A number of "gov.bd" domains of government websites in Bangladesh are being used to advertise pornography, adult content, gambling, and leaked OnlyFans videos.
Even a blog post on Shikkhok Batayon, the government's teachers' educational portal run under the Ministry of Education, had been injected with explicit pornographic text and direct links to external adult sites.
These are not the work of a sophisticated state-sponsored hacking collective. No zero-day exploit was deployed. No classified system was breached. The individuals behind these insertions required, in most cases, little more than a web browser, a basic understanding of how search engines index content, and the knowledge that Bangladesh's government websites were, and in many cases remain, entirely unguarded.
A detailed digital investigation published on June 2, 2026, by The Dissent, Bangladesh's independent investigative outlet, documented the full extent of this crisis.
Their research identified at least 10 government domains and subdomains compromised by adult spam, gambling advertisements, malicious APK promotions, and phishing traps, all operating beneath the trusted umbrella of the .gov.bd domain.
The findings demand examination not merely as a cybersecurity story, but as a story about governance, institutional accountability, and the social contract between the state and its citizens in the digital age.
The most urgent takeaway from The Dissent's investigation is one that security professionals will find simultaneously obvious and maddening: the exploits being carried out against Bangladesh's government infrastructure are elementary. They do not require “elite hacking” skills.
The investigation identified four principal attack methods in use across the compromised domains.
1. SEO Poisoning
This is the campaign's most visible layer. Cybercriminals inject content into government web pages, optimised for specific adult or gambling-related search keywords. Because Google's algorithm assigns high trust and authority to .gov.bd domains, this injected content ranks quickly and prominently in search results. A Bangladeshi user searching for certain terms is served a government-branded link that redirects them to a phishing page, a fraudulent survey, or a malware download.
The technique is well-documented globally and requires no coding expertise beyond basic HTML knowledge. Free SEO tools, widely available keyword research platforms, and automated scripts handle the heavy lifting.
2. Stored HTML Injection and Cross-Site Scripting (XSS)
The Dissent found that a blog post on Shikkhok Batayon, the government's teachers' educational portal, run under the Ministry of Education, had been injected with explicit pornographic text and direct links to external adult sites. The article in question was ostensibly about Abraham Lincoln. The injected content sat in plain view within the article body.
This attack succeeds because the website's content management system accepts user-submitted text without running it through adequate sanitisation filters. In cybersecurity terms, this is classified as Stored HTML Injection or, in more interactive contexts, Cross-Site Scripting (XSS). It is among the best-documented vulnerability classes in existence. The Open Web Application Security Project (OWASP) has listed injection attacks in its Top 10 vulnerability list consistently for over a decade.
A person with an afternoon's worth of self-teaching from freely available online resources could identify and exploit an unsanitised input field. This is not advanced. It is basic.
3. Malicious File Upload Injection
On the Grievance Redress System (GRS) portal, the government's citizen complaint platform, automated scripts were used to upload adult-linked PDF files directly to the government server. The file upload mechanism lacked the filters necessary to reject non-compliant or malicious content.
Similarly, on the Bangladesh Meteorological Department website and the Payra-Kuakata Project portal, text files containing gambling advertisements were generated in server directories because system administrators had failed to properly configure file permission settings.
4. Subdomain Hijacking and Directory Compromise
Perhaps the most structurally alarming finding concerns the Cumilla Education Board, where at least four subdomains were found to host online gambling links. This indicates a higher level of access: the attacker has gained server-level control and inserted casino scripts directly into the site's database or file directories. This is consistent with exploitation of outdated server software, default credentials, or unpatched content management system vulnerabilities.
The Dissent also documented a fifth, commercially deceptive tactic: fake Google Play Store interface pages hosted on government domains, presenting malware-laden APK files for gambling apps and pirated software as though they were legitimate Google listings. This is social engineering built on borrowed institutional credibility.
What Should Have Been Done: Security in the Development Lifecycle
Each of the attack types documented by The Dissent corresponds to a failure at a specific, identifiable point in the web development and deployment process. These are not obscure vulnerabilities that emerged from novel attack research. They are textbook weaknesses with textbook remedies.
Input Sanitisation and Output Encoding
Every web form, text editor, and file upload field that accepts user input must validate and sanitise that input before processing or storing it. This means stripping or encoding HTML tags, script elements, and executable code. It means enforcing strict file type and size restrictions on upload mechanisms. It means rejecting inputs that do not conform to defined patterns.
Frameworks for achieving this exist in every major programming language. The fact that a blog post field on a government education portal was able to accept and display external hyperlinks is evidence that this fundamental step was either skipped or implemented inadequately.
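As an added illustration (my own example, not code from the portal or from The Dissent's report) of the two remedies named above for a blog-post field like the one on Shikkhok Batayon: output encoding, which shows stored text verbatim and makes every tag inert, and input sanitisation, which keeps a few formatting tags and only links to an allowlisted host while dropping script content. The sample submission, the hostnames and the allowlist are constructed for the example.

```python
import html
from html.parser import HTMLParser
from urllib.parse import urlparse

SUBMITTED_POST = (  # constructed sample with injected markup, placeholder hosts
    'Abraham Lincoln was the 16th president. <a href="https://attacker.example/x">watch now</a> '
    '<script>location="https://attacker.example/p"</script>')
ALLOWED_LINK_HOSTS = {"teachers.gov.example"}  # hypothetical link allowlist


def render_encoded(post):
    """Output encoding: the stored text is shown verbatim, every tag made inert."""
    return f"<article>{html.escape(post)}</article>"


class LinkAllowlistSanitiser(HTMLParser):
    """Input sanitisation: keep b/i/p, keep <a> only for https links to allowlisted
    hosts, drop script/style with their contents, strip other tags but keep text."""
    KEEP = {"b", "i", "p"}
    RAW = {"script", "style"}  # HTMLParser delivers their bodies as plain data

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.open_a, self.in_raw = [], [], False

    def handle_starttag(self, tag, attrs):
        if tag in self.RAW:
            self.in_raw = True
        elif tag in self.KEEP:
            self.out.append(f"<{tag}>")
        elif tag == "a":
            href = dict(attrs).get("href") or ""
            url = urlparse(href)
            ok = url.scheme == "https" and url.hostname in ALLOWED_LINK_HOSTS
            if ok:
                self.out.append(f'<a href="{html.escape(href, quote=True)}">')
            self.open_a.append(ok)  # remember whether a closing tag is owed

    def handle_endtag(self, tag):
        if tag in self.RAW:
            self.in_raw = False
        elif tag in self.KEEP:
            self.out.append(f"</{tag}>")
        elif tag == "a" and self.open_a and self.open_a.pop():
            self.out.append("</a>")

    def handle_data(self, data):
        if not self.in_raw:
            self.out.append(html.escape(data))  # re-encode decoded entities


def sanitise(post):
    parser = LinkAllowlistSanitiser()
    parser.feed(post)
    parser.close()
    return "".join(parser.out)
```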
File Permission Configuration
Web servers should operate on the principle of least privilege: each component of the system should have access to only the directories and files it requires, and no more. The fact that automated bots were able to write files into government server directories indicates that read/write permissions were left in a permissive, often default, configuration. Hardening these settings is a standard deployment step.
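To make the least-privilege point concrete, here is an added Python audit (my own example, not a tool from the report) that walks a web root and flags directories writable by group or others outside an allowlist, plus script-named or executable files inside the directories that are meant to be writable, which is how dropped advertisement files turn into a foothold. The sample tree and the allowlist are constructed for the example.

```python
import os
import stat
import tempfile

# Assumptions for this example: the application only needs to write under
# "uploads"; every other directory in the web root should be read-only to it.
WRITABLE_ALLOWLIST = {"uploads"}
# Extensions a typical server-side stack would execute if dropped into a writable dir.
SCRIPT_EXTENSIONS = {".php", ".cgi", ".pl", ".py", ".sh"}


def audit_web_root(root):
    """Return (relative path, finding) pairs for least-privilege violations:
    writable directories outside the allowlist, executable content inside it."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        rel = os.path.relpath(dirpath, root)
        rel = "" if rel == "." else rel
        if rel.split(os.sep, 1)[0] in WRITABLE_ALLOWLIST:
            for name in filenames:
                path = os.path.join(dirpath, name)
                fmode = stat.S_IMODE(os.stat(path).st_mode)
                is_script = os.path.splitext(name)[1].lower() in SCRIPT_EXTENSIONS
                if is_script or fmode & stat.S_IXUSR:
                    findings.append((os.path.join(rel, name),
                                     "executable content in writable directory"))
        else:
            dmode = stat.S_IMODE(os.stat(dirpath).st_mode)
            if dmode & (stat.S_IWGRP | stat.S_IWOTH):
                findings.append((rel, "directory writable by group/others"))
    return findings


def build_demo_root():
    """Constructed sample tree reproducing both misconfigurations."""
    root = tempfile.mkdtemp(prefix="webroot-")
    for sub, mode in (("uploads", 0o750), ("includes", 0o777), ("assets", 0o755)):
        os.mkdir(os.path.join(root, sub))
        os.chmod(os.path.join(root, sub), mode)
    with open(os.path.join(root, "uploads", "complaint.pdf"), "wb") as f:
        f.write(b"%PDF-1.4 constructed sample")
    with open(os.path.join(root, "uploads", "dropped.php"), "w") as f:
        f.write("placeholder for a file an upload bot managed to write")
    return root


if __name__ == "__main__":
    for path, finding in audit_web_root(build_demo_root()):
        print(f"{path or '.'}: {finding}")
```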
Security QA and Penetration Testing Before Deployment
The cumulative picture painted by The Dissent's investigation is of government websites deployed without any meaningful security quality assurance process. A pre-deployment penetration test, even a basic one conducted against OWASP's Top 10 checklist, would have identified unsanitised input fields, misconfigured file permissions, and open directory listings as immediate high-priority vulnerabilities.
Bangladesh's government, as the procuring entity for these websites, should bear direct responsibility for the apparent absence of mandatory security testing standards in its procurement and deployment specifications. A website that handles citizen data, public services, or official communications should not be launched without a documented and independent security assessment.
Patch Management and Software Currency
Many of the compromised sites appear to be running outdated versions of content management systems and server software. Attackers maintain continuously updated databases of known vulnerabilities in popular platforms. An unpatched CMS is a standing invitation. Regular, scheduled patch management is non-negotiable infrastructure hygiene.
Central Monitoring and Real-Time Threat Detection
The Dissent's investigation makes explicit what should concern government administrators most: Thai, Indonesian, and Turkish-language casino advertisements were actively indexed on government servers, and no one noticed. The investigation was conducted by a newsroom, not by a government security team.
The absence of a centralised web monitoring system, one capable of flagging anomalous content changes, unusual file writes, or unexpected metadata in government web pages, represents a foundational failure. Real-time threat detection does not require cutting-edge resources. Web application firewalls (WAFs), automated content integrity checks, and log monitoring tools are established, widely deployed technologies.
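An added example of the kind of content-integrity check described here (my own code, not something the government or The Dissent runs): a Python monitor that hashes a clean deployment into a baseline manifest, then reports new, changed or removed files and scans current pages for spam keywords and for the hidden-block or meta-refresh markup typical of SEO poisoning. The indicator list and the sample site are constructed for the example.

```python
import hashlib
import os
import re
import tempfile

# Constructed indicator list; a real deployment maintains its own.
SPAM_WORDS = re.compile(r"\b(casino|slot|betting|onlyfans|apk download)\b", re.I)
# Hidden blocks and meta-refresh redirects are common SEO-poisoning insertions.
HIDDEN_OR_REDIRECT = re.compile(r'display\s*:\s*none|http-equiv\s*=\s*"refresh"', re.I)


def build_baseline(root):
    """SHA-256 of every file under root, keyed by relative path (known-good manifest)."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as f:
                manifest[os.path.relpath(path, root)] = hashlib.sha256(f.read()).hexdigest()
    return manifest


def check_integrity(root, baseline):
    """Compare the live tree with the baseline and scan current content; sorted alerts."""
    current = build_baseline(root)
    alerts = []
    for rel in sorted(set(current) | set(baseline)):
        if rel not in baseline:
            alerts.append((rel, "new file written to web tree"))
        elif rel not in current:
            alerts.append((rel, "file removed"))
        elif current[rel] != baseline[rel]:
            alerts.append((rel, "content changed since baseline"))
        if rel in current:  # content scan runs on every live file, changed or not
            with open(os.path.join(root, rel), "rb") as f:
                text = f.read().decode("utf-8", "replace")
            for label, pattern in (("spam keyword", SPAM_WORDS),
                                   ("hidden/redirect markup", HIDDEN_OR_REDIRECT)):
                hit = pattern.search(text)
                if hit:
                    alerts.append((rel, f"{label}: {hit.group(0)}"))
    return alerts


def demo():
    """Constructed scenario: clean page baselined, then an injected hidden paragraph
    and a dropped advertisement text file, as in the documented incidents."""
    root = tempfile.mkdtemp(prefix="site-")
    page = os.path.join(root, "lincoln.html")
    with open(page, "w") as f:
        f.write("<p>Abraham Lincoln was the 16th president.</p>")
    baseline = build_baseline(root)
    with open(page, "a") as f:
        f.write('<div style="display:none">best online casino bonus</div>')
    with open(os.path.join(root, "promo.txt"), "w") as f:
        f.write("free slot games")
    return check_integrity(root, baseline)
```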
The damage inflicted by this campaign extends well beyond the technical. It reaches into the daily lives of ordinary citizens and carries measurable economic consequences for the country.
Citizen Harm: Phishing, Malware, and Financial Fraud
Every compromised government link is a potential trap for an unsuspecting citizen. The phishing pages to which users are redirected frequently request credit card information under the pretext of accessing adult content. Users who comply expose themselves to financial fraud. Others are prompted to download APK files, presented as legitimate apps, that install data-stealing trojans or ransomware on their devices.
These are not theoretical risks. They are the documented endpoints of the redirect chains catalogued by The Dissent. A citizen who clicks on what appears to be a Bangladesh government link and ends up on a fraudulent payment page has been victimised by an infrastructure that exists to protect them.
Exploitation of Children's Spaces
The appearance of adult content and gambling advertisements indexed against the Child Social Protection Portal is not merely an embarrassment. It represents a specific and serious safeguarding failure.
The association of explicit content with a platform designated for child welfare, in the search results of any user who encounters it, is an outcome that no regulatory framework or ethical standard can excuse.
Legal Exposure and Regulatory Breach
Bangladesh's Cybersecurity Act 2026 and the Pornography Control Act 2012 both prohibit the distribution of pornographic content and gambling-related material through digital platforms accessible to Bangladeshi users. The Dissent makes clear that the active presence of this content on government servers constitutes an explicit violation of both statutes. While the government is, in this case, the victim of the intrusion rather than the author of the content, the prolonged failure to detect and remove the material raises questions of institutional culpability.
Economic Costs: CPA Fraud and Advertising Harm
The OnlyFans-related spam documented by The Dissent falls into the category of Cost-Per-Action (CPA) fraud, a form of advertising fraud in which criminal actors generate false clicks or engagement to siphon money from legitimate marketing budgets. Brands and advertising networks that are unwittingly associated with this traffic suffer both financial losses and reputational contamination. At scale, CPA fraud represents a significant drain on the digital advertising ecosystem.
Deterrent to Foreign Investment and Digital Trust
Bangladesh is actively positioning itself as a destination for digital investment and as a participant in the global digital economy. The spectacle of government websites indexing gambling advertisements in Vietnamese and pornographic content in Arabic, discoverable by any researcher or investor conducting basic due diligence, is antithetical to that positioning. Digital trust is a prerequisite for digital commerce, and it is not rebuilt quickly once lost.
Government websites occupy a special position in the information ecosystem. They are, by definition, the authoritative voice of the state in digital space. When citizens access a .gov.bd domain, they extend to it a presumption of legitimacy, accuracy, and safety that they do not extend to other websites. This presumption is the foundation of digital public service delivery.
The compromises documented by The Dissent shatter that presumption across more than 10 domains. The list of affected sites includes the Judiciary Portal, the National Board of Revenue, the Bangladesh Computer Council, the Child Social Protection Portal, and the Grievance Redress System: institutions whose core function is the administration of justice, revenue, digital infrastructure, child welfare, and citizen redress respectively.
The reputational harm is compounded by the nature of the content involved. It is not merely that these websites were defaced or that their servers were used for spam. Adult content and gambling promotions are categories that carry significant social and cultural weight in Bangladesh, where they are both legally prohibited and widely considered socially offensive. Their association with official government platforms is not a neutral security incident. It is a visceral affront to the institutions they represent.
More damaging still is what the incident reveals about the quality of government procurement and project management in the digital sphere. The Dissent's investigation strongly implies that the compromised websites were deployed without adequate security testing, and that the trivial, well-documented vulnerabilities exploited by these actors were present from the moment the sites went live.
This is a governance failure that precedes the security failure. Government agencies that commission digital infrastructure without mandating security quality assurance testing, without specifying patch management obligations in contracts, and without establishing post-deployment monitoring requirements are not merely negligent in a technical sense. They are negligent toward the citizens whose data and trust they hold.
It is also worth noting the international dimension of the attackers. The content injected into these sites includes Indonesian, Thai, Vietnamese, Turkish, and Arabic material, indicating that Bangladesh's government domains have been catalogued and are actively targeted by international syndicate networks that specialise in exploiting low-security government infrastructure in developing countries. Bangladesh is not uniquely targeted; it is a target of opportunity. The remedies are equally available.
Prevention: A Practical Framework
The path to remediation is well-established. What follows is not a speculative wish list. It is a set of baseline security standards that any competent digital infrastructure programme should already have in place.
Immediate Actions
Conduct an emergency audit of all active .gov.bd domains and subdomains to identify and remove injected content, malicious files, and compromised directories.
Engage the Bangladesh Computer Council (BCC) and the National Cybersecurity Agency to establish a rapid-response incident team with the authority and technical capacity to act across government domains.
Temporarily suspend or sandbox sites with confirmed directory write vulnerabilities or subdomain hijacking until remediation is verified.
Mandatory Pre-Deployment Security Standards
All government websites must undergo a documented penetration test against, at minimum, the OWASP Top 10 checklist before going live. Results must be signed off by an independent assessor.
Procurement contracts for digital infrastructure must include explicit security specifications: input sanitisation requirements, file permission standards, encryption mandates, and post-launch patch management schedules.
Security Software Quality Assurance must be treated as a mandatory deliverable, not an optional enhancement, in every government digital project.
Ongoing Operational Security
Deploy a centralised Web Application Firewall (WAF) across government domains to filter malicious input before it reaches application layers.
Implement automated content integrity monitoring, systems that flag anomalous changes to page content, unexpected file writes, or new directory entries, with alerts routed to a dedicated operations team.
Establish a mandatory software and CMS patch cycle with a maximum permitted lag between patch release and deployment across government infrastructure.
Configure server file permissions on the principle of least privilege. No web-facing service should have write access to directories beyond its operational requirement.
Structural and Institutional Reforms
Establish a government web security standard, a binding set of minimum security requirements that all government web projects must certify compliance with before procurement approval.
Create a government bug bounty programme or responsible disclosure channel to allow security researchers to report vulnerabilities in government infrastructure without fear of legal consequences under existing cybercrime statutes.
Mandate regular (at minimum, annual) third-party security audits of all active government websites, with public disclosure of findings and remediation timelines.
Develop and enforce a clear incident response protocol for government web compromises, including mandatory public notification when citizen-facing services are affected.
Final Thoughts: The Unlocked Door
There is a temptation, in the reporting of cybersecurity incidents, to reach for the language of warfare and espionage. That language is occasionally earned. In this case, it would be misleading.
What The Dissent has documented is not a sophisticated attack. It is a systematic exploitation of negligence. The attackers did not break down the doors of Bangladesh's government websites. They walked through doors that had been left open, in some cases since the day the sites were built.
SOURCE: Original investigation by Suhanur Rahman, The Dissent | thedissent.news | Published June 2, 2026