Listen to this Post

Introduction: When Teaching Cybercrime Becomes the Crime
For years, cybersecurity headlines have focused on hackers who build malware or criminals who deploy it against unsuspecting victims. This case shifts the spotlight to a quieter but equally dangerous role in the cybercrime economy: the instructor. In a landmark prosecution, Singaporean authorities have sent a clear message that teaching others how to carry out digital theft is no less criminal than committing the attack yourself. The case exposes how knowledge-sharing has become a force multiplier for cybercrime, turning technical tutorials into weapons.
Case Overview: A Trainer, Not a Hacker, in the Dock
This week, a Singapore court sentenced a 49-year-old Malaysian national, Cheoh Hai Beng, to five and a half years in prison and imposed a fine of S$3,608 after he admitted to helping a cybercrime gang by training its members. Cheoh did not personally scam victims or directly drain bank accounts. Instead, his crime lay in producing detailed instructional videos that taught criminals how to infect Android smartphones with spyware and covertly steal money, cryptocurrency, and sensitive personal data.
The Malware at the Center: Spymax and Its Capabilities
Cheoh’s tutorials focused on Spymax, a well-known Android remote access trojan that has circulated in underground forums for years. Spymax allows attackers to silently take control of infected smartphones, monitor communications, access banking and cryptocurrency applications, and perform fraudulent transactions without alerting victims. Once installed, the malware effectively turns a personal device into a live surveillance and theft platform under remote control.
The Role He Played: Instructor for a Cybercrime Gang
Rather than acting as a hands-on scammer, Cheoh was recruited specifically as a trainer. His task was to break down the technical barriers for less skilled gang members. Between February and May 2023, he recorded approximately 20 video tutorials explaining, step by step, how to deploy Spymax, configure its features, and exploit infected devices. These videos were shared within criminal networks, serving as a training library for fraud operations targeting Android users.
What the Tutorials Taught: From Infection to Exploitation
According to investigators, the videos showed how to trick victims into installing the spyware through phishing messages and fake download links disguised as legitimate apps or services. Once installed, the malware enabled criminals to access crypto wallets, capture passwords, hijack cameras, extract address books, intercept authentication codes, and track victims in real time using GPS. The training emphasized stealth, persistence, and monetization.
Spymax’s History: A Pandemic-Era Threat That Never Left
Spymax is not new. Reports of its use date back to at least 2019, but its popularity surged during the COVID-19 pandemic. Attackers exploited fear and uncertainty by distributing fake COVID tracker apps laced with spyware. Many users, desperate for information, installed these malicious apps without suspicion. That surge cemented Spymax as a reliable tool for financially motivated cybercrime, and it remains active today.
How Victims Were Targeted: Social Engineering at Scale
Authorities say the gang relied heavily on phishing and impersonation. Victims were lured with messages claiming to offer useful services, software updates, or trusted apps. Once the malware was installed, criminals could initiate fraudulent banking transactions in real time, often bypassing security checks by intercepting one-time passwords and notifications before victims even realized their phones were compromised.
The Legal Milestone: Teaching Malware as a Criminal Act
Singaporean prosecutors described this case as the country’s first prosecution aimed specifically at someone who taught others how to use malware. The ruling establishes that cybercrime liability extends beyond code writers and frontline scammers. Knowledge transfer itself, when done with criminal intent, is now firmly within the scope of serious offenses.
The Network Behind the Trainer: A Long Criminal Connection
Court documents reveal that Cheoh was introduced to spyware by an acquaintance, Taiwanese national Lee Rong Teng. The two reportedly met in 2008 while serving prison sentences in South Korea. Prosecutors allege that Lee supplied Cheoh with multiple versions of the spyware and asked him to study how they worked before turning that knowledge into instructional material for a wider criminal audience.
Charges and Guilty Plea: Conspiracy and Criminal Membership
Cheoh pleaded guilty to two charges: being a member of a criminal gang and conspiring with others to use server-hosted software to control Android phones in Singapore. His cooperation and admission of guilt were factors in the sentencing. His alleged accomplice, Lee Rong Teng, is believed to remain at large, highlighting the transnational nature of cybercrime networks.
the Original Case: A Trainer Who Enabled Digital Theft
The case centers on a Malaysian man jailed in Singapore not for hacking directly, but for teaching cybercriminals how to do it. Acting as an instructor, he produced around 20 detailed video tutorials between February and May 2023, showing how to deploy the Spymax Android spyware. These tutorials covered infection techniques, remote control features, and methods for stealing money, cryptocurrency, and personal data. Spymax, active since at least 2019 and popularized during the pandemic through fake COVID apps, allows attackers to spy on communications, hijack cameras, intercept banking credentials, and perform fraudulent transactions invisibly. Authorities found the videos shared within criminal networks, with victims typically tricked via phishing and fake download links. Singapore prosecutors described the case as the country’s first prosecution targeting someone for teaching malware use. Cheoh pleaded guilty to gang membership and conspiracy charges, while his alleged accomplice remains at large.
What Undercode Say: The Dangerous Power of Cybercrime Education
This case exposes a critical shift in how cybercrime scales globally. Malware alone is not the main threat. Knowledge distribution is. When criminals package complex attack techniques into easy-to-follow tutorials, they dramatically lower the barrier to entry for fraud. One skilled instructor can empower dozens, or hundreds, of attackers.
From an operational standpoint, trainers like Cheoh act as force multipliers. They reduce trial and error, standardize attack methods, and improve success rates. This mirrors legitimate technology ecosystems, where documentation and tutorials accelerate adoption. Cybercrime has adopted the same playbook.
The focus on Android devices is also telling. Smartphones now hold the keys to financial identity: banking apps, crypto wallets, authentication tokens, and private communications. A compromised phone is more valuable than a compromised laptop because it follows the victim everywhere and receives trusted notifications.
Spymax exemplifies the evolution of mobile malware into a full-service surveillance platform. Its ability to intercept one-time passwords and control devices in real time effectively neutralizes many traditional security controls. Teaching criminals how to exploit these features systematically turns isolated fraud into organized campaigns.
Legally, this prosecution sets an important precedent. By targeting instructors, authorities are attacking the supply chain of cybercrime expertise. This approach mirrors strategies used against organized crime, where leaders and facilitators are pursued alongside foot soldiers. It recognizes that intellectual contribution can be just as harmful as direct action.
There is also a geopolitical dimension. The connections spanning Malaysia, Taiwan, South Korea, and Singapore underline how cybercrime ignores borders. Training materials can be shared instantly, allowing attacks launched from one region to devastate victims in another. National laws are now being tested against a borderless criminal economy.
For defenders, this case highlights the need to monitor not just malware samples but also underground education channels. Forums, video platforms, and encrypted messaging groups have become classrooms for crime. Disrupting these knowledge hubs could slow the spread of new attack techniques.
Finally, this ruling sends a warning to technically skilled individuals flirting with the criminal underworld. Teaching, documenting, or explaining malware use is no longer a gray area. Courts are increasingly willing to treat such activity as active participation in crime, with severe consequences.
Fact Checker Results
✅ The sentencing and charges align with reported court outcomes in Singapore.
✅ Spymax’s capabilities and historical use are accurately described.
❌ The full scope of damage caused by trainees using these tutorials remains undisclosed.
Prediction
Cybercrime prosecutions will increasingly target trainers and facilitators, not just attackers 🔍
Mobile spyware cases will rise as smartphones remain prime financial targets 📱
Underground cybercrime education will migrate further into encrypted, invite-only spaces ⚠️
🕵️📝✔️Let’s dive deep and fact‑check.
References:
Reported By: www.bitdefender.com
Extra Source Hub (Possible Sources for article):
https://www.reddit.com
Wikipedia
OpenAi & Undercode AI
Image Source:
Unsplash
Undercode AI DI v2
Bing
🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]
📢 Follow UndercodeNews & Stay Tuned:
𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin | 🦋BlueSky | 🐘Mastodon




