What Happened
An operation named Disruption Week brought together an unusual coalition: the DOJ's Scam Center Strike Force, the Royal Thai Police, law enforcement agencies across multiple countries, and private sector companies including Apple, Coinbase, Google, Meta, Microsoft, Silent Push, SpaceX, TRM Labs, and Zenlayer. The target was the infrastructure behind fraud operations running out of industrial-scale compounds in Cambodia, Laos, and Burma.
The results were significant. Over 1.4 million social media accounts, pages, and groups on Facebook and Instagram were taken down, along with Microsoft accounts and Starlink satellite internet kits used by the compounds. Malicious IP address traffic and network connections were disrupted. Servers and hosting infrastructure were decommissioned. Sixty-three individuals involved in scam activities were arrested. Criminal complaints were filed against individuals involved in cryptocurrency investment fraud operating out of Burma, and over $3.8 million in cryptocurrency assets linked to the networks were frozen.
"Disruption Week shows what is possible when governments and private industry focus their efforts in tandem: millions of scam accounts interrupted, and criminal networks pushed off the US internet platforms on which they rely," US Attorney Jeanine Ferris Pirro said.
The Compound Model
The fraud operations targeted in Disruption Week are not run by individuals working from laptops in coffee shops. They operate from physical compounds, entire buildings or complexes in Cambodia, Laos, and Burma that function as fraud factories. The scale is industrial, with hundreds or thousands of workers per compound running scams simultaneously across multiple platforms and countries.
The labor pipeline is itself a crime. Workers were lured to Thailand under the promise of high-paying technical jobs. On arrival, their identification documents were seized and they were trafficked to the compounds across borders, where they were forced to participate in fraud operations targeting victims in the United States and other countries. The workers become both tools of the fraud and victims of human trafficking, trapped in facilities they cannot leave, operating under coercion.
These compounds run romance scams, cryptocurrency investment fraud (commonly known as "pig butchering"), tech support scams, and other social engineering operations at scale. Each worker operates multiple fake identities across social media platforms, messaging apps, and dating sites. The operations are organized with management hierarchies, quotas, training programs, and quality control. The revenue generated flows through layers of cryptocurrency wallets, shell companies, and money laundering networks.
The Public-Private Coalition
What makes Disruption Week distinctive is the breadth of private sector participation. Previous law enforcement operations against cybercrime have involved individual companies as partners, but this operation brought together competitors who collectively control the platforms, infrastructure, and financial rails the scam networks depend on.
Meta removed the social media accounts and groups used to operate scams on Facebook and Instagram. Microsoft shut down accounts used for identity creation and communication. Apple contributed to the effort across its platforms. Google participated in disrupting the digital infrastructure. SpaceX's Starlink kits were being used to provide internet connectivity to remote compound locations, and those kits were disabled. Coinbase and TRM Labs addressed the cryptocurrency infrastructure used for money laundering. Silent Push and Zenlayer contributed network intelligence and infrastructure disruption.
The coordination here matters more than any individual contribution. Scam compounds depend on the entire stack working together: social media for victim contact, messaging platforms for relationship building, internet connectivity for operations, cryptocurrency for payment processing, and hosting infrastructure for backend systems. Disrupting any single layer forces the operation to rebuild that component. Disrupting all layers simultaneously forces a complete operational reset.
The Infrastructure Angle
The disruption of malicious IP address traffic, network connections, and hosting infrastructure deserves specific attention. These scam operations do not run on a single server. They use distributed infrastructure across multiple hosting providers, content delivery networks, VPN services, and satellite internet connections to maintain operations and evade detection.
The use of Starlink kits is particularly notable. Satellite internet provides connectivity in locations where traditional terrestrial ISPs either do not operate or, where they do, cooperate with law enforcement. Compounds in remote areas of Burma and Laos used Starlink to maintain high-bandwidth, low-latency connections to the global internet without depending on local telecommunications infrastructure that might be subject to government monitoring or shutdown orders. SpaceX's participation in disabling these kits removes a connectivity option that was specifically chosen for its resistance to local-level disruption.
The decommissioning of servers and hosting infrastructure suggests that investigators identified the backend systems used to manage scam operations: databases of victim profiles, scripts and playbooks for social engineering, cryptocurrency wallet management tools, and communication platforms used to coordinate across compound locations. Losing this infrastructure means losing operational data, trained models, victim relationship histories, and the accumulated knowledge that makes long-running scams effective.
The Scale of the Problem
While the 1.4 million account figure is large, it represents a fraction of the total scam infrastructure operating in Southeast Asia. The United Nations Office on Drugs and Crime estimates that scam compounds in the region generate over $40 billion annually. Hundreds of compounds operate across Myanmar, Cambodia, Laos, the Philippines, and other countries. The labor force, consisting of trafficked workers and willing participants, numbers in the hundreds of thousands.
The cryptocurrency dimension is equally vast. The $3.8 million in frozen assets from this operation represents a small fraction of the total financial flows. Pig butchering scams alone accounted for over $3.9 billion in reported losses to Americans in 2023, according to the FBI's Internet Crime Complaint Center. Actual losses are significantly higher, as many victims do not report. The scam networks use sophisticated laundering chains involving multiple cryptocurrency exchanges, cross-chain bridges, mixers, and conversion to stablecoins to obscure the flow of funds.
This context does not diminish what Disruption Week accomplished. It illustrates why sustained, repeated operations are necessary. Each disruption forces the networks to rebuild infrastructure, recruit and retrain workers, establish new accounts, and reconstruct victim relationship pipelines. The cumulative cost of repeated disruptions eventually exceeds the revenue potential, making certain operational models economically unviable.
What This Means for Network Defenders
The infrastructure used by scam compounds overlaps significantly with the infrastructure used for other forms of cybercrime, including DDoS attacks, credential stuffing, phishing campaigns, and malware distribution. Compromised servers, rented botnets, bulletproof hosting, and cryptocurrency laundering networks are shared resources in the criminal ecosystem. When one operation is disrupted, the infrastructure it relied on becomes unavailable to other criminal operations as well.
The IP address and network connection disruptions from Disruption Week may reduce malicious traffic from the specific infrastructure that was decommissioned. Network defenders may see temporary reductions in certain categories of inbound malicious traffic, particularly social engineering attempts and reconnaissance activity originating from the affected hosting infrastructure.
More broadly, the operation demonstrates the increasing willingness of technology companies to take coordinated action against criminal infrastructure. The platforms involved in Disruption Week have enormous visibility into malicious activity on their networks. When they share intelligence with law enforcement and with each other, the resulting picture of criminal operations is far more complete than any single entity could develop alone. This model of public-private coordination will likely be replicated against other forms of cybercrime infrastructure.
What Comes Next
The 63 arrests and criminal complaints are the beginning, not the end. Seized infrastructure, account data, cryptocurrency transaction records, and network intelligence will feed investigations for months. Additional arrests are likely as financial trails are traced and operational hierarchies are mapped. The human trafficking dimension adds another layer of legal proceedings, as victims of trafficking are identified and cases are built against the compound operators who recruited and exploited them.
The scam networks will adapt. Compounds will relocate to jurisdictions with weaker law enforcement cooperation. New social media accounts will be created. Alternative internet connectivity solutions will replace the disabled Starlink kits. Cryptocurrency laundering methods will evolve. The fundamental economics of the scam model remain profitable enough to justify the cost of rebuilding.
The lesson for both law enforcement and the private sector is that disruption must be continuous. A single operation, no matter how successful, creates a temporary setback. Sustained pressure through repeated operations, continuous platform enforcement, and ongoing financial intelligence sharing is what ultimately degrades the networks' ability to operate at scale. Disruption Week is a strong model for how that sustained pressure can be organized and executed.