A sweeping investigation by the Associated Press and Frontline has exposed how American technology companies—from satellite internet providers to artificial intelligence firms—have become essential infrastructure for a globalised fraud ecosystem that cost Americans nearly US$200 billion in 2024. Rather than intentionally facilitating crime, these companies operate within a regulatory vacuum where the financial incentives to prevent abuse are minimal and enforcement remains largely voluntary, creating what amounts to a systemic vulnerability in the digital economy that extends far beyond the United States into Southeast Asia and elsewhere.
The investigation's most significant finding challenges conventional wisdom about where scam operations originate. While public attention typically focuses on social media platforms where victims encounter fraudsters, the technical backbone enabling these crimes runs much deeper through internet service providers, satellite networks, and cloud infrastructure companies. This upstream architecture allows criminals to operate at unprecedented scale and sophistication, with the capacity to coordinate across continents, manage multiple languages simultaneously, and automate their operations using consumer-grade artificial intelligence tools.
Researchers working with security nonprofit C4ADS identified two complete software suites deployed by scammers operating from compounds in Southeast Asia, prominently featuring OpenAI's ChatGPT and Google's Gemini alongside other AI models. These systems perform critical functions for criminal enterprises: generating convincing text across numerous languages, creating automated responses that appear personalized, developing fabricated personas with seemingly legitimate backgrounds, and tracking individual scammer productivity metrics. According to blockchain analysis conducted by TRM Labs, scammers who purchased and deployed these tools collectively extracted tens of millions of dollars from victims, demonstrating the direct relationship between tool sophistication and criminal profitability.
When questioned about the investigation's findings, both OpenAI and Google acknowledged maintaining anti-abuse programmes but offered limited specifics about enforcement effectiveness. OpenAI indicated it had banned three accounts identified by AP as supporting online scams following the investigation's disclosure, suggesting reactive rather than proactive detection systems. Neither company disputed the fundamental premise that their tools were being weaponised against consumers, only that they maintained mechanisms to address such misuse once identified. This response pattern reflects a broader industry approach: acknowledging capability without demonstrating systematic prevention.
The investigation's analysis of network traffic from scam compounds linked to sanctioned Myanmar entities reveals the concentrated role of United States infrastructure in enabling these operations. Among more than 200,000 device connections analysed at four major compounds, one in five signals passed through United States-registered companies including Cogent Communications, Oracle, AT&T, and DigitalOcean. This concentration of US infrastructure usage stands out starkly; no other non-regional country approaches these levels of involvement. Non-American companies operating US-based servers, including Finland's UpCloud and Canada's GlobalTeleHost, also carried high-risk traffic from scam centres, indicating how the United States has become the preferred jurisdiction for internet infrastructure supporting illicit activity.
Elon Musk's Starlink satellite internet service occupies a particularly complex position in this ecosystem. Despite Congressional attention and a highly publicised enforcement action in late 2025 when the company claimed to have disconnected 2,500 kits near scam compounds, Starlink remains the dominant internet service provider for scam operations in Myanmar. Satellite imagery and device data analysed by International Justice Mission show the existence of at least 25 newly constructed scam compounds established after the widely reported crackdown, with at least 13 employing Starlink connectivity. This pattern suggests either that enforcement measures proved insufficient to deter determined operators or that replacing disconnected terminals proved trivial for well-resourced criminal enterprises. Starlink's refusal to engage substantively with detailed questions from investigators, offering only generic statements about law enforcement cooperation, left open questions about the company's enforcement priorities and technical capacity.
All companies identified as carrying scam traffic emphasised their technological inability to monitor content flowing across their networks, describing this limitation as privacy-by-design architecture. While legitimate privacy protections deserve consideration, this structural blindness also eliminates potential friction points for detecting patterns consistent with fraud. Each company stated that it responds to valid abuse reports and cooperates with law enforcement, yet the persistence and growth of scam operations despite these mechanisms suggest either that abuse reports arrive too slowly or in insufficient quantity, or that enforcement responses prove inadequate relative to operational resilience. Oracle acknowledged working with law enforcement on AP's shared materials, and UpCloud indicated the investigation had prompted internal reviews of risk assessment processes, but these appeared to be post-hoc responses rather than systematic prevention.
Telecommunications scholar Sascha Meinrath from Penn State University articulated the economic logic underlying corporate inaction during the investigation: absent meaningful consequences for facilitating fraud, companies lack rational incentive to invest in prevention systems. The cost of enabling scamming remains zero while the investment required to meaningfully constrain it would be substantial. This misalignment between social harm and corporate incentives represents what economists call a negative externality—companies profit from infrastructure provision while crime victims bear the costs of fraud. Until regulatory frameworks impose financial consequences for negligence, the economic calculus supporting minimal enforcement remains rational from the company perspective.
International regulatory responses are beginning to alter this calculus in specific jurisdictions. The United Kingdom, European Union, Australia, and Singapore have implemented regulations requiring technology companies to demonstrate anti-scam efforts or face financial penalties. These frameworks establish that enforcement is technically feasible and economically viable, creating a competitive dynamic where regulated companies that invest in abuse prevention become disadvantaged relative to competitors operating in jurisdictions without similar requirements. This regulatory arbitrage creates perverse incentives that have not yet reached the United States, where lawmakers and government officials have requested voluntary cooperation from American technology companies without establishing binding obligations or penalties.
The newly established Scam Center Strike Force, led by United States Attorney Jeanine Pirro, represents the government's primary enforcement mechanism, operating through partnership requests rather than regulatory mandates. As Pirro stated at a recent conference, the fundamental irony resides in how criminals exploit American infrastructure to commit the crimes that cost American victims billions annually. Yet the institutional response remains premised on industry cooperation conducted without legal compulsion. This voluntary framework leaves American technology companies free to balance anti-scam investments against other operational priorities, and current evidence suggests those companies have consistently chosen minimal investment over maximum prevention.
For Malaysian and Southeast Asian readers, these findings carry particular weight given the regional concentration of scam operations and the vulnerability of emerging technology infrastructure. The investigation demonstrates that scammers operating in the region depend overwhelmingly on American technology and infrastructure, creating both vulnerability and opportunity. Southeast Asian governments could leverage this dependency through bilateral cooperation with United States authorities, by encouraging their own tech companies to adopt the regulatory frameworks emerging internationally, and by recognising that local infrastructure providers face competitive disadvantages when operating without anti-fraud compliance requirements. The investigation ultimately reveals that technological solutions to the scam epidemic exist but lack the regulatory and economic pressure necessary to drive implementation at scale.
