The infrastructure underpinning the world's most lucrative cybercrime operations is predominantly American, according to a major investigation by the Associated Press and PBS Frontline that exposes how Silicon Valley's innovations have become foundational to an industrialised, global fraud machine. The research demonstrates that scammers operating from compounds in Southeast Asia rely heavily on US-registered infrastructure, satellite services, and artificial intelligence tools to orchestrate fraud schemes that cost Americans nearly US$200 billion (RM815.34 billion) in 2024 alone—a staggering figure that underscores the scale and sophistication of operations that exploit gaps in corporate accountability and international regulatory frameworks.
The architecture of modern fraud extends far beyond the social media platforms where victims first encounter scam messages. Instead, the criminal enterprise depends on a complex supply chain of technical services that begins upstream, with companies controlling internet routing, satellite connectivity, and AI systems. These foundational layers remain largely invisible to public debate and regulatory scrutiny, even as they function as the nervous system of industrial-scale fraud. Cybersecurity watchdogs argue that companies controlling these critical infrastructure points possess both the technical capacity and the business resources to meaningfully disrupt scam operations, yet face minimal legal or regulatory pressure to do so, creating a perverse incentive structure where the cost of enabling fraud remains negligible.
The investigation identified two sophisticated software suites deployed by scammers operating from compounds in Southeast Asia, with OpenAI's ChatGPT playing the central role, supplemented by Google's Gemini and other artificial intelligence models. These tools enable criminals to operate across multiple languages simultaneously, generate convincing automated responses, create believable personas, and manage employee productivity—essentially industrialising what were once artisanal scam operations into structured businesses. Blockchain analysis conducted by TRM Labs revealed that operators of these systems generated tens of millions of dollars, suggesting that AI-powered fraud has become a highly profitable venture that attracts significant criminal investment and operational sophistication.
American network infrastructure proved particularly critical to enabling these operations. Analysis of device connections from four major scam compounds linked to sanctioned Myanmar entities showed that roughly one in five signals originated from US-registered companies, a dramatically higher proportion than any other non-regional country. Cogent Communications, Oracle, AT&T, and DigitalOcean emerged as significant carriers of this traffic, while international companies including Finland's UpCloud and Canada's GlobalTeleHost also routed scam compound traffic through US-based servers. All these companies emphasised their technical limitations in monitoring content flowing through their networks—a privacy-by-design architecture that protects legitimate users while simultaneously creating a regulatory blind spot for illicit activity.
Musk's Starlink satellite internet service remains the dominant connectivity provider for scam compounds throughout Myanmar, despite widely publicised enforcement actions and Congressional attention. In late 2025, the company announced it had disabled approximately 2,500 kits positioned near known scam facilities, yet device data and satellite imagery subsequently gathered by the International Justice Mission anti-trafficking organisation reveal that scammers have simply relocated to new sites. At least 25 newly constructed compounds have emerged since the crackdown, with device data confirming that at least 13 employed Starlink for internet access, demonstrating the adaptability of criminal networks operating within the current enforcement environment and the limitations of service-level responses to systemic problems.
The divergent regulatory approaches between the United States and other jurisdictions highlight the fundamental challenge facing American policymakers. The United Kingdom, European Union, Australia, and Singapore have implemented regulatory frameworks that impose financial penalties on companies failing to prevent scam abuse, creating genuine disincentives for negligence or indifference. By contrast, the American approach relies on voluntary cooperation, with government officials and lawmakers requesting that technology companies curtail scammer access to US infrastructure without offering legal consequences for non-compliance or weak enforcement. This voluntary framework has produced modest results, including recent partnerships with the Department of Justice's newly established Scam Center Strike Force, yet falls short of the structural incentives that international regulations are beginning to establish.
Penn State University telecommunications expert Sascha Meinrath articulated the core economic logic undermining current American approaches: absent meaningful penalties or business consequences, technology companies face no financial disincentive to continue facilitating scam operations. The investment required to implement robust abuse detection and prevention mechanisms across vast infrastructure networks represents a genuine cost that companies must absorb voluntarily, without corresponding revenue benefit or regulatory mandate. This creates a tragic asymmetry where criminals are willing to pay for premium infrastructure services, while legitimate anti-fraud efforts remain unfunded and unauthorised, allowing the path of least resistance to flow toward enabling rather than preventing fraud.
OpenAI and Google responded to the investigation by highlighting their existing safeguards against scammer abuse, though their responses characterised enforcement as reactive rather than proactive. OpenAI reported banning three accounts that AP identified as using its models to facilitate scams, a figure suggesting that enforcement mechanisms, while operational, may not function at scale commensurate with the problem. The companies' emphasis on robust programmes and responsive enforcement rings hollow against evidence that determined scammers continue operating despite these stated protections, raising questions about whether current safety protocols prioritise avoiding disruption to legitimate use over aggressively targeting criminal exploitation.
The investigation raises critical implications for Southeast Asian readers and policymakers, as the region has become the geographic epicentre of American-enabled fraud operations. Myanmar's position as a major scam compound hub reflects how weak local governance and sanctions regimes intersect with international technology companies' unwillingness to enforce terms of service rigorously. Malaysia, Singapore, and other regional economies face growing threats from fraud operations headquartered in Myanmar but targeting victims across Southeast Asia, the United States, and globally. Regional governments have limited leverage over American technology companies, yet suffer disproportionate consequences when those companies fail to implement adequate controls, suggesting that ASEAN-level coordination on fraud prevention standards might prove more effective than relying on individual national approaches.
The infrastructure gap exposed by this investigation represents a market failure that voluntary cooperation appears incapable of addressing. Technology companies can articulate legitimate concerns about privacy, content monitoring limitations, and operational constraints, yet these concerns do not negate their fundamental capacity to implement risk-based controls targeting known scam infrastructure. The fact that jurisdictions outside the United States have begun adopting regulatory frameworks imposing financial consequences creates a strange incentive inversion: American technology companies may face greater pressure to strengthen scam prevention measures from the need to remain competitive in regulated markets than from their domestic regulatory environment. This perverse outcome suggests that American policymakers must move beyond voluntary cooperation frameworks toward regulatory structures that raise the cost of facilitating fraud to match the investment required for prevention.
Looking forward, the investigation documents a fundamental tension between the technology industry's genuine technical capabilities and the absence of business incentives to deploy those capabilities against fraud. US Attorney Jeanine Pirro, leading the Scam Center Strike Force, acknowledged this gap when she observed that criminals exploit American infrastructure to commit crimes, yet industry remains unprepared to respond decisively when fraud is detected. Closing this gap requires moving from exhortation and partnership rhetoric toward regulatory frameworks that align company incentives with fraud prevention, ensuring that the cost of enabling scams exceeds the cost of preventing them. Without such realignment, American technology infrastructure will continue functioning as the backbone of a global fraud industry that disproportionately victimises Americans and generates destabilising criminal profits that undermine regional stability throughout Southeast Asia.
