American technology and digital infrastructure have become the backbone of a sprawling international scam industry, according to a comprehensive investigation by the Associated Press and "Frontline" that reveals the industrialisation of fraud on a scale previously undocumented. The inquiry demonstrates that while public discourse typically focuses on social media platforms where victims encounter scams, the true machinery of cybercrime operates far upstream, routed through legitimate US companies that possess the technical capability to disrupt it but lack compelling incentives to do so.
The investigation identifies a troubling pattern: technology firms and infrastructure providers embedded throughout the digital supply chain have become unwitting—or indifferent—accomplices to criminals. The Federal Trade Commission estimates that scams cost Americans nearly US$200 billion (RM815.34 billion) in 2024 alone, yet most major US technology companies operate without mandatory regulatory obligations to police their platforms or networks for such abuse. While the AP found no evidence of illegal conduct by these companies, the patterns of enforcement failures raise fundamental questions about corporate responsibility and whether self-regulation through terms of service is sufficient.
Among the most concerning findings is the central role of artificial intelligence tools in mechanising scam operations. Researchers working with security nonprofit C4ADS documented two sophisticated software suites deployed by scammers from compounds across Southeast Asia, with OpenAI's ChatGPT featuring most prominently alongside Google's Gemini and other AI models. These tools enable fraudsters to operate across numerous languages simultaneously, generate convincing automated responses, construct believable false personas, and monitor their staff's productivity with corporate-level efficiency. Blockchain analysis by TRM Labs suggests that scammers purchasing these software packages generated tens of millions of dollars in illicit proceeds—a return on investment that makes compliance and enforcement distant concerns.
OpenAI responded to the AP's findings by banning three accounts identified as supporting online scams, and both OpenAI and Google stated they maintain robust programmes designed to detect and prevent malicious use. However, such reactive measures offer only limited protection. The sheer scale of these platforms means that enforcement depends either on resource-intensive monitoring or on external reporting mechanisms—neither of which has proven adequate in addressing the industrialised, highly organised scam compounds that have proliferated in Myanmar and neighbouring countries.
The investigation's analysis of device connections to four major scam compounds reveals the outsized role of US-registered infrastructure providers. Among more than 200,000 tracked connections, one in five signals originated from companies registered in the United States, according to data provided by the International Justice Mission, an anti-trafficking organisation. Four companies—Cogent Communications, Oracle, AT&T, and DigitalOcean—featured prominently, though non-US firms with American servers, including UpCloud of Finland and GlobalTeleHost of Canada, also facilitated high-risk traffic from scam centres. All these companies argue they operate under privacy-by-design principles that prevent them from observing the content transmitted across their networks, and they insist they respond promptly to legitimate abuse reports and coordinate with law enforcement.
Yet the case of Starlink presents a more complex picture of incomplete enforcement. Despite Congressional attention and a widely publicised crackdown in late 2025 when the company claimed to have disconnected 2,500 satellite kits near scam compounds, device data and recent satellite imagery shared with AP indicate that scammers continue accessing Starlink services from Myanmar. At least 25 new facilities have been constructed since the announced crackdown, with device data confirming that at least 13 utilised Starlink connectivity. The company, owned by Elon Musk, remains the dominant internet service provider for scam operations in Myanmar, suggesting that even high-profile enforcement actions produce only temporary disruption.
Starlink's persistent presence in the scam ecosystem raises uncomfortable questions about the limits of voluntary cooperation. The company declined to respond to detailed questions but reiterated its commitment to working with law enforcement and maintaining ethical service provision. However, the technical capacity to monitor and restrict service to specific coordinates—a capability satellite internet systems inherently possess—remains underutilised. Industry analysts emphasise that tech companies sit atop vast repositories of data and possess sophisticated tools that could substantially reduce illicit activity, but deploying such measures requires sustained investment and commitment that generates no direct revenue.
The fundamental problem, as Sascha Meinrath, the Palmer chair in telecommunications at Penn State University, articulated to AP: "If there's no disincentive to continuing this, if there's no cost to actually facilitating scamming, then why would I spend a dollar to prevent scamming?" This logic reveals the economic incentive structure underlying corporate inaction. Tech companies incur costs when investing in fraud prevention, while the reputational and legal consequences of enabling scams—at least in the United States—remain minimal. The business calculus tilts sharply toward acceptance of abuse as an operational cost.
Outside the United States, regulatory pressure is mounting. The United Kingdom, European Union, Australia, and Singapore have enacted or are implementing rules requiring companies to demonstrate active fraud prevention efforts or face financial penalties. These jurisdictions have effectively created the missing incentive: regulatory cost. Singapore's approach is particularly relevant for Malaysian readers, as the city-state's strict requirements and enforcement mechanisms increasingly set regional expectations. Yet Washington has relied almost exclusively on voluntary cooperation, with government officials and lawmakers appealing to corporate civic responsibility rather than mandating compliance through legal requirements.
This regulatory gap has profound implications for Southeast Asia, where scam compounds thrive partly because of permissive enforcement in host countries but fundamentally rely on the US infrastructure that remains insufficiently guarded. Malaysia, like other nations in the region, suffers as both a location from which scams originate and a source of victims. The investigation underscores that regional governments addressing cybercrime face structural limitations—criminal networks exploit US infrastructure that regional authorities cannot directly regulate, and US companies lack sufficient incentives to police their own platforms without legal mandates.
Jeanine Pirro, the US Attorney leading a new Scam Center Strike Force, recently stated that "when fraud is detected, industry must be ready, willing and able to stop it." However, this framing presupposes that fraud is reliably detected and that industry voluntarily prioritises prevention. The AP investigation suggests both assumptions are flawed. Detection requires investment that companies avoid absent legal requirement, and prioritisation occurs only when costs of inaction exceed costs of compliance.
The investigation demonstrates that solving the scam crisis requires synchronised action across three fronts: US regulatory frameworks that mandate corporate accountability, international coordination establishing baseline requirements for infrastructure providers, and enforcement mechanisms ensuring compliance. Without legal obligations and financial penalties, the technological sophistication that enables American companies to prevent fraud will continue serving its opposite purpose, generating revenue for legitimate tech firms while facilitating the largest theft scheme in human history.
