
Market Fraud Wave Is a System Problem, Not a Software Bug

Key Takeaways

Fraud in Indonesia’s capital markets exploits system gaps at brokers, APIs, and investor accounts—not the exchange or regulator core.
Industry leaders argue that technology, regulation, and operational processes must evolve together to restore investor confidence.
High-speed surveillance and real-time risk controls are essential as Indonesia prepares for rising trading volumes.
OJK, IDX, and market participants agree that coordinated upgrades—not isolated fixes—are needed to build a safer, modern market.

JAKARTA, Investortrust.id — The cases landed like scenes from a financial thriller. Carefully engineered frauds slipped through the cracks of Indonesia’s market infrastructure, exposing vulnerabilities no regulator can ignore anymore.

A trader opens multiple brokerage accounts, buys near-worthless stocks at one rupiah, then arranges matched trades to sell them at 20,000. Clients wake up to find their online trading accounts emptied, blue-chip portfolios liquidated and replaced with illiquid junk. Brokers discover that transfer instructions to investor fund accounts have been hijacked mid-stream, sending hundreds of billions of rupiah into crypto wallets they never authorized.

On stage at the Investortrust Capital Market Forum 2025 on Thursday, Lily Widjaja, Executive Director of the Association of Securities Companies, put charts and diagrams to these cases. The room of regulators, exchange officials and industry executives was quiet.

But for Shuvam Misra, the technology architect behind many of India’s critical market systems, the most important detail was what did not happen in any of these cases.

“None of these episodes required breaking into IDX or OJK core systems,” the founder chairman of Remiges Technology said. “These are not classic software hacks against the exchange. They exploit weaknesses in the wider system—rules, member applications, investor behaviour, and connectivity.”

That distinction matters, because it determines the cure.

Three Cases, One Pattern: The Weakest Link Is Not the Exchange

On the stage, Lily grouped the recent incidents into three clusters.

In Case 1, a fraudster opens accounts at broker X and broker Y. At broker Y, the perpetrator buys illiquid stocks—call them ABCD—at one rupiah and simultaneously places sell orders at 20,000. At broker X, the counterparty broker, he places buy orders at 20,000. The orders match on the Indonesia Stock Exchange (IDX) at 20,000.

The trades clear through KPEI, the Indonesia Clearing and Guarantee Corporation, just like any other transaction. KPEI sends settlement funds to the selling broker. The selling broker, seeing a legitimate exchange trade, pays the client. The fraudster withdraws the cash and then simply fails to pay for the 20,000-rupiah buy at broker X. Broker X eats the loss.
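
As an added illustration, not taken from the forum presentation or from any exchange's system, the Case 1 pattern can be written as a surveillance check that holds the payout of sale proceeds when both sides of a trade resolve to one beneficial owner or the price sits far outside a reference band. The account-to-owner mapping, reference prices and tolerance are constructed assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Trade:
    symbol: str
    price: int          # rupiah per share
    buy_account: str    # account at the buying broker
    sell_account: str   # account at the selling broker

# Constructed sample data: account -> beneficial owner, as a surveillance
# system would resolve it from investor identity records (assumption).
OWNER = {"X-1001": "owner-7", "Y-2002": "owner-7",
         "Z-3003": "owner-9", "X-1500": "owner-4"}
REFERENCE_PRICE = {"ABCD": 1, "BLUE": 9000}  # last undisturbed price, constructed
MAX_RATIO = 1.35  # hypothetical tolerance band around the reference price

def review(trade):
    """Return the reasons this trade should be held for review (empty if none)."""
    reasons = []
    buyer = OWNER.get(trade.buy_account)
    seller = OWNER.get(trade.sell_account)
    if buyer is not None and buyer == seller:
        reasons.append("same beneficial owner on both sides")
    ref = REFERENCE_PRICE.get(trade.symbol)
    if ref is None:
        reasons.append("no reference price")
    elif trade.price > ref * MAX_RATIO or trade.price < ref / MAX_RATIO:
        reasons.append(f"price {trade.price} outside band around {ref}")
    return reasons

def hold_settlement_payout(trades):
    """Map trade index -> reasons for trades whose sale proceeds should not be
    released to the client until the trade has been reviewed."""
    return {i: r for i, t in enumerate(trades) if (r := review(t))}

# Constructed trades: the Case 1 pattern, an ordinary trade, and an abnormal
# price between unrelated owners.
TRADES = [
    Trade("ABCD", 20000, "X-1001", "Y-2002"),
    Trade("BLUE", 9050, "Z-3003", "X-1500"),
    Trade("ABCD", 20000, "Z-3003", "Y-2002"),
]

if __name__ == "__main__":
    for idx, reasons in hold_settlement_payout(TRADES).items():
        print(idx, TRADES[idx], reasons)
```
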

Lily Widjaja, Executive Director of the Indonesian Securities Companies Association, delivers her remarks during a panel discussion at the Investortrust Capital Market Forum 2025 in Jakarta, Thursday, Dec. 4, 2025. (Dicki Antariksa)
Source: Investortrust

In Case 2, criminals use phishing, malware or social engineering to gain unauthorised access to a client’s online trading account. They sell good, liquid holdings—blue-chip stocks—and use the cash to churn illiquid names, driving prices up through repeated trades. Once enough paper profit has been manufactured, they withdraw cash out of the client’s RDN (Rekening Dana Nasabah), the segregated investor fund account held at a bank.

The client is left with a portfolio of illiquid junk purchased at inflated prices.

In Case 3, brokers discover that high-frequency transfer instructions between their back-office systems and RDN banks have been altered at the API level. The brokers never sent orders to pay out to external fraudster accounts; yet the banks received payloads instructing them to do exactly that. Once funds left the RDN, they were quickly converted into cryptocurrency, making them hard to trace.

This last pattern hit some brokers with losses in the hundreds of billions of rupiah, Lily said, forcing self-regulatory organizations (SROs) to issue an emergency joint circular.

Harshad Mehta, Revisited

Misra has seen this movie before.

He compared Indonesia’s situation to India’s celebrated Harshad Mehta scandal in the early 1990s, when a star trader exploited loopholes between banks, brokers and the central bank to inflate stock prices. Mehta did not “hack” computers; he used the rulebook and the plumbing against itself.


“We should be very clear,” Misra said. “These Indonesian cases are happening without any weakness in the core market infrastructure. They are happening because smart people are exploiting gaps in margin rules, surveillance latency, member security, and investor awareness.”

He added a cultural note that drew laughs but made a serious point. “Our cultures in India and Indonesia are very similar. People are smart. Smartness works in both directions. New types of fraud will always appear.”

The conclusion, in his view, is unavoidable: Indonesia’s fraud problem cannot be solved by isolated patches to individual systems. It requires system transformation.

Latency: Risk Management at Market Speed

At the heart of Misra’s argument is latency—the time it takes for risk checks and surveillance systems to respond to trading activity.

When he built a real-time risk system for India’s National Stock Exchange 25 years ago, his team was required to stop one trade before the next one hit the engine. The budget was ten milliseconds per decision, at a time when the exchange expected about 1,000 trades per second.

Founder Chairman of Remiges Technologies Shuvam Misra delivers his remarks during a panel discussion at the Investortrust Capital Market Forum 2025 in Jakarta, Thursday, Dec. 4, 2025. (Mohammad Defrizal)
Source: Investortrust

Today, India’s spot market deals with tens of thousands of trades per second, and derivatives markets can hit volumes 20 to 50 times higher. In that environment, it is impossible to prevent abusive patterns or over-leverage unless risk engines can recalculate exposure and check margin after every trade, at the same speed.

For Indonesia, he argued, this means designing infrastructure for the volumes it wants—not the volumes it has today.

“If Indonesia wants to reach the number of trades and the value we see in India, you must prepare the infrastructure now,” he said. “You cannot wait for the volumes to come first and then upgrade.”

IDX’s Broto Endianto echoed this logic. The exchange already uses AI-based surveillance and “next-generation firewalls” to monitor for abnormal trading. But Broto said the real challenge lies in the broader network: 93 broker members, clearing and settlement houses, and custodian banks, all connected to the trading engine through various “doors” and potential back doors.

“We have dedicated lines to prevent attackers entering the trading engine,” he said. “But we still have many doors we need to protect. We now see that we must start regulating secure coding, multi-factor authentication, and other practices at the member level, not only at IDX.”

Broto said IDX aims to complete a major trading engine refresh by the end of 2026, bringing in newer technology and stronger infrastructure.

Regulation and Technology Must Co-Evolve

Misra is careful to stress that technology on its own will not save the market.

Some of Lily’s cases, particularly the account takeovers, can be mitigated through tighter margin and collateral rules. In India, he said, brokers cannot let traders take positions unless they have posted adequate margin. This protects the broker and allows risk systems to cut off exposure once limits are breached.

But brokers cannot enforce stricter margins if regulators do not clearly define and mandate them. Technology then becomes the tool that enforces those rules, not the origin of them.

“The regulatory framework may make markets slightly less ‘efficient’ in the short term,” Misra said, “but a lot safer. Technology’s job is to enforce regulation at the scale and speed of the market.”

Chief Executive Officer of Investortrust Primus Dorimulu and Investortrust Director Sachin Gopalan pose with speakers and attendees at the Investortrust Capital Market Forum 2025 in Jakarta, Thursday, Dec. 4, 2025. (Dicki Antariksa)
Source: Investortrust

Pepek Marsiah, Head of Public Company and Issuer Supervision at OJK, outlined what the regulator is already doing. OJK operates an electronic reporting system where listed companies file disclosures simultaneously to OJK and IDX, along with a whistleblowing platform for violations. The authority is preparing to launch a new incident-reporting system for exchanges, and is moving towards aligning sustainability and emissions reporting with international standards.

Pepek pointed to the 2023–2027 Capital Market Roadmap, which sets targets not only for the number of listed companies but also for market integrity and investor protection.

“We support market development, but we must hear market feedback,” she said. “Coordination between regulators, SROs and stakeholders is essential if we want to grow together—and hopefully, one day, grow larger than India.”

Hardening the Perimeter: RDN Banks, APIs and BSSN Guidelines

On the front lines, Lily said the damage from the compromised API transfers forced SROs to issue a joint circular in September, instructing RDN banks and brokers to strengthen cybersecurity. The circular carries a compliance deadline of 16 December, requiring tighter monitoring of host-to-host connections, anomaly detection, and controls on out-of-hours high-frequency transfers.
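
The three controls named in the circular can be combined into one screening pass over host-to-host transfer instructions. The sketch below is an added example, not the circular's text or any bank's implementation; the log format, operating hours, rate limit and registered-destination list are all constructed assumptions.

```python
from collections import deque
from datetime import datetime, time, timedelta

BUSINESS_HOURS = (time(8, 0), time(17, 0))  # hypothetical operating window
WINDOW = timedelta(minutes=1)               # hypothetical rate window
MAX_PER_WINDOW = 3                          # hypothetical per-connection limit
# Constructed registry: RDN account -> payout destinations registered by the client
REGISTERED = {"RDN-001": {"BANK-A-111"}, "RDN-002": {"BANK-B-222"}}

# Constructed log lines: timestamp, connection id, RDN, destination, amount (IDR)
LOG = """\
2025-09-01T10:15:00 h2h-7 RDN-001 BANK-A-111 25000000
2025-09-02T01:30:05 h2h-7 RDN-001 EXT-900 480000000
2025-09-02T01:30:10 h2h-7 RDN-002 EXT-900 510000000
2025-09-02T01:30:15 h2h-7 RDN-001 EXT-901 495000000
2025-09-02T01:30:20 h2h-7 RDN-002 EXT-901 500000000
"""

def screen(log_text):
    """Return (line_number, decision, reasons) for every transfer instruction."""
    recent = {}   # connection id -> timestamps still inside the rate window
    results = []
    for n, line in enumerate(log_text.splitlines(), 1):
        ts_s, conn, rdn, dest, _amount = line.split()
        ts = datetime.fromisoformat(ts_s)
        reasons = []
        # Control 1: instructions outside the operating window
        if not (BUSINESS_HOURS[0] <= ts.time() <= BUSINESS_HOURS[1]):
            reasons.append("out-of-hours")
        # Control 2: payout to an account the client never registered
        if dest not in REGISTERED.get(rdn, set()):
            reasons.append("unregistered destination")
        # Control 3: sliding-window rate limit per host-to-host connection
        q = recent.setdefault(conn, deque())
        while q and ts - q[0] > WINDOW:
            q.popleft()
        q.append(ts)
        if len(q) > MAX_PER_WINDOW:
            reasons.append("rate limit exceeded")
        results.append((n, "HOLD" if reasons else "PASS", reasons))
    return results

if __name__ == "__main__":
    for row in screen(LOG):
        print(row)
```
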

She also highlighted the role of the Indonesia Anti-Scam Center (IASC) in tracing stolen funds and the newly issued cybersecurity guidelines from BSSN (Badan Siber dan Sandi Negara). The BSSN manual gives brokers and banks a more accessible path towards good practice, rather than jumping straight into expensive ISO standards.

Misra sees these moves as part of the broader “people, process, technology” triad that Broto also referenced.

“Technology can only address part of the problem,” Broto said. “We need people, processes and technology to work together if we are to meet market expectations.”

Investortrust Director Sachin Gopalan moderates a panel discussion at the Investortrust Capital Market Forum 2025 in Jakarta on Thursday, December 4, 2025. (Dicki Antariksa)
Source: Investortrust

Investor Education: The Missing Third Pillar

If regulation and infrastructure are the first two pillars, Misra argues that investor education is the third.

In many of the cases Lily described, he observed, clients were compromised because they clicked phishing links, reused passwords, or treated online trading accounts like casual apps rather than serious financial instruments.

Technology can help here as well, but in a different way: by distributing education and alerts at scale, pushing cyber-hygiene and risk awareness into smaller cities and rural areas, and reinforcing the idea that capital-market participation comes with responsibilities.

This aligns with a broader growth strategy outlined by fund managers. Ranju Parambi of UBS and Kartika Sutandi of Jarvis Asset Management argued in the same forum that Indonesia’s long-term success depends on retail investors making money and feeling protected. Without that, there will be no sustainable liquidity, and without liquidity, neither foreign institutions nor domestic entrepreneurs will trust the market as a source of capital.

From Fraud Shock to System Upgrade

The temptation, when confronted with the kinds of fraud that shook Indonesian brokers in 2023–2025, is to treat each as an isolated aberration: a bad trader here, a rogue script there, a careless investor, an unlucky API.

Misra’s intervention in Jakarta was to insist on the opposite.

Indonesia, he argued, is not suffering from a few bad lines of code. It is experiencing the growing pains of a market that is trying to become bigger, faster and more inclusive without fully upgrading the rules, infrastructure and habits that govern it.

In that light, the current wave of fraud is not merely a threat. It is a stress test.

“Technology provides the vessel where the market can play with safety,” he said. “But the vessel must be designed for the journey you want to make, not the one you have already completed.”

If Indonesia treats these cases as a trigger for system-level reform—tighter margins, faster and smarter surveillance, secure member applications, hardened APIs, coordinated regulation and aggressive investor education—then the recent scandals may be remembered less as a crisis and more as the turning point when the market finally decided to grow up.
