Editor’s Note: Singapore’s landmark sentencing of a malware instructor underscores a growing shift in cybercrime law: prosecuting not just the perpetrators, but the educators. This article is crucial for cybersecurity, information governance, and eDiscovery professionals, as it explores how knowledge transfer—once a gray zone—is now clearly within the scope of criminal liability. The technical breakdown of the Spymax Remote Access Trojan (RAT) reveals the critical weaknesses in mobile device security and two-factor authentication, while the case itself illustrates how digital evidence (video tutorials, logs, and cross-border digital trails) plays a pivotal role in modern prosecutions. As Crime-as-a-Service continues to evolve, this ruling signals that the enablers—regardless of their physical proximity to the crime—are firmly in the legal crosshairs. Professionals in legal, compliance, and risk roles should pay close attention: this case may shape the way liability is assigned in future fraud and breach investigations.

Industry News – Cybersecurity Beat

The Professor of Theft: Singapore Jails Malware Tutor in Historic Ruling

ComplexDiscovery Staff

In a precedent-setting ruling in Singapore’s cybercrime enforcement, a court has sentenced a Malaysian national to five-and-a-half years in prison not for hacking a bank or stealing data himself, but for teaching a criminal syndicate how to do it. The conviction of Cheoh Hai Beng serves as a stark warning to the global cybercrime ecosystem: the architects of digital weaponization can now face penalties comparable to those who pull the trigger.

A Syllabus of Fraud

The case centers on Cheoh’s role as a technical instructor for a transnational syndicate. Unlike typical foot soldiers who execute phishing scams, Cheoh’s contribution was intellectual and structural. Prosecutors detailed how he recorded at least 20 tutorial videos between February and May 2023, first from the Dominican Republic between February and April, and later from Malaysia in May. These tutorials effectively created a curriculum for cyber-fraud, providing step-by-step guidance on deploying Spymax, a potent Remote Access Trojan (RAT).

The origins of this partnership date back to 2008, when Cheoh met Lee Rong Teng, a Taiwanese national who would later recruit him, in a South Korean prison. This relationship evolved from cellmates to criminal accomplices, with Lee later inviting Cheoh to relocate to the Dominican Republic in March 2022. Cheoh lived there for just over a year, eventually learning to operate Spymax and recording the tutorial videos that professionalized the syndicate’s operations targeting Singapore.

Deconstructing Spymax: The Tool of the Trade

The weapon of choice, Spymax, represents a sophisticated tier of Android malware designed to bypass standard Android security controls and give attackers extensive remote access. Once installed—often via deceptively benign apps—the RAT grants attackers near-total control over the infected device. Technical analyses and CERT advisories show that Spymax does not simply log keystrokes; it can hijack the camera for real-time surveillance, exfiltrate GPS location data, and intercept One-Time Passwords (OTPs) sent via SMS.

This interception capability is particularly dangerous because it neutralizes the two-factor authentication (2FA) protocols that banks rely on for security. By taking control of mobile banking apps and intercepting SMS messages, Spymax-style campaigns can defeat two-factor authentication, sometimes by overlaying fake login pages or by initiating transactions directly on compromised devices. The instructional videos Cheoh produced were instrumental in teaching syndicate members how to manipulate these features to drain victims’ accounts before they even realized a breach had occurred.

The Human Cost and Legal Response

The efficacy of Cheoh’s tutorials was reflected in the sheer scale of the financial damage. Between June 2023 and June 2024, at least 129 victims in Singapore lost approximately S$3.2 million to the syndicate’s operations. The victims saw their life savings vanish in unauthorized transactions facilitated by the very techniques Cheoh had codified.

Singapore’s Technology Crime Investigation Bureau, recognizing the threat’s sophisticated nature, launched a cross-border operation that culminated in Cheoh’s arrest in Penang, Malaysia, in June 2024. His extradition and subsequent guilty plea to charges of abetment and membership in an organized criminal group resulted in a prison term and a S$3,608 fine. Prosecutors said, and local reports echoed, that this is believed to be the first case in Singapore in which a person has been prosecuted specifically for teaching others to use malware.

Even though Cheoh stopped producing videos around April or May 2023, the court found that the tutorials continued to enable scams long after his active involvement ended. This perspective aligns with a growing industry view that legal frameworks must expand to capture the entire supply chain of “Crime-as-a-Service,” rather than just the endpoint attackers.

Defending Against the Invisible Class

For cybersecurity and information governance professionals, this case underscores the urgent need to look beyond perimeter defenses and consider the human element of malware distribution. Security awareness training must evolve from generic “don’t click links” advice to specific behavioral conditioning. Users should be trained to verify the source of every application, understanding that even functional apps can harbor malicious code.

Industry experts also recommend that organizations implement behavioral biometrics that can detect the subtle anomalies of a remote access session—such as impossible mouse movements or superhuman typing speeds—that standard 2FA cannot catch. The fight against such syndicates demands a cultural shift in how we view mobile device security. Treating a smartphone with the same rigor as a corporate endpoint is no longer optional; it is a mandatory baseline for digital hygiene.

A Warning Shot to the Shadow Economy

As digital threats mutate, the legal system is finally catching up to the reality of modern cyber warfare, where code is a weapon and instruction is a form of ammunition. The imprisonment of Cheoh Hai Beng sends a message that jurisdiction shopping and compartmentalized roles offer no immunity against determined international law enforcement.

Yet, as one instructor is removed from the board, the question remains: in an age where AI can generate malware code and deepfakes can automate social engineering, are we prepared for a future where the “teacher” is not a human, but an algorithm?

Assisted by GAI and LLM Technologies

Source: ComplexDiscovery OÜ

The post The Professor of Theft: Singapore Jails Malware Tutor in Historic Ruling appeared first on ComplexDiscovery.

Alan N. Sutin is Chair of the firm’s Technology, Media & Telecommunications Practice and Senior Chair of the Global Intellectual Property & Technology Practice. An experienced business lawyer with a principal focus on commercial transactions with intellectual property and technology issues and privacy and cybersecurity matters, he advises clients in connection with transactions involving the development, acquisition, disposition and commercial exploitation of intellectual property with an emphasis on technology-related products and services, and counsels companies on a wide range of issues relating to privacy and cybersecurity. Alan holds the CIPP/US certification from the International Association of Privacy Professionals.

Alan also represents a wide variety of companies in connection with IT and business process outsourcing arrangements, strategic alliance agreements, commercial joint ventures and licensing matters. He has particular experience in Internet and electronic commerce issues and has been involved in many of the major policy issues surrounding the commercial development of the Internet. Alan has advised foreign governments and multinational corporations in connection with these issues and is a frequent speaker at major industry conferences and events around the world.