A comprehensive investigation by the Associated Press and Frontline has exposed a troubling reality: the technology infrastructure built and maintained by American companies has become essential to the operation of sophisticated, industrialised fraud networks across Southeast Asia and beyond. Rather than isolated criminal acts, scamming has evolved into a coordinated system that leverages everything from satellite internet connectivity to artificial intelligence platforms, painting a picture of how global digital architecture can be weaponised at scale.
While public attention typically focuses on the social media platforms where victims encounter scams, the investigation reveals that the real vulnerability lies far upstream in the supply chain. The infrastructure that fraudsters exploit—ranging from internet service providers to satellite communications—operates with minimal oversight and few incentives to detect and prevent abuse. This layered approach to the scam ecosystem means that shutting down one point of contact between criminals and victims does little to disrupt the underlying machinery that enables them to operate.
The scale of the problem is staggering. United States federal regulators estimate that fraud cost Americans nearly US$200 billion in 2024 alone, yet the companies providing the technical backbone for these operations face limited pressure to act. Security analysts and watchdog organisations argue that satellite internet providers, artificial intelligence companies, and internet infrastructure firms all possess the technical capacity to implement stronger protections. However, without robust legal and regulatory frameworks, combined with meaningful business incentives, few are motivated to invest the resources required.
The investigation identified specific software suites deployed by criminal operations at compounds throughout Southeast Asia, particularly in Myanmar. OpenAI's ChatGPT emerged as the primary artificial intelligence tool powering these systems, supplemented by Google's Gemini and other language models. These platforms, which have entirely legitimate applications, enable scammers to operate across multiple languages simultaneously, automate customer interactions, develop convincing fictional personas, and monitor their staff's productivity. When blockchain analysts examined the financial flows, they discovered that scammers using these customised tools generated tens of millions of dollars in criminal proceeds.
Both OpenAI and Google responded by emphasising their commitment to preventing misuse of their services. OpenAI stated it maintains comprehensive systems to identify and disrupt fraudulent activity on its platform, and following the investigation's disclosure, the company banned three accounts that had been facilitating online scams. Google similarly highlighted its proactive measures. Yet the fact that the investigation was able to identify these operations using publicly available information suggests that detection and prevention mechanisms may not be sufficiently aggressive or transparent.
The internet connectivity question presents an even starker picture. Analysis of device connections from scam compounds linked to entities designated by international sanctions revealed that one in every five signals originated through a company registered in the United States. No other non-regional nation came close to this proportion. Among the American firms identified were Cogent Communications, Oracle, AT&T, and DigitalOcean. Additionally, foreign companies including Finland-based UpCloud and Canada-registered GlobalTeleHost operated servers physically located in the United States that carried substantial volumes of traffic from these criminal operations.
All these companies invoked the same defence: they cannot inspect the content flowing through their networks due to privacy protections built into their architecture. This design principle, though conceptually sound for protecting user privacy, creates a significant blindspot regarding criminal activity. Representatives from each company emphasised their commitment to responding to legitimate abuse reports and cooperating with law enforcement when presented with evidence. Oracle indicated it was actively engaging with law enforcement authorities on material provided by the investigation, while UpCloud suggested the inquiry had prompted internal reviews of its risk assessment frameworks.
Elon Musk's Starlink satellite internet service presents a particularly compelling case study. Despite Congressional attention and a highly publicised enforcement action in late 2025 during which the company claimed to have disconnected 2,500 terminals near scam locations, Starlink remains the dominant internet service provider serving scam compounds throughout Myanmar. Device data and satellite imagery analysed for the investigation show that criminals have simply relocated to new sites, with at least 25 new locations constructed since the supposed crackdown. Of these newly built facilities, at least 13 have established internet connectivity using Starlink, according to the device data examined. Notably, the analysis covered only a sample of activity and may not capture the full extent of Starlink usage at these locations.
When confronted with detailed questions about these findings, Starlink declined to provide substantive responses. The company has instead relied on general public statements about cooperating with law enforcement and recent enforcement efforts, including a May operation coordinated with the Department of Justice's newly established Scam Center Strike Force. The company has characterised its service as remaining committed to being a positive force globally, though this sentiment rings hollow given the apparent ease with which criminals continue to utilise its infrastructure.
Cybersecurity experts point to a fundamental economic problem underlying this regulatory vacuum. Technology companies possess vast databases of network activity that could be deployed to identify and prevent illicit operations. However, implementing such protections requires substantial capital investment and operational complexity. As Sascha Meinrath, a telecommunications specialist at Penn State University, observed, companies face no meaningful penalty for facilitating scam operations. When the cost of enabling fraud remains effectively zero, there is little economic rationale for spending company resources to prevent it. The problem, Meinrath emphasises, is neither invisible nor unsolvable—it simply requires expenditure.
Internationally, this calculus is beginning to shift. Jurisdictions including the United Kingdom, the European Union, Australia, and Singapore have enacted regulatory frameworks that impose financial penalties on companies failing to implement adequate anti-fraud protections. These regimes are forcing tech firms to view fraud prevention as a mandatory business expense rather than a voluntary corporate responsibility. In contrast, the United States regulatory approach remains largely voluntary, with government officials requesting cooperation from industry partners without the backing of enforceable penalties.
For Malaysian policymakers and businesses, this investigation carries significant implications. Malaysia has emerged as both a source of some scam operations and a target for fraud, making the governance of this infrastructure particularly relevant. The findings demonstrate that attacks originating from or transiting through Southeast Asia depend critically on American-controlled infrastructure, suggesting that international regulatory coordination could substantially disrupt these networks. Furthermore, as Malaysia develops its own technology sector and digital infrastructure, questions about how to prevent exploitation of these systems merit serious attention before the problem becomes entrenched.
The broader lesson is that infrastructure providers cannot escape responsibility by claiming invisibility into the content they carry. While privacy protections remain important, they cannot become an excuse for willful blindness to demonstrable criminal abuse. Jeanine Pirro, who leads the Department of Justice's Scam Center Strike Force, captured this tension when she noted that criminals exploit American infrastructure to commit crimes against Americans. If industry partners cannot be convinced through voluntary means that fraud prevention serves their own long-term interests, then policymakers may need to follow the international precedent and establish enforceable obligations backed by meaningful consequences.
