A coordinated international operation involving law enforcement agencies from the United States, China, and several other countries resulted in the arrest of at least 276 suspects and the dismantling of nine scam centers used to carry out cryptocurrency investment fraud schemes that defrauded Americans of millions of dollars.
The operation was led by Dubai Police under the supervision of the United Arab Emirates (UAE) Ministry of Interior, in partnership with the U.S. Federal Bureau of Investigation (FBI) and China’s Ministry of Public Security. Among those arrested were suspects from Myanmar and Indonesia, who were apprehended by authorities in Dubai and Thailand.
Twenty-seven-year-old Thet Min Nyi, 23-year-old Wiliang Awang, 29-year-old Andreas Chandra, 29-year-old Lisa Mariam, and two fugitive co-conspirators have been charged in the United States with federal fraud and money laundering offenses.
“Fraudsters who target Americans from abroad cannot act with impunity, no matter where they are in the world,” said Matthew R. Galeotti, Head of the Justice Department’s Criminal Division. “The operators of scam centers and the fraudsters who prey on Americans and others will face justice in U.S. courts and courts around the world. In today’s world, fraud knows no borders, and neither do the law enforcement efforts to combat and eradicate it.”
According to the indictment, the defendants allegedly managed, worked for, and recruited others to work for three companies—Ko Thet Company, Sanduo Group, and Giant Company—which are believed to have operated multiple scam centers. Investigators believe that Thet Min Nyi served as a manager and recruiter for Ko Thet Company.
The scheme relied on scammers spending weeks or even months building trust with victims by posing as friends or potential romantic partners. Once that trust had been established, they persuaded victims to invest in what appeared to be profitable cryptocurrency opportunities that were, in reality, fraudulent investment platforms. This type of scam is commonly known as pig butchering or romance investment fraud.
The operation was also closely linked to human trafficking. Foreign nationals were lured with fake offers of high-paying jobs before being forced to work in scam compounds under conditions resembling modern slavery.
“The scammers then promoted cryptocurrency investments and helped victims open accounts and transfer cryptocurrency to investment platforms that, unbeknownst to the victims, were fake,” the Justice Department said. “The alleged fraudsters showcased their own supposed investment success and profits to encourage victims to invest even more. They also urged victims to borrow money from friends and family or take out loans so they could continue ‘investing.'”
Once victims transferred their funds, the cryptocurrency was quickly laundered through a network of other crypto wallets, including wallets controlled by the scammers.
The U.S. Department of Justice said that, as of April 2026, the FBI had warned nearly 9,000 potential victims and helped prevent approximately $562 million in losses through Operation Level Up, an initiative launched in January 2024 to proactively identify and notify victims of cryptocurrency investment scams.
The announcement comes just days after the U.S. Department of Justice unsealed charges against two Chinese nationals—Jiang Wen Jie (also known as Jiang Nan) and Huang Xingshan (also known as A Zhe and Huang Xing Shaan)—for their alleged roles in a large-scale cryptocurrency investment fraud operation and for operating the Shunda scam compound in Myanlet Pyan, Myanmar.
Prosecutors also allege that the pair planned to establish a second scam center in Cambodia after the original compound in Myanmar was dismantled by authorities in November 2025.
According to investigators, Huang served as a senior manager at the Shunda compound and personally participated in the physical abuse of trafficking victims forced to work there. Jiang allegedly supervised a team responsible for targeting American victims. Both suspects were arrested by Thai authorities in early 2026 while traveling from Cambodia to Myanmar.

“The compound used fraudulent websites and mobile applications disguised as legitimate investment platforms to deceive victims, including Americans,” the U.S. Department of Justice said. “Workers at the compound were themselves victims of human trafficking who were held against their will and forced to scam others under threats of violence and torture.”
Authorities also seized a Telegram channel (@pogojobhiring2023) with more than 6,500 subscribers that had been used to recruit trafficking victims into a scam center in Cambodia, where they were forced to participate in law enforcement impersonation scams. In addition, investigators seized a network of 503 fraudulent investment websites used to defraud victims across the United States.
As part of the operation, led by the U.S. Government’s Fraud Task Force, authorities also seized more than $701 million in cryptocurrency believed to be linked to laundering proceeds from cryptocurrency investment scams.
Alongside the law enforcement operation, the U.S. Department of the Treasury imposed sanctions on a Cambodian senator allegedly connected to a network of cyber fraud operations. At the same time, the U.S. Department of State announced a reward of up to $10 million for information leading to the seizure or recovery of assets connected to the Tai Chang scam center in Myanmar.
The sanctions target Cambodian Senator Kok An, businessman Rithy Raksmey, their associates, and several affiliated businesses, including the K99 Group, for their alleged involvement in operating scam compounds. Authorities believe Kok An fled Thailand, where arrest warrants were issued for him and his children last July.
“Kok An’s network of scam centers, operating out of casinos and office parks converted into fraud compounds, launders victims’ funds while providing a safe haven for targeting U.S. citizens and committing serious human rights abuses with impunity,” the Office of Foreign Assets Control (OFAC) said.
Kok An is the second Cambodian senator sanctioned by the U.S. Treasury. The first was Ly Yong Phat, who was sanctioned in September 2024 for his alleged role in human trafficking linked to forced labor in online scam compounds.
The rapid expansion of industrial-scale scam operations has prompted Cambodia’s parliament to pass its first law specifically targeting scam centers operating within the country. The legislation is intended to prevent dismantled scam compounds from re-emerging and introduces prison sentences of five to ten years, along with fines of up to $250,000, for those convicted of operating such schemes.
Researchers have also uncovered an Android banking trojan believed to be operating from several locations, including the K99 Triumph City complex owned by Cambodia’s K99 Group. The malware is capable of real-time surveillance, credential theft, data exfiltration, and financial fraud and is believed to have been active since at least 2023.
According to a joint report by Infoblox and the Vietnamese non-profit organization Chong Lua Dao, the sophisticated Malware-as-a-Service (MaaS) platform shares infrastructure and behavioral characteristics with operations previously attributed to the threat groups Vigorish Viper and Vault Viper.
“The operation remains active, registering around 35 new domains every month, including both Registered Domain Generation Algorithm (RDGA) domains and lookalike domains that impersonate legitimate organizations and government services to distribute malware,” the researchers said.
“These domains are designed to mimic banks, pension funds, social security organizations, utility providers, as well as tax authorities, immigration agencies, telecommunications companies, and law enforcement organizations. More recently, the operation has expanded both geographically and contextually, using lures themed around airlines and e-commerce platforms while increasingly targeting countries across Africa and Latin America.”
Overall, researchers estimate that around 400 malicious lure domains were registered throughout 2025 as part of what appears to be a coordinated fraud campaign. The attack chain typically unfolds as follows:
Malicious URLs are distributed via SMS messages or emails disguised as official communications from government agencies.
Victims are directed to a fake Google Play Store page or a counterfeit government website.
After downloading and launching the APK, the application requests elevated permissions to ensure it remains persistent on the device.
The malware then connects to a remote command-and-control server, allowing attackers to monitor the victim’s device in real time and steal sensitive information.
Finally, the attackers display fake login screens over legitimate mobile banking apps to capture victims’ credentials, which are then used to transfer funds to accounts under the attackers’ control.
“Activity associated with this infrastructure continues to evolve and expand, supporting large-scale campaigns targeting countries including Thailand, Indonesia, the Philippines, and Vietnam, while increasingly spreading across Africa and Latin America,” Infoblox and Chong Lua Dao said.
“With access to large multilingual workforces, growing technical capabilities, and exceptionally high profits, these groups are not only deploying malware but continuously adapting and transforming malware, infrastructure, and social engineering techniques into scalable and reusable attack models. An ecosystem is emerging that is flexible, experimental, and commercially driven—one in which tools are constantly repurposed, refined, and redistributed to maximize reach and profit.”
The developments come as authorities continue Operation Atlantic, a coordinated international effort that has successfully frozen approximately $12 million linked to cryptocurrency and investment fraud schemes.
The operation targeted scammers who relied on a technique known as approval phishing to gain access to victims’ cryptocurrency wallets and drain their digital assets.
Approval phishing is a form of cryptocurrency fraud in which victims are tricked into signing a blockchain transaction that grants scammers permission to access and control their wallets, allowing them to steal all of the assets stored inside.
According to TRM Labs, these attacks are often disguised as investment scams or romance scams.
“This tactic is frequently used in online investment fraud, commonly known as pig butchering, to persuade victims to transfer increasingly larger amounts of money to scammers,” the U.S. Secret Service said.
More than 20,000 victims have been identified across 30 countries, including Canada, the United Kingdom, and the United States. Authorities have also seized more than 120 phishing domains used by the criminal network and identified an additional $33 million in assets believed to be connected to investment fraud schemes operating worldwide.
Earlier in April, the Office of Cybersecurity and Critical Infrastructure Protection (OCCIP) within the U.S. Department of the Treasury announced a new information-sharing initiative aimed at strengthening cybersecurity across the digital asset sector.
Under the program, eligible U.S. digital asset companies and industry organizations will receive timely cybersecurity intelligence from the Treasury Department at no additional cost.
“This initiative will provide timely and actionable cybersecurity information to eligible U.S. digital asset companies and industry organizations, helping them better detect, prevent, and respond to cyber threats targeting their customers and networks,” the U.S. Department of the Treasury said.