Indonesia’s banking sector is facing heightened scrutiny after authorities uncovered a large-scale cybercrime involving illegal fund transfers routed through the BI-FAST payment system. The incident, which affected several regional development banks, is estimated to have caused customer losses of up to USD 12.9 million, raising concerns about cybersecurity resilience in the country’s rapidly digitalizing financial system.

The Financial Services Authority (OJK) said the attack bears the hallmarks of organized, cross-border cybercrime, rather than isolated fraud. According to OJK’s Chief Executive for Banking Supervision, Dian Ediana Rae, stolen funds were swiftly converted into cryptocurrencies and transferred to global digital asset platforms, complicating efforts to trace and recover the money.

“OJK believes this is organized crime, not an individual offense. The crime is clearly structured,” Dian said in Jakarta (15/12/2025) as quoted by Detik.

He warned that once funds enter international crypto markets, regulators face major obstacles in freezing or tracking the transactions. “

Once the money is transferred to global crypto platforms, we effectively lose the trail,” he added.

The case has intensified debate within Indonesia’s financial industry over systemic cyber risks. Quoted from CNBC Indonesia, Indonesian Risk Professional Association (IRPA) Chairman Alan Yazid said cyber threats now pose a serious danger to financial stability.

“Large-scale cyber disruptions can halt critical services, erode customer trust, and even trigger liquidity stress,” he said, stressing the need for adaptive digital defenses that evolve as quickly as emerging threats.

A similar warning came from Muliaman Hadad, Deputy Chair of the Supervisory Board at sovereign investment body BPI Danantara. He said cyberattacks are no longer hypothetical risks for banks.

“Ten years ago, the threat was not that significant. Today, every bank will face cyberattacks. The only question is whether they are prepared or not,” he said.

Bank Indonesia (BI), which operates BI-FAST as a real-time retail payment infrastructure, emphasized that the system itself remains secure and compliant with international standards. However, BI acknowledged that vulnerabilities often emerge at the internal security level of participating banks, including third-party service providers.

BI’s Head of Communications, Ramdan Denny Prakoso, said banks involved in the case have been instructed to strengthen transaction security procedures.

“This process is crucial to ensure the incident does not disrupt payment system stability and that consumer protection is upheld,” he said.

Meanwhile, Dian underscored that Indonesia is pushing for stronger international cooperation to address the misuse of cryptocurrencies in cybercrime.

“This is not a domestic issue. Many countries are facing the same problem, and it cannot be tackled by one country alone,” he said, adding that OJK and BI are raising the issue in international forums to improve cross-border coordination.

Authorities also urged the public to remain vigilant by safeguarding PINs and one-time passwords, verifying transaction details, and using account notification features. While regulators stress that digital payments remain safe, the case underscores how cybercrime is evolving alongside financial innovation—often across borders and beyond the reach of a single regulator.

Source: Detik, CNBC Indonesia, Kompas

Photo Credit: Alexander Limbach/Zoonar/picture alliance via dw.com