A coordinated international operation involving U.S. and Chinese authorities has arrested at least 276 suspects and shut down nine scam centers used for cryptocurrency investment fraud schemes targeting Americans, resulting in millions of dollars in losses.
The crackdown was led by the Dubai Police, under the United Arab Emirates (UAE) Ministry of Interior, in partnership with the U.S. Federal Bureau of Investigation (FBI) and the Chinese Ministry of Public Security. Among those arrested are individuals from Burma and Indonesia, who were apprehended by authorities from Dubai and Thailand.
Thet Min Nyi, 27, Wiliang Awang, 23, Andreas Chandra, 29, Lisa Mariam, 29, and two fugitive co-conspirators have been charged with federal fraud and money laundering charges in the U.S.
"Fraudsters who target Americans from overseas cannot operate with impunity, no matter where in the world they reside," Assistant Attorney General A. Tysen Duva of the Justice Department's (DoJ) Criminal Division said. "Scam center organizers and fraudsters who defraud Americans and others will face justice in American courts and in courts around the world. In contemporary society, fraud is borderless, and law enforcement activity to combat it and eliminate it is as well."
According to the indictment, the defendants are alleged to have managed, worked for, and recruited others to work at three different companies named Ko Thet Company, Sanduo Group, and Giant Company that allegedly operated several scam centers. Thet Min Nyi is believed to be the manager and recruiter for the Ko Thet Company.
The scams involved tricking users into parting with their money through bogus cryptocurrency investments after building trust over time, often by entering into friendly or romantic relationships, a long-running scheme known as pig butchering or romance baiting. The illicit operation is closely intertwined with human trafficking, where foreign nationals are coerced into running the scams under slave-like conditions after being recruited with false offers of high-paying jobs.
"After that, the scammers promoted investments in cryptocurrencies and assisted victims in setting up accounts and transferring cryptocurrency to investment platforms that, unbeknownst to the victims, were false," the DoJ said. "The alleged scammers touted their own successes and returns in cryptocurrency investments and encouraged their victims to invest more. They also encouraged their victims to borrow money from friends and family and take out loans, to be able to 'invest' more."
But as soon as the funds were transferred to the platforms, the assets were laundered to other cryptocurrency accounts, including some belonging to the fraudsters.
The DoJ said the FBI has notified almost 9,000 victims and saved victims an estimated $562 million as of April 2026 following the launch of an initiative called Operation Level Up, which began in January 2024 as a way to proactively identify and alert victims of cryptocurrency investment fraud schemes.
Two Chinese Nationals Charged for Crypto Scams
News of the indictment comes days after the DoJ charged two Chinese nationals – Jiang Wen Jie (aka Jiang Nan) and Huang Xingshan (aka Ah Zhe and Huang Xing Saan) – for their role in a major cryptocurrency investment fraud operation and for allegedly running the Shunda scam compound in Min Let Pan, Myanmar. The defendants have also been accused of planning to open a second scam center in Cambodia after Burmese authorities seized the first in November 2025.
Huang is assessed to have worked at Shunda as a high-level manager and personally participated in the physical punishment of trafficked compound workers, while Jiang served as a team leader overseeing workers who specifically targeted American victims in these schemes. They were arrested by Thai authorities in early 2026 while en route to Burma from Cambodia.
"The compound used scam websites and mobile applications disguised as legitimate investment platforms to defraud victims, including Americans," the DoJ said. "Workers within the compound were trafficked individuals who were held against their will and forced to defraud victims under the threat of violence and torture."
In addition, the crackdown has led to the seizure of a Telegram channel (@pogojobhiring2023) with more than 6,500 followers used to recruit human trafficking victims to a scam compound in Cambodia in order to work a law enforcement impersonation scam and a cluster of 503 fake investment websites used to defraud U.S. victims. The actions, led by a U.S. government Scam Center Strike Force, have also restrained more than $701 million in cryptocurrency alleged to be tied to money laundering from cryptocurrency scams.
Treasury Sanctions Cambodian Senator
Coinciding with these efforts, the U.S. Treasury Department has sanctioned a Cambodian senator behind a network of cyber scam compounds, and the State Department announced rewards of up to $10 million for information leading to the seizure or recovery of proceeds related to the Tai Chang scam center in Burma.
The sanctions target Cambodian Senator Kok An, Cambodian businessman Rithy Raksmei, their associates, and respective business operations, including holding companies like K99 Group for scam center operations. Kok An is assumed to have fled Thailand, with authorities issuing an arrest warrant for him and his children last July.
"Kok An and his affiliates' network of scam centers, operating out of casinos and office parks retrofitted for fraudulent activity, launder victims' funds and provide a base to target U.S. citizens and commit human rights abuses with impunity," the Office of Foreign Assets Control (OFAC) said.
Kok An is the second Cambodian senator to be sanctioned by the U.S. Treasury after Ly Yong Phat, who was implicated in September 2024 for his alleged role in trafficking people into forced labor at online scam centers.
The proliferating industrial-scale fraud operations have prompted Cambodia's parliament to pass the first law dedicated to targeting scam centres operating in the country. The law, which seeks to prevent scam centers from resurfacing after takedowns, will see those convicted of scams sentenced to anywhere between five and 10 years in prison and fined as much as $250,000.
Cambodian Scam Compound Linked to Android MaaS
What's more, an Android banking trojan has been uncovered, likely operating from multiple locations, including the K99 Triumph City compound owned by Cambodia's K99 Group, that's capable of facilitating real-time surveillance, credential theft, data exfiltration, as well as financial fraud. The banking trojan is said to have been used since at least 2023.
The sophisticated malware-as-a-service (MaaS) platform shares infrastructure and behavioral overlaps with activity previously attributed to threat actors tracked as Vigorish Viper and Vault Viper, per a joint report from Infoblox and Vietnamese non-profit Chong Lua Dao.
"The operation remains active, registering around 35 new domains per month -- both registered domain generation algorithm (RDGA) domains and lookalike domains -- that impersonate legitimate organizations and government services to distribute the malware," researchers said.
"The domains are designed to spoof banks, pension funds, social security organizations, utility providers, and various revenue, immigration, telecom, and law enforcement agencies. More recently, the scope of the scam has expanded, both geographically and contextually, to include lures targeting airlines and e-commerce platforms, as well as countries in Africa and Latin America."
In all, 400 targeted lure domains are said to have been registered in 2025 and used to deceive and infect victims as part of what's assessed to be a coordinated operation. The attack chain is as follows -
- Malicious URLs are distributed to users through SMS messages or emails that appear to come from government officials.
- Victims visit a fake Google Play Store app listing page or a government service website.
- Once the APK is installed and launched, it escalates permissions to facilitate persistence.
- The malware connects to an external server and enables the operator to remotely keep tabs on the victim device and harvest data.
- Attackers inject bogus overlay screens on top of online banking apps to capture credentials and then use the access to transfer funds to accounts under their control.
"The activity associated with this infrastructure continues to adapt and expand, sustaining large-scale campaigns targeting countries such as Thailand, Indonesia, the Philippines, and Vietnam, while increasingly diversifying into Africa and Latin America," Infoblox and Chong Lua Dao noted.
"With access to large multilingual labor pools, growing technical capability, and sky-high profits, they are not only adopting but adapting and commoditizing malware, infrastructure, and social engineering techniques into versatile and scalable attack models. What emerges is an ecosystem that is agile, experimental, and commercially driven – one where tools are continuously repurposed, refined, and redeployed to maximize reach and profit."
Operation Atlantic Seizes $12M
The developments unfold against the backdrop of Operation Atlantic, which has successfully frozen approximately $12 million from a cybercrime operation targeting cryptocurrency and investment scammers using a technique called "approval phishing" to gain access to crypto-wallets and empty their funds.
Approval phishing refers to a form of cryptocurrency fraud in which victims are deceived into signing a blockchain transaction that grants a scammer complete control over their wallet, allowing them to drain all their assets. According to TRM Labs, these phishing attacks are "often wrapped inside investment scams or romance fraud."
"This tactic is often used in online investment fraud, often referred to as pig butchering, to lure victims into handing over ever-increasing amounts to scammers," the U.S. Secret Service said in a statement.
More than 20,000 victims have been identified across 30 countries, including Canada, the U.K., and the U.S. Authorities have also confiscated more than 120 domains used by the threat actors behind the scheme for phishing, and identified an additional $33 million in funds that are believed to be linked to investment fraud schemes globally.
In early April, the Treasury Department's Office of Cybersecurity and Critical Infrastructure Protection (OCCIP) announced a new information-sharing initiative to strengthen cybersecurity across the digital asset industry. As part of the effort, U.S. digital asset firms and industry organizations that meet the Treasury's criteria will be eligible to receive actionable cybersecurity information at no extra cost.
"The initiative will provide timely, actionable cybersecurity information to eligible U.S. digital asset firms and industry organizations, helping them better identify, prevent, and respond to cyber threats targeting their customers and networks," the Treasury Department said.
