Singapore’s message to cyber crooks: Do not use us as a launchpad – Commentary

Source: Straits Times
Article Date: 07 Nov 2025
Author: Bhavan Jaipragas

The jailing of three Chinese hackers possessing state-linked malware shows Singapore is very much alive to how bad actors seek to exploit its openness.

In some quarters, there is a persistent narrative that Singapore’s authorities are oblivious to the risks that come with the Republic’s global hub status – in finance, technology and other fields.

Taken to the extreme, this view presupposes that the law enforcement ecosystem and even the national media are sedate and ineffectual – thumb-twiddling and looking away as foreign bad actors exploit Singapore’s openness and proliferate without restraint.

Even a cursory look at reality shows how false that depiction is.

The conviction and jailing this week of three Chinese nationals for their roles in a global cybercrime ring, following a major 2024 operation that led to their arrests and those of others, is one data point that should give confidence that the system is largely working as designed in keeping the proverbial flies away.

Other investigations and convictions – including the now well-known billion-dollar money laundering case, and the ongoing probe into Cambodian conglomerate Prince Group and its founder Chen Zhi – already show that Singapore is not a passive bystander to such threats.

The latest cybercrime case lays bare the risks that come with hub status. It also shows the scale of work by investigators, prosecutors and, finally, the courts to safeguard Singapore’s reputation as a secure digital hub.

The three men – Yan Peijian, Liu Yuqi and Huang Qin Zheng, all with roots in China’s Henan province – were enticed to Singapore to do hacking work under the cover story that they were here for legitimate jobs.

They were housed in plush accommodation and had their daily needs taken care of, with moonlighting cooks and cleaners on hand. They were paid a total of US$3 million (S$3.9 million) in cryptocurrency by a fourth man, Vanuatu citizen Xu Liangbiao, who left Singapore 13 months before they were arrested. Court documents said Xu, named as an “involved party”, left Singapore on Aug 14, 2023, a day before the authorities arrested 10 individuals in the billion-dollar money laundering case.

Sentencing the men on Nov 5 (two years, four months and four weeks’ jail for Liu, and two years, four months and one week for Huang and Yan) after each had pleaded guilty to four charges, including misusing a computer system and one linked to organised crime, District Judge Sharmila Sripathy-Shanaz noted their activities’ potential to erode confidence in Singapore’s reputation as a secure hub in the global digital ecosystem.

The sentences seek to send a “clear and unequivocal message that those who seek to establish or conduct transnational criminal operations within our borders will face firm sanctions”, the judge said.

State-linked malware

Details in the court documents give a sense of the complexity of what the authorities have to deal with in the cyber domain. A couple of things stand out.

First, the tools used. Devices seized from each of the three men were found, in different ways, to be linked to a piece of malware – a remote-access Trojan, or RAT, called PlugX, which can be used to spy on and control other machines. Liu’s devices were also found to have RATs associated with the Shadow Brokers, a known elite hacking group.

Cybersecurity experts here in Asia and elsewhere have long said that PlugX is associated with Chinese state-sponsored hacking groups, even though it has also spread to non-state criminal actors. Court documents stated that the three men “disclaimed knowledge of or association” with state-sponsored groups, also known as advanced persistent threats (APTs). One example of an APT is UNC3886, a cyber threat group named earlier in 2025 by Singapore for its attacks on critical infrastructure operators here, although it is not mentioned in this case.

Second, there were the apparent areas of interest in the trio’s operations. As part of their job, they gathered information on domain and sub-domain names linked to target organisations or websites – including gambling portals – that were given to them by Xu, the Vanuatu citizen. Yan’s laptop contained messages discussing vulnerable domains, including five Australian, Argentine and Vietnamese government domains.

Liu’s laptop contained a confidential e-mail between officers of Kazakhstan’s Ministry of Foreign Affairs and Ministry of Industry and Infrastructure Development. The documents stated that the men knew that their “actions were wrongful, and refrained from targeting Singaporean websites as they felt it was not right to do so while in Singapore” – a revealing line that suggests a mental red line about not hitting the host, while treating foreign government systems as fair game.

Reasonable question

To be clear, neither the court nor prosecutors made any remark on whether there was an espionage element here. It is, nonetheless, a reasonable question to ask.

Cybersecurity experts who spoke to this columnist said that, on the publicly available facts and especially because of the mention of PlugX and foreign government domains, links to “China nexus groups” cannot be ruled out.

At the same time, because attribution requires more than just the appearance of a tool or a list of domains, they stressed that the evidence was too tenuous to make that connection authoritatively – which could explain why the authorities have not publicly gone there.

The malware PlugX’s most high-profile recent mention was by the United States Department of Justice and Federal Bureau of Investigation, which in January said they had worked with international partners to delete it from thousands of computers worldwide.

As Mr Nandakishore Harikumar, founder of the India-based cybersecurity firm FalconFeeds.io, said to this columnist, “finding PlugX-related RATs on a hacker’s machine is a signal worth paying attention to, but it isn’t enough on its own to claim a state nexus”.

Echoing this point was Mr Ismael Valenzuela, vice-president, labs for threat research and intelligence, at Arctic Wolf Networks, a US-based cybersecurity company. Mr Valenzuela said in an e-mail that the “China nexus ecosystem is complex and some of the contractors used by government or military agencies can reuse those tools against multiple campaigns”.

Ms Munira Mustaffa, the executive director of Malaysia-based security consultancy Chasseur Group, meanwhile said it was important to avoid false binaries and instead take a perspective that considers “grey zone” tactics, where the line between financially motivated cybercrime and state-backed espionage gets blurry.

“What makes this case interesting is the government data from four countries found on their devices, even though they claimed to avoid official targets,” said Ms Munira, who specialises in covert state actions and is a senior fellow with the Verve Research think-tank.

She added: “That suggests either mission creep or dual-use tasking. When infrastructure, tools and intelligence can flow between criminal and state actors, you can’t draw clean distinctions and attribution becomes ambiguous”.

Rigorous fly-swatting

Whether this particular operation was espionage or high-end criminality, the conclusion for Singapore is the same. The fly-swatting – or weeding, if one prefers that metaphor – has to be rigorous, well coordinated and sustained, with public support.

Evidence so far suggests that this is the posture.

When the raid that netted these three men and three others took place on Sept 9, 2024, it involved about 160 officers, not just from the Singapore Police Force but also from the Internal Security Department, the agency tasked with counter-espionage operations.

That scale of mobilisation is a reminder that the authorities are not sitting on their hands when they suspect that Singapore is being used as a staging point.

As one cybersecurity insider suggested to this columnist, in the world of malicious cyber actors Singapore has to operate at an elite “Olympic” level – it is not enough to be a SEA Games gold medallist.

In practice, that means being able to go up against some of the biggest, best-resourced and most sophisticated entities in the world, and still hold its own despite its small size.

Seen in that light, this week’s sentencing – together with action in other areas against money launderers and dubious corporate players – should give Singaporeans confidence that the authorities will not allow the island to become a refuge for high-level perpetrators of malicious activity, whether their targets are overseas or at home.

For those contemplating such misuse of Singapore’s openness and pristine global reputation, the message ought to be loud and clear.

Source: The Straits Times © SPH Media Limited. Permission required for reproduction.
