Framing

In January, Chinese authorities extradited Chen Zhi, the Cambodia-based founder of Prince Holding Group, on charges tied to a sprawling scam-center conglomerate. A second senior Prince Group figure followed this month. The US Treasury has sanctioned scam networks across Cambodia, the Philippines, and Myanmar, and worked with international partners to seize more than $14 billion in cryptocurrency tied to Chen Zhi's assets. Three days ago, the Department of Justice seized a cloud computing account that had been quietly powering the backend infrastructure of Huione Group, the Cambodian financial conglomerate whose Telegram-based marketplace has processed tens of billions of dollars in laundered crypto since 2021. Each of these is a real enforcement action against a named target, not a press-release gesture.

None of them have made the underlying industry smaller.

Interpol's latest regional review puts annual revenue from Southeast Asian scam operations — concentrated in Cambodia, Myanmar, Laos, and the Philippines — at roughly $40 billion, and finds that cybercrime now accounts for at least 30% of all recorded crime in more than half of its Asia-Pacific member countries. That figure describes the scale of the underlying fraud economy. It is a different number, measuring a different thing, from Chainalysis's separate finding that the Huione ecosystem alone — one laundering network, not the industry as a whole — processed over $16 billion in illicit funds in 2025, more than 20% of all crypto laundering activity Chainalysis tracks globally. The two figures aren't comparable and shouldn't be added together, but read side by side they say something simple: the leadership-level enforcement actions making headlines this year are landing on an industry whose financial and technical plumbing is, by any available measure, larger than what got seized.

This piece is about that plumbing — and about a second, separate reason enforcement keeps failing to shrink the industry, which has nothing to do with technology at all. Two threads run through everything that follows. The first is infrastructural: satellite internet, encrypted messaging platforms, and crypto laundering rails that let scam compounds operate from territory no government fully controls, and that survive enforcement actions by simply rerouting around them. The second is human and institutional: local corruption that ensures most enforcement, most of the time, never reaches the compounds at all. Neither thread is new on its own — satellite internet in conflict zones, money laundering through informal networks, and police corruption in weak-governance border regions are each, individually, old stories. What's underdocumented is how completely each one compensates for whatever progress gets made against the other. A government that successfully raids a compound accomplishes little if the compound's financial infrastructure and connectivity survive intact a few kilometers away. A blockchain-intelligence firm that maps a laundering network in granular detail accomplishes little if the compounds it's tracking operate with the tacit protection of the same officials nominally tasked with shutting them down.

The scale itself is genuinely contested, and worth stating plainly before going further: even the headline trafficking figures vary by a factor of three depending on which UN report and which year you cite — a detail that matters enough to its own section later in this piece, not a footnote to wave past here.

What follows traces both threads in turn — the technical stack first, then the corruption layer — before getting to where they actually intersect, and where the public record still runs out.

The Technical Stack

Start with the constraint these operations are actually built to defeat, because everything else in this section is downstream of it: governments that want to choke a scam compound have one obvious lever — cut its connection to the outside world — and for years that worked, at least partially. Thailand spent much of 2024 and 2025 cutting cross-border electricity and physical internet links into Myanmar's Myawaddy region, the densest cluster of compounds along the Thai-Myanmar border. The compounds adapted by going to space.

Starlink terminals don't depend on local telecom infrastructure or grid power in the way fiber and cellular networks do, which makes them functionally immune to exactly the kind of cutoff Thailand was attempting. International Justice Mission's combined satellite-imagery and mobile-data analysis found 2,492 active Starlink connections across eight major compounds in the Myawaddy area as of April 2025 — more than double the figure from a year earlier, and a trajectory that tracks almost exactly with Thailand's cutoff campaign rather than against it. Myanmar has no licensed Starlink service; the terminals reaching these compounds arrive as smuggled hardware, often registered to accounts in other countries, which is part of why disabling them requires identifying specific devices rather than simply geofencing a market SpaceX never opened there in the first place.

SpaceX's public response came only after sustained outside pressure — a Thai legislator's public appeal to Elon Musk in February 2025, a letter from US Senator Maggie Hassan in July, and finally, in November, Department of Justice seizure warrants directing the company to disable specific terminals tied to scam compounds. SpaceX disabled more than 2,500 devices "in the vicinity of suspected scam centers" the following month, in a statement from VP of business operations Lauren Dreyer, timed to follow a Myanmar military raid on the KK Park compound that seized 30 terminal sets. The Senate's Joint Economic Committee opened a formal investigation into Starlink's role in October 2025 and broadened it in December to the wider question of which US tech companies are implicated in the scam lifecycle. Worth stating plainly rather than letting the timeline imply otherwise: SpaceX's own pattern — minimal action until federal seizure warrants forced its hand — suggests this was compliance under legal pressure, not proactive enforcement of its own acceptable-use policy, whatever the policy says on paper.

If Starlink is the layer that keeps compounds online, Telegram is the layer that keeps them coordinated — and that overlap with criminal infrastructure runs deeper than messaging. After the KK Park raid scattered thousands of workers to other compounds, Telegram channels filled almost immediately with recruitment notices for the newly displaced, some offering direct flights from Yangon to Phnom Penh and "safe transportation by car" for workers without passports. That's the visible, low-tech layer. The more structurally important one is Huione Guarantee, a peer-to-peer marketplace that operated natively on Telegram and that blockchain-intelligence firm Elliptic first exposed in July 2024 as a hub where scam operators could buy laundering services, stolen identity data, and full romance-scam "kits" from independent vendors — a marketplace model, not a single criminal organization. Telegram removed the Huione Guarantee channels in May 2025 after that exposure became public. The marketplace did not meaningfully shrink; Chainalysis's research since then has tracked continued — and by some measures larger — transaction volume across a wider field of similar Telegram-native "guarantee" marketplaces serving the same Chinese-speaking criminal economy, which is the realistic ceiling on what platform-level takedowns accomplish here: removing one storefront doesn't remove the customers, the vendors, or the demand.

That marketplace sits on top of the third layer, and the one this week's enforcement action actually targeted: the laundering infrastructure run by Huione Group, the Cambodian conglomerate behind Huione Guarantee, Huione Pay, and Huione Crypto. US Treasury's FinCEN designated Huione Group a primary money-laundering concern under the PATRIOT Act in October 2025, identifying at least $4 billion in illicit proceeds laundered through the network between August 2021 and January 2025 — a figure worth distinguishing carefully from the much larger gross transaction volumes that get reported elsewhere, since FinCEN's number is specifically the confirmed-illicit subset, not total platform throughput, which different firms have estimated very differently depending on which Huione entity and time window they're measuring. Elliptic puts Huione Guarantee's lifetime crypto transaction volume above $31 billion and Huione Pay's separately above $103 billion, the combination of which is what the FBI characterized this week as a $134 billion criminal marketplace — more than twenty-five times the combined size of Silk Road and AlphaBay, by Elliptic's accounting. Chainalysis's own mid-2026 figure for 2025 alone is $16.1 billion processed through the network, which the firm says accounts for more than a fifth of all crypto-laundering activity it tracks globally. These numbers don't reconcile cleanly with each other, and that's worth sitting with rather than smoothing over: a deliberately opaque, multi-entity laundering operation spanning several blockchains and currencies resists being captured by any single figure, and reporting one number as "the" size of Huione would overstate the precision anyone outside the network actually has.

Three days ago, the Justice Department seized the cloud computing account that had been hosting the backend systems for Huione's subsidiaries — a deliberate shift in enforcement target, going after shared infrastructure rather than individual wallets or vendors, with assistance from Chainalysis, Elliptic, and Google's Cybercrime Investigation Team as part of an FBI-led effort called Operation Riptide. FinCEN's findings tie the network to more than just Southeast Asian fraud syndicates: the agency identified at least $37 million in laundered proceeds from North Korea's Lazarus Group cyber heists moving through Huione's infrastructure, a connection that places this squarely inside BCG's nation-state coverage as well as its cybercrime-ecosystem coverage — the same marketplace serving pig-butchering operators in Cambodia was, by FinCEN's own account, also serving a DPRK state hacking unit. One more detail worth flagging because it's the clearest evidence that this ecosystem is no longer just a laundering pipeline but a manufacturing base: Chainalysis found that generative-AI vendors selling scam-production tools on Huione Guarantee saw revenue grow roughly 1,900% year over year in 2024, including services advertised at around $200 for AI-generated "face-changing" video — tooling built specifically to defeat the identity-verification checks meant to stop exactly this kind of fraud.

The pattern across all three layers is the same one, just executed differently each time: a piece of legitimate, widely available infrastructure — satellite internet, a messaging app with two billion users, conventional crypto rails — gets repurposed by an industry that doesn't need to build its own technology stack when it can rent someone else's, and that survives any single piece of that stack being taken away because the next layer down absorbs the disruption. Whether the Justice Department's shift toward seizing shared infrastructure rather than individual targets actually breaks that pattern, rather than just adding friction to it, is a question we will return to.

The Corruption Layer

Start with the number that Section I promised to come back to, because the discrepancy is itself diagnostic rather than a citation error to quietly fix. UN OHCHR's foundational 2023 report on Southeast Asia's scam economy put the trafficked workforce at roughly 120,000 in Myanmar and 100,000 in Cambodia — figures that have anchored nearly every subsequent piece of coverage, including Interpol's. OHCHR's updated report this February raised that to "at least 300,000" across the region. That's not a correction of an earlier error; it's what happens when an industry operating almost entirely outside any government's effective monitoring gets re-measured three years later using better satellite imagery, more survivor interviews, and a wider definition of what counts as a scam operation. The honest reading is that nobody — not OHCHR, not Interpol, not any single national government — has ever had a real-time count of how many people are held in these compounds. Every figure in this piece, including the ones already cited in Section II, is a credible estimate built from partial visibility, not a census.

That partial visibility is itself the product of the thing this section is actually about. OHCHR's own reporting — not Amnesty's, not a secondhand characterization, but the UN's direct survivor-interview data — describes specific mechanisms of official collusion: victims fast-tracked through immigration checkpoints by officers who appeared to coordinate directly with recruiters, and police entering compounds and receiving payments from the managers running them. That's a substantially more specific claim than "corruption hampers enforcement," and it's worth holding onto the distinction between the two. The vaguer framing is true but unfalsifiable; the immigration-fast-tracking and in-compound-payment detail is a checkable, named allegation from a body with direct survivor access.

Amnesty International's investigation, conducted independently of OHCHR's, reaches the same conclusion through a different method: field visits to 75 of Cambodia's 86 confirmed scam compounds and interviews with 73 survivors. Amnesty's finding is sharper than "some corruption exists" — it's a direct dispute of the Cambodian government's own enforcement claims. Cambodian authorities say they've shuttered 250 scam centers and charged more than 1,000 people. Amnesty's survivors describe something different: none were treated by Cambodian authorities as trafficking victims, and most were processed instead as irregular migrants, in some cases unable to leave the country without paying fines. The disconnect between a government's stated enforcement numbers and what people who were actually inside the compounds experienced is, by itself, a more useful data point than either number in isolation.

Myanmar's version of this same pattern is documented at a different resolution — not survivor testimony, but satellite imagery. C4ADS's analysis of 21 known compounds in Myawaddy Township found that 14 of them, including the high-profile KK Park site that Myanmar's military raided with considerable publicity in October 2025, showed construction or expansion in the months after the raid was announced. Some compounds added solar panel installations — infrastructure investment specifically aimed at reducing dependence on the cross-border electricity supply that Thailand has used as a pressure point. A facility that survives a raid by expanding afterward was never meaningfully disrupted by that raid; at best, it was inconvenienced.

The testimony that connects these institutional-level findings to what actually happens on the ground comes from a named survivor account published by The Diplomat in March. A worker identified as "Long," who described his own role inside a Cambodian compound, told the outlet plainly that raids were predictable to the people running the operations he worked for: "For the large companies I work for, we received the information three days before the authorities took action." Long's account of who gets arrested in these raids matches the asymmetry Amnesty's broader survey describes — trafficked workers detained, while the people actually directing the criminal enterprise are not. That's not a contradiction between one survivor's account and the aggregate data; it's the same pattern showing up at two different scales.

None of this is uniform corruption at every level of every government touching this industry — and treating it as such would itself be a kind of overclaiming the sourcing doesn't support. China's extradition of Chen Zhi in January was real, and the US sanctions and asset seizures described in Section II are real enforcement, not theater. What the Cambodia and Myanmar evidence specifically shows is that leadership-level enforcement — extraditions, sanctions, headline raids announced for international audiences — and ground-level enforcement, where local police and immigration officers have ongoing financial relationships with the operations they're nominally policing, are not the same lever. Pulling the first doesn't reliably move the second. Jacob Sims, a fellow at Harvard's Asia Center who studies trafficking and transnational crime in the region, described the broader pattern to Fortune in terms that track precisely with what Amnesty and OHCHR documented independently: criminal groups deliberately locate in areas "where governance is weak, local authorities are easy to manipulate, and where corruption thrives" — not as an opportunistic byproduct of weak states, but as a site-selection criterion.

Cambodia ranks 17th of 193 countries on the 2025 Global Organized Crime Index, second in Southeast Asia only to Myanmar. That ranking, like every other figure in this section, measures something real but incomplete — it's an aggregate score, not a map of which specific officials are compromised or how systematically. What the survivor testimony, the satellite imagery, and the UN's own collusion findings converge on, independently of each other, is a more specific claim than the index ranking alone could support: in the areas where these compounds actually operate, the officials tasked with shutting them down have, in identifiable and recurring instances, been paid not to.

The infrastructure thread and the corruption thread look, at first pass, like two separate explanations for the same disappointing outcome — neither sanctions nor raids nor blockchain forensics has shrunk the industry. But they're not actually answering the same question. They're covering for two distinct, and largely non-overlapping, points of failure.

The technical stack — Starlink, Telegram, the Huione laundering ecosystem — is what makes the industry resilient to the enforcement that actually lands. When Thailand cuts power and internet, Starlink absorbs the disruption. When Elliptic exposes Huione Guarantee and Telegram pulls the channel, a wider field of Telegram-native marketplaces absorbs the customers. When the DOJ seizes a cloud account, the next enforcement question — raised explicitly by the on-chain analysts quoted in Section II — is whether the network reroutes to replacement infrastructure faster than investigators can map it. This is a story about an industry with enough redundancy built into its technology choices that no single intervention, however well-executed, removes a load-bearing piece.

The corruption layer is a different kind of failure, operating earlier in the sequence: it's what determines whether ground-level enforcement — the raids, the immigration checks, the local police response — ever actually constitutes an intervention in the first place. A raid announced three days in advance to the people it's supposedly targeting, as Long described to The Diplomat, isn't disrupted infrastructure recovering from a disruption. It's an enforcement action that was never a real threat to begin with, dressed up for an audience — international observers, sanctions-conscious foreign governments, a domestic public wanting to see action — that wasn't positioned to know the difference.

Put together, this means the two enforcement tracks visible in the public record — the high-profile, leadership-level actions (extraditions, sanctions, the Huione infrastructure seizure) and the ground-level actions (compound raids, arrests, immigration enforcement) — are not failing for the same reason, and probably can't be fixed by the same fix. The leadership-level track is failing because the industry has more technical redundancy than any single seizure can remove. The ground-level track is failing because the people executing it are, in a documented and recurring set of cases, financially entangled with the people they're supposed to be stopping. A government could theoretically solve the second problem completely — replace every compromised local official, end every tip-off — and the compounds would still have Starlink, still have a laundering marketplace, still have a Telegram-based recruitment pipeline absorbing displaced workers. A government could theoretically solve the first problem completely — somehow eliminate every piece of resilient infrastructure these operations currently rent — and compounds operating with active police cooperation would still be difficult to locate, let alone shut down, because the people whose job it is to find them have been told, or paid, to look elsewhere.

That's the actual shape of the resilience this industry has built, and it's worth stating as plainly as the evidence allows: it isn't one obstacle. It's two independent obstacles that happen to produce the same headline outcome, which makes "despite high-profile enforcement, the industry remains resilient" technically true and analytically useless as a diagnosis. The more precise version is that two different kinds of enforcement are each solving, at best, half the problem — and neither half-solution compounds with the other, because they don't share a mechanism.

What's Actually New in 2026

Every action against Huione described in the last two sections targeted something the network could, in principle, replace. A financial designation cuts off correspondent banking access; the network moves to a successor entity, which is exactly what happened this week — FinCEN's notice extending the Section 311 designation to a new entity called H-Pay Service PLC was issued the same day as the cloud seizure, an explicit acknowledgment that Huione was already moving to route around the October ruling before the ink was dry. A platform ban removes a Telegram channel; the network's customers and vendors redistribute across a wider field of similar Telegram-native marketplaces, which Chainalysis's own tracking shows happened after the May 2025 takedown. A sanctions list adds names; new names get used.

The cloud account seizure is being framed, including by the DOJ officials announcing it, as a different kind of target — going after what Assistant Attorney General A. Tysen Duva called the "technological backbone" itself rather than a financial instrument sitting on top of it. FBI Cyber Division Assistant Director Brett Leatherman made the same distinction explicitly: the bureau intends "to pursue not only the perpetrators, but also the services that support their criminal operations." Whether that distinction holds up depends on something the public reporting doesn't actually establish: which cloud provider held the seized account, and whether replacing it requires the kind of real-world contractual and billing relationship that's harder to reconstitute on short notice than a crypto wallet or a Telegram handle — or whether, like everything else in this ecosystem, it's simply one more rentable layer with a deep enough bench of alternative providers that the substitution happens in weeks rather than months. None of the coverage of this seizure names the provider or describes how access was obtained, which makes it genuinely unclear, not just unstated for brevity, whether this represents a structurally different chokepoint or the same maneuver one layer further down the stack.

The action sits inside a larger, time-bounded campaign rather than as a standalone event, which matters for reading it correctly: Operation Riptide is a 60-day FBI offensive that began June 9 and is explicitly targeting infrastructure and financial networks rather than individual cases, and this seizure is one move within it, not its conclusion. The same week's parallel Treasury action — sanctions on nine individuals and 26 entities tied to the Prince Group transnational criminal organization, separate from but adjacent to the Chen Zhi case described in Section I — suggests a coordinated push across financial, infrastructural, and individual-target enforcement simultaneously, rather than the single-lever actions that characterized 2025's response.

The honest read, available from the same on-chain analysts whose work underpins the figures in Section II, is that this kind of action reliably produces short-term fragmentation and only sometimes produces lasting disruption — criminal networks shift liquidity, reroute transactions, and migrate to replacement platforms in response to exactly this kind of pressure, and there's no public evidence yet establishing which outcome this seizure will produce. The genuinely diagnostic data won't come from this week's press release. It comes from whatever Chainalysis and Elliptic report later this year on whether Huione-linked transaction volume actually contracted, migrated to identifiable successor infrastructure, or simply became harder to trace — three different outcomes that would currently look identical from the outside, and won't be distinguishable until the firms doing this tracking publish their next read.

Epistemic Boundaries

Everything in this piece is sourced to named organizations, named survivors, and named government documents. None of that sourcing closes every gap, and it's worth being precise about which gaps are which — because "we don't know X" and "X is unknowable from the outside right now" are different claims, and conflating them is its own kind of imprecision.

Workforce composition. Section III flagged this once already and it belongs here in full: no named source quantifies what fraction of a compound's workforce is trafficked against what fraction is voluntary — syndicate members, paid management, or low-level staff who entered the work knowingly even if conditions later turned coercive. The Diplomat's survivor account and the experts quoted in Fortune both describe a mix without putting a number on it, and the large-scale figures from OHCHR (300,000) and Interpol describe people inside the ecosystem without distinguishing roles. Treating "staffed by trafficking victims" as describing the entire workforce, rather than an unquantified portion of it, would be a precision the sourcing doesn't support.

Tip-off mechanics. OHCHR's finding that immigration officers coordinate with recruiters, and Long's account of advance warning before raids, establish that coordination happens and that it's reliable enough for operators to plan around. Neither source — nor anything else reviewed for this piece — describes the actual mechanism: whether warnings travel by phone call, by messaging app, through an intermediary, or via standing arrangements that don't require active communication for each raid. That's not a minor gap. It's the difference between "corrupt officials exist" and "there is an identifiable channel a journalist or investigator could potentially intercept or document directly," and the public record currently only supports the former.

The cloud provider. Section V already flagged this, but it's worth restating as a boundary rather than a loose thread: no outlet covering the DOJ's Huione seizure has named the cloud provider whose account was seized, or described the legal mechanism — subpoena, warrant, provider cooperation — that produced the seizure. Without that, there's no way to assess whether this represents a genuinely harder-to-replace chokepoint or a substitutable one, which is the central open question Section V poses and which this piece cannot resolve on the available reporting.

AI-tooling capability. Chainalysis's figures on generative-AI scam vendors — the 1,900% revenue growth, the roughly $200 "face-changing" video services — describe marketplace activity: what vendors advertised and sold, and at what volume. They are not independent technical assessments of what those tools actually produce, how convincing the output is, or how often it succeeds against real identity-verification systems. Vendor marketing on a criminal marketplace is evidence of demand and of a growing industry within the industry; it is not evidence of capability, and this piece has been careful throughout to cite the growth figures without implying a technical verification that doesn't exist in the public record.

Reconciling the dollar figures. Section II already noted that Huione's various size estimates — FinCEN's $4 billion confirmed-illicit figure, Elliptic's $134 billion marketplace valuation, Chainalysis's $16.1 billion for 2025 alone, UNODC's $24 billion by end of 2024 — don't reconcile cleanly, and that's restated here as a standing limitation rather than a problem this piece manages to solve. Different organizations are measuring different entities, different time windows, and different categories of fund flow (confirmed-illicit versus gross volume) using different methodologies applied to a deliberately opaque network. A single authoritative number for "how big is Huione" doesn't currently exist, and any version of this story that presented one would be manufacturing a precision nobody outside the network actually has.

None of these boundaries undermine the piece's central claim — that infrastructure and corruption are separate, non-overlapping points of failure. They mark where that claim is well-supported and where it currently can't be pushed further without better access than any of the named sources cited here have been able to obtain.

Sourcing Note

Financial & technical infrastructure:

  • US Department of Justice, Office of Public Affairs press release, June 23, 2026 (Operation Riptide / Huione cloud seizure; quotes from AAG A. Tysen Duva, FBI Assistant Directors Heith Janke and Brett Leatherman)
  • FinCEN, Section 311 final rule and Federal Register notice (Huione Group designation, effective Nov. 17, 2025); FinCEN NPRM extending designation to H-Pay Service PLC, June 23, 2026
  • Chainalysis (multiple reports: 2025 Huione transaction volume $16.1B / >20% of global crypto laundering; Huione ecosystem $49B–$70B+ processed since 2021; generative-AI scam-vendor revenue growth ~1,900% YoY; "face-changing" services pricing; X post, June 24, 2026)
  • Elliptic (first exposed Huione Guarantee, July 2024; Huione Guarantee lifetime volume >$31B; Huione Pay lifetime volume >$103B; FBI collaboration statement, June 23, 2026; CEO Simone Maini quote)
  • UNODC report, April 2025 (Huione laundering estimate, ~$24B by end of 2024)
  • US Treasury sanctions on Prince Group Transnational Criminal Organization (9 individuals, 26 entities), June 2026, via CryptoTimes reporting
  • International Justice Mission, satellite + mobile-data analysis (Starlink connection counts, Myawaddy compounds, April 2025)
  • Stimson Center, "Lifeline or Liability? The Role of Satellite Internet in Fueling Online Scams," January 2026
  • SpaceX / Lauren Dreyer public statements, October 2025, via NBC News, The Record, The Register, UPI
  • US Senate Joint Economic Committee investigation announcements, October and December 2025

Corruption & human rights documentation:

  • UN Office of the High Commissioner for Human Rights, "Online Scam Operations and Trafficking into Forced Criminality in Southeast Asia," August 2023 (120,000 Myanmar / 100,000 Cambodia estimate)
  • UN OHCHR updated report and press briefing, February 2026 (300,000-person estimate; "two sets of victims" framing; spokesperson Jeremy Laurence and senior advisor Pia Oberoi quotes; immigration-fast-tracking and police-payment findings)
  • Amnesty International, Cambodia field investigation, June 2026 (75 of 86 confirmed compounds visited; 73 survivor interviews)
  • C4ADS satellite imagery analysis, via PBS Frontline, December 2025 (Myawaddy compound expansion post-raid)
  • The Diplomat, March 2026 (named survivor account, "Long")
  • Fortune, November 2025 (Jacob Sims, Harvard Asia Center; Hammerli Sriyai, ISEAS-Yusof Ishak Institute)
  • Global Organized Crime Index, 2025 edition (Cambodia ranking)

Jonathan Brown | Border Cyber Group bordercybergroup.com ~ Support independent cybersecurity research and investigative journalism.