US tech powers global scams at industrial scale, AP/FRONTLINE investigation reveals
5 Sources
[1]
Methodology for AP/'FRONTLINE' investigation into how US tech is abused for global scams
The AP/"FRONTLINE" investigation was based on tens of thousands of leaked scam center files, videos and photos; an analysis with C4ADS of misuse of artificial intelligence at scam centers; an examination of more than 200,000 connections made by devices at four scam compounds in Myanmar linked to entities sanctioned by the U.S. government; and interviews with 58 scam victims and three dozen current and former scammers from 19 countries. The Associated Press analyzed a sample of 202,013 connections made by devices at four scam compounds in Myanmar that have been linked to entities sanctioned by the U.S. government. International Justice Mission, an anti-trafficking non-profit, obtained the commercially available ad tech data, which covers several time intervals between February 2025 and January 2026, and shared it with the AP. Each event in the dataset logs a device's geographic coordinates and its IP address. AP used a database maintained by Scamalytics, a fraud prevention company, to identify which ISPs had been allocated the IP addresses in the dataset. In case of conflicting or ambiguous results, AP prioritized IP allocations identified by Scamalytics. This combination allowed us to identify not just where internet traffic was physically coming from, but which companies profit from hosting it. The data was enriched with risk indicators assigned by Scamalytics, including open source blacklists maintained by Firehol, IP2ProxyLite, IPSum, Spamhaus and X4Bnet Spambot, and Scamalytics' own risk score, which it assigns based on fraud reports and their own analysis. These scores are indicators of potential risk, rather than evidence of proven fraud. There are several important caveats. This dataset captures only geolocation-enabled devices. The actual internet infrastructure serving these compounds is significantly larger than what is recorded here. Spur Intelligence Corporation, a cybersecurity company, reviewed the data and found instances of ad fraud. AP removed known instances of devices used to run ad fraud identified by Spur. There may well be more that we were unable to detect. Telecommunications companies and internet service providers can meet a range of digital needs for scammers, including: Connecting to the internet; running and hosting fraudulent platforms like fake crypto or spoofed shopping sites; using VPNs or proxy networks to mask their true locations; and simply transiting traffic across the internet. While patterns in the data may suggest one use case over another, no definitive conclusions can be drawn from the commercially available data alone. Devices in the dataset were geolocated to the following compounds: Tai Chang, Deko Park, KK Park and a new compound near Hpakalu, Myanmar. KK Park, like most scam compounds along the Thai border, operates under the protection of the Karen Border Guard Force -- also known as the Karen National Army (KNA) -- an armed militia made up of ethnic Karen people who live in eastern Myanmar that is affiliated with the Myanmar military, according to U.S. and European government sanctions notices. The U.S. Treasury designated the Karen National Army as a transnational criminal organization in May 2025, citing its role in facilitating cyberscams targeting US citizens and human trafficking. Treasury's Office of Foreign Assets Control (OFAC) said the KNA provided security for KK Park and has profited from scam operations by leasing land to criminal syndicates. In October 2025, Myanmar's military government led a high-profile demolition campaign against KK Park. Scammers scattered, including to an emerging site in Hpakalu. The International Justice Mission found that some devices active in KK Park shortly before the raids were active in Hpakalu in Jan. 2026. Deko Park and Tai Chang are located in territory controlled by the Democratic Karen Benevolent Army (DKBA). The U.S. Treasury Department sanctioned the DKBA in November 2025, citing its role in supporting cyberscam centers, including the Tai Chang compound, where rescued trafficking victims have reported torture and beatings by DKBA soldiers. The AP also verified satellite imagery of 25 new scam compounds in Myanmar identified by International Justice Mission, which have appeared or grown significantly since the high-profile crackdown against KK Park and other compounds in October 2025. AP analyzed a sample of device activity at these sites between March 1, 2026, and June 1, 2026, which was provided by the International Justice Mission. At least 13 of them used Starlink IP addresses. Again, that data covers only a sample and may not capture all Starlink activity at these locations. The AP shared detailed data about the location and timing of device connections with each company named in the story. -- - This story is part of an ongoing collaboration between The Associated Press and "FRONTLINE" (PBS) that includes an upcoming documentary. -- - The Associated Press receives financial support from multiple private foundations. AP is solely responsible for all content. Find AP's standards for working with philanthropies, a list of supporters and funded coverage areas at AP.org. -- - Contact AP's global investigative team at [email protected] or https://www.ap.org/tips/
[2]
Takeaways from AP/'FRONTLINE' investigation into how US tech is abused for global scams
American technology and American companies are being used to power a revolution in the cyberscam industry, playing key roles in the industrialization and globalization of fraud in ways that have not been clear until now, an AP/"FRONTLINE" investigation has found . Most public scrutiny of the technology that fuels scams has focused on the social media platforms victims see, but the infrastructure exploited to commit fraud begins much farther upstream, the investigation showed. Watchdogs say satellite internet, AI and internet infrastructure companies along the digital supply chains that fraudsters abuse have the technical capacity to do more to protect consumers but lack the legal, regulatory and business incentives to crack down on a crime the Federal Trade Commission estimates cost Americans nearly $200 billion in 2024. The AP found no evidence to suggest these companies were doing anything illegal. However, the patterns of abuse AP identified raise questions about how vigorously they are enforcing their own terms of service, which prohibit illegal activity. Here are key findings: American AI is being used to scam at industrial scale in SE Asia The AP identified two suites of software used by scammers at compounds in Southeast Asia. OpenAI's ChatGPT played the most prominent role in these tools, along with Google's Gemini, though the software incorporated other AI models as well, according to an analysis with security nonprofit C4ADS. The software, which has legitimate and illegitimate uses, allows scammers to work across dozens of languages, generate automated replies, develop credible characters, and track employee performance. Scammers who purchased these tools took in tens of millions of dollars, according to blockchain analysis by TRM Labs at the request of AP/"FRONTLINE." OpenAI and Google both said they have robust programs in place to proactively disrupt scammers from abusing their tools. OpenAI said that based on the information AP shared, it banned three accounts that had been using its models to support online scams. US internet service providers play outsized role in carrying scam center traffic One in five signals from devices at four scam compounds linked to sanctioned entities in Myanmar was carried by a U.S.-registered company, according to an AP analysis of more than 200,000 device connections provided by International Justice Mission, an anti-trafficking non-profit. No other non-regional country came close. Among them were Cogent Communications, Oracle, AT&T and DigitalOcean. Companies outside the U.S. -- including UpCloud, in Finland, and GlobalTeleHost, in Canada -- also had servers in the U.S. that hosted high-risk traffic from scam centers. These companies all emphasized they can't see the content their networks carry or what end users are doing online -- privacy by design that constrains their ability to monitor for abuse. All said they respond to valid abuse reports and cooperate with law enforcement. Oracle said it was "diligently working with law enforcement" on the material shared by AP. UpCloud said AP's query had prompted an internal review and refinement of its risk assessment processes. Starlink is the number one internet service provider in Myanmar and scammers have been a big part of its customer base, data shows Elon Musk's satellite internet service, Starlink, is still the number one internet service provider in Myanmar, including to scam centers, according to device data, public records and interviews -- despite Congressional scrutiny and a widely publicized crackdown last fall, when the company said it cut off 2,500 kits near scam compounds. But scammers are still using Starlink, including from a proliferation of new sites that have grown inside Myanmar since then, satellite imagery and device data International Justice Mission shared with AP show. At least 25 new sites have been constructed, and at least 13 of them have used Starlink to get online, device data shows. That data covers only a sample and may not capture all Starlink activity at these locations. Starlink declined to respond to detailed questions, but has publicly said they cooperate with law enforcement - including a crackdown in May with the Department of Justice's Scam Center Strike Force and other companies - and are committed to ensuring the service remains "a force for good." Critics say that in the US the cost of facilitating scamming is zero Tech companies have access to a trove of data that could be used to minimize illicit activity, but doing so requires significant investment, cybersecurity analysts say. "If there's no disincentive to continuing this, if there's no cost to actually facilitating scamming, then why would I spend a dollar to prevent scamming?" said Sascha Meinrath, the Palmer chair in telecommunications at Penn State University. "This is the problem. It's identifiable, it's addressable -- at least somewhat -- but it costs something. And right now the cost of facilitating scamming is zero." Outside the United States, that cost is starting to rise. The United Kingdom, the European Union, Australia and Singapore have introduced regulations that require companies to do more to prevent scams -- or face financial penalties. Meanwhile, in Washington, lawmakers and government officials have been asking American tech companies to cooperate to cut scammers off from U.S. infrastructure, but on a voluntary basis. "The amazing part of this tragedy is that the criminals use our own infrastructure to commit the crime," U.S. Attorney Jeanine Pirro, who leads a new Scam Center Strike Force that has sought to forge partnerships with industry, said at a recent conference. "When fraud is detected, industry must be ready, willing and able to stop it." -- - This story is part of an ongoing collaboration between The Associated Press and "FRONTLINE" (PBS) that includes an upcoming documentary. -- - Kinetz reported from Rome, Washington, London and Lisbon, Portugal. AP journalists Juliet Linderman in Washington and Raynham, Mass, Ope Adetayo in Lagos, Nigeria, Larry Fenn in New York, Huizhong Wu in Bangkok and Michael Reo in Washington contributed to this story. Freelance reporter Rejimon Kuttappan in Thiruvananthapuram, India, and Anthony DeLorenzo, Martha Mendoza and Peter Klein from "FRONTLINE" (PBS) also contributed. -- - The Associated Press receives financial support from multiple private foundations. AP is solely responsible for all content. Find AP's standards for working with philanthropies, a list of supporters and funded coverage areas at AP.org . -- - Contact AP's global investigative team at [email protected] or https://www.ap.org/tips/
[3]
Takeaways from AP/'FRONTLINE' investigation into how US tech is abused for global scams
American technology and American companies are being used to power a revolution in the cyberscam industry, playing key roles in the industrialization and globalization of fraud in ways that have not been clear until now, an AP/"FRONTLINE" investigation has found. Most public scrutiny of the technology that fuels scams has focused on the social media platforms victims see, but the infrastructure exploited to commit fraud begins much farther upstream, the investigation showed. Watchdogs say satellite internet, AI and internet infrastructure companies along the digital supply chains that fraudsters abuse have the technical capacity to do more to protect consumers but lack the legal, regulatory and business incentives to crack down on a crime the Federal Trade Commission estimates cost Americans nearly $200 billion in 2024. The AP found no evidence to suggest these companies were doing anything illegal. However, the patterns of abuse AP identified raise questions about how vigorously they are enforcing their own terms of service, which prohibit illegal activity. Here are key findings: American AI is being used to scam at industrial scale in SE Asia The AP identified two suites of software used by scammers at compounds in Southeast Asia. OpenAI's ChatGPT played the most prominent role in these tools, along with Google's Gemini, though the software incorporated other AI models as well, according to an analysis with security nonprofit C4ADS. The software, which has legitimate and illegitimate uses, allows scammers to work across dozens of languages, generate automated replies, develop credible characters, and track employee performance. Scammers who purchased these tools took in tens of millions of dollars, according to blockchain analysis by TRM Labs at the request of AP/"FRONTLINE." OpenAI and Google both said they have robust programs in place to proactively disrupt scammers from abusing their tools. OpenAI said that based on the information AP shared, it banned three accounts that had been using its models to support online scams. US internet service providers play outsized role in carrying scam center traffic One in five signals from devices at four scam compounds linked to sanctioned entities in Myanmar was carried by a U.S.-registered company, according to an AP analysis of more than 200,000 device connections provided by International Justice Mission, an anti-trafficking non-profit. No other non-regional country came close. Among them were Cogent Communications, Oracle, AT&T and DigitalOcean. Companies outside the U.S. -- including UpCloud, in Finland, and GlobalTeleHost, in Canada -- also had servers in the U.S. that hosted high-risk traffic from scam centers. These companies all emphasized they can't see the content their networks carry or what end users are doing online -- privacy by design that constrains their ability to monitor for abuse. All said they respond to valid abuse reports and cooperate with law enforcement. Oracle said it was "diligently working with law enforcement" on the material shared by AP. UpCloud said AP's query had prompted an internal review and refinement of its risk assessment processes. Starlink is the number one internet service provider in Myanmar and scammers have been a big part of its customer base, data shows Elon Musk's satellite internet service, Starlink, is still the number one internet service provider in Myanmar, including to scam centers, according to device data, public records and interviews -- despite Congressional scrutiny and a widely publicized crackdown last fall, when the company said it cut off 2,500 kits near scam compounds. But scammers are still using Starlink, including from a proliferation of new sites that have grown inside Myanmar since then, satellite imagery and device data International Justice Mission shared with AP show. At least 25 new sites have been constructed, and at least 13 of them have used Starlink to get online, device data shows. That data covers only a sample and may not capture all Starlink activity at these locations. Starlink declined to respond to detailed questions, but has publicly said they cooperate with law enforcement - including a crackdown in May with the Department of Justice's Scam Center Strike Force and other companies - and are committed to ensuring the service remains "a force for good." Critics say that in the US the cost of facilitating scamming is zero Tech companies have access to a trove of data that could be used to minimize illicit activity, but doing so requires significant investment, cybersecurity analysts say. "If there's no disincentive to continuing this, if there's no cost to actually facilitating scamming, then why would I spend a dollar to prevent scamming?" said Sascha Meinrath, the Palmer chair in telecommunications at Penn State University. "This is the problem. It's identifiable, it's addressable -- at least somewhat -- but it costs something. And right now the cost of facilitating scamming is zero." Outside the United States, that cost is starting to rise. The United Kingdom, the European Union, Australia and Singapore have introduced regulations that require companies to do more to prevent scams -- or face financial penalties. Meanwhile, in Washington, lawmakers and government officials have been asking American tech companies to cooperate to cut scammers off from U.S. infrastructure, but on a voluntary basis. "The amazing part of this tragedy is that the criminals use our own infrastructure to commit the crime," U.S. Attorney Jeanine Pirro, who leads a new Scam Center Strike Force that has sought to forge partnerships with industry, said at a recent conference. "When fraud is detected, industry must be ready, willing and able to stop it." -- - This story is part of an ongoing collaboration between The Associated Press and "FRONTLINE" (PBS) that includes an upcoming documentary. -- - Kinetz reported from Rome, Washington, London and Lisbon, Portugal. AP journalists Juliet Linderman in Washington and Raynham, Mass, Ope Adetayo in Lagos, Nigeria, Larry Fenn in New York, Huizhong Wu in Bangkok and Michael Reo in Washington contributed to this story. Freelance reporter Rejimon Kuttappan in Thiruvananthapuram, India, and Anthony DeLorenzo, Martha Mendoza and Peter Klein from "FRONTLINE" (PBS) also contributed. -- - The Associated Press receives financial support from multiple private foundations. AP is solely responsible for all content. Find AP's standards for working with philanthropies, a list of supporters and funded coverage areas at AP.org. -- - Contact AP's global investigative team at [email protected] or https://www.ap.org/tips/
[4]
Four days to make victims fall in love: How global scammers use US tech to fleece people
The instructions were clear: He had four days to make each victim fall in love. And there were a lot of victims. Online, Safeer Mohammed Koorimannil, who was trafficked to a scam center in Myanmar, impersonated a 28-year-old Singaporean woman named Ella. On a typical shift, he said, he chatted with more than 100 people across dozens of profiles at the same time, as supervisors prowled among the desks with electric batons. In just a month, Koorimannil targeted some 50,000 victims from at least 17 countries, according to records he smuggled out to The Associated Press. His "clients" included a widowed tailor in Kurdistan, a pastry chef in Turkey, a sheep farmer in Kyrgyzstan, soldiers in Iraq, an engineer in Russia, a building painter in Germany, a port officer in Argentina, a student in Indonesia, a security guard in Poland and a dairy farmer in the Republic of Georgia. And he did it using software built with artificial intelligence models from American tech companies that scammers are abusing to target victims at unprecedented speed and scale. "Everyone is a robot there," he told AP from his home in southern India in his native Malayalam language. Technology from American companies is being used to power a revolution in the scam industry, playing a key role in the industrialization and globalization of fraud in ways that have not been clear until now, an AP/"FRONTLINE" investigation has found. Watchdogs say these companies have the technical capacity to do more to protect against abuse but lack the legal, regulatory and business incentives to crack down on a crime the Federal Trade Commission estimates cost Americans nearly $200 billion in losses in 2024. While most public scrutiny of the technology that fuels scams has focused on the social media platforms victims see, the infrastructure exploited to commit fraud begins much farther upstream, the investigation showed. American technology is present all along the digital supply chains that connect scammers with the scammed, from AI models baked into powerful new tools to optimize workflow and create more perfect fakes, to satellite dishes that enable scammers to evade internet crackdowns, to internet service providers that carry traffic from the lawless borderlands of Myanmar to the phones and computers of millions of victims. The AP found no evidence to suggest these companies were doing anything illegal themselves. However, the abuse of their tools and tech infrastructure at scam compounds in Myanmar, as documented by the AP and "FRONTLINE," raises questions about how vigorously they are enforcing their own terms of service, which prohibit illegal activity and, in many cases, explicitly ban fraud. Among the AP's findings: -- American-made AI models -- chiefly ChatGPT and Gemini -- have been used to build specialized software that allows scammers to seamlessly work across dozens of languages, surveil workers and target victims around the world, the investigation found with the help of C4ADS, a Washington-based nonprofit focused on global security. Scammers who purchased these tools took in tens of millions of dollars, according to blockchain analysis by TRM Labs at the request of AP/"FRONTLINE." -- A sophisticated, global internet infrastructure supports Myanmar's scam compound economy, which relies on services from Cogent Communications, AT&T, DigitalOcean and Oracle, among others. One in five signals from devices at four scam compounds linked to sanctioned entities in Myanmar was carried by a U.S.-registered company, according to an AP analysis of more than 200,000 device connections provided by International Justice Mission, an anti-trafficking nonprofit. -- Elon Musk' s satellite internet company, Starlink, is the number one internet service provider in Myanmar, including to scam centers, according to device data, public records and interviews -- despite public pressure from Congress and a widely publicized crackdown last fall. - At least 25 new scam compounds have been built deep inside Myanmar since a high-profile crackdown along the Thai border last fall, new satellite imagery shows. Scammers from at least 13 of these outposts used Starlink IP addresses to get online between early March and the end of May, an AP analysis of device and satellite data from International Justice Mission shows. The AP/"FRONTLINE" investigation was based on tens of thousands of leaked scam center files, videos and photos; an analysis with C4ADS of misuse of AI at scam centers; an examination of more than 200,000 connections made by devices over a year at four scam compounds in Myanmar linked to entities sanctioned by the U.S. government; and interviews with 58 scam victims and three dozen current and former scammers from 19 countries. Cybersecurity experts say internet service providers, AI companies and Starlink could do more to prevent the abuse by scammers -- but lack the legal, regulatory and business incentives. "If there's no disincentive to continuing this, if there's no cost to actually facilitating scamming, then why would I spend a dollar to prevent scamming?" said Sascha Meinrath, the Palmer chair in telecommunications at Penn State University. "This is the problem. It's identifiable, it's addressable -- at least somewhat -- but it costs something. And right now the cost of facilitating scamming is zero." Outside the United States, that cost is starting to rise. The United Kingdom, the European Union, Australia and Singapore have introduced new regulations that require companies to do more to prevent scams -- or face financial penalties. Meanwhile, in Washington, lawmakers and government officials have been asking American tech companies to cooperate to cut scammers off from U.S. infrastructure, but on a voluntary basis. In November, District of Columbia U.S. Attorney Jeanine Pirro created the Scam Center Strike Force to target scam compounds. In a four-day exercise in May, the Strike Force worked with Meta, SpaceX, Google and others to disrupt more than 1.4 million social media and email accounts, interrupt malicious IP address traffic, seize satellite internet terminals and decommission servers and hosting infrastructure linked to Southeast Asian scam networks. "We will not allow criminal organizations to weaponize our own infrastructure against us or devastate the life savings of hardworking families," Pirro said in an email to AP. "Our message is clear: we will find you, we will stop you, and we will protect the American people." OpenAI and Google both said they have robust programs in place to proactively disrupt scammers from abusing their tools. Starlink did not respond to detailed requests for comment. Internet service providers emphasized that they can't see the content their networks carry or what end users are doing online -- privacy by design that constrains their ability to monitor for abuse. All said they respond to valid abuse reports and cooperate with law enforcement. None would disclose specific customer information, citing privacy rules, but several said they had taken concrete action in response to AP's reporting. OpenAI said that based on the information AP shared, it identified and banned three accounts that had been using its models to support online scams. Oracle said it was "diligently working with law enforcement" on the material shared by AP. UpCloud, a Finnish cloud services provider with servers in the U.S., said AP's query had prompted an internal review and refinement of its risk assessment processes. OpenAI CEO Sam Altman has likened artificial intelligence to a utility, akin to electricity or water. But unlike water utilities, tech and telecom companies in the United States are generally not responsible for proactively ensuring the safety of the content they carry. Some people believe that should change. "This has to be like clean water," said Matthew Moynahan, the CEO of GetReal Security, a cybersecurity firm. "Anything coming out of the tap for an end user, whether that tap is a PC, a browser somewhere, or your mobile phone, dirty water shouldn't get to you. This is what this is." Almost Automated: American AI abused for industrial-scale scamming in SE Asia The use of AI in scams is exploding so fast that many in the cybersecurity community fear fully-automated scams run by AI agents will soon become commonplace. "We're moving towards a world where maybe you don't need human scammers anymore," said Ari Redbord, global head of policy at TRM Labs, a crypto analytics firm. "All you need is hundreds, thousands, millions of agentic agents who don't need to sleep, don't need to eat, who are 24/7 doing this." Already, the basic AI-powered tools Koorimannil used required scant human intervention. His job was to cut and paste responses from scripts his scam bosses generated. Koorimannil and his best friend had answered an ad online for jobs encouraging tourism to Thailand. From the airport in Bangkok, however, a waiting black car sped them to the border with Myanmar, he said, and the next morning armed men escorted them across the Moei River to Tai Chang, a scam compound the U.S. government sanctioned last year. Koorimannil managed to sneak out a screenshot from his computer that AP and security nonprofit C4ADS used to identify the key to his productivity -- a software platform called Kongtian Intelligent Customer Acquisition, or KT for short. AP also identified a similar suite of software, called Global Social Traffic Navigation, or 007TG, described by a former scammer as a "one-stop shop" for running scams at industrial scale. KT and 007TG are part of a thriving gray market for tech that has both legitimate and illegitimate uses and is widely exploited by scammers, according to blockchain analysis, a review of Telegram channels frequented by scammers, and interviews with scammers from three countries. KT and 007TG were created by for-profit businesses using AI models from leading global companies and sold to scammers -- who in turn generated tens of millions of dollars in illicit profits. OpenAI's ChatGPT played the most prominent role, along with Google's Gemini, though the software incorporated other AI models as well, including from Europe and China. Both KT and 007TG used ChatGPT and Gemini to generate automated replies, power a role-play chatbot, which scammers could use to develop convincing characters, and embed real-time translation in over 100 languages, C4ADS found. KT and 007TG software also tracked the performance of workers -- to devastating effect, in Koorimannil's case. He was beaten for being bad at scamming people, leaving his body red and swollen with lashes, photographs show. "When they came near my computer, my hands would shake and sweat," Koorimannil told AP. At night, he said, he and his best friend curled in the same narrow bunk, too frightened to sleep alone. Blockchain analysis, done for AP/"FRONTLINE" by TRM Labs, shows how powerful these tools can be. Cryptocurrency transactions are recorded on an indelible public ledger, or blockchain, which can be analyzed to show the pattern and volume of cryptocurrency transactions. TRM Labs found that a single crypto wallet used by 007TG received $860,000 in payments between April 2024 and December 2025 -- including transfers from at least four cryptocurrency wallets associated with known scam networks. Those scammers, in turn, raked in at least $75 million. Stopping AI abuses at scale is challenging because scammers often use ChatGPT the same way hundreds of millions of other people do -- to translate, help write messages, create content and do basic research, according to OpenAI. The intimacy, financial pressure and manipulative language in romance scams, for example, may be hard to distinguish from genuine users seeking help with a divorce. And tools like KT and 007TG can have legitimate uses, especially for Chinese businesses seeking to expand overseas. But by tracking user behavior over time to surface patterns of deception and manipulation, OpenAI said it detects scams with 95% accuracy and takes down 100,000 scam accounts each month. The company said it has also independently disrupted service to scam networks operating from Cambodia, Myanmar and Nigeria. Even as fraud networks exploit their technology, a growing number of people are using the same tools to fight back. OpenAI said people use ChatGPT millions of times a month to identify and avoid scams -- up to three times more often, the company estimates, than the model is abused by scammers. OpenAI also recently collaborated with the Global Anti-Scam Alliance to launch scam.org, which helps users assess the risk they are being targeted by scammers. Google did not respond to specific questions about AP's findings, but said the company is "committed to developing AI responsibly" and engineers its models with safety guardrails to filter out content that promotes scams. 007TG went dark in December but has since claimed to be back up and running. Neither it nor KT responded to requests for comment. In the end, through a connection in Bahrain, Koorimannil and his friend found a broker who oversaw ransom payments for 21 Indians from their compound, he said. They each had to pay 500,000 Indian rupees ($5,300) for their freedom. Missed signals: US internet service providers play outsized role in carrying scam center traffic It took a long time for Chris Colocousis to understand the extent to which scammers around the world use American technology to prey on people like him. At first, all he saw was that the woman who reached out to him on Facebook had a New York phone number -- not too far away from his home in Massachusetts -- and said she worked at a well-known financial firm in Atlanta. "Eliza" suggested a video call. And there she was -- the same blond beauty as in her Facebook photos. She even had little bags under her eyes. She was too real not to be real. Now Colocousis, a divorced man in his 60s, has no idea where "Eliza" really is, whether he was talking with her or with ChatGPT -- and even if she's a she. He does know that the $400,000 he says he "invested" under Eliza's guidance is now gone, robbing him of the secure retirement he'd spent years working for. "You just feel like your whole world fell apart," he said. "I'm thinking about all this time that I invested into reaching a point where I could retire at a certain age -- and it's just gone." Each step of a fraud is a digital signal, said John Breyault, vice president of public policy, telecommunications and fraud at the nonprofit National Consumers League. And internet service providers are the network on which many of these services ride. "The ISPs are in a particularly critical place in this chain," he said. New data shows that U.S. internet service providers play an outsized role in scams run out of Myanmar. The AP analyzed a sample of 202,013 connections made by devices at four scam compounds in Myanmar -- KK Park, Tai Chang, Deko Park and a newer site near Hpakalu. One in five was routed through U.S. internet service providers. No other nonregional country came close. Among them were Cogent Communications, Oracle, AT&T and DigitalOcean. Companies outside the United States -- including UpCloud, the Finnish cloud provider, and GlobalTeleHost, a Canadian hosting and internet infrastructure company -- also used servers in the U.S. to host high-risk traffic from scam centers, the data shows. "They are getting paid a lot of money to route these IP addresses," said Riley Kilmer, co-founder of Spur Intelligence Corporation, a cybersecurity company. "Right now the revenue outweighs the risk. And if you could shift that balance, the ISPs would have to act." Internet service providers have access to a trove of data that could be used to minimize illicit activity, but doing so requires significant investment, cybersecurity analysts say. "The policy in much of the hosting world tends to be, we will take action after the fact," said Dan Winchester, co-founder of Scamalytics, a fraud prevention company. "That's not really very effective. What you need to be doing is proactively stopping fraud on your servers." The ad tech data was compiled by International Justice Mission between February 2025 and January 2026. This data captures a slice of activity from apps that share information with data brokers, which can reveal the location and IP address a given device is using when it goes online. AP then identified the companies those IP addresses had been allocated to using a database maintained by Scamalytics, which also rates IP addresses for potential fraud risk. These companies were among the most significant players in the dataset: ORACLE More than 100 U.S.-geolocated IP addresses allocated to Oracle were used at the KK Park scam compound between February and April 2025. AP shared the detailed connection data with Oracle. "We are diligently working with law enforcement on this matter," an Oracle spokesperson told AP. COGENT COMMUNICATIONS Cogent Communications was among the biggest players, with connections from KK Park and Tai Chang scam compounds. Nearly 40% of the IP addresses allocated to Cogent appeared on publicly available blacklists of potential abuse, according to Scamalytics data. Scamalytics rated 99.6% of them as potentially risky. Cogent says it relies on third parties to report fraud and investigates every verified complaint, but like other ISPs, it can't see user traffic directly. AT&T IP addresses allocated to AT&T were used at three compounds between February 2025 and January 2026. AT&T says it's cracking down on fraud by making traffic on its network more transparent. In September it began enforcing new rules that require business customers to route traffic under their own network identity, not AT&T's, to make it harder to disguise questionable activity. DIGITALOCEAN Devices from KK Park and Hpakalu used at least 41 IP addresses allocated to DigitalOcean, a cloud infrastructure provider based in Colorado. Scamalytics rated nearly all as potentially risky. DigitalOcean said it reviewed the data shared by AP but declined to disclose the outcome. The company said it does not control how customer applications are used and works closely with them to fight abuse. UPCLOUD UpCloud had a single IP address -- linked to a server in New York City and rated very high risk by Scamalytics -- which connected at least 382 times between February and April 2025 with devices inside KK Park. UpCloud said the data AP shared "triggered a thorough internal review on our side to ensure that the risk of similar situations is further reduced going forward." The company said it may have involved a VPN hosted on its platform, but noted that it cannot access customer systems, which are private. They declined to provide further details, citing European data protection laws. The firm said it monitors for illegal activity as mandated by EU law but does not rely on Scamalytics because their risk assessments are not detailed enough. GLOBALTELEHOST GlobalTeleHost, a Canadian company that provides data center equipment and network connectivity for business customers, was allocated IP addresses used at KK Park and Tai Chang. Two-thirds appeared on public blacklists as potentially abusive, according to Scamalytics, which rated 99.9% as potentially risky. GlobalTeleHost said it does not serve end users directly and does not control its customers' applications, traffic or internal review processes. The company said the IPs shared by AP were assigned to commercial VPN providers. The company said it passed AP's technical findings to those customers and asked them to investigate, but some responded that their records were not detailed enough to identify specific users. GlobalTeleHost said it does not rely on Scamalytics risk ratings but acts on "verified abuse complaints and lawful requests from authorities." ___ In many cases, scammers in Myanmar routed their internet connections through U.S.-based cloud services to hide where they were really located before connecting to major platforms -- chiefly Meta, which owns Facebook, Instagram and WhatsApp, according to Kentik, a network monitoring firm in San Francisco that mapped internet traffic from a sample of data shared by AP. That makes it easier for scammers to appear to be somewhere else and slip past platform safety checks. Meta said that kind of deliberate evasion is why collaboration -- with law enforcement and across industry, including connectivity and technology companies -- is key to disrupting bad actors at scale. "Scammers are determined criminals who use increasingly sophisticated tactics to defraud people and evade detection on our platforms and across the internet," a spokesperson said in a statement. By analyzing behavioral patterns of users, Meta said it has been able to disrupt millions of accounts tied to scam centers across Southeast Asia and the United Arab Emirates. "This stuff is so pervasive," said Doug Madory, director of internet analysis at Kentik. "You can successfully launder connections to your heart's content." One way to do that is by leasing IP addresses which can be more valuable when traffic appears to originate from a well-known provider. This profitable loophole can be exploited to evade security controls. AT&T began enforcing a change in September that tightened this loophole by requiring business customers to announce their own network identity. "It would be great if everybody did what AT&T did," Madory said. "They probably lost some customers out of that policy, but those were pretty bad customers." Colocousis said people who think scam victims like him are gullible idiots don't understand the sophistication of criminal organizations behind online fraud. On Jan. 25, 2025, Colocousis laid out $80,000 cash in neat rows on his table, just as the customer service representative at his crypto trading app had instructed. Eliza had told him if he just paid this last bit, he could unlock his funds and withdraw all his money. "I will tell you that I feel a little uneasy but I know you keep telling me it's ok," he messaged her. She responded instantly with a string of kiss emoji. The next morning a young man, who Colocousis said showed up in a Jeep with New York plates, trudged across a thin layer of snow to his doorstep. Once inside, the man -- who said his name was Vincent -- told Colocousis to put the stacks of $50 and $100 bills in a plastic shopping bag. Vincent sent a message and the money instantly appeared in the fraudulent crypto trading account Eliza had helped Colocousis open, he said. Vincent left with a big smile and a quick, amiable wave. "See you next time," he said. "Maybe. OK. Bye-bye." Colocousis believes American tech companies should do more to protect people like him. He is still so shaken that he says he sometimes has trouble leaving his house. "The greed is --," Colocousis searched for words. "I'm all for capitalism, but when it's totally ruining people's lives, people that have worked their whole life towards a goal so that they don't have to work anymore, only to have it just ripped out of their chest -- you know, something's wrong." Starlink is the top internet service provider in Myanmar and scammers have been a big part of its user base, data shows Today, Musk's Starlink satellite service is the most widely used internet provider in Myanmar, including at known scam compounds, AP found -- despite an ongoing congressional investigation, a November order from a U.S. court to seize Starlink accounts from specific Myanmar scam compounds and announcements, in October and June, that Starlink had cut service to thousands of units around scam centers. Sen. Maggie Hassan, a New Hampshire Democrat who is leading a bipartisan congressional investigation into the role Starlink and other companies play in the surging losses of scam victims in America, has pressed SpaceX for details on Starlink's role in transnational fraud and urged the company to do more to prevent the criminal misuse of its devices. "We need to do more at every level to combat the scams that are plaguing Americans across the country," she said in an email to the AP. "Given that SpaceX's Starlink is the first choice of satellite internet technology for many scammers, cutting off scammers' access to Starlink is a key way to prevent scams at the source." To be sure, Starlink has been a lifeline for schools, humanitarian groups, hospitals, media and more in Myanmar, according to Amnesty International and others. But data from the Asia Pacific Network Information Center (APNIC), the regional internet registry, indicates that scammers represent a disproportionate share of its user base. Myanmar has become a haven for industrial-scale scam compounds, which have drafted some 300,000 people from dozens of countries, often against their will, according to the United Nations. One of those compounds is Deko Park, a conglomeration of big, blue-roofed buildings dotted with white satellite dishes near the Thai border. Data from a sample of devices at Deko Park, provided by International Justice Mission, shows Starlink among the top internet service providers in use from Dec. 10, 2025, to Jan. 6, 2026, just after two regional telecom companies. An Ethiopian engineer named Ebisa told AP he used Starlink at Deko Park from December 2024 through December 2025, when he managed to escape. He asked AP to only publish his first name because he wants to protect his privacy. Ebisa's job was to collect the WhatsApp numbers of rich, vulnerable men. He said he was constantly punished -- beaten, shocked, detained and forced to exercise for hours at a time -- for failing to meet impossible performance goals. One day, he said, he got fed up and tried to evade a beating. He didn't get very far. He said the security guards at Deko Park beat him so badly he was blinded in one eye. Photographs show his eye injuries and AP spoke with an NGO who helped him seek medical care in Thailand. "It was hard to survive," he told AP. "Finally, God helped us out from that hell." Speaking from a shelter for human trafficking victims in Thailand in December, he said he wanted to get his eye fixed before going home because his mother's health is fragile and he worried the sight of his injury might kill her. "It's very shameful," he said. "If God helps me, if I get medication, maybe I can get back my eye." He told AP on Monday from his home in Ethiopia that doctors had informed him they could not save his eye. "It's been a tough reality to face," he said. "They told me that it's too late to bring back my sight." A Nigerian who was also tricked into working at Deko Park, Obinna Okeadu, never made it back home, according to three co-workers, a human rights activist and reports from his family back in Nigeria. On the afternoon of Oct. 28, 2025, Okeadu and his roommate, Ogbonnaya Tochukwu Agwu -- known as Valentine -- came off an unsuccessful overnight shift and were called out for punishment. Back in their dorm room after the beating, Valentine watched as Okeadu began to tremble uncontrollably. Okeadu slid to the ground with a thud, his head lolling strangely, with sharp, anguished sounds rising from his body. "It's OK," a friend told him softly. "We're here." But Okeadu was not OK. "I'm going to die like this," Okeadu called out, according to Valentine. Valentine said Okeadu was taken away -- presumably to a hospital. He prayed for his friend. But the next day, Okeadu's computer disappeared and his name was deleted from work chats. Valentine never saw him again. This kind of abuse -- and the swelling cost of cyberscams to victims around the world -- has led to periodic crackdowns. In early 2025, Thailand temporarily cut off internet connectivity, electricity and gas supplies to scam compounds just over its border with Myanmar. Starlink was a way around the blockade at the time. Satellite dishes proliferated on the rooftops of scam centers in Myanmar, satellite imagery showed, and Starlink usage in Myanmar surged, according to APNIC data. In April 2025, as the United States prepared sanctions against foreign scam networks in Southeast Asia, SpaceX reassigned IP addresses from Tanzania to create a dedicated block for Myanmar. It's not clear why, but experts say that step is usually taken to serve growing demand or prepare for entry into a new market. By June 2025, Starlink was the number one internet service provider in the impoverished, war-torn country, with a 14% share of the market -- despite its relatively high cost, according to APNIC data. In October, amid another sweeping crackdown, Starlink said it cut services to more than 2,500 units near scam compounds in Myanmar. It lost nearly half of its users in the country and its market share plunged from 15% to 6.5%, according to APNIC data. But in December, Starlink use surged back, and by February, the company was again number one in Myanmar. Today it has a nearly 20% share of the market, APNIC data show. SpaceX's October service cuts demonstrated that the company can sever scam centers from its satellites when it wants to -- and shows just how important the criminal networks that pay for scam center infrastructure have been to its user base. According to Starlink's own coverage map, it does not sell services in Myanmar. AP asked Myanmar's ruling military government whether Starlink was legally authorized to work in the country but got no response. Starlink also declined to respond to detailed requests for comment. But in public comments, Lauren Dreyer, vice president of Starlink business operations at SpaceX, has said that Starlink has "zero tolerance" for abuse. "We proactively detect and disable terminals involved in illegal activity," she said in a June statement about the company's work with the Scam Center Strike Force. "Through collaboration with law enforcement and technology companies, we advance global anti-scam efforts and ensure Starlink remains a force for good." Yet Starlink's service cuts have not stopped scammers -- not even from one of the most high-profile scam compounds in Asia, KK Park. In October, in response to growing international pressure, Myanmar's military government began demolishing the compound and broadcast images of dozens of seized Starlink terminals. But when the scammers scattered, they brought their tech with them. By January, at least seven devices used at KK Park had migrated to a new compound some 30 kilometers to the northwest, near Hpakalu, according to International Justice Mission, which tracked the devices using ad tech data. "These new compounds are showing up in the middle of nowhere and they're walled multibuilding complexes with a bunch of these terminals on the roof," said Eric Heintz, a global analyst at IJM. "You should be able to shut them down, and there should be a paper trail for who's paying the subscriptions for them." Heintz has identified at least 25 new sites in Myanmar that have appeared or grown significantly since the crackdown last fall. Satellite imagery, verified by AP, shows empty fields transformed into industrial-scale office parks in just a few months and new roads cut through thick trees. White satellite dishes dot the rooftops of some of them, and geolocated device data shows that scammers from at least 13 are logging on just as they did before: With Starlink. -- - This story is part of an ongoing collaboration between The Associated Press and "FRONTLINE" (PBS) that includes an upcoming documentary. -- - Kinetz reported from Rome, Washington, London and Lisbon, Portugal. AP journalists Juliet Linderman in Washington and Raynham, Mass, Ope Adetayo in Lagos, Nigeria, Larry Fenn in New York, Huizhong Wu in Bangkok and Michael Reo in Washington contributed to this story. Freelance reporter Rejimon Kuttappan in Thiruvananthapuram, India, and Anthony DeLorenzo, Martha Mendoza and Peter Klein from "FRONTLINE" (PBS) also contributed. -- - The Associated Press receives financial support from multiple private foundations. AP is solely responsible for all content. Find AP's standards for working with philanthropies, a list of supporters and funded coverage areas at AP.org. -- - Contact AP's global investigative team at [email protected] or https://www.ap.org/tips/
[5]
How global scammers use US tech to fleece people
Indian scammer Safeer Koorimannil reveals how AI from American tech giants fuels global fraud rings in Myanmar. Trafficked to a scam center, he used sophisticated software to target thousands daily. The investigation highlights how U.S. technology, from AI models to internet infrastructure, enables these operations, raising questions about company accountability and regulatory oversight. The instructions were clear: He had four days to make each victim fall in love. And there were a lot of victims. Online, Safeer Mohammed Koorimannil, who was trafficked to a scam center in Myanmar, impersonated a 28-year-old Singaporean woman named Ella. On a typical shift, he said, he chatted with more than 100 people across dozens of profiles at the same time, as supervisors prowled among the desks with electric batons. In just a month, Koorimannil targeted some 50,000 victims from at least 17 countries, according to records he smuggled out to The Associated Press. His "clients" included a widowed tailor in Kurdistan, a pastry chef in Turkey, a sheep farmer in Kyrgyzstan, soldiers in Iraq, an engineer in Russia, a building painter in Germany, a port officer in Argentina, a student in Indonesia, a security guard in Poland and a dairy farmer in the Republic of Georgia. And he did it using software built with artificial intelligence models from American tech companies that scammers are abusing to target victims at unprecedented speed and scale. "Everyone is a robot there," he told from his home in southern India in his native Malayalam language. Technology from American companies is being used to power a revolution in the scam industry, playing a key role in the industrialization and globalization of fraud in ways that have not been clear until now, an AP/"FRONTLINE" investigation has found. Watchdogs say these companies have the technical capacity to do more to protect against abuse but lack the legal, regulatory and business incentives to crack down on a crime the Federal Trade Commission estimates cost Americans nearly $200 billion in losses in 2024. While most public scrutiny of the technology that fuels scams has focused on the social media platforms victims see, the infrastructure exploited to commit fraud begins much farther upstream, the investigation showed. American technology is present all along the digital supply chains that connect scammers with the scammed, from AI models baked into powerful new tools to optimize workflow and create more perfect fakes, to satellite dishes that enable scammers to evade internet crackdowns, to internet service providers that carry traffic from the lawless borderlands of Myanmar to the phones and computers of millions of victims. The AP found no evidence to suggest these companies were doing anything illegal themselves. However, the abuse of their tools and tech infrastructure at scam compounds in Myanmar, as documented by the AP and "FRONTLINE," raises questions about how vigorously they are enforcing their own terms of service, which prohibit illegal activity and, in many cases, explicitly ban fraud. Among the AP's findings: American-made AI models - chiefly ChatGPT and Gemini - have been used to build specialized software that allows scammers to seamlessly work across dozens of languages, surveil workers and target victims around the world, the investigation found with the help of C4ADS, a Washington-based nonprofit focused on global security. Scammers who purchased these tools took in tens of millions of dollars, according to blockchain analysis by TRM Labs at the request of AP/"FRONTLINE." A sophisticated, global internet infrastructure supports Myanmar's scam compound economy, which relies on services from Cogent Communications, AT&T, DigitalOcean and Oracle, among others. One in five signals from devices at four scam compounds linked to sanctioned entities in Myanmar was carried by a U.S.-registered company, according to an AP analysis of more than 200,000 device connections provided by International Justice Mission, an anti-trafficking nonprofit. Elon Musk' s satellite internet company, Starlink, is the number one internet service provider in Myanmar, including to scam centers, according to device data, public records and interviews - despite public pressure from Congress and a widely publicized crackdown last fall. At least 25 new scam compounds have been built deep inside Myanmar since a high-profile crackdown along the Thai border last fall, new satellite imagery shows. Scammers from at least 13 of these outposts used Starlink IP addresses to get online between early March and the end of May, an AP analysis of device and satellite data from International Justice Mission shows. The AP/"FRONTLINE" investigation was based on tens of thousands of leaked scam center files, videos and photos; an analysis with C4ADS of misuse of AI at scam centers; an examination of more than 200,000 connections made by devices over a year at four scam compounds in Myanmar linked to entities sanctioned by the U.S. government; and interviews with 58 scam victims and three dozen current and former scammers from 19 countries. Cybersecurity experts say internet service providers, AI companies and Starlink could do more to prevent the abuse by scammers - but lack the legal, regulatory and business incentives. "If there's no disincentive to continuing this, if there's no cost to actually facilitating scamming, then why would I spend a dollar to prevent scamming?" said Sascha Meinrath, the Palmer chair in telecommunications at Penn State University. "This is the problem. It's identifiable, it's addressable - at least somewhat - but it costs something. And right now the cost of facilitating scamming is zero." Outside the United States, that cost is starting to rise. The United Kingdom, the European Union, Australia and Singapore have introduced new regulations that require companies to do more to prevent scams - or face financial penalties. Meanwhile, in Washington, lawmakers and government officials have been asking American tech companies to cooperate to cut scammers off from U.S. infrastructure, but on a voluntary basis. In November, District of Columbia U.S. Attorney Jeanine Pirro created the Scam Center Strike Force to target scam compounds. In a four-day exercise in May, the Strike Force worked with Meta, SpaceX, Google and others to disrupt more than 1.4 million social media and email accounts, interrupt malicious IP address traffic, seize satellite internet terminals and decommission servers and hosting infrastructure linked to Southeast Asian scam networks. "We will not allow criminal organizations to weaponize our own infrastructure against us or devastate the life savings of hardworking families," Pirro said in an email to AP. "Our message is clear: we will find you, we will stop you, and we will protect the American people." OpenAI and Google both said they have robust programs in place to proactively disrupt scammers from abusing their tools. Starlink did not respond to detailed requests for comment. Internet service providers emphasized that they can't see the content their networks carry or what end users are doing online - privacy by design that constrains their ability to monitor for abuse. All said they respond to valid abuse reports and cooperate with law enforcement. None would disclose specific customer information, citing privacy rules, but several said they had taken concrete action in response to AP's reporting. OpenAI said that based on the information AP shared, it identified and banned three accounts that had been using its models to support online scams. Oracle said it was "diligently working with law enforcement" on the material shared by AP. UpCloud, a Finnish cloud services provider with servers in the U.S., said AP's query had prompted an internal review and refinement of its risk assessment processes. OpenAI CEO Sam Altman has likened artificial intelligence to a utility, akin to electricity or water. But unlike water utilities, tech and telecom companies in the United States are generally not responsible for proactively ensuring the safety of the content they carry. Some people believe that should change. "This has to be like clean water," said Matthew Moynahan, the CEO of GetReal Security, a cybersecurity firm. "Anything coming out of the tap for an end user, whether that tap is a PC, a browser somewhere, or your mobile phone, dirty water shouldn't get to you. This is what this is." Almost Automated: American AI abused for industrial-scale scamming in SE Asia The use of AI in scams is exploding so fast that many in the cybersecurity community fear fully-automated scams run by AI agents will soon become commonplace. "We're moving towards a world where maybe you don't need human scammers anymore," said Ari Redbord, global head of policy at TRM Labs, a crypto analytics firm. "All you need is hundreds, thousands, millions of agentic agents who don't need to sleep, don't need to eat, who are 24/7 doing this." Already, the basic AI-powered tools Koorimannil used required scant human intervention. His job was to cut and paste responses from scripts his scam bosses generated. Koorimannil and his best friend had answered an ad online for jobs encouraging tourism to Thailand. From the airport in Bangkok, however, a waiting black car sped them to the border with Myanmar, he said, and the next morning armed men escorted them across the Moei River to Tai Chang, a scam compound the U.S. government sanctioned last year. Koorimannil managed to sneak out a screenshot from his computer that AP and security nonprofit C4ADS used to identify the key to his productivity - a software platform called Kongtian Intelligent Customer Acquisition, or KT for short. AP also identified a similar suite of software, called Global Social Traffic Navigation, or 007TG, described by a former scammer as a "one-stop shop" for running scams at industrial scale. KT and 007TG are part of a thriving gray market for tech that has both legitimate and illegitimate uses and is widely exploited by scammers, according to blockchain analysis, a review of Telegram channels frequented by scammers, and interviews with scammers from three countries. KT and 007TG were created by for-profit businesses using AI models from leading global companies and sold to scammers - who in turn generated tens of millions of dollars in illicit profits. OpenAI's ChatGPT played the most prominent role, along with Google's Gemini, though the software incorporated other AI models as well, including from Europe and China. Both KT and 007TG used ChatGPT and Gemini to generate automated replies, power a role-play chatbot, which scammers could use to develop convincing characters, and embed real-time translation in over 100 languages, C4ADS found. KT and 007TG software also tracked the performance of workers - to devastating effect, in Koorimannil's case. He was beaten for being bad at scamming people, leaving his body red and swollen with lashes, photographs show. "When they came near my computer, my hands would shake and sweat," Koorimannil told AP. At night, he said, he and his best friend curled in the same narrow bunk, too frightened to sleep alone. Blockchain analysis, done for AP/"FRONTLINE" by TRM Labs, shows how powerful these tools can be. Cryptocurrency transactions are recorded on an indelible public ledger, or blockchain, which can be analyzed to show the pattern and volume of cryptocurrency transactions. TRM Labs found that a single crypto wallet used by 007TG received $860,000 in payments between April 2024 and December 2025 - including transfers from at least four cryptocurrency wallets associated with known scam networks. Those scammers, in turn, raked in at least $75 million. Stopping AI abuses at scale is challenging because scammers often use ChatGPT the same way hundreds of millions of other people do - to translate, help write messages, create content and do basic research, according to OpenAI. The intimacy, financial pressure and manipulative language in romance scams, for example, may be hard to distinguish from genuine users seeking help with a divorce. And tools like KT and 007TG can have legitimate uses, especially for Chinese businesses seeking to expand overseas. But by tracking user behavior over time to surface patterns of deception and manipulation, OpenAI said it detects scams with 95% accuracy and takes down 100,000 scam accounts each month. The company said it has also independently disrupted service to scam networks operating from Cambodia, Myanmar and Nigeria. Even as fraud networks exploit their technology, a growing number of people are using the same tools to fight back. OpenAI said people use ChatGPT millions of times a month to identify and avoid scams - up to three times more often, the company estimates, than the model is abused by scammers. OpenAI also recently collaborated with the Global Anti-Scam Alliance to launch scam. org, which helps users assess the risk they are being targeted by scammers. Google did not respond to specific questions about AP's findings, but said the company is "committed to developing AI responsibly" and engineers its models with safety guardrails to filter out content that promotes scams. 007TG went dark in December but has since claimed to be back up and running. Neither it nor KT responded to requests for comment. In the end, through a connection in Bahrain, Koorimannil and his friend found a broker who oversaw ransom payments for 21 Indians from their compound, he said. They each had to pay 500,000 Indian rupees ($5,300) for their freedom. Missed signals: US internet service providers play outsized role in carrying scam center traffic It took a long time for Chris Colocousis to understand the extent to which scammers around the world use American technology to prey on people like him. At first, all he saw was that the woman who reached out to him on Facebook had a New York phone number - not too far away from his home in Massachusetts - and said she worked at a well-known financial firm in Atlanta. "Eliza" suggested a video call. And there she was - the same blond beauty as in her Facebook photos. She even had little bags under her eyes. She was too real not to be real. Now Colocousis, a divorced man in his 60s, has no idea where "Eliza" really is, whether he was talking with her or with ChatGPT - and even if she's a she. He does know that the $400,000 he says he "invested" under Eliza's guidance is now gone, robbing him of the secure retirement he'd spent years working for. "You just feel like your whole world fell apart," he said. "I'm thinking about all this time that I invested into reaching a point where I could retire at a certain age - and it's just gone." Each step of a fraud is a digital signal, said John Breyault, vice president of public policy, telecommunications and fraud at the nonprofit National Consumers League. And internet service providers are the network on which many of these services ride. "The ISPs are in a particularly critical place in this chain," he said. New data shows that U.S. internet service providers play an outsized role in scams run out of Myanmar. The AP analyzed a sample of 202,013 connections made by devices at four scam compounds in Myanmar - KK Park, Tai Chang, Deko Park and a newer site near Hpakalu. One in five was routed through U.S. internet service providers. No other nonregional country came close. Among them were Cogent Communications, Oracle, AT&T and DigitalOcean. Companies outside the United States - including UpCloud, the Finnish cloud provider, and GlobalTeleHost, a Canadian hosting and internet infrastructure company - also used servers in the U.S. to host high-risk traffic from scam centers, the data shows. "They are getting paid a lot of money to route these IP addresses," said Riley Kilmer, co-founder of Spur Intelligence Corporation, a cybersecurity company. "Right now the revenue outweighs the risk. And if you could shift that balance, the ISPs would have to act." Internet service providers have access to a trove of data that could be used to minimize illicit activity, but doing so requires significant investment, cybersecurity analysts say. "The policy in much of the hosting world tends to be, we will take action after the fact," said Dan Winchester, co-founder of Scamalytics, a fraud prevention company. "That's not really very effective. What you need to be doing is proactively stopping fraud on your servers." The ad tech data was compiled by International Justice Mission between February 2025 and January 2026. This data captures a slice of activity from apps that share information with data brokers, which can reveal the location and IP address a given device is using when it goes online. AP then identified the companies those IP addresses had been allocated to using a database maintained by Scamalytics, which also rates IP addresses for potential fraud risk. These companies were among the most significant players in the dataset: ORACLE More than 100 U.S.-geolocated IP addresses allocated to Oracle were used at the KK Park scam compound between February and April 2025. AP shared the detailed connection data with Oracle. "We are diligently working with law enforcement on this matter," an Oracle spokesperson told AP. COGENT COMMUNICATIONS Cogent Communications was among the biggest players, with connections from KK Park and Tai Chang scam compounds. Nearly 40% of the IP addresses allocated to Cogent appeared on publicly available blacklists of potential abuse, according to Scamalytics data. Scamalytics rated 99.6% of them as potentially risky. Cogent says it relies on third parties to report fraud and investigates every verified complaint, but like other ISPs, it can't see user traffic directly. AT&T IP addresses allocated to AT&T were used at three compounds between February 2025 and January 2026. AT&T says it's cracking down on fraud by making traffic on its network more transparent. In September it began enforcing new rules that require business customers to route traffic under their own network identity, not AT&T's, to make it harder to disguise questionable activity. DIGITALOCEAN Devices from KK Park and Hpakalu used at least 41 IP addresses allocated to DigitalOcean, a cloud infrastructure provider based in Colorado. Scamalytics rated nearly all as potentially risky. DigitalOcean said it reviewed the data shared by AP but declined to disclose the outcome. The company said it does not control how customer applications are used and works closely with them to fight abuse. UPCLOUD UpCloud had a single IP address - linked to a server in New York City and rated very high risk by Scamalytics - which connected at least 382 times between February and April 2025 with devices inside KK Park. UpCloud said the data AP shared "triggered a thorough internal review on our side to ensure that the risk of similar situations is further reduced going forward." The company said it may have involved a VPN hosted on its platform, but noted that it cannot access customer systems, which are private. They declined to provide further details, citing European data protection laws. The firm said it monitors for illegal activity as mandated by EU law but does not rely on Scamalytics because their risk assessments are not detailed enough. GLOBALTELEHOST GlobalTeleHost, a Canadian company that provides data center equipment and network connectivity for business customers, was allocated IP addresses used at KK Park and Tai Chang. Two-thirds appeared on public blacklists as potentially abusive, according to Scamalytics, which rated 99.9% as potentially risky. GlobalTeleHost said it does not serve end users directly and does not control its customers' applications, traffic or internal review processes. The company said the IPs shared by AP were assigned to commercial VPN providers. The company said it passed AP's technical findings to those customers and asked them to investigate, but some responded that their records were not detailed enough to identify specific users. GlobalTeleHost said it does not rely on Scamalytics risk ratings but acts on "verified abuse complaints and lawful requests from authorities." In many cases, scammers in Myanmar routed their internet connections through U.S.-based cloud services to hide where they were really located before connecting to major platforms - chiefly Meta, which owns Facebook, Instagram and WhatsApp, according to Kentik, a network monitoring firm in San Francisco that mapped internet traffic from a sample of data shared by AP. That makes it easier for scammers to appear to be somewhere else and slip past platform safety checks. Meta said that kind of deliberate evasion is why collaboration - with law enforcement and across industry, including connectivity and technology companies - is key to disrupting bad actors at scale. "Scammers are determined criminals who use increasingly sophisticated tactics to defraud people and evade detection on our platforms and across the internet," a spokesperson said in a statement. By analyzing behavioral patterns of users, Meta said it has been able to disrupt millions of accounts tied to scam centers across Southeast Asia and the United Arab Emirates. "This stuff is so pervasive," said Doug Madory, director of internet analysis at Kentik. "You can successfully launder connections to your heart's content." One way to do that is by leasing IP addresses which can be more valuable when traffic appears to originate from a well-known provider. This profitable loophole can be exploited to evade security controls. AT&T began enforcing a change in September that tightened this loophole by requiring business customers to announce their own network identity. "It would be great if everybody did what AT&T did," Madory said. "They probably lost some customers out of that policy, but those were pretty bad customers." Colocousis said people who think scam victims like him are gullible idiots don't understand the sophistication of criminal organizations behind online fraud. On Jan. 25, 2025, Colocousis laid out $80,000 cash in neat rows on his table, just as the customer service representative at his crypto trading app had instructed. Eliza had told him if he just paid this last bit, he could unlock his funds and withdraw all his money. "I will tell you that I feel a little uneasy but I know you keep telling me it's ok," he messaged her. She responded instantly with a string of kiss emoji. The next morning a young man, who Colocousis said showed up in a Jeep with New York plates, trudged across a thin layer of snow to his doorstep. Once inside, the man - who said his name was Vincent - told Colocousis to put the stacks of $50 and $100 bills in a plastic shopping bag. Vincent sent a message and the money instantly appeared in the fraudulent crypto trading account Eliza had helped Colocousis open, he said. Vincent left with a big smile and a quick, amiable wave. "See you next time," he said. "Maybe. OK. Bye-bye." Colocousis believes American tech companies should do more to protect people like him. He is still so shaken that he says he sometimes has trouble leaving his house. "The greed is --," Colocousis searched for words. "I'm all for capitalism, but when it's totally ruining people's lives, people that have worked their whole life towards a goal so that they don't have to work anymore, only to have it just ripped out of their chest - you know, something's wrong." Starlink is the top internet service provider in Myanmar and scammers have been a big part of its user base, data shows Today, Musk's Starlink satellite service is the most widely used internet provider in Myanmar, including at known scam compounds, AP found - despite an ongoing congressional investigation, a November order from a U.S. court to seize Starlink accounts from specific Myanmar scam compounds and announcements, in October and June, that Starlink had cut service to thousands of units around scam centers. Sen. Maggie Hassan, a New Hampshire Democrat who is leading a bipartisan congressional investigation into the role Starlink and other companies play in the surging losses of scam victims in America, has pressed SpaceX for details on Starlink's role in transnational fraud and urged the company to do more to prevent the criminal misuse of its devices. "We need to do more at every level to combat the scams that are plaguing Americans across the country," she said in an email to the AP. "Given that SpaceX's Starlink is the first choice of satellite internet technology for many scammers, cutting off scammers' access to Starlink is a key way to prevent scams at the source." To be sure, Starlink has been a lifeline for schools, humanitarian groups, hospitals, media and more in Myanmar, according to Amnesty International and others. But data from the Asia Pacific Network Information Center (APNIC), the regional internet registry, indicates that scammers represent a disproportionate share of its user base. Myanmar has become a haven for industrial-scale scam compounds, which have drafted some 300,000 people from dozens of countries, often against their will, according to the United Nations. One of those compounds is Deko Park, a conglomeration of big, blue-roofed buildings dotted with white satellite dishes near the Thai border. Data from a sample of devices at Deko Park, provided by International Justice Mission, shows Starlink among the top internet service providers in use from Dec. 10, 2025, to Jan. 6, 2026, just after two regional telecom companies. An Ethiopian engineer named Ebisa told AP he used Starlink at Deko Park from December 2024 through December 2025, when he managed to escape. He asked AP to only publish his first name because he wants to protect his privacy. Ebisa's job was to collect the WhatsApp numbers of rich, vulnerable men. He said he was constantly punished - beaten, shocked, detained and forced to exercise for hours at a time - for failing to meet impossible performance goals. One day, he said, he got fed up and tried to evade a beating. He didn't get very far. He said the security guards at Deko Park beat him so badly he was blinded in one eye. Photographs show his eye injuries and AP spoke with an NGO who helped him seek medical care in Thailand. "It was hard to survive," he told AP. "Finally, God helped us out from that hell." Speaking from a shelter for human trafficking victims in Thailand in December, he said he wanted to get his eye fixed before going home because his mother's health is fragile and he worried the sight of his injury might kill her. "It's very shameful," he said. "If God helps me, if I get medication, maybe I can get back my eye." He told AP on Monday from his home in Ethiopia that doctors had informed him they could not save his eye. "It's been a tough reality to face," he said. "They told me that it's too late to bring back my sight." A Nigerian who was also tricked into working at Deko Park, Obinna Okeadu, never made it back home, according to three co-workers, a human rights activist and reports from his family back in Nigeria. On the afternoon of Oct. 28, 2025, Okeadu and his roommate, Ogbonnaya Tochukwu Agwu - known as Valentine - came off an unsuccessful overnight shift and were called out for punishment. Back in their dorm room after the beating, Valentine watched as Okeadu began to tremble uncontrollably. Okeadu slid to the ground with a thud, his head lolling strangely, with sharp, anguished sounds rising from his body. "It's OK," a friend told him softly. "We're here." But Okeadu was not OK. "I'm going to die like this," Okeadu called out, according to Valentine. Valentine said Okeadu was taken away - presumably to a hospital. He prayed for his friend. But the next day, Okeadu's computer disappeared and his name was deleted from work chats. Valentine never saw him again. This kind of abuse - and the swelling cost of cyberscams to victims around the world - has led to periodic crackdowns. In early 2025, Thailand temporarily cut off internet connectivity, electricity and gas supplies to scam compounds just over its border with Myanmar. Starlink was a way around the blockade at the time. Satellite dishes proliferated on the rooftops of scam centers in Myanmar, satellite imagery showed, and Starlink usage in Myanmar surged, according to APNIC data. In April 2025, as the United States prepared sanctions against foreign scam networks in Southeast Asia, SpaceX reassigned IP addresses from Tanzania to create a dedicated block for Myanmar. It's not clear why, but experts say that step is usually taken to serve growing demand or prepare for entry into a new market. By June 2025, Starlink was the number one internet service provider in the impoverished, war-torn country, with a 14% share of the market - despite its relatively high cost, according to APNIC data. In October, amid another sweeping crackdown, Starlink said it cut services to more than 2,500 units near scam compounds in Myanmar. It lost nearly half of its users in the country and its market share plunged from 15% to 6.5%, according to APNIC data. But in December, Starlink use surged back, and by February, the company was again number one in Myanmar. Today it has a nearly 20% share of the market, APNIC data show. SpaceX's October service cuts demonstrated that the company can sever scam centers from its satellites when it wants to - and shows just how important the criminal networks that pay for scam center infrastructure have been to its user base. According to Starlink's own coverage map, it does not sell services in Myanmar. AP asked Myanmar's ruling military government whether Starlink was legally authorized to work in the country but got no response. Starlink also declined to respond to detailed requests for comment. But in public comments, Lauren Dreyer, vice president of Starlink business operations at SpaceX, has said that Starlink has "zero tolerance" for abuse. "We proactively detect and disable terminals involved in illegal activity," she said in a June statement about the company's work with the Scam Center Strike Force. "Through collaboration with law enforcement and technology companies, we advance global anti-scam efforts and ensure Starlink remains a force for good." Yet Starlink's service cuts have not stopped scammers - not even from one of the most high-profile scam compounds in Asia, KK Park. In October, in response to growing international pressure, Myanmar's military government began demolishing the compound and broadcast images of dozens of seized Starlink terminals. But when the scammers scattered, they brought their tech with them. By January, at least seven devices used at KK Park had migrated to a new compound some 30 kilometers to the northwest, near Hpakalu, according to International Justice Mission, which tracked the devices using ad tech data. "These new compounds are showing up in the middle of nowhere and they're walled multibuilding complexes with a bunch of these terminals on the roof," said Eric Heintz, a global analyst at IJM. "You should be able to shut them down, and there should be a paper trail for who's paying the subscriptions for them." Heintz has identified at least 25 new sites in Myanmar that have appeared or grown significantly since the crackdown last fall. Satellite imagery, verified by AP, shows empty fields transformed into industrial-scale office parks in just a few months and new roads cut through thick trees. White satellite dishes dot the rooftops of some of them, and geolocated device data shows that scammers from at least 13 are logging on just as they did before: With Starlink.
Share
Copy Link
An AP/FRONTLINE investigation exposes how American technology fuels a revolution in cyberscams. From AI-powered tools using ChatGPT and Gemini to Starlink satellite internet, US tech enables scammers in Myanmar to target victims worldwide. The investigation analyzed over 200,000 device connections and found US companies carry one in five signals from sanctioned scam compounds, raising questions about enforcement of terms of service.
US Tech Abused for Global Scams at Unprecedented Scale
American technology is fueling a revolution in the cyberscam industry, enabling fraud operations in Southeast Asia to target victims worldwide at unprecedented speed and scale, according to a comprehensive
AP/FRONTLINE investigation
2
. The investigation, based on tens of thousands of leaked scam center files and an examination of more than 200,000 device connections at four scam compounds in Myanmar linked to entities sanctioned by the U.S. government, reveals that US tech plays a key role in the industrialization and globalization of fraud. While most public scrutiny has focused on social media platforms, the infrastructure exploited to commit fraud begins much farther upstream along the digital supply chain, the investigation found.AI-Powered Tools Enable Industrial Scale Fraud
The investigation identified two suites of specialized software used by scammers at compounds in Southeast Asia, with OpenAI's ChatGPT and Google's Gemini playing the most prominent roles
3
4
. According to an analysis with security nonprofit C4ADS, these AI-powered tools allow scammers to work across dozens of languages, generate automated replies, develop credible characters, and track employee performance. The dual-use nature of AI makes detection challenging, as the software has both legitimate and illegitimate applications. Scammers who purchased these tools took in tens of millions of dollars, according to blockchain analysis by TRM Labs at the request of AP/FRONTLINE. The case of Safeer Mohammed Koorimannil, a trafficked worker at a scam center in Myanmar, illustrates the scale: he targeted some 50,000 victims from at least 17 countries in just one month, chatting with more than 100 people across dozens of profiles simultaneously4
5
. OpenAI said it banned three accounts using its models to support online scams based on information shared by AP, while both companies emphasized their robust programs to disrupt scammers.US Internet Infrastructure Carries One in Five Scam Center Signals
One in five signals from devices at four scam compounds linked to sanctioned entities in Myanmar was carried by a U.S.-registered company, according to an AP analysis of more than 200,000 device connections provided by International Justice Mission, an anti-trafficking nonprofit
2
3
. No other non-regional country came close. Among the US internet infrastructure providers identified were Cogent Communications, Oracle, AT&T, and DigitalOcean. Companies outside the U.S., including UpCloud in Finland and GlobalTeleHost in Canada, also had servers in the U.S. that hosted high-risk traffic from scam centers. The data, which covers several time intervals between February 2025 and January 2026, was enriched with risk indicators from fraud prevention company Scamalytics1
. These companies emphasized they cannot see the content their networks carry due to privacy by design, which constrains their ability to monitor for abuse. Oracle said it was "diligently working with law enforcement" on the material shared by AP, while UpCloud said the inquiry prompted an internal review and refinement of its risk assessment processes.Starlink Remains Top Internet Service Provider Despite Crackdown
Elon Musk's satellite internet company, Starlink, is still the number one internet service provider in Myanmar, including to scam centers, according to device data, public records and interviews—despite Congressional scrutiny and a widely publicized crackdown last fall when the company said it cut off 2,500 kits near scam compounds
2
4
. Scammers are still using Starlink from a proliferation of new sites that have grown inside Myanmar since then. At least 25 new scam compounds have been constructed deep inside Myanmar since a high-profile crackdown along the Thai border last fall, and at least 13 of them used Starlink IP addresses to get online between early March and the end of May, an AP analysis of device and satellite data from International Justice Mission shows3
5
. That data covers only a sample and may not capture all Starlink activity at these locations. The satellite imagery verified by AP shows these new compounds emerged after Myanmar's military government led demolition campaigns against KK Park and other sites in October 20251
. Starlink declined to respond to detailed questions but has publicly said they cooperate with law enforcement and are committed to ensuring the service remains "a force for good."Related Stories
Scam Operations in Myanmar Target Victims Worldwide
The devices analyzed were geolocated to compounds including Tai Chang, Deko Park, KK Park, and a new compound near Hpakalu, Myanmar
1
. KK Park operates under the protection of the Karen Border Guard Force, also known as the Karen National Army (KNA), which the U.S. Treasury designated as a transnational criminal organization in May 2025, citing its role in facilitating cyberscams targeting US citizens and human trafficking. Deko Park and Tai Chang are located in territory controlled by the Democratic Karen Benevolent Army (DKBA), which the U.S. Treasury Department sanctioned in November 2025. Trafficked workers at these compounds conduct romance scams and other fraud schemes, with supervisors enforcing quotas through intimidation. The International Justice Mission found that some devices active in KK Park shortly before the raids were active in Hpakalu in January 2026, showing how scammers scattered to new locations1
.Enforcement of Terms of Service Questioned as Costs Mount
The AP found no evidence to suggest these companies were doing anything illegal. However, the patterns of abuse identified raise questions about how vigorously they are enforcing their own terms of service, which prohibit illegal activity
2
3
. Watchdogs say satellite internet, AI and internet infrastructure companies along the digital supply chains that fraudsters abuse have the technical capacity to do more to protect consumers but lack the legal, regulatory and business incentives to crack down on a crime the Federal Trade Commission estimates cost Americans nearly $200 billion in 2024. "If there's no disincentive to continuing this, if there's no cost to actually facilitating scamming, then why would I spend a dollar to prevent scamming?" said Sascha Meinrath, the Palmer chair in telecommunications at Penn State University2
. Cybersecurity experts say tech companies have access to a trove of data that could be used to minimize illicit activity, but doing so requires significant investment. The investigation involved interviews with 58 scam victims and three dozen current and former scammers from 19 countries, revealing the global reach of these scam operations powered by US tech1
4
. The investigation highlights the need for stronger regulatory oversight to address the growing threat of industrial scale fraud enabled by American technology.References
Summarized by
Navi
[2]
Related Stories
AI scams escalate as criminal networks use cheap tools to evade crackdown and dupe more victims
10 Feb 2026•Technology
AI scams cost victims $442 billion globally as deepfakes and voice cloning make fraud harder to detect
15 Jun 2026•Technology
Google sues Chinese cybercrime network that weaponized Gemini AI to automate massive scam operation
12 Jun 2026•Technology
Recent Highlights
1
OpenAI limits GPT-5.6 rollout after government request, says restrictions shouldn't be the norm
Technology
2
Bank for International Settlements warns $1 trillion AI bubble could trigger global recession
Policy and Regulation
3
Five Eyes Alliance Warns AI Cyber Risks Will Transform Hacking in Months, Not Years
Policy and Regulation
Recent Highlights
Today's Top Stories
Don’t drown in AI news. We cut through the noise - filtering, ranking and summarizing the most important AI news, breakthroughs and research daily. Follow topics that matter to you and stay ahead.
