Global Crackdown Arrests 276, Shuts 9 Crypto Scam Centers, Seizes $701M
International security operation ends with 276 arrests, the closure of 9 cryptocurrency scam centers, and the freezing of $701 million in assets
International Operation Arrests 276, Shuts 9 Crypto Scam Centers, Restrains $701M in Assets
TL;DR A coordinated law enforcement operation led by Dubai Police, the FBI, and China's Ministry of Public Security has arrested at least 276 suspects and dismantled nine cryptocurrency investment fraud centers operating pig butchering and romance baiting schemes. The operation, which includes Treasury sanctions on Cambodian officials and seizure of fake investment infrastructure, has restrained $701 million in cryptocurrency and notified nearly 9,000 U.S. victims under the FBI's Operation Level Up initiative launched in January 2024.
What happened
A multinational law enforcement operation spanning the UAE, United States, China, Thailand, and Burma has targeted industrial-scale cryptocurrency investment fraud operations that combined financial crime with human trafficking. The crackdown arrested suspects from Burma and Indonesia, apprehended by authorities in Dubai and Thailand.
Five named individuals—Thet Min Nyi (27), Wiliang Awang (23), Andreas Chandra (29), Lisa Mariam (29), and two unnamed fugitive co-conspirators—have been charged in the U.S. with federal fraud and money laundering offenses. According to the Justice Department indictment, these defendants managed or recruited workers at three entities: Ko Thet Company, Sanduo Group, and Giant Company, which operated multiple scam centers. Thet Min Nyi is identified as manager and recruiter for Ko Thet Company.
The operation involved building trust with victims—often through feigned romantic relationships—before directing them to fake investment platforms. Once victims transferred cryptocurrency to these platforms, the funds were immediately laundered to accounts controlled by the perpetrators. Victims were encouraged to borrow money from family members and take out loans to increase investments.
The crackdown extends to higher-level operators. The Justice Department charged two Chinese nationals, Jiang Wen Jie (aka Jiang Nan) and Huang Xingshan (aka Ah Zhe and Huang Xing Saan), for running the Shunda scam compound in Min Let Pan, Myanmar. Huang worked as a high-level manager and personally participated in physical punishment of trafficked workers; Jiang served as a team leader targeting American victims. Thai authorities arrested both men in early 2026 while they were en route from Cambodia to Burma. Burmese authorities had seized the Shunda compound in November 2025.
The Treasury Department sanctioned Cambodian Senator Kok An and businessman Rithy Raksmei, targeting their K99 Group holding company used for scam center operations. Kok An is assumed to have fled Thailand after arrest warrants were issued for him and his children last July. Kok An is the second Cambodian senator sanctioned for scam center involvement; Ly Yong Phat was sanctioned in September 2024 for trafficking victims into forced labor at online fraud operations.
Law enforcement seized the Telegram channel @pogojobhiring2023, which had more than 6,500 followers and was used to recruit trafficking victims. The operation also involved 503 fake investment websites targeting U.S. victims.
The FBI's Operation Level Up initiative, launched in January 2024, has notified almost 9,000 victims and saved an estimated $562 million as of April 2026.
An Android banking trojan linked to the K99 Triumph City compound in Cambodia has been identified as actively registering approximately 35 new domains per month, including spoofed government and financial institution domains. The trojan has been operational since at least 2023. Researchers from Infoblox and Vietnamese nonprofit Chong Lua Dao report the malware shares infrastructure and behavioral overlaps with threat actors tracked as Vigorish Viper and Vault Viper. In 2025 alone, 400 lure domains targeting victims were registered; the attack chain distributes malicious links via SMS or email impersonating government officials.
Why it matters
For developers and infrastructure operators in the MENA region, this operation underscores the operational footprint of cryptocurrency fraud networks. The trojan's ongoing domain generation—35 new domains monthly—indicates active infrastructure targeting beyond the U.S., with recent scope expansion to Africa and Latin America. SOC analysts should note the trojan's capability for real-time surveillance, credential theft, data exfiltration, and financial fraud.
The human trafficking component reveals that scam center operations are not purely technical attacks. Workers are held against their will and forced to execute fraud under threats of violence. This context is critical for threat intelligence assessment: infrastructure takedowns must account for victim rescue operations.
For regional security teams, the sanctioning of high-level operators and the passage of Cambodia's cybercrime law—imposing 5-10 year sentences and up to $250,000 fines—signal escalating state-level enforcement. Organizations should monitor for migration of these operations to jurisdictions with weaker legal frameworks.
The restraint of $701 million in cryptocurrency suggests attackers moved large volumes through exchanges and wallets with insufficient compliance controls. Defenders should review cryptocurrency transaction monitoring and cross-exchange coordination mechanisms.
Affected systems and CVEs
- Ko Thet Company scam operation
- Sanduo Group scam operation
- Giant Company scam operation
- Shunda scam compound (Myanmar)
- K99 Triumph City compound (Cambodia)
- Android banking trojan (MaaS platform)
- 503 fake investment websites
- Telegram channel @pogojobhiring2023
No CVE assigned at the time of publication.
What to do
- Monitor for malicious URLs spoofing government agencies, financial institutions, airlines, and e-commerce platforms, particularly via SMS and email.
- Track domain registrations matching the Android trojan's profile: approximately 35 new domains per month, including RDGA (registered domain generation algorithm) and lookalike domains.
- Review cryptocurrency transaction controls for lookalike or high-risk wallet patterns consistent with money laundering.
- Alert users to phishing campaigns that impersonate government officials and distribute malicious links to fake app stores.
- Cross-reference victim lists against internal customer databases if your organization operates in affected sectors (banking, pension funds, telecom, immigration services).
- If operating in Cambodia, ensure compliance with the new cybercrime law provisions.
- Monitor U.S. Treasury OFAC sanctions lists for additions linked to K99 Group and associated entities.
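One way to approach the domain-monitoring items above, as an added example that is not part of the original report: screen a feed of newly registered domains against a watchlist of protected names and count flagged registrations per month for comparison with a known cadence. The watchlist, the feed records and the `.example` domains are constructed, and the matching rules (embedded name, digit-for-letter swap, edit distance of 1) are assumptions, not the trojan's actual naming scheme.

```python
import re
from collections import Counter
from datetime import date

# Hypothetical watchlist: protected name -> its legitimate domain (assumption).
PROTECTED = {"examplebank": "examplebank.example", "taxportal": "taxportal.example"}
SWAPS = str.maketrans("0135", "oles")  # undo common digit-for-letter swaps

# Constructed sample of newly registered domains (not real indicators).
FEED = [
    ("examplebank-login.example", date(2025, 3, 2)),
    ("examp1ebank.example", date(2025, 3, 9)),
    ("taxportl.example", date(2025, 3, 15)),
    ("login.examplebank.example", date(2025, 3, 20)),
    ("gardening-tips.example", date(2025, 4, 1)),
    ("taxportal-refund.example", date(2025, 4, 3)),
]

def edit_distance(a, b):  # Levenshtein distance, one row at a time
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(domain):
    """Return (protected_name, reason) for a lookalike, or None."""
    domain = domain.lower().rstrip(".")
    if any(domain == d or domain.endswith("." + d) for d in PROTECTED.values()):
        return None  # the legitimate domain or one of its subdomains
    for tok in re.split(r"[.-]", domain):
        norm = tok.translate(SWAPS)
        for name in PROTECTED:
            if name in tok:
                return name, "embedded"
            if name in norm:
                return name, "digit-swap"
            if edit_distance(norm, name) <= 1:
                return name, "typo"
    return None

def monthly_flagged(feed):
    """Count flagged registrations per month, to compare with a known cadence."""
    return dict(Counter(d.strftime("%Y-%m") for dom, d in feed if classify(dom)))

if __name__ == "__main__":
    print([(dom, classify(dom)) for dom, _ in FEED], monthly_flagged(FEED))
```
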
Open questions
- No CVE identifier has been assigned to the Android banking trojan; the extent of affected device versions and Android versions is not specified.
- Names, locations, and operational dates of the nine shut-down scam centers have not been fully disclosed.
- The identity and current status of the two unnamed fugitive co-conspirators remain unconfirmed.
- Geographic scope and specific targets of the Android trojan beyond government and financial sectors are unclear.
- The exact mechanism by which Operation Level Up saved $562 million—whether through fraud prevention, asset recovery, or victim reimbursement—is not detailed.
- Specific cryptocurrency exchanges or wallets involved in the $701 million restraint are not named.
Source
Global Crackdown Arrests 276, Shuts 9 Crypto Scam Centers, Seizes $701M


