KUALA LUMPUR: To buy a vape online in Malaysia today, a credit card is no longer enough. You need a referral.
Despite a sweeping nationwide ban on the online sale of e-cigarettes and vaping products under the Control of Smoking Products for Public Health Act (Act 852), the market hasn’t disappeared.
Instead, it has morphed into an underground network of digital speakeasies-invite-only e-commerce platforms that operate entirely out of the view of regulators.
To access one of a growing number of underground vape stores operating in Malaysia, a prospective buyer must first obtain a referral from an existing customer.
Their application is then reviewed by an administrator, who verifies the referrer’s identity before approving a profile to grant access to the platform’s full catalogue of vaping products – many of which fall outside the country’s regulatory framework.
The platforms, which are invisible to casual browsers and inaccessible without prior vetting, are selling vapes with as much as 32,000 puffs per device. This is way above the regulations which cap the puff limit at 3,000 puffs due to capacity limits under Act 852.
Hundreds of vape devices, pods, and e-liquids – many in flavors and packaging explicitly banned under the new regulations – were available for immediate purchase.
ALSO READ: Shadowy vape rings risk public health by evading detection
While authorities have successfully pressured public platforms like Shopee and Lazada to scrub vape listings, they are largely powerless against closed-loop, encrypted networks.
Cybersecurity experts warn that traditional enforcement methods – such as blocking websites – are largely ineffective against this new wave of digital black markets.
Cybersecurity experts who examined the model say the illicit vape trade has grown far more sophisticated than most people realise.
LGMS Bhd chief executive officer Fong Choong Fook said sellers have long since moved past conventional e-commerce.
“It is difficult to police because they don’t even need to set up websites anymore. They operate over forums, chat groups, and Telegram groups. In fact, having a dedicated website is no longer common – they typically operate under social media chat groups,” he said.
While the MCMC has the technical capability to block illicit websites, Fong warned this amounted to little more than a temporary fix. “Technically, it is very easy to block a website. The only problem is that they can spawn a new site every now and then, so it doesn’t solve the problem from the root,” he said.
The challenge deepens significantly when sellers migrate to encrypted platforms.
“If they are operating groups on Telegram or WhatsApp, it is very hard to take action. I have seen Telegram groups selling contraband and smuggled goods. These groups are difficult to abolish because it requires cooperation from the social media platform providers to help block them. This takes a long time and involves complex processes and cross-border legal jurisdictions,” Fong explained.
Tracking the financial trail of
these operations is possible, but rarely conclusive.
Fong said if sellers rely on e-wallets such as Touch ‘n Go or direct bank transfers, there are avenues for investigators to pursue – though the trail often hits a wall.
“You will very likely trace it back to a mule account, not the actual seller. One thing leads to another, and authorities have to investigate the mules to eventually lead them back to the actual syndicate,” he said.
Fong called for a more transparent public reporting mechanism, including financial rewards for tip-offs, and stressed that lawmakers must introduce stiffer penalties – particularly to deter sellers from targeting minors online.
Universiti Sains Malaysia Cybersecurity Research Centre director Prof Dr M. Selvakumar said it is difficult but not impossible for Malaysian authorities to act against invite-only social media communities selling unregulated vape products.
“End-to-end encryption reduces visibility into message content, but investigations rarely depend only on reading messages.
“Authorities typically combine complaints, undercover access, device seizures, account attribution, metadata obtained through lawful process and financial investigation.”
The speed and scale at which groups can be recreated rapidly and move across channels are among operational challenges, said Selvakumar.
He said e-wallet and QR transactions are generally more traceable than they appear.
“Licensed payment providers maintain transaction records and apply anti-money-laundering controls, so even small payments can contribute to an investigative trail.
“The main challenge is not invisibility but fragmentation as payments may spread across multiple wallets, mule accounts, and intermediaries,” he said.
The Star reached out to the Health Ministry for comment on the issue, but it had not responded at the time of publication.
