How global raids on pig butchering scams reshape crypto risk

CyberSecureFox Editorial Team

An international operation involving the US, China, and the UAE led to the arrest of at least 276 people, the shutdown of nine cryptocurrency scam centers, and the freezing of more than $700 million in cryptoassets. It also exposed the tight connection between pig butchering schemes, human trafficking, politically protected scam compounds in Southeast Asia, and the spread of a new Android banking trojan. For businesses and private investors, this is a signal to urgently reassess protections for crypto transactions, mobile devices, and counterparty due diligence processes.

Technical details and scope of the operations

Dismantling the offline infrastructure of scam centers

The law‑enforcement effort was coordinated by Dubai Police with the participation of the UAE Ministry of Interior, the FBI, and China’s Ministry of Public Security. According to US court filings, the suspects operated and worked within Ko Thet Company, Sanduo Group, and Giant Company, which ran several scam centers used for fraudulent crypto investments.

  • At least 276 suspects have been detained, including citizens of Myanmar and Indonesia.
  • Nine centers targeting foreign victims, primarily US residents, were shut down.
  • Defendants in the US have been charged with fraud and money laundering.

The schemes were built around the pig butchering format (also known as romance baiting): scammers spend a long time cultivating trust — often romantic relationships — and then gradually steer the victim toward “lucrative” cryptocurrency investments. They help open crypto wallets and transfer funds to fake investment platforms; as soon as the money hits these platforms, it is immediately laundered through other wallets, including those controlled by the scammers themselves.

A critical element is forced labor. People from other countries are recruited with promises of high salaries and then held in “compounds” in conditions close to slavery, with threats of violence and torture if they refuse to participate in the schemes. Similar cases have previously been described in detail in US Department of Justice statements on international online fraud cases (official website of the U.S. Department of Justice).

Operation Level Up: proactive victim outreach

Since January 2024 the FBI has been running an initiative called Operation Level Up, aimed at proactively identifying victims of crypto investment fraud and notifying them. As of April 2026:

  • around 9,000 victims have been identified and notified;
  • prevented losses are estimated at roughly $562 million.

From a defensive standpoint this is an important shift: law‑enforcement agencies are not waiting for victims to file complaints but are using blockchain and transaction analytics to independently identify victims and protect them.

Shunda, Tai Chang and recruitment via Telegram

A separate indictment was filed against two Chinese nationals linked to the large Shunda scam compound in Myanmar and to plans to open a second center in Cambodia. One of them served as a senior manager who personally took part in physically punishing trafficked workers; the other was the team lead of a group specifically targeting US citizens.

As part of the same wave of actions:

  • the Telegram channel @pogojobhiring2023 (over 6,500 subscribers) was seized; it had been used to recruit human trafficking victims into a Cambodian scam compound under the guise of legitimate employment;
  • a cluster of 503 fake investment websites targeting US residents was discovered and blocked;
  • more than $701 million in cryptocurrencies linked to laundering proceeds from crypto fraud was restricted.

Scaling approval phishing: Operation Atlantic

In parallel, Operation Atlantic is targeting approval phishing schemes — tricking victims into signing a blockchain transaction that gives the attacker full control over a Web3 wallet. Once such an approval is signed, the attacker can drain all assets without having to compromise the wallet itself.

  • around $12 million connected to this scheme has been frozen;
  • more than 20,000 victims have been identified across 30 countries (including the US, Canada, and the UK);
  • over 120 domains used for phishing have been seized;
  • an additional approximately $33 million has been identified as presumably linked to global investment fraud schemes.

According to analysts at TRM Labs and statements from the U.S. Secret Service, approval phishing is often “packaged” inside pig butchering investment and romance schemes as the final step to siphon off the maximum possible amount.

New Android banking trojan as a service

Against the backdrop of the crackdown on physical scam centers, researchers from Infoblox and the Vietnamese nonprofit organization Chong Lua Dao discovered a new Android trojan operating under a malware‑as‑a‑service (MaaS) model and likely linked to the K99 Triumph City compound owned by the Cambodian group K99 Group.

Key characteristics of the trojan:

  • real‑time monitoring of user actions on the device;
  • theft of credentials and data from applications;
  • withdrawal of funds using stolen data;
  • in use since at least 2023.

Campaign infrastructure:

  • registration of about 35 new domains per month (using both a domain generation algorithm and look‑alike registrations);
  • about 400 lure domains registered in 2025 alone;
  • impersonation of banks, pension and social funds, utility providers, revenue and migration authorities, telecom operators, and law‑enforcement agencies;
  • expansion of lures to cover airlines and marketplaces, as well as geographic expansion beyond Southeast Asia into Africa and Latin America.

The researchers note overlaps in infrastructure and behavior with activity attributed to groups tracked as Vigorish Viper and Vault Viper, indicating the emergence of a full‑fledged commercial ecosystem of fraud tools. Additional methodological context on social engineering and malware techniques can be mapped against the MITRE ATT&CK taxonomy.

Threat context: cyber fraud, human trafficking, and political protection

A key feature of the current law‑enforcement campaign is that it deliberately targets the combined chain of “cybercrime + human trafficking + corrupt elites.”

  • The US Department of the Treasury, through OFAC, imposed sanctions on Cambodian senator Kok An, businessman Rithy Raksmei, and their businesses (including K99 Group), citing a network of scam centers operating out of casinos and office complexes and involved in human rights abuses. See general information on sanctions and financial measures on the U.S. Department of the Treasury website.
  • This is the second Cambodian senator sanctioned by the US for involvement in forced labor in online scam centers — Ly Yong Phat had been designated earlier.
  • In response to the “industrial‑scale” fraud, Cambodia’s parliament passed its first dedicated law against scam centers, prescribing 5–10 years of imprisonment and fines of up to $250,000.

As a result, countering pig butchering is no longer just a cyber operation; it is shifting into the realms of financial sanctions, criminal law, and the fight against human trafficking. For companies, this means that interaction — even indirect — with such business structures can have sanctions and legal consequences, not just reputational risks.

Impact assessment for different categories

Highest risk for:

  • Cryptocurrency platforms and brokers — they are the key bottleneck for moving funds into and out of pig butchering and approval phishing schemes.
  • Banks and fintech companies — the Android trojan is designed to steal banking and financial data from customers, including mobile banking.
  • Telecom operators, utility providers, and government agencies — their brands are being massively impersonated in lure domains, undermining trust in their customer communication channels.
  • Organizations with staff in Southeast Asia (especially Cambodia, Myanmar, Thailand) — there is a growing risk of unintentional links to sanctioned entities and of employees being drawn into forced‑labor schemes.
  • Private investors and dating service users — due to the combination of romance scams, investment schemes, and exploitation of Web3 functionality.

If no action is taken, potential consequences include:

  • direct financial losses for customers and companies (account freezes, theft of assets from Web3 wallets and mobile banking);
  • legal consequences due to potential violations of OFAC sanctions regimes and anti‑money‑laundering requirements;
  • loss of trust in digital channels (especially if the organization’s brand has been impersonated in domains or trojanized apps);
  • increased regulatory pressure around partner and supply‑chain due diligence.

Practical recommendations

For crypto platforms, brokers, and fintech companies

  • Enhance blockchain transaction analytics with pig butchering and approval phishing patterns in mind: chains of transfers to newly created wallets, bulk transfers to addresses named in investigations, unusual large transactions after long periods of “passive” customer behavior.
  • Integrate law‑enforcement data (from Operations Level Up and Atlantic) and analytics from organizations such as TRM Labs into transaction monitoring systems and sanctions screening.
  • Implement strict controls over smart contract approvals: warn users when they are granting “unlimited spend approval” to an unknown contract and, where possible, gate such operations with additional verification.
  • Separately monitor high‑risk customers (activity on dating services, abrupt changes in investment profiles, large‑scale borrowing for crypto investments) and introduce soft interventions such as alerts and calls from security teams.
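
The approval control recommended above can be enforced before a transaction is signed by decoding its calldata. The following is an added example, not code from the article or from any platform it names: it screens the standard approval calls and returns whether to allow, warn, or require step-up verification. The spender allowlist and the "unlimited" threshold are assumptions, and `approve` is interpreted as an ERC-20 allowance.

```python
import re

# Standard selectors: first 4 bytes of keccak256 of the function signature.
SELECTORS = {
    "095ea7b3": "approve",            # approve(address,uint256), read here as an ERC-20 amount
    "39509351": "increaseAllowance",  # increaseAllowance(address,uint256), common ERC-20 extension
    "a22cb465": "setApprovalForAll",  # setApprovalForAll(address,bool), ERC-721 / ERC-1155
}
# Hypothetical allowlist of vetted spender contracts (constructed address).
KNOWN_SPENDERS = {"0x" + "11" * 20}
# Assumption: an allowance of 2**255 or more is treated as effectively unlimited.
UNLIMITED = 2**255


def assess_approval(calldata_hex, known_spenders=KNOWN_SPENDERS):
    """Return (action, reason); action is 'allow', 'warn' or 'step_up'."""
    data = calldata_hex.lower().removeprefix("0x")
    name = SELECTORS.get(data[:8])
    if name is None:
        return ("allow", "not an approval call")
    args = data[8:]
    # Two 32-byte words are required; the address word must be left-padded with zeros.
    if not re.fullmatch(r"[0-9a-f]{128,}", args) or int(args[:24], 16) != 0:
        return ("step_up", f"malformed {name} calldata")
    spender = "0x" + args[24:64]  # address is right-aligned in its 32-byte word
    value = int(args[64:128], 16)
    known = spender in known_spenders
    if value == 0:
        return ("allow", f"{name} grants nothing (zero value)")
    if name == "setApprovalForAll":
        action = "warn" if known else "step_up"
        return (action, f"operator rights over every token granted to {spender}")
    unlimited = value >= UNLIMITED
    if unlimited and not known:
        return ("step_up", f"unlimited allowance to unvetted spender {spender}")
    if unlimited or not known:
        return ("warn", f"{name} of {value} to {spender}")
    return ("allow", "bounded allowance to vetted spender")
```

Off-chain signed permits do not appear as calldata at signing time and need a separate check on the typed-data payload.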

For corporate security teams and SOCs

  • Filter lure domains: block new and low‑reputation domains that mimic banks, government agencies, social funds, airlines, and major marketplaces, especially for employees with access to financial systems.
  • Mobile security: prohibit installation of apps from outside official stores, implement device integrity controls, and monitor suspicious app permissions (access to SMS, notifications, accessibility services).
  • Update staff training scenarios to include:
    • signs of pig butchering (prolonged chatting, moving the conversation to messengers, “exclusive” investment offers);
    • the risks of any Web3 transaction signature and the mechanics of approval phishing;
    • the danger of installing “bank/government” apps via links from messages.
  • Use external guidance from regulators (for example, CISA recommendations and tactic descriptions on MITRE ATT&CK) when tuning correlation rules and detections.
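
One way to implement the lure-domain filter from the first recommendation in this list, as an added example that is not from the article or the cited researchers: it combines brand similarity with registration age to decide between blocking and analyst review. The brand names, official domains, sample observations, and the 30-day cutoff are all constructed assumptions.

```python
import re

# Constructed sample data: protected brand names and their official domains.
BRANDS = {"examplebank": "examplebank.com", "citypension": "citypension.example"}
# Digit-for-letter substitutions commonly used in look-alike registrations.
CONFUSABLES = str.maketrans("0135", "oles")
MAX_AGE_DAYS = 30  # assumption: "new" means registered within the last 30 days
# Constructed observations: (domain, days since registration).
SAMPLE = [
    ("examp1ebank-login.com", 3),
    ("secure.examplebank.com", 2000),
    ("examplebamk.net", 400),
    ("examplebank.com.verify-account.example", 5),
    ("weather.example", 1),
]


def edit_distance(a, b):
    """Levenshtein distance computed with a rolling row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def mimicked_brand(domain):
    """Return the brand a domain imitates, or None if it is official or unrelated."""
    domain = domain.lower().rstrip(".")
    if any(domain == o or domain.endswith("." + o) for o in BRANDS.values()):
        return None  # the official domain or one of its subdomains
    tokens = re.split(r"[.-]", domain.translate(CONFUSABLES))
    squashed = "".join(tokens[:-1])  # all labels except the TLD, separators removed
    for brand in BRANDS:
        if brand in squashed or any(edit_distance(t, brand) <= 1 for t in tokens):
            return brand
    return None


def triage(observations):
    """Map each domain to 'allow', 'block: ...' (new look-alike) or 'review: ...'."""
    verdicts = {}
    for domain, age_days in observations:
        brand = mimicked_brand(domain)
        if brand is None:
            verdicts[domain] = "allow"
        elif age_days <= MAX_AGE_DAYS:
            verdicts[domain] = f"block: new look-alike of {brand}"
        else:
            verdicts[domain] = f"review: look-alike of {brand}"
    return verdicts
```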

For private investors and users

  • Never transfer large sums in cryptocurrency based on advice from online acquaintances or “consultants” you have never met in person and have not independently vetted.
  • Treat every Web3 transaction signature as an irrevocable power of attorney: read the approval text, use hardware wallets, and separate wallets for investments and day‑to‑day operations.
  • Do not install financial apps via links from messengers or SMS, even if they look like messages from a bank or government agency; always locate the app yourself in the official store.
  • If you suspect fraud, contact your bank/exchange and law‑enforcement agencies as quickly as possible: the earlier an investigation starts, the higher the chance of freezing assets before they are laundered (see general contacts and explanations on the U.S. Department of Justice website and national law‑enforcement portals).

The current wave of actions — from Level Up and Atlantic to OFAC sanctions and Cambodia’s new legislation — shows that governments have moved from targeting isolated “romance scammers” to attacking the entire pig butchering infrastructure: compounds, cash‑out networks, political patrons, and developers of malicious services. To avoid becoming the next link in this chain, organizations need to start integrating law‑enforcement signals now, tighten controls over Web3 transactions and mobile devices, and update employee training to reflect new social‑pressure techniques and approval phishing.

The CyberSecureFox Editorial Team covers cybersecurity news, vulnerabilities, malware campaigns, ransomware activity, AI security, cloud security, and vendor security advisories. Articles are prepared using official advisories, CVE/NVD data, CISA alerts, vendor publications, and public research reports. Content is reviewed before publication and updated when new information becomes available.
