A collaborative investigation by the Associated Press and Frontline has uncovered uncomfortable truths about the role of American technology in fuelling a booming international fraud industry. Rather than stemming from backstreet operators, the scam apparatus now functions as an industrialised, globalised criminal operation, with technology developed and controlled by major US corporations forming its backbone. What emerges from this research is a picture of systemic vulnerability not in the technology itself, but in how inadequately these companies police their own networks and services against criminal exploitation.
The investigation's most striking finding concerns where the real infrastructure of fraud begins. Most public attention has focused on social media platforms—the visible front where victims encounter scammers—but the true enabling machinery lies far upstream, in the unglamorous layers of the internet that most consumers never see. Satellite internet services, artificial intelligence platforms, and backbone internet infrastructure providers have all become integral to how modern scams operate at scale. Watchdog organisations argue that these companies possess the technical sophistication to dramatically reduce criminal activity, yet they lack the legal mandates, regulatory pressure, or financial incentive to do so. The Federal Trade Commission estimates that scams cost Americans nearly US$200 billion in 2024—a staggering figure that underscores the scale of the problem—yet the response from infrastructure providers remains largely passive.
The investigation identified specific tools being deployed from scam compounds in Southeast Asia, with OpenAI's ChatGPT and Google's Gemini playing prominent roles. These AI systems, when incorporated into bespoke software suites, allow criminals to operate across multiple languages simultaneously, generate convincing automated responses, create believable false personas, and monitor their criminal workforce's productivity. The technology enables an almost industrial approach to fraud: dozens of fake identities, thousands of potential victims, all managed through sophisticated automation. According to blockchain analysis conducted for the investigation, criminal organisations that obtained these tools generated tens of millions of dollars in illicit proceeds. What makes this particularly troubling is that both companies say they have robust programmes to prevent exactly this kind of abuse—yet the investigation found evidence suggesting enforcement of their own terms of service may not match the rhetoric.
The connectivity picture reveals equally troubling patterns. When researchers analysed over 200,000 device connections from four scam compounds in Myanmar linked to entities under international sanctions, they discovered that one in five signals originated through US-registered companies. Cogent Communications, Oracle, AT&T, and DigitalOcean featured prominently, joined by non-American firms like Finland-based UpCloud and Canada-based GlobalTeleHost that nonetheless route traffic through American servers. This creates a peculiar situation: American infrastructure is disproportionately supporting criminal networks that target American citizens and others globally. When confronted with these findings, the companies offered familiar explanations—their networks are encrypted, they cannot see content transiting their systems, and they respond to abuse reports. Yet this privacy-by-design argument, while technically sound, obscures a deeper question about corporate responsibility.
Starlink, Elon Musk's satellite internet venture, emerges as particularly significant in the Myanmar context. Despite Congressional scrutiny and a widely publicised shutdown of 2,500 service kits near scam compounds in late 2025, device data reveals that criminal operators continue using Starlink extensively. More concerning still, satellite imagery and connectivity data show at least 25 new scam sites constructed inside Myanmar since the crackdown, with at least 13 of them already utilising Starlink for internet access. The data examined represents only a sample of total activity, suggesting the actual number of Starlink connections to scam operations may be substantially higher. This pattern—a crackdown that appears impressive in press releases but fails to disrupt actual criminal operations—illustrates a fundamental enforcement gap.
The regulatory disparity between the United States and other developed economies is striking. The United Kingdom, European Union, Australia, and Singapore have all implemented regulations requiring technology companies to actively prevent scams or face financial penalties. This regulatory pressure creates real incentives for compliance. In Washington, by contrast, the approach remains voluntary. The Department of Justice's newly established Scam Center Strike Force has sought partnerships with industry, but without statutory obligation or financial consequence, the incentive structure remains weak. As Sascha Meinrath, telecommunications expert at Penn State University, bluntly observed: if the cost of facilitating scams is zero, why would any company spend resources preventing them? This is not a question of capability but of economics.
For Malaysia and Southeast Asia more broadly, this investigation carries profound implications. The region's position as both a target market for scammers and a location for scam operations makes it acutely vulnerable. Malaysian consumers and businesses lose significant sums to these sophisticated frauds, yet the remedies available remain limited when the infrastructure enablers face no legal consequences in their home jurisdictions. A Malaysian victim defrauded by a scammer operating from Myanmar using American satellite internet and American AI tools has limited recourse. Neither the satellite operator nor the AI company faces regulatory pressure in the United States that would incentivise them to prevent the fraud in the first place.
The investigation also highlights a critical gap in how technology companies frame their responsibilities. When OpenAI reported banning three accounts after being informed of abuse, the company framed this as evidence of its robust prevention programme. Yet the fact that an outside investigation was needed suggests that the company's proactive detection is inadequate. If major scam operations were routinely identified and shut down without external prompting, researchers would not need to conduct lengthy investigations to uncover them. The reactive posture—waiting for journalists or law enforcement to identify abuse before acting—suggests that enforcement of terms of service is not genuinely robust.
The technical capacity to reduce scam infrastructure exists. Companies could implement stricter know-your-customer verification for high-risk markets, monitor patterns consistent with scam operations, or require more friction in accessing services from locations known to host criminal networks. That such measures remain largely voluntary rather than mandatory reflects a political choice, not a technical limitation. The United States has chosen, through its legislative and regulatory framework, to prioritise corporate flexibility and privacy architecture over consumer protection in this domain. Other developed democracies have made different choices, implementing legal requirements that companies take active steps against fraud.
For Southeast Asian policymakers, the investigation underscores why unilateral action by any single country has limited effectiveness. When scam infrastructure depends on American companies and satellites, regional regulators cannot fully protect their citizens without corresponding action from the United States. This creates leverage: if major markets like the European Union and Australia can push American technology companies toward stricter controls through regulation, Southeast Asian countries might consider whether coordinated regional requirements—or participation in existing international regulatory frameworks—could achieve similar pressure. The vulnerability of the region to scams powered by American infrastructure is ultimately a vulnerability of American regulatory architecture.
The investigation's findings suggest that the current approach has failed. Voluntary cooperation has not produced the security outcomes that watchdogs and law enforcement believe are achievable. The gap between technological capability and actual practice remains wide, with American companies possessing both the data and the tools to substantially disrupt scam operations but lacking sufficient incentive to deploy them systematically. For Malaysian readers, this represents not merely a consumer protection issue but a question of whether international norms around corporate responsibility will evolve to match the scale and sophistication of modern fraud. Until American regulators establish binding requirements equivalent to those now in place in London, Brussels, Canberra, and Singapore, Southeast Asia will remain disproportionately vulnerable to scams powered by infrastructure that wealthy nations refuse to adequately police.
