Phantom Casino

How gambling operators turned Malaysia's government domains into a casino funnel

TL;DR

  • For nearly three years, gambling pages have been hiding inside Malaysian government and university websites. Search for a casino brand and real .gov.my and .edu.my links appear, each one a hijacked page rigged to rank for gambling.

  • We call the campaign Tundra. We call the operator behind the Malaysian doorways Golden Wheel.

  • We have confirmed 83 compromised government and university hosts across 43 organisations, 34 government agencies and 7 universities, from our own evidence, and 17 were still live at our last check. This is not the full picture. New ones keep surfacing as we scan.

  • The doorways are not the business. They are a funnel. Golden Wheel earns only when a visitor follows the redirect chain and deposits at a gambling wallet. We walked one chain all the way to its end and recovered the receipts: a doorway, an operator mirror, and two affiliate codes that bind the traffic to two wallet domains, axas888[.]net and cikgu88[.]com, on one shared platform.

  • Those two wallets are the tip of an iceberg. They sit on a much larger multi-tenant gambling platform. But a large casino platform is not the same as a campaign against Malaysia. The Malaysia targeting looks like one operator's own doing, not the whole platform's.

  • Cleaning doorways does not stop the campaign. The operator re-drops faster than agencies remediate. The leverage is at the wallet layer. This post introduces the campaign and follows the money; later posts go deeper.

What Tundra is

Tundra is an SEO-poisoning campaign that has run against Malaysian government and university domains since at least August 2023. The method is consistent: break into a legitimate .gov.my or .edu.my site, plant pages tuned to rank in search engines for gambling keywords, and redirect anyone who arrives from search onward to an online casino.

The trick works because the pages sit on the real government host. They inherit its search ranking and its trust. A visitor sees a familiar domain; the search engine sees gambling content; the operator collects the click.

We use two names through this series. Tundra is the campaign, the pattern of poisoned Malaysian domains. Golden Wheel is the operator we tie to the doorways and the wallet layer they feed. Tundra is the what; Golden Wheel is the who, as far as the evidence takes us. We do not put a person behind that name. Our analysis is passive and stops at the infrastructure.

Tracing the chain to the wallet

We walked these chains end to end, live, to confirm how the mechanism works. Here is what one looks like. Take one of the compromised hosts, a subdomain of a Malaysian government social-assistance system. The same address behaves in two different ways depending on who asks:

  1. A normal visitor gets the site's real page, a small 7-kilobyte portal that looks completely legitimate.

  2. A search engine crawler gets a different page entirely: a 1.4-megabyte gambling page titled "MEGA888: Akses Download APK Android & iOS Rasmi". This is what gets indexed and ranked.

  3. That hidden gambling page forwards the visitor to an operator mirror on Cloudflare Pages, a throwaway page whose only job is to pass the click on.

  4. The mirror carries two affiliate codes and uses them to hand the visitor to a wallet, where a deposit can be made.

Those affiliate codes are the key piece. An affiliate code is the tag a gambling platform uses to track who sent it a customer, so it can pay that referrer a cut. Here the codes are baked into the attacker's own page: RF377A97633 ties the traffic to the wallet axas888[.]net, and RFA0628235A ties it to cikgu88[.]com. They are fixed, they are embedded in attacker-served HTML, and they are what links a poisoned government page to a specific payout account.

The codes read like receipts: they are how the operator gets credited, which is consistent with the doorways earning a per-referral cut. We recovered the same two codes and wallets on other operator mirrors too, so this is the pattern, not a one-off: the same two wallets, bound by the same fixed codes, behind them the same single operator. We have not yet traced the payout mechanism beyond the wallet.
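The two-faced behaviour described above is also how an agency can check its own hosts from the outside. The following is an added example, not the authors' tooling: it fetches one URL as a browser and as a crawler, compares the two views against the post's evidence tiers (gambling content served directly, or only to the crawler), and pulls out any fixed referral tag of the shape the two recovered codes share. The user-agent strings and term list are assumed choices, and the two HTML documents at the bottom are constructed stand-ins, not captured pages.

```python
import re
import urllib.request

# Added example, not the authors' tooling. The user-agent strings and the term list
# are assumed choices; the two HTML documents at the bottom are constructed stand-ins
# for the behaviour the post describes (small real portal vs large doorway page).
BROWSER_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/124.0 Safari/537.36"
CRAWLER_UA = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
GAMBLING_TERMS = ("mega888", "casino", "slot", "judi", "deposit")  # assumed; extend per case
AFFILIATE_RE = re.compile(r"\bRF[0-9A-F]{9}\b")  # shape of the two codes quoted in the post
TITLE_RE = re.compile(r"<title[^>]*>(.*?)</title>", re.I | re.S)

def title_of(html):
    m = TITLE_RE.search(html)
    return m.group(1).strip() if m else ""

def gambling_terms(html):
    low = html.lower()
    return sorted(t for t in GAMBLING_TERMS if t in low)

def compare_views(normal_html, crawler_html):
    """Classify a host from the browser view and crawler view of one URL:
    'direct' = gambling content served to everyone, 'cloaked' = only the crawler
    sees it and the <title> differs, 'clean' = neither view shows it."""
    bot_hits = gambling_terms(crawler_html)
    if gambling_terms(normal_html):
        verdict = "direct"
    elif bot_hits and title_of(normal_html) != title_of(crawler_html):
        verdict = "cloaked"
    else:
        verdict = "clean"
    return {
        "verdict": verdict,
        "title_normal": title_of(normal_html),
        "title_crawler": title_of(crawler_html),
        "size_ratio": round(len(crawler_html) / max(len(normal_html), 1), 1),
        "gambling_terms": bot_hits,
        # the fixed referral tag is what ties a doorway to a payout account
        "affiliate_codes": sorted(set(AFFILIATE_RE.findall(normal_html + crawler_html))),
    }

def check_host(url, timeout=15):
    """Fetch one URL twice, as a browser and as a crawler, and compare (needs network)."""
    def fetch(ua):
        req = urllib.request.Request(url, headers={"User-Agent": ua})
        with urllib.request.urlopen(req, timeout=timeout) as r:
            return r.read().decode("utf-8", "replace")
    return compare_views(fetch(BROWSER_UA), fetch(CRAWLER_UA))

# Constructed samples modelled on the post's example host (not captured data).
NORMAL_HTML = "<html><head><title>Portal Bantuan</title></head><body>Log masuk</body></html>"
CRAWLER_HTML = ("<html><head><title>MEGA888: Akses Download APK Android &amp; iOS Rasmi</title>"
                "</head><body><h1>Mega888 slot</h1>" + "<p>judi online</p>" * 200 +
                "<a href='https://mirror.example/?ref=RF377A97633'>Daftar</a></body></html>")
```

Run `compare_views(NORMAL_HTML, CRAWLER_HTML)` to see the offline verdict, or `check_host("https://your-host.example/")` against a host you are responsible for; a "clean" result only means neither view showed gambling content at that moment, not that any planted file is gone.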

Who got hit

The campaign did not target obscure corners of the Malaysian web. It targeted public trust: a customs vehicle-clearance system, fire and rescue department subdomains, a federal treasury budget portal, municipal and district councils, and a long list of public universities.

We confirmed 83 compromised hosts across 43 organisations, 34 government agencies and 7 universities, from our own first-party evidence. For each host that meant one of:

  • a search result we captured ourselves, showing the gambling page on the government domain;

  • a page we fetched that served gambling content directly;

  • a server that showed one page to a normal visitor and a gambling page to a search engine crawler.

The split between government and university hosts matters, because the two groups of readers who have to act on them differ too.

This is not the full picture

What we confirmed is a floor, not a ceiling. We add hosts every time we scan. Some are freshly compromised; some have been poisoned for months and we simply had not reached them yet. Beyond the 83 we hold evidence for, dozens more are in the queue as leads we have not finished verifying.

So treat the numbers as "at least this many", never "only this many". The honest framing of Tundra is a campaign whose true footprint is still being uncovered, by us and by others.

What the public already knew

We are not the first to notice. Pieces of Tundra have been public for years.

A federal Islamic-affairs portal was reported redirecting to a gambling page as far back as August 2023, the earliest public instance we found. A customs vehicle-clearance system was posted, full doorway path included, in a developer forum in March 2025, where commenters correctly diagnosed a planted webshell with user-agent cloaking. A consumer-tech site published a list of 32 named .gov.my subdomains in September 2024.

That public list is a useful mirror for our own data. Of the 49 hosts that have appeared on public lists, only 12 were still poisoned when we checked them ourselves. The rest had been cleaned, or could not be reproduced. Meanwhile 71 of our 83 confirmed hosts never appeared on any public list at all. The public saw a sliver, mostly old and mostly since cleaned. The live problem is larger and quieter.

The hosts are not all compromised the same way, and that variety is part of why they survive:

  • on some, the gambling content is injected straight into a page;

  • on others, a parameter or a planted script does the work;

  • the most deliberate ones cloak, showing a clean page to a normal visitor and the gambling page only to a search engine crawler (the case we walked above).

We keep the detail of how at a high level here; the operator's tradecraft is its own post.

Named, with leftovers

Being named in public did not fully fix these sites. We checked all 32 subdomains from the September 2024 list against our own tracking, nineteen months on.

Of the 32:

  • 22 were remediated;

  • 7 were only partly remediated;

  • 2 we could not determine;

  • 1 was still actively serving gambling content.

So roughly a third of a public, named list was not cleanly remediated a year and a half after disclosure. And several agencies that had one subdomain named in 2024 had picked up additional compromised subdomains by 2026. The access persisted and spread.

"Partly remediated" is the tell. It means we still saw gambling traces on the host after the cleanup. In practice that took one of a few forms:

  • some doorway pages removed, but others still live;

  • the pages gone from one search engine, but still indexed on another;

  • the visible pages cleared, but the planted file that generates them left in place.

In each case the surface was tidied but the underlying compromise was not fully removed, so it came back or never entirely left.

A note on "remediated". When we call a host remediated, we mean its gambling pages no longer appear in search. That is what we can see from the outside. It does not mean the underlying access is gone. We learned first-hand from a victim that the actor gets in through a vulnerable web application and drops a webshell, then uses that webshell to plant the pages. Clearing the pages from search does not remove the webshell. Remediated is a search-visibility status, not a clean bill of health.

How the chain is built

The campaign runs in layers, and each one passes the visitor down toward a deposit.

A poisoned .gov.my page ranks in a search engine for a gambling keyword. The click hits a doorway that redirects to an operator mirror. The mirror carries an affiliate code and forwards to a wallet, where the deposit happens. On some sites we also saw a final support layer, a bio-link page and a WhatsApp agent, though that was only on a handful of hosts we inspected by hand.

Each layer has a different lifespan. The victim page is borrowed, valuable for its search ranking. The doorways and mirrors are disposable and rotate often. The wallet is the fixed point. Everything above it exists to feed it, and that is the layer worth attacking.

Two wallets, one server

The chain ends at axas888[.]net and cikgu88[.]com. They look like two competing casinos. They are one operation wearing two brands.

The evidence converges. Both resolve to the same two Alibaba Cloud Singapore IPs, fronted by Cloudflare. Both run the same rented wallet platform, a ready-made casino back-end that one provider operates and many brands pay to put their own name on, on the same build. The only real difference between them is a merchant ID, the account number the platform assigns each brand it hosts.

They also share one Facebook Business Manager: the same advertising pixel IDs appear on both, which is the strongest single sign that one operator runs the pair.
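The pixel-ID pivot used here, and recommended to threat-intel teams later in the post, as an added example rather than the authors' own tooling: it extracts the Meta pixel IDs a page initialises (from the `fbq('init', ...)` call and the `<noscript>` image fallback) and inverts a set of fetched brand fronts into pixel-to-hosts groups, so any ID present on two or more fronts stands out. The HTML, hostnames and pixel IDs below are constructed placeholders, not values observed on the real wallet domains.

```python
import re
from collections import defaultdict

# Added example, not the authors' tooling. The HTML below is constructed; the pixel
# IDs and hostnames in it are placeholders, not values observed on the real wallets.
FBQ_INIT_RE = re.compile(r"fbq\(\s*['\"]init['\"]\s*,\s*['\"](\d+)['\"]")
FB_TR_RE = re.compile(r"facebook\.com/tr\?id=(\d+)")

def meta_pixel_ids(html):
    """Meta (Facebook) pixel IDs a page initialises, from the JS call and the <noscript> image."""
    return set(FBQ_INIT_RE.findall(html)) | set(FB_TR_RE.findall(html))

def shared_pixels(pages):
    """Invert {host: html} to {pixel_id: hosts}; IDs present on two or more hosts are the pivot."""
    index = defaultdict(set)
    for host, html in pages.items():
        for pid in meta_pixel_ids(html):
            index[pid].add(host)
    return {pid: sorted(hosts) for pid, hosts in index.items() if len(hosts) > 1}

# Constructed brand fronts: two share one pixel (one via JS, one via <noscript>), the third is unrelated.
SAMPLE_PAGES = {
    "brand-a.example": "<script>fbq('init', '100000000000001'); fbq('track', 'PageView');</script>",
    "brand-b.example": "<noscript><img src='https://www.facebook.com/tr?id=100000000000001"
                       "&ev=PageView&noscript=1'/></noscript>",
    "other.example": "<script>fbq('init', '200000000000002');</script>",
}
```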

The tip of the iceberg

Those two account numbers tell a second story. They sit almost ten thousand apart. If a platform numbers its clients in sequence, that spread hints at how many accounts it has issued in total. A gap that size points to a platform with many tenants, not a two-brand operation.

So axas888 and cikgu88 are not the empire. They are two tenants on a large gambling platform that hosts many brands, some of which have nothing to do with Malaysia. This is the distinction that matters, and the one easiest to get wrong: a big casino platform existing offshore is not the same as a campaign against Malaysian government domains.

Our read is that the Malaysia targeting is one operator's own doing, Golden Wheel renting space on a shared platform and pointing a poisoning campaign at .gov.my, not the platform itself running that campaign. We tie Golden Wheel to the doorways and these two wallets. We do not claim the wider platform is targeting Malaysia, and we do not tie any of it to a named person. The passive trail stops at the infrastructure.

Break the payout

The campaign has one structural weakness. Everything funnels to a small wallet layer.

Cleaning doorways does not work, as the 2024 named list shows. The operator re-drops faster than agencies remediate. But the wallet platform, its CDN, and its registrar are shared, few, and reachable through the ordinary abuse process. Attack those once and the funnel has nowhere to pay out.

We assess that disrupting the wallet layer makes a successful breach worthless, regardless of how many doorways remain indexed. We have not tested takedown efficacy. That is the next step, and it needs reach we do not have alone.

For different readers

The same finding asks something different of each reader. Where you sit decides what to do with it.

For Malaysian agencies: per-host cleanup has not held. A page leaving search is a starting point, not proof the access is gone. Assume the webshell outlives the search-visibility fix, and check the application that let the attacker in, not just the pages they planted. The structural fix is at the payout layer, which is bigger than any one agency.

For universities: the .edu.my footprint is a cluster of its own, often on student and journal subdomains that nobody owns day to day. Those are exactly the hosts that get poisoned and stay poisoned. The same caveats apply, and the same payout layer is the fix.

For threat-intel teams: the indicators below are live starting points. The shared advertising pixel IDs are the strongest pivot; they will surface other operator brands that the wallet domains alone do not.

For hosting providers and registrars: the wallet platform is multi-tenant and offshore, but its registrar and CDN are not. Those are the choke points, and they are reachable through the ordinary abuse process.

The doorways will keep coming back for as long as the payout works. The cheapest place to break this is the part that is shared, small, and reachable.

Questions and answers

  • Yes. At our most recent checks, some compromised hosts were still serving gambling content and the wallet infrastructure was still live. The earliest public sign of the campaign dates to August 2023, so it has run for nearly three years.

  • Genuinely compromised. The gambling pages are served from the real government host, which is why they rank in search and carry the domain's trust. Nobody is spoofing a .gov.my address from elsewhere.

  • The compromise is engineered to be hard to see. The poisoned pages are tuned for search and for visitors arriving from search, while a direct visit can look normal. An agency spot-checking its own site can get a false all-clear.

  • We can describe the operation but not the people. Our analysis is passive and stops at the infrastructure, so we do not name individuals. Two signals point to an Indonesian nexus: the language and authorship marks left in the intrusion tooling, and a victim-side network signal we observed first-hand. Together they let us assess, with medium confidence, an Indonesian-nexus operator. That is a region, not a person, and we hold it there. Naming a person would need subscriber data only law enforcement can pull.

    What we cannot yet settle is the relationship between the gambling operator and whoever did the hacking. Two readings fit the evidence about equally. (1) The operator hired the SEO intrusion work out, an arrangement consistent with the Indonesian-nexus tooling. (2) The operator and the intruder are the same outfit. We have no clear winner between them, and we have no evidence tying any other gambling operator into the Malaysian campaign, so we do not tie one in.

  • The doorways advertise Mega888 and many other brands. That does not prove who operates them. We keep three layers apart: the brand names on the doorways, the wallet that collects the money, and the operator that runs the campaign. Sorting those layers out is ongoing.

  • No. Those are the two we have walked end to end, from a poisoned government page all the way to the payout account, so they are the ones we are confident naming. They are not the whole story. While tracing the funnels we have already seen poisoned hosts redirecting to other wallet and brand domains as well. We have not yet completed the same full-chain verification for those, so we are holding them back rather than naming them on partial evidence. The honest position is that axas888 and cikgu88 are the firmest two ends of a wider set we are still mapping.

  • We have confirmed 83 from our own evidence, across 43 organisations (34 government agencies and 7 universities), and the true number is higher. New hosts surface as we scan, and the footprint changes as some are cleaned and others are hit.

  • To help the people who can act on it. To ensure the findings reach the parties best positioned to take action, we have shared the relevant intelligence with NACSA. While this report highlights key observations, we withheld certain operational and technical details to avoid compromising ongoing investigative efforts, tipping off the threat actors, or enabling them to alter their tactics before appropriate action can be taken.

  • Later posts go deeper: where the money lands and how the payout works, how the attack is carried out, and what the wider gambling-platform economy behind it looks like.

Indicators of Compromise (IoC)

Wallet and platform:

Type       Indicator                  Note
Domain     axas888[.]net              wallet, merchant 50703
Domain     axas888[.]com              second axas888 domain
Domain     cikgu88[.]com              wallet, merchant 60569
Domain     cdn.vefrop[.]com           operator-controlled CDN serving the wallet platform
IP         47.84.198[.]177            Alibaba Cloud SG, AS45102
IP         47.237.119[.]71            Alibaba Cloud SG, AS45102
CDN        BunnyCDN pullzone 5140431  shared media for all brand fronts
Registrar  NameCheap (IANA 1068)      all operator domains

Funnel and doorway. The operator mirrors rotate often; those below are representative, not exhaustive.

Type       Indicator            Note
Domain     max-cv4.pages[.]dev  Cloudflare Pages mirror (one of many, rotates)
Domain     hljnx[.]com          cloaking gate (now dead)
Affiliate  RF377A97633          binds to axas888
Affiliate  RFA0628235A          binds to cikgu88

Operator contact:

Type       Indicator             Note
Bio-link   linkmy[.]pro/mega888  operator bio-link, 301s to the WhatsApp agent
WhatsApp   +60 16 267 70XX       masked, Malaysian mobile
Telegram   Axas888Cuci           customer channel

References

Prior public reporting we drew on or verified against. We list only coverage of the .gov.my and .edu.my gambling-redirect compromise itself.

Our own victim confirmations, evidence tiers, and the wallet-convergence analysis are held internally and were shared with NACSA and the affected agencies ahead of publication.
