American technology infrastructure has become the backbone of an industrialised fraud operation that now spans the globe, according to a landmark investigation by the Associated Press and Frontline. The findings, compiled through extensive analysis of digital networks and device connections at scam compounds, paint a troubling picture of how innovations designed to connect the world are instead being weaponised by criminal enterprises operating with relative impunity from bases throughout Southeast Asia.
While public discourse about online scams typically fixates on social media platforms where victims are initially targeted, the investigation reveals that the actual machinery enabling fraud operates far upstream, embedded deep within the technical infrastructure that underpins the internet itself. This distinction matters enormously for policymakers and technology regulators seeking to address what has become one of the most lucrative forms of organised crime. The infrastructure layer—encompassing satellite internet providers, cloud hosting companies, and artificial intelligence platforms—represents the true vulnerability in the system, yet remains largely invisible to regulators and the general public.
Regulatory bodies and cybersecurity experts agree that satellite internet companies, artificial intelligence vendors, and internet infrastructure providers possess the technical capacity to substantially curtail fraudulent activity. However, the current absence of meaningful legal consequences, coupled with weak regulatory frameworks and misaligned business incentives, creates a situation where prevention remains optional. The Federal Trade Commission estimates that fraud cost Americans nearly US$200 billion in 2024 alone, a figure that pales in comparison to global losses when Southeast Asian and other regional victims are included in the calculation.
During the investigation, researchers working with the security nonprofit C4ADS identified multiple software suites actively deployed at scam compounds across Southeast Asia. These tools prominently featured OpenAI's ChatGPT alongside Google's Gemini, supplemented by various other artificial intelligence models. The software enables scammers to operate seamlessly across dozens of languages, generate personalised automated responses to victims, construct convincing false personas, and systematically monitor the performance of individual operators within their criminal networks. Blockchain analysis conducted by TRM Labs at the request of AP and Frontline demonstrated that operators purchasing these tools generated tens of millions of dollars in stolen funds.
While neither OpenAI nor Google has engaged in illegal conduct themselves, the investigation raises substantive questions about the vigour with which these companies enforce their published terms of service, which explicitly prohibit illegal applications. Both companies responded to the investigation's findings by asserting that they maintain robust programmes designed to identify and disrupt scammers attempting to abuse their platforms. OpenAI specifically indicated that it had terminated three accounts identified by the investigation as having supported online scam operations.
The investigation's examination of internet service provision painted an even more revealing picture. Analysis of more than 200,000 device connections originating from four major scam compounds linked to sanctioned Myanmar entities showed that one in every five signals was routed through US-registered companies. No other non-regional nation approached this level of infrastructure provision to the scam industry. The companies identified—including Cogent Communications, Oracle, AT&T, and DigitalOcean—join foreign providers such as Finland-based UpCloud and Canada-based GlobalTeleHost in hosting traffic from these criminal operations.
These companies uniformly contend that their network architecture—operating on privacy-by-design principles—prevents them from observing the content transmitted across their infrastructure or the specific activities conducted by end users. While this design principle serves legitimate privacy protections for lawful users, it simultaneously shields fraudulent operators from detection. All companies emphasised their responsiveness to valid abuse reports and their cooperation with law enforcement agencies. Oracle stated it was actively collaborating with authorities regarding the material shared by the investigation, whilst UpCloud indicated that the inquiry had prompted an internal review and strengthening of its risk assessment protocols.
Elon Musk's Starlink satellite internet service remains the primary internet service provider serving Myanmar, including the compounds where industrial-scale scam operations are coordinated, despite Congressional attention and a widely publicised network shutdown announced in late 2025. The company claimed at that time to have severed connections to 2,500 satellite kits positioned near scam compounds. Nevertheless, evidence accumulated through satellite imagery and device data provided by the International Justice Mission—an anti-trafficking organisation—demonstrates that scammers continue accessing Starlink services. Particularly concerning is the emergence of at least 25 newly constructed scam facilities within Myanmar since the announced crackdown, with device data indicating that at least 13 of these sites have successfully connected to Starlink. Although this data represents only a sample and may not encompass all Starlink usage at these locations, the pattern suggests that enforcement efforts have produced limited sustained disruption.
The fundamental economic problem driving this situation was articulated clearly by Sascha Meinrath, the Palmer chair in telecommunications at Penn State University. As Meinrath explained, without substantial costs or consequences attached to facilitating scam operations, technology companies lack rational incentive to invest in prevention measures. The problem is neither technologically intractable nor economically justified—it is fundamentally one of misaligned incentives. Prevention would require significant corporate investment in monitoring, analysis, and enforcement, whilst the current regulatory environment imposes negligible costs on companies that choose to ignore the problem entirely.
The divergence between American and international approaches to this challenge has become increasingly pronounced. The United Kingdom, European Union, Australia, and Singapore have all implemented regulatory frameworks that mandate stricter scam prevention measures and impose financial penalties for non-compliance. These jurisdictions have recognised that voluntary cooperation from technology companies yields insufficient results. Meanwhile, Washington continues to rely on voluntary partnerships and appeals to corporate responsibility, with US Attorney Jeanine Pirro, who leads the Department of Justice's newly established Scam Center Strike Force, urging companies to recognise their obligation to prevent criminals from exploiting American infrastructure.
For Southeast Asian policymakers and business communities, this investigation carries particular significance. The region's exposure to scam operations originating from within Myanmar and other locations remains acute, with millions of regional citizens falling victim to fraud facilitated by American technology infrastructure. The fact that US-registered companies provide the majority of infrastructure supporting these operations creates an implicit responsibility and a strategic vulnerability. As long as American regulatory frameworks remain permissive and enforcement remains voluntary, the region will continue bearing disproportionate costs from a problem rooted substantially in the United States.
