American technology companies and their infrastructure have become unwitting backbone of a sophisticated, increasingly industrialised scam ecosystem that operates across Southeast Asia and beyond, according to a joint investigation by the Associated Press and PBS Frontline. The findings paint a troubling picture of how tools designed for legitimate purposes are being repurposed by criminal networks to defraud hundreds of millions of people globally, with the scale and scope of this abuse far exceeding what public understanding has suggested.
While regulatory attention and public concern have traditionally focused on social media platforms as the visible front where victims encounter scams, the investigation demonstrates that the real infrastructure enabling these operations sits much deeper in the digital supply chain. Internet service providers, satellite communications networks, artificial intelligence platforms, and backend infrastructure companies have become critical nodes in the machinery of fraud. This upstream positioning means that intervention at these points could theoretically halt scam operations with far greater efficiency than efforts targeting the surface-level platforms where victims are recruited.
Watchdog organisations and cybersecurity experts emphasise that these technology providers possess the technical capability to substantially reduce scam activity through their networks. However, the current absence of strong legal mandates, regulatory frameworks, and commercial incentives has left these companies unmotivated to invest the necessary resources. The Federal Trade Commission estimates that fraud cost Americans nearly US$200 billion in 2024 alone, yet this enormous social cost has not translated into sufficient pressure on technology firms to police their infrastructure more aggressively.
The investigation identified two sophisticated software suites that scammers deployed from compounds across Southeast Asia, with OpenAI's ChatGPT and Google's Gemini forming the core of these toolkits. These AI systems, when integrated into custom platforms, enabled scam operators to work seamlessly across multiple languages, generate convincing automated responses, create believable persona profiles, and monitor team productivity. Analysis by security nonprofit C4ADS revealed that scammers using these tools accumulated tens of millions of dollars, based on blockchain tracing conducted by TRM Labs. Both OpenAI and Google stated they maintain comprehensive programmes to prevent their systems being abused for illegal purposes, and OpenAI indicated it had subsequently banned three accounts associated with scam operations after being informed by the AP of their activities.
The geographic footprint of this abuse demonstrates the particular vulnerability of the Myanmar region, where scam compounds operate with considerable impunity. Analysis of over 200,000 device connections from four scam compounds linked to sanctioned Myanmar-based entities revealed that approximately one in five connections passed through US-registered companies, a dominance unmatched by any other non-regional country. Major American technology firms including Cogent Communications, Oracle, AT&T and DigitalOcean carried significant traffic from these locations, whilst international companies such as Finland-based UpCloud and Canada-registered GlobalTeleHost also operated US-based servers that handled high-risk traffic from scam centres.
These companies uniformly defend their operations by noting that their network architecture employs "privacy by design"—a principle that prevents them from viewing the actual content flowing through their systems. This technical constraint, whilst protecting legitimate user privacy, simultaneously creates a blind spot that shields illicit activity from detection. All firms stated they respond to valid abuse reports and cooperate with law enforcement investigations, yet the investigation suggests that abuse notification mechanisms may operate too slowly or ineffectively to disrupt ongoing scam operations. Oracle indicated it was working diligently with law enforcement on the information shared by AP, whilst UpCloud said the AP's inquiries prompted a review of its risk assessment procedures.
Starlink, Elon Musk's satellite internet service, stands out as the dominant internet provider serving Myanmar scam centres, maintaining market dominance even following Congressional attention and a much-publicised operation in late 2025 in which the company claimed to have disabled 2,500 kits deployed near scam locations. However, satellite imagery and device data collected by the International Justice Mission, an anti-trafficking organisation, indicate that scam operations have continued with undiminished capability. Since that publicised crackdown, at least 25 new scam compound sites have been constructed within Myanmar, with device data confirming that at least 13 of these locations have connected to Starlink services. The true figure may be substantially higher, as the available data represents only a sample of overall activity.
Starlink declined to provide detailed responses to specific questions posed by the investigation but has previously stated that it cooperates with law enforcement agencies, including during a coordinated operation in May involving the Department of Justice's Scam Center Strike Force. The company has maintained that it remains committed to ensuring its service functions as a positive force. Yet the persistence of scam operations despite these stated commitments raises uncomfortable questions about the effectiveness of current enforcement mechanisms and whether voluntary cooperation represents a sufficient approach to the problem.
Technology companies possess enormous datasets that could, with significant investment in analysis and monitoring systems, be leveraged to substantially reduce scam activity flowing through their networks. However, according to cybersecurity analysts, this investment requires deliberate resource allocation and expenditure that companies currently lack motivation to undertake. Sascha Meinrath, Palmer Chair in Telecommunications at Penn State University, articulated this economic logic bluntly: without penalties for facilitating scams or rewards for preventing them, companies rationally choose to avoid bearing costs associated with detection and disruption. The current situation leaves an identifiable, addressable problem without the financial incentives necessary to drive corporate action.
Regulatory environments outside the United States have begun shifting this calculation. The United Kingdom, European Union, Australia and Singapore have all implemented regulatory frameworks requiring technology companies to take stronger action against scams or face financial penalties. These jurisdictions recognise that without mandatory obligations and enforcement mechanisms, voluntary corporate cooperation will remain insufficient to address the scale of the problem. In contrast, American policymakers and government officials have largely requested that technology companies cooperate voluntarily, relying on goodwill and partnership rather than regulation to drive compliance.
US Attorney Jeanine Pirro, who leads the newly established Scam Center Strike Force, has articulated the urgency of engaging industry partnerships, noting at a recent conference that the tragedy lies in criminals exploiting American infrastructure and that industry must be ready and willing to stop fraud when detected. Yet the investigation suggests that readiness and willingness alone may prove insufficient without either regulatory obligation or commercial incentive. The gap between what is technically possible to prevent and what companies currently invest in preventing remains substantial, and closing that gap may require moving beyond voluntary cooperation toward regulatory requirements that make scam prevention an unavoidable cost of doing business.
For Malaysia and Southeast Asian countries, the implications are particularly acute. The region has become a geographic hub for sophisticated scam operations that target victims across the world, generating revenue that flows into and circulates within the region's economy. Disrupting these operations requires not only regional law enforcement action but also meaningful pressure on the American technology infrastructure that enables them. The investigation demonstrates that effective action requires moving beyond public awareness and into the realm of regulatory obligation, economic incentive, and systematic enforcement—a shift that currently appears to lack sufficient political momentum in the United States despite the scale of global harm.
