- UPDATED 8.15PM | Malaysia agrees to extradite the suspects.
The two Malaysians charged in an alleged international hacking scandal are directors in an established online game store operating out of Perak.
International newswire Reuters reported today that the US Department of Justice (DOJ) charged Wong Ong Hua, 46, and Ling Yang Ching, 32, for conspiring with hackers from China.
The duo allegedly worked with hackers to “profit from computer intrusions” targeting video game firms in the US, France, Japan, Singapore and South Korea.
In a New York Times report on the indictment, hackers were said to have worked with the Malaysians to “steal and launder money” through the video game industry.
Both reports stated that the duo have been arrested.
Federal police headquarters Bukit Aman has stated that Criminal Investigation Department director Huzir Mohamed said the Attorney-General’s Chambers have agreed to the extradition under the Extradition Act 1992 and an extradition treaty between Malaysian and the US.
This came after the extradition request was received from US authorities on Sept 3, and the Kuala Lumpur Magistrate’s Court had issued a provisional warrant of arrest on both suspects on Sept 11.
“The Magistrate’s Court has allowed at 60-day remand under Section 16(1) of the Extradition Act 1992 and Article 11(4) of the extradition treaty between the governments of Malaysia and the US.
“Both suspects are being detained under remand at Sungai Buloh Prison, Selangor,” he said in a statement today.
He said the forensics officers have also seized evidence and related documents at the duo’s company premises.
The DOJ, meanwhile, noted that the arrests in Sitiawan were made by Malaysian authorities pursuant to a provisional arrest request by the US.
Wong is the founder of online video game store SEA Gamer Mall Sdn Bhd while Ling is its chief product officer. According to company records, both serve as directors of the 13-year-old company.
Headquartered in Sitiawan, Perak, its website lists offices in China, Thailand, and Indonesia.
Listed for sale on the SEA Gamer Mall website includes “top-up cards” for popular online games like PUBG and Mobile Legends, digital gift cards, as well as prepaid mobile credits.
According to company records, it made RM386.4 million in revenue and RM11.6 million in profit in 2019.
Speaking to The Star, SEA Gamer Mall Chief Operating Officer Tommy Chieng said the company was “looking at” the US DOJ papers.
“All I can say is that we are looking at the indictment papers.
“Our lawyers are working on it. Have no other comments,” he was quoted as saying.
SEA Gamer Mall has since placed the duo on leave.
Among SEA Gamer Mall’s five directors are Nerine and Chryseis Tan, the daughters of Berjaya Corporation Bhd founder Vincent Tan.
Vincent is also the major shareholder in the company through Cyberventures Sdn Bhd.
Cyberventures is owned by Vecc-Men Holdings Sdn Bhd, where Vincent has a stake.
Berjaya Corporation has yet to respond to Malaysiakini’s request for a comment on the charges.
Along with Wong and Ling, the US DOJ charged five China residents - Zhang Haoran, Tan Dailin, Jiang Lizhi, Qian Chuan, and Fu Qiang - for hacking into “more than 100 companies” inside and outside the US.
The companies included software development companies, computer manufacturers, telecommunications providers, social media companies, gaming firms, non-profit organisations, universities, and think-tanks.
Targets also included foreign governments as well as pro-democracy politicians and civil society figures in Hong Kong.
In his press conference on the indictment, US Deputy Attorney General Jeffrey Rosen said Chinese authorities had “chosen” to not enforce the law against the alleged hackers.
“The Chinese government has made a deliberate choice to allow its citizens to commit computer intrusions and attacks around the world because these actors will also help the People’s Republic of China,” he said.
As for the 23 charges Wong and Ling face, the DOJ lists them as follows:
- One count of racketeering conspiracy, which carries a maximum sentence of 20 years in prison;
- One count of racketeering, which carries a maximum sentence of 20 years in prison;
- Three counts of intentional damage to a protected computer, which carries a maximum sentence of 10 years in prison;
- Five counts of unauthorised access to a protected computer, which carries a maximum sentence of five years in prison;
- Five counts of furthering fraud by unauthorised access to a protected computer, which carries a maximum sentence of five years in prison;
- Two counts of access device fraud, which carries a maximum sentence of 10 years in prison;
- Two counts of identity theft, which carries a maximum sentence of five years in prison;
- One count of aggravated identity theft, which carries a mandatory sentence of two years in prison;
- Three counts of money laundering, which carries a maximum sentence of 20 years in prison.
"The indictment also alleges false registration of domain names, which would increase the maximum sentence of imprisonment for money laundering to 27 years; the maximum sentence of imprisonment for unlawful access to a protected computer to 10 years instead of five years; the maximum sentence of imprisonment for intentional damage to a protected computer to 17 years instead of 10 years; and the mandatory sentence of imprisonment for aggravated identity theft to four years instead of two years," it said.