China Fights Scam Compounds … For China

Tom Uren
Friday, January 16, 2026, 8:00 AM
The latest edition of the Seriously Risky Business cybersecurity newsletter, now on Lawfare.
A photo of the flag of the People's Republic of China. (radiowood, https://flic.kr/p/7asMfM; CC BY-NC 2.0, https://creativecommons.org/licenses/by-nc/2.0/)

China Fights Scam Compounds … for China

China's recent crackdown on Southeast Asian scam compounds is clearly good news. But its efforts to tackle the scourge are domestically driven and may even cause scammers to shift their focus to Americans.

Authorities announced on Jan. 7 that an alleged scam kingpin, Chen Zhi, had been arrested by Cambodian authorities and extradited to China. Chen is the founder of the Prince Group, which is ostensibly a Cambodian corporate conglomerate, but which U.S. authorities allege was a transnational criminal organization that operated forced-labor scam compounds engaging in various fraud schemes.

U.S. authorities had taken action against Chen Zhi. Back in October of last year, he was sanctioned and indicted and had a whopping $15 billion worth of cryptocurrency seized by the U.S. But China had the regional clout to actually get him in handcuffs.

Unfortunately, experts say China's efforts against scam centers are reactive. They're driven by domestic outrage, rather than a desire to strategically improve global or even regional security.

The country's efforts against scam compounds really kicked off in 2023. In October of that year, a number of Chinese citizens were killed while attempting to escape a scam center in Kokang, a Myanmar province bordering China. Reports of the deaths circulated on Chinese social media, including a rumor that four of the victims were undercover police officers.

Until the scam center killings, China's default policy was to suppress conflict near its border. After the deaths, however, an offensive against Myanmar's military junta appears to have been tacitly approved by Beijing. Within weeks, a coalition of armed ethnic groups known as the Three Brotherhood Alliance launched a military offensive in Kokang, with one of its stated goals being to eliminate scam compounds. Beijing subsequently brokered a ceasefire deal, with one of the conditions for the junta being a crackdown on scam centers.

From a counter-scam center perspective, the Three Brotherhood offensive reaped immediate benefits, with a number of crime family arrests in the following months.

The scam compounds didn't go away, though. In January of last year, Chinese actor Wang Xing was lured to a scam compound with the offer of a fake acting job. He was rescued within days after his girlfriend's pleas for help went viral on Chinese social media.

The Chinese government has redoubled efforts to crack down on scam compounds, and harsh sentences are being handed down in Chinese courts. In September of last year, 39 members of the Ming crime family were sentenced, including 11 to death and 11 to life in prison. The family operated one of the largest scam compounds in Kokang. Members of three other crime families have also been charged, with another five individuals sentenced to death in November.

Between them, the four crime families are said to have operated over 100 scam compounds.

This all sounds great! It's hard to feel sorry for compound kingpins given the horrific human misery they cause.

With scam compounds, though, there is a dark cloud attached to every silver lining. Unfortunately, the Chinese government isn't motivated to tackle all scam compounds, just the specific ones that generate bad press because they target Chinese citizens.

That is good for China, but maybe not for anyone else.

In congressional testimony in March of last year, Jason Tower, then the Myanmar country director for the U.S. Institute of Peace, said that Chinese crackdowns were narrowly effective in that they had "increased the cost of scamming in China dramatically." On the flip side, that meant "scam syndicates are increasingly pivoting to target the rest of the world, and especially Americans."

He also noted that the Chinese government wasn't all that interested in cracking down on groups that were laundering money back into China or had deep connections with Chinese political elites.

It's pretty clear that the U.S. just doesn't have the regional might to tackle Southeast Asian scam centers alone. It could really benefit from having a regional partner with boots on the ground. We doubt that China will play ball, but the Philippines and Thailand come to mind as potentially willing partners. We aren't holding our breath, though.

Maduro Raid Cements Disruptive Cyber Role

The spectacular U.S. raid to capture Venezuelan President Nicolás Maduro signals that disruptive cyber operations are now a regular part of military operations.

In a press conference following the operation, President Trump hinted that a cyber operation was used to cut power in Caracas: "The lights of Caracas were largely turned off due to a certain expertise that we have, it was dark, and it was deadly."

At the same press conference, chairman of the Joint Chiefs of Staff Gen. Dan Caine acknowledged that U.S. Cyber Command was one of the organizations involved in "layering different effects" that allowed U.S. forces to fly into the country.

The New York Times was more explicit, reporting that the "effort began with a cyberoperation that cut power to large swaths of Caracas, shrouding the city in darkness to allow the planes, drones and helicopters to approach undetected."

Despite our natural inclination to be cautious about everything we read, we think that is very likely what happened. Venezuelan authorities confirmed an outage, cyberattacks on electricity grids are not new, and the Trump administration had both the time and the intent to develop and refine the capability. And this operation was particularly well suited for a disruptive cyberattack.

One criticism of disruptive cyber operations, at least when it comes to contributing to conventional warfare, is that they require relatively long lead times to develop and test techniques to ensure they have the desired effect. In this case, U.S. cyber organizations have been looking for weaknesses in Venezuelan networks since at least President Trump's first term. Back then, the U.S. launched disruptive attacks against Venezuela's military payroll systems and the computer networks of Maduro's intelligence service. Agencies were searching for ways to undermine the Maduro regime, so you can be sure that critical infrastructure networks were examined.

In addition to that earlier reconnaissance, months of planning went into the Maduro raid itself.

The operation was also likely to benefit from, rather than be hindered by, another accepted weakness of cyber operations: their tendency to have short-term effects. Even if computers are completely wiped, replacing them usually takes much less time than rebuilding after physical infrastructure has been bombed. In the case of the Maduro raid, a cyber disruption is actually better than the conventional military equivalent because it is less likely to cause long-term damage. The plan was to extract Maduro and leave Venezuela intact for a suitably cowed replacement who would be more receptive to U.S. interests. Destroying energy infrastructure would make managing the country more difficult for that new leadership.

Given the importance of the raid, we're sure there was a plan B if cyber-enabled disruption wasn't effective. The U.S. already has special-purpose munitions that are designed to disrupt the electric grid by dropping conductive fibers across infrastructure to create short circuits. The effects of these "graphite bombs" are theoretically reversible if the affected sites are carefully cleaned, but when they were used in Iraq in 2003 a number of transformers caught fire and were destroyed.

So even though the Maduro raid was particularly well suited for disruptive cyber operations, they merely replaced a conventional capability with something more ephemeral. And cooler, if you are a cyber person.

But not exactly awe-inspiring.

The real significance here is political. The Trump administration has signaled it wants an increased role for offensive cyber operations. Cyber agencies were involved in a stunning U.S. military operation and were not found wanting: The president was pleased. It marks the arrival of disruptive cyber operations as a regular part of future military planning.

Three Reasons to Be Cheerful This Week:

  1. U.S. spyware founder guilty: Bryan Fleming, the founder of pcTattletale stalkerware, has pleaded guilty to charges related to running the surveillance software. Department of Homeland Security investigators said pcTattletale was marketed for the purpose of "surreptitiously spying on spouses and partners," and Fleming openly advertised his links to the spyware. It's the first stalkerware-related conviction in the U.S. in over 10 years.
  2. Catching lots and lots of North Korean remote workers: Amazon's chief security officer says the company has stymied more than 1,800 attempts by North Koreans to be fraudulently employed at the company. Interestingly, it identified one of these workers employed by a contractor firm using their keystroke latency, which wasn't consistent with someone operating in the U.S.
  3. New NSA leadership, hopefully: President Trump has nominated Lt. Gen. Joshua Rudd, a former special forces commander, to lead the National Security Agency (NSA) and Cyber Command. And former NSA employee Tim Kosiba, once the agency's liaison officer in Canberra, has been announced as deputy director. Hopefully they don't get Loomered.

Shorts

Cyber Support for Iranian Protesters Too Weak

Last week the Wall Street Journal reported that President Trump would be presented on Tuesday with a range of options to respond to the Iranian regime's lethal crackdown on protesters. These range from targeted kinetic strikes within Iran to destructive cyberattacks.

Although the administration is keen on offensive cyber operations, it also wants to avoid affecting innocent civilians in Iran. Given that potentially tens of thousands of protesters have been killed, our view is that a cyber response focused narrowly on the Iranian military or regime would be perceived as disproportionately weak. And that doesn't seem like the president's style.

Risky Biz Talks

In our latest Between Two Nerds discussion, Tom Uren and The Grugq talk about the role of cyber operations in the U.S. capture of Venezuela's President Nicolás Maduro.

From Risky Bulletin:

Voice cloning defenses still weak, can be bypassed: Modern security systems designed to protect user voices from getting cloned are still weak and can be bypassed with the proper tools.

These systems work by injecting random noise into voice audio recordings in order to prevent AI-based cloning technology from copying a user's voice. Voice cloning attacks on the protected audio are still possible, but they produce low-quality output that can be easily detected and flagged by both manual reviewers and automated systems.

But three researchers from the University of Texas at San Antonio say that these systems are not complex enough and can be easily bypassed if attackers account for the added noise.

[more on Risky Bulletin]

Apex Legends streamers hacked again: Respawn Entertainment has patched an exploit in the Apex Legends game that allowed third parties to take remote control over a player's in-game character.

The exploit was used against several Apex streamers over the past week. Hackers emptied their inventory (backpack) and moved their in-game avatar off the map, ending their games.

Based on the game developer's tweet, a patch was deployed to the Apex anti-cheat, suggesting the vulnerability resided in that component.

The incident is similar to another exploit from 2024. Respawn stopped and postponed a major tournament after a hacker exploited another bug to install cheating software on the PCs of two participants.

[more on Risky Bulletin]

Dutch man sentenced for infecting port with malware: A 44-year-old Dutch man was sentenced to seven years in prison for a scheme to deploy malware on the network of the Belgian port of Antwerp. The man admitted to paying a port employee in 2020 to connect a USB drive to the port network that installed the malware. He then used his access to the port network to import drugs into the country. His actions were discovered after Belgian and Dutch authorities seized the Sky ECC encrypted messaging service in 2021.


Tom Uren writes Seriously Risky Business, a big-picture, policy-focused cyber security newsletter. He also co-hosts the Seriously Risky Business and Between Two Nerds podcasts that appear on the Risky Business News feed. He was formerly a Senior Analyst in the Australian Strategic Policy Institute's (ASPI) Cyber Policy Centre where he contributed to various projects including on offensive cyber capabilities, information operations, the Huawei debate in Australia and end-to-end encryption.