Cyberwar in Southeast Asia: The Cyber Clashes Between Cambodia and Thailand and Their Global Ramifications

The conflict between Cambodia and Thailand, which escalated in May 2025 with border clashes and mutual accusations, quickly spilled over into cyberspace. Hacktivist groups like AnonSecKh launched massive DDoS attacks and disinformation campaigns, including the spread of AI-generated fake news. Tensions were exacerbated by allegations of North Korean hacker involvement and links to money laundering networks like the Huione Group. This "cyberwar" eroded bilateral trust and hindered cybersecurity cooperation, posing a significant challenge to ASEAN regional stability. The crisis attracted international attention, with the US President launching diplomatic efforts for a ceasefire on July 26, threatening trade retaliation if the situation failed to resolve

In an era where conflicts are no longer fought solely on traditional battlefields but extend virulently into the digital domain, the recent statement by the President of the United States, issued on July 26, 2025, resonates as a global warning. As tensions between Cambodia and Thailand continue to claim lives and destabilize the region, the call for a ceasefire and the threat of trade repercussions underscore the gravity of a crisis with deep roots and complex ramifications. The President announced that he had initiated diplomatic efforts to halt the conflict between Cambodia and Thailand, reporting that he had spoken with the Prime Minister of Cambodia and was in the process of contacting the Acting Prime Minister of Thailand to request a ceasefire and an end to the ongoing war. He clarified that the United States, while having trade relations with both countries, would not conclude any deals as long as hostilities persisted, a position already communicated to both nations. He described the situation as complex but expressed hope for a resolution, comparing it to the successful halt of the conflict between Pakistan and India, and emphasized his concern for the numerous casualties. This is not merely a border dispute; it is a hybrid conflict, where landmines and artillery exchanges intertwine with cyberattacks, disinformation campaigns, and allegations of money laundering, severely testing the stability of Southeast Asia.

This article aims to unravel the complex web of this "cyberwar," which began with a significant escalation in May 2025. We will explore the historical origins of the territorial disputes that triggered the physical clashes, then delve into the heart of the digital battle. We will analyze the key players, such as the Cambodian hacktivist group AnonSecKh and the alleged "BlackEye-Thai," examining their tactics, from massive DDoS attacks to the dissemination of AI-generated fake news. We will delve into the controversial accusations of North Korean hacker involvement and the troubling connections to money laundering networks. Finally, we will assess the impact of this crisis on bilateral trust, cybersecurity cooperation, and the broader implications for the Association of Southeast Asian Nations (ASEAN), highlighting how cyberspace has become a new and dangerous front of conflict.

Introduction: The Dual Nature of the Conflict

Relations between Cambodia and Thailand have historically been marked by territorial disputes, particularly concerning border areas that host ancient temples like Ta Muen and Ta Moan Thom. These long-standing claims form the foundation of recurring tensions between the two nations.

Overview of the Cambodia-Thailand Border Dispute (May 2025)

The escalation in May 2025 was triggered by a landmine explosion that wounded five Thai soldiers. The ensuing mutual accusations, with Thailand claiming newly planted Russian-made mines and Cambodia attributing the incident to unexploded ordnance remnants from past wars, highlighted the deep distrust and conflicting narratives between the two countries.

The first direct physical clashes began on May 28, 2025, near the disputed temples, with both sides accusing each other of initiating hostilities. This date proved to be a crucial moment, marking the beginning of the direct military confrontation that immediately preceded and triggered the cyber dimension of the conflict. Tensions further escalated, culminating in open conflict on July 24, 2025, with exchanges of gunfire and airstrikes.

The Emergence of Cyberspace as a New Battlefield

Following the May 28 border clash, bilateral tensions quickly extended into cyberspace. This development indicates a contemporary evolution in geopolitical conflict, where digital infrastructure becomes a strategic target and a new arena for expressing national claims. Both Cambodia and Thailand engaged in a cycle of mutual accusations, which included cyberattacks, the spread of disinformation, and alleged complicity in cross-border cybercrime, particularly online scams. This demonstrates a multi-front digital engagement that goes beyond simple hacking.

The direct and immediate spread of physical conflict into the cyber domain confirms that cyberspace is increasingly serving as an "escalation ladder" or a "release valve" in geopolitical disputes. This allows states to continue their contention without necessarily resorting to full-scale armed conflict. However, this dynamic inherently compromises long-term digital trust and cooperation, which are fundamental for regional stability and collective security within ASEAN.

Cyber clashes are not isolated incidents but rather a modern manifestation of historically rooted and deeply felt border disputes. This suggests that digital tensions are likely to persist and re-emerge as long as the underlying physical territorial claims remain unresolved, indicating a long-term challenge for digital stability in the region.

To provide a clear chronological overview of the interconnected events, the following table summarizes the key moments of the conflict between May and July 2025:

Table 1: Timeline of Key Events (May-July 2025)

Table 1: Timeline of Key Events (May-July 2025)

The Physical Trigger Point: Border Clashes and Diplomatic Repercussions

The physical conflict between Cambodia and Thailand in May 2025 represented a significant escalation of a long-standing territorial dispute, with immediate consequences on both the battlefield and in diplomatic relations.

Escalation at the Disputed Temples (May 28, 2025)

Clashes erupted on the morning of Thursday, May 28, 2025, in the areas around the Ta Muen and Ta Moan Thom temples, sites long claimed by both countries. These temples are not only places of cultural significance but also strategic points that have historically triggered friction. Accounts of the start of hostilities were conflicting: the Thai army reported that Cambodian troops opened fire first after spotting a drone and six armed soldiers, while Cambodia maintained that its troops were defending national territory against a Thai "armed assault." This discrepancy in narratives underscores the deep distrust and entrenched positions of each side. The May 28 clash was a prelude to open conflict that further intensified by July 24, 2025, with exchanges of gunfire and airstrikes.

Casualties, Landmines, and Mutual Accusations

Thai authorities reported a significant number of casualties, including nine Thai civilians killed and three injured, including a five-year-old child, due to Cambodian artillery fire. Seven Thai soldiers were also wounded. The Thai army accused Cambodian forces of firing BM-21 rockets into Surin's Kap Choeng district, hitting civilian areas.

In response, the Cambodian Ministry of National Defense accused Thailand of "brutal and illegal military aggression," claiming Thai jets dropped bombs on Cambodian territory and used heavy weaponry. A Cambodian spokesperson stated that such actions "violated international law" and ASEAN norms.

A particularly serious accusation from the Thai side concerns the alleged Cambodian artillery attack on Phanom Dong Rak Hospital in Surin province. Although details remained limited, this alleged strike on a medical facility raised fears of intentional civilian targeting, leading Thailand to issue evacuation warnings and bolster border defenses in affected areas.

The immediate trigger for the latest escalation was a landmine explosion that wounded five Thai soldiers. Thailand claimed these were newly planted Russian-made mines, in violation of a previous agreement designating the area as safe. Cambodia denied the accusation, calling it "baseless" and insisting the explosion occurred on its side of the border due to unexploded ordnance remnants from past wars. This dispute over landmines further fueled mutual accusations regarding adherence to international treaties like the Ottawa Treaty.

Accusations of targeting a hospital and the dispute over newly planted landmines suggest a potential disregard for international humanitarian law (e.g., the Geneva Conventions) and existing international agreements (e.g., the Ottawa Treaty). This indicates a willingness to escalate tactics beyond accepted norms of armed conflict, with broader implications for regional stability and adherence to international legal frameworks.

Rapid Deterioration of Diplomatic Ties and Economic Measures

In a rapid diplomatic breakdown, both countries expelled each other's ambassadors within 48 hours, and Cambodia downgraded diplomatic ties to their "lowest level," recalling most staff from its Bangkok embassy. This move severely hampered official communication channels.

Thailand responded by closing all border checkpoints with Cambodia and advising Thai citizens to evacuate Cambodia if possible. This had immediate implications for cross-border movement and trade. The conflict also extended to the economic and digital domains: Cambodia imposed bans on imports of Thai fruits, vegetables, electricity, internet, and cultural content, including Thai dramas. Thailand retaliated by restricting land crossings into Cambodia, blocking tourist travel for gambling, and suspending internet services used by Cambodian authorities. These measures illustrate a comprehensive approach to exerting pressure that goes beyond military means.

The imposition of extensive economic and digital restrictions by both nations demonstrates a deliberate strategy to leverage economic interdependence and digital infrastructure as tools of statecraft. This indicates a shift towards a more comprehensive, multi-domain approach to conflict, where pressure is exerted not only militarily but also through economic sanctions and digital blockades, impacting civilian life and regional connectivity.

Internal Political Repercussions in Thailand

The border dispute had a significant impact on Thailand's internal politics, leading to the suspension of Prime Minister Paetongtarn Shinawatra from her post due to an ethics investigation related to her handling of the crisis.

A leaked phone call between Prime Minister Shinawatra and former Cambodian leader Hun Sen, in which she referred to him as "uncle" and dismissed a Thai commander as someone who "just wanted to look cool," deepened internal divisions and sparked public outrage, leading to calls for her resignation and the withdrawal of a key coalition partner. This incident highlights the vulnerability of political leadership to information leaks during crises.

The significant political fallout in Thailand, triggered by the leaked phone call involving Prime Minister Paetongtarn Shinawatra, underscores the profound vulnerability of political leadership to information warfare tactics and the exacerbation of internal divisions during external crises. This event demonstrates how seemingly informal communications can be instrumentalized to directly undermine a nation's political stability and public trust.

The Cyber Offensive: Actors, Tactics, and Objectives

The cyber dimension of the Cambodia-Thailand conflict saw the emergence of distinct actors, tactics, and objectives, reflecting the growing complexity of modern warfare.

Cambodian Hacktivism: The AnonSecKh Campaign

Motivation and Operational Profile of AnonSecKh (ANON-KH, Bl4ckCyb3r):

AnonSecKh, also known as ANON-KH or Bl4ckCyb3r, is a prominent pro-Cambodian hacktivist group.3 Its operations are explicitly "politically motivated," primarily targeting countries perceived as harmful to Cambodia. The group communicates and claims responsibility for attacks via Telegram channels, often providing "proof-of-impact reports" to validate its claims.8 This indicates a degree of operational sophistication and a deliberate strategy to publicize its actions to maximize political effect. AnonSecKh's activity is "tightly linked to political incidents" and shows a "reactive pattern," serving as a form of "digital retaliation."8 This confirms the direct correlation between real-world geopolitical events and their cyber responses.

Timeline and Volume of Attacks (May 28 - June 10, 2025):

AnonSecKh began its campaign earlier, on March 23, 2025, initially targeting Thai government websites before expanding its scope. This demonstrates a pre-existing capability and a gradual escalation of activity. A "significant escalation" in AnonSecKh's activity was observed immediately after the May 28, 2025, border incident.8 This date marks the critical turning point for the cyber offensive.

Quantitatively, between May 1 and May 27, only 20 attack claims targeting Thailand were recorded; however, between May 28 and June 10, this number "jumped to a staggering 64." Radware specifically reported 73 attacks against Thai organizations in the period from May 28 to June 10. These data highlight the intense and concentrated nature of the cyber offensive. Although there was a temporary slowdown in early June, AnonSecKh resumed and intensified its attacks following a strong public statement from the Thai military on June 6. This indicates the group's reactive and adaptive operational pace, directly linked to real-world events.

The precise timing and sharp escalation of AnonSecKh's attacks immediately following the May 28 border incident indicate a clear strategy of reactive, politically motivated "digital retaliation." This underscores the growing role of hacktivism as a potential deniable proxy for geopolitical disputes at the state level, allowing nations to exert pressure and react without directly engaging in openly state-sponsored cyber warfare, thereby maintaining a degree of plausible deniability.

Primary Attack Vector: Distributed Denial of Service (DDoS):

The predominant attack method employed by AnonSecKh was Distributed Denial of Service (DDoS). These attacks aim to overwhelm target servers with traffic, causing disruptions or paralysis of online services. The group also reportedly carried out website defacements, a common hacktivism tactic for making visible political statements.

Target Sectors: Government, Military, Manufacturing, Financial, and Academic:

Attacks strategically focused on critical sectors: government websites accounted for nearly 30% of claimed targets, closely followed by military institutions at almost 26%. This indicates a clear intent to disrupt state functions and defense capabilities. Beyond core government and military targets, the manufacturing (approximately 15%) and financial (more than 7%) sectors were also hit. This broader targeting suggests an aim to cause economic disruption and erode public trust in essential services. Specific targets included the Ministry of Defense, Ministry of Foreign Affairs, and the Bangkok Metropolitan Administration 9, as well as academic and commercial websites.

The following table summarizes key data related to AnonSecKh's attacks during the period of peak intensity:

Table 2: Summary of AnonSecKh Attacks (May 28 - June 10, 2025)

Allegations of State-Sponsored Cyber Activities

Cambodian Claims of Thai Hackers ("BlackEye-Thai"):

The Cambodian government reported that a Thai hacktivist group, "BlackEye-Thai," had been targeting Cambodian government institutions since mid-June 2025. This suggests a reciprocal cyber offensive, indicative of a "tit-for-tat" dynamic in the digital realm. Information on "BlackEye-Thai" is less detailed in the provided documents compared to AnonSecKh, but their mention is significant for the overall picture.

Accusations of North Korean Involvement in Cambodian Cyber Operations:

Thai media alleged that Cambodia was using North Korean hackers to conduct cyberattacks against Thai institutions. Cambodia vehemently denied such links, retorting that Thailand was attempting to damage its international reputation.4 This is a significant and controversial accusation, pointing to potential state-sponsored cyber warfare capabilities and the challenges of attribution.

North Korea's Cyber Footprint and Money Laundering Networks in Southeast Asia (e.g., Huione Group):

North Korea has a documented history of establishing long-term presences in the digital infrastructure of Southeast Asian countries, including Cambodia, Thailand, and Indonesia, through the distribution of malware and unauthorized access tools. This pre-existing presence lends some plausibility to the accusations of their involvement, even if denied. North Korea actively exploits Southeast Asia's vulnerable financial environment and its links to regional criminal networks to launder illicit cyber proceeds. Casinos and cryptocurrency exchanges in countries like Myanmar, Thailand, Laos, and Cambodia serve as key nodes for these money laundering operations. This highlights a worrying convergence between state-sponsored cybercrime and geopolitical objectives.

In May 2025, the U.S. Financial Crimes Enforcement Network (FinCEN) designated the Cambodia-based Huione Group as a primary money laundering concern, reporting that approximately $37.6 million in cryptocurrency linked to North Korea had been laundered through Huione between 2021 and 2025. It is crucial to note that the Huione Group is reportedly linked to the family of the President of the Cambodian Senate, Hun Sen. This direct link between a Cambodian commercial entity, illicit North Korean financing, and a high-ranking political family adds a complex layer of alleged state complicity or negligence. Further intertwining cybercrime with high-level politics, the Thai government initiated legal action against Hun Sen on July 14, 2025, for alleged cybercrime acts of political interference through social media.

Allegations of North Korean involvement in Cambodian cyber operations, coupled with the U.S. FinCEN's designation of the Cambodia-based Huione Group for North Korean money laundering and its alleged ties to Hun Sen's family, reveal a complex and troubling nexus. This suggests the possibility that state-sponsored cyber capabilities are intertwined with illicit financing and high-level political corruption, significantly complicating regional cybersecurity efforts and raising questions about Cambodia's adherence to international sanctions and norms.

Information Warfare and Cybercrime as Dimensions of the Conflict

The Role of Disinformation and AI-Generated Fake News:

Cyberattacks were accompanied by active disinformation campaigns from both sides. The Thai government issued warnings to its citizens about online fake news, including fabricated stories claiming that Thailand would seize or invade Cambodia. Notably, some of this fake news was reportedly generated using Artificial Intelligence (AI) and impersonated Cambodian institutions and the voices of Cambodian leaders.4 This indicates a sophisticated level of information manipulation, leveraging advanced technology to sow discord and influence public perception. The Cambodian government also warned its citizens about fake news originating from foreign sources.

The explicit mention of AI-generated fake news as part of disinformation campaigns demonstrates a significant advancement in information warfare tactics. This poses a profound threat to public trust and national cohesion, as it enables the rapid creation and dissemination of highly convincing, albeit false, narratives. This, coupled with the impact of the leaked phone call on Thai internal politics, illustrates how sophisticated information manipulation can directly destabilize a nation's political landscape and public trust.

Interference with Cross-Border Anti-Scam Operations:

The escalation of bilateral tensions severely strained cross-border law enforcement cooperation aimed at combating transnational criminal syndicates, particularly online scams.4 This demonstrates how geopolitical conflict can inadvertently create a more permissive environment for criminal enterprises. The Thai government reported significant difficulties cooperating with Cambodia to investigate online scam centers due to hampered communication and information sharing. Mutual accusations of complicity in cybercrime further complicated cooperation: Hun Sen accused Thailand of supplying electricity and internet to scam centers, while Thailand initiated legal action against him.

The politicization of cross-border anti-scam operations is a worrying development. It indicates that geopolitical tensions can directly impede critical international law enforcement efforts against transnational organized crime. This inadvertently creates safe havens for cybercriminals and exacerbates the global online scam problem, demonstrating how state-level disputes can have cascading detrimental effects on broader security issues.

The following table provides an overview of alleged cyber actors and their roles in the conflict:

Table 3: Alleged Cyber Actors and Their Roles

Impact and Regional Implications

The cyber clashes between Cambodia and Thailand in May 2025 generated far-reaching consequences, affecting bilateral trust, cybersecurity cooperation, and setting a worrying precedent for regional stability.

Erosion of Trust and Hindrance to Cybersecurity Cooperation

A significant and concerning outcome of the conflict is the marked "decline" in bilateral trust in cyberspace between Cambodia and Thailand. This erosion of trust represents a critical long-term consequence, directly impacting future collaboration. This diminished trust is set to hamper cybersecurity and digital defense cooperation between the two neighboring countries, particularly when political tensions influence operational-level engagements. This constitutes a strategic vulnerability for both nations and the broader region. The practical challenges faced by Thailand in cooperating with Cambodia on online scam investigations, due to strained bilateral relations, serve as a concrete example of this hindrance.

The significant erosion of "digital trust" is a critical long-term consequence, as it fundamentally undermines the basis for collective cybersecurity efforts in an increasingly interconnected digital infrastructure-dependent region. This distrust could lead to a fragmented regional cyber defense landscape, making all member states, not just the directly involved parties, more vulnerable to a wider range of external and internal cyber threats.

Precedent for Cyber Contestation within ASEAN

The persistence of bilateral tensions in cyberspace "could signal the start of open or discreet cyber contestation between ASEAN member states arising from disputes over sovereignty that involved a military confrontation." This is an important warning, as it suggests a new and potentially destabilizing mode of conflict resolution (or perpetuation) within the regional bloc. ASEAN's "perceived institutional silence" regarding the conflict, perhaps attributable to its traditional practice of quiet diplomacy, raises concerns about the bloc's ability to effectively mediate or contain such digital disputes among its members.

The possibility that the conflict "signals the start of open or discreet cyber contestation between ASEAN member states," coupled with ASEAN's "perceived institutional silence," highlights a significant governance gap. This implies an urgent need for ASEAN to evolve its traditional "quiet diplomacy" approach to explicitly include robust mechanisms for cyber conflict resolution and cooperation, or risk internal digital fragmentation and a diminished capacity to maintain regional peace and stability in the digital age.

Assessment of Thailand's Cyber Vulnerabilities

Thailand has experienced a significant increase in cyberattacks in recent years, culminating in a sharp escalation in both frequency and sophistication in 2025, with over 1,000 cyber incidents recorded between January and May alone. This indicates a pre-existing systemic vulnerability that was likely exploited during the conflict.

It is alarming to note that over 63% of Thai organizations reported experiencing data breaches, and more than half admitted to paying ransoms. These statistics underscore the urgent and pervasive threat to Thailand's national digital infrastructure and highlight systemic weaknesses in its cybersecurity posture. Past high-profile incidents, such as the 2023 9near hack (which leaked the personal data of 55 million citizens) and the 2022 TCAS breach (which exposed data of over 23,000 students), further demonstrate widespread vulnerabilities stemming from outdated systems, insecure cloud storage, or poor encryption standards. This historical context suggests that the May 2025 attacks were not isolated, but indicative of a broader, ongoing national cybersecurity challenge for Thailand.

Thailand's documented history of extensive cyber vulnerabilities and attacks suggests that the May 2025 incidents were not merely a reactive response from Cambodia but an exploitation of known systemic weaknesses. This implies that Thailand's current national cybersecurity posture is a significant strategic liability, making it a persistent and attractive target in any future digital conflict and necessitating a fundamental, long-term overhaul of its digital defenses.

International Diplomatic Intervention

On July 26, 2025, in a significant diplomatic development, the former President of the United States issued a statement regarding his efforts to mediate the conflict. He stated that he had spoken with the Prime Minister of Cambodia to stop the war with Thailand and was in the process of calling the Acting Prime Minister of Thailand to request a ceasefire and an end to the ongoing conflict. He emphasized that the United States is dealing commercially with both countries but does not intend to make any deals if they are fighting, a position he communicated to both parties. He also mentioned that the situation, though complex, reminds him of the conflict between Pakistan and India, which was successfully halted, and expressed concern for the many lives being lost.

Conclusion

The conflict between Cambodia and Thailand in May 2025 serves as a significant case study illustrating the unprecedented and intrinsically interconnected nature of physical and cyber conflicts in the modern era. This dispute rapidly transcended traditional boundaries, evolving into a full-spectrum cyber confrontation that integrated hacktivism, alleged state-sponsored activities, sophisticated disinformation campaigns, and the exploitation of cybercrime networks.

The strategic use of cyberspace as a domain for "digital retaliation" offers a new avenue for conflict expression. While this may potentially mitigate immediate military escalation, it severely erodes digital trust and cooperation, which are essential for cybersecurity and regional stability. The controversial accusations of North Korean involvement and the intertwining of illicit financing with state-linked entities add a critical layer of complexity, highlighting profound challenges in attribution, the pervasive nature of state-sponsored cyber threats, and the potential for political corruption to facilitate illicit activities.

Thailand's pre-existing and systemic cyber vulnerabilities were significantly exposed during the conflict, underscoring an urgent and ongoing need for robust national cybersecurity strategies and investments across the region. The conflict represents a critical test for ASEAN's traditional mechanisms in managing internal disputes, potentially setting a precedent for future cyber contestation among member states and necessitating an evolution in digital diplomacy and regional security frameworks.

The Cambodia-Thailand dispute serves as a compelling microcosm of the hybrid nature of modern geopolitical warfare. Traditional territorial disputes are no longer confined to physical battlefields but are amplified, complicated, and extended into the digital domain. This demands a fundamental shift in diplomatic, security, and defense paradigms, requiring integrated and holistic responses that simultaneously address both the kinetic and cyber aspects of conflict.

The apparent lack of effective regional mechanisms within ASEAN to address intra-bloc cyber disputes, as implied by the "perceived institutional silence," highlights a significant and urgent governance gap. This suggests that ASEAN must proactively evolve its "quiet diplomacy" approach to explicitly incorporate robust frameworks for cyber conflict resolution, attribution, and cooperation, or risk internal digital fragmentation that could undermine its collective security and economic integration goals.