeted attacks to clients ranging from corporate rivals to foreign governments. According to a June 17 report by Tempo.co, the ICS uncovered evidence linking these operations to at least 1,200 victims across Southeast Asia, with ransomware attacks alone generating an estimated $8 million in illicit payments over the past 18 months.

How the ICS traced Indonesia’s hacker-for-hire networks
The ICS’s investigation, codenamed Project Darknet, began in October 2025 after a surge in ransomware incidents targeting Indonesian banks and government agencies. Using dark web monitoring tools and undercover operatives, the squad traced payments to 17 known hacking collectives—including Phantom Syndicate and Silent Breach—operating through encrypted messaging apps and peer-to-peer networks. Tempo.co’s sources, including a leaked ICS internal briefing, revealed that these groups advertise services on forums like Exploit.in and HackerBazaar, with prices starting at $5,000 for basic data exfiltration and escalating to $500,000 for zero-day exploits.

One key finding: the majority of clients are Indonesian businesses seeking to undermine competitors, with a smaller but growing share of requests coming from foreign entities, including a confirmed case involving a Malaysian political campaign. “This isn’t just a local problem—it’s a regional cyber arms race,” said a senior ICS investigator, who requested anonymity. The squad has since frozen 12 bank accounts linked to the operations, though no arrests have been made pending further legal coordination with Interpol.

Why Indonesia has become a hub for digital mercenaries
Indonesia’s rise as a hub for hacker-for-hire services stems from three factors, according to cybersecurity firm Recorded Future: cheap internet access, weak cross-border law enforcement cooperation, and a culture of impunity for low-level cybercriminals. A 2025 report by the Asia-Pacific Cybersecurity Alliance noted that 68% of Southeast Asian cybercrime groups now operate from Indonesia, up from 32% in 2022. The ICS’s discovery also highlights a shift in tactics—traditional ransomware gangs are now outsourcing “initial access” to Indonesian hackers, who specialize in bypassing two-factor authentication systems widely used in the region.

What happens next: legal crackdowns and industry fallout
Indonesia’s Ministry of Communication and Information Technology has pledged to classify cyber mercenary activities as a national security threat, potentially subjecting offenders to up to 15 years in prison under revised Law No. 19/2016 on Electronic Information and Transactions. However, experts warn enforcement remains a challenge. “The dark web market will persist unless neighboring countries share intelligence and assets,” said Dr. Lina Chen, a cyber law professor at the University of Singapore, citing a 2024 ASEAN cybersecurity summit where only 40% of member states reported active cross-border investigations.

For businesses, the ICS’s findings underscore the need for proactive defenses. A survey by Mandiant released June 15 found that 72% of Indonesian firms had experienced at least one cyber intrusion in 2025, with 44% attributing the attacks to domestic hackers. The ICS has advised companies to adopt Zero Trust Architecture frameworks, though adoption remains low due to cost barriers.

How this compares to global trends
Indonesia’s hacker-for-hire ecosystem mirrors patterns seen in Eastern Europe and Latin America, where cybercrime-as-a-service markets have flourished in jurisdictions with lax cyber laws. Unlike Russia’s state-backed APT29 or China’s APT41, however, Indonesia’s operations appear decentralized—no single group controls the market, making disruption harder. The ICS’s investigation aligns with a May 2026 Interpol report identifying Southeast Asia as the fastest-growing region for cyber mercenary activity, ahead of Africa and the Middle East.

Key questions remaining

• Will Interpol’s new Cybercrime Fusion Centre in Singapore coordinate with Indonesian authorities to target these networks?
• How will revised Indonesian cyber laws impact dark web operations if enforcement remains localized?
• Are foreign governments secretly funding these attacks, or is this purely a commercial market?

The ICS has not ruled out further public disclosures as the investigation continues, though sources suggest additional arrests may take months. For now, the squad’s work serves as a rare glimpse into a shadow economy that has thrived in plain sight.