Dubai Police, the FBI, and China's Ministry of Public Security coordinate a global sweep
The crackdown was led by the Dubai Police, under the United Arab Emirates Ministry of Interior, in partnership with the U.S. Federal Bureau of Investigation (FBI) and the Chinese Ministry of Public Security. Authorities across multiple countries — including arrests by Dubai and Thai teams of nationals from Burma and Indonesia — moved against operational centers described as industrial-scale cryptocurrency scam hubs. Nine scam centers were closed and at least 276 people were arrested, according to the reporting.
U.S. indictments, named defendants, and the mechanics of 'pig butchering'
In the U.S., federal indictments name defendants Thet Min Nyi, 27; Wiliang Awang, 23; Andreas Chandra, 29; Lisa Mariam, 29; and two fugitive co‑conspirators on charges of fraud and money laundering. The indictment alleges the defendants managed or recruited others to work at companies identified as Ko Thet Company, Sanduo Group, and Giant Company, and that Thet Min Nyi served as manager and recruiter for Ko Thet.
Prosecutors describe a long‑running romance baiting scheme — often called pig butchering — in which scammers build trust through friendly or romantic relationships, promote bogus cryptocurrency investments, assist victims in opening accounts, and encourage continued or leveraged investment. Once funds were transferred to sham platforms, the DoJ says assets were laundered to other cryptocurrency accounts, including some controlled by the fraudsters.
The indictments also link the scam centers to human trafficking: foreign nationals were allegedly recruited with false job offers and coerced into operating scams under "slave‑like conditions," including threats of violence. Two additional Chinese nationals, Jiang Wen Jie (aka Jiang Nan) and Huang Xingshan (aka Ah Zhe and Huang Xing Saan), were charged for roles in an operation run from the Shunda compound in Min Let Pan, Myanmar; Thai authorities arrested them in early 2026 while they were en route from Cambodia to Burma, the DoJ said.
Operation Level Up: the FBI's proactive victim notifications and reported savings
Operation Level Up, launched in January 2024, is a proactive FBI initiative named by the DoJ that seeks to identify and alert victims of cryptocurrency investment fraud. The FBI has notified almost 9,000 victims and, the DoJ reports, saved an estimated $562 million as of April 2026 by intervening before further losses occurred.
Operation Atlantic and 'approval phishing' frozen $12 million; global victim counts climb
Separately, Operation Atlantic has frozen roughly $12 million tied to a cybercrime group that used "approval phishing" to seize control of crypto wallets. The U.S. Secret Service described approval phishing as a method that tricks victims into signing blockchain transactions that grant a scammer complete control of a wallet, allowing attackers to drain assets — a tactic TRM Labs says is commonly wrapped inside investment or romance scams.
Authorities attribute more than 20,000 identified victims across 30 countries — including Canada, the U.K., and the U.S. — to schemes associated with Operation Atlantic and have confiscated more than 120 domains used for phishing. Investigators also identified an additional $33 million believed linked to investment fraud schemes worldwide.
Android malware, K99 Group compounds, and the domain‑based lure economy
Researchers from Infoblox and Vietnamese nonprofit Chong Lua Dao reported an Android banking trojan — a malware‑as‑a‑service (MaaS) platform — operating since at least 2023 and likely run from multiple locations, including the K99 Triumph City compound owned by Cambodia's K99 Group. The malware enables real‑time surveillance, credential theft, data exfiltration, and injection of overlay screens to steal banking credentials, then use those credentials to transfer funds.
The joint report links the infrastructure and behavior to actors tracked as Vigorish Viper and Vault Viper, and documents a sustained domain‑registration campaign: roughly 35 new domains per month, 400 targeted lure domains registered in 2025, and lookalike domains spoofing banks, pension funds, social security organizations, utility providers, government services, airlines, and e‑commerce platforms. A seized Telegram channel, @pogojobhiring2023, had more than 6,500 followers and was used to recruit trafficking victims for Cambodia‑based scam compounds; a cluster of 503 fake investment websites was also identified and tied to U.S. victimization.
What this means for technologists, policymakers, and victims
- Technologists and security teams: expect continued abuse of domain registration and APK distribution channels. The Infoblox/Chong Lua Dao findings underscore the need to track lookalike‑domain clusters and APK distribution paths that elevate permissions to persist on devices.
- Policymakers and regulators: the Treasury Department has already sanctioned Cambodian Senator Kok An, Cambodian businessman Rithy Raksmei, their associates, and related entities — including K99 Group — and the State Department offered rewards up to $10 million for information tied to proceeds from the Tai Chang scam center. Cambodia's parliament has adopted a law imposing five‑ to 10‑year sentences and fines up to $250,000 for convicted scam operators, signaling legislative responses to the compound model.
- Victims and the public: the FBI and DoJ reporting highlights how romance baiting and approval‑phishing tactics escalate losses and coerce continued investment. The agencies' notifications — almost 9,000 to date under Operation Level Up — and frozen assets in multiple operations provide immediate relief in some cases, but the scale of identified victims (more than 20,000 in Operation Atlantic alone) indicates losses and recovery remain a long‑term challenge.
The coordinated actions — arrests across at least three continents, sanctions and reward offers, malware takedowns, and cryptocurrency restraints totaling more than $701 million — demonstrate a multipronged response to a hybrid crime: financial fraud fused with trafficking and advanced malware. The record today mixes criminal charges with asset seizures and new lawmaking; the unanswered operational challenge is whether investigators can sustain cross‑border follow‑through as the domain and malware networks continue to register new lures and scale their operations.
https://thehackernews.com/2026/05/global-crackdown-arrests-276-shuts-9.html
