A new US law enforcement initiative is aimed at crypto fraudsters targeting Americans—and now seeks to seize infrastructure it claims is crucial to notorious scam compounds.
Analysis Summary
# Incident Report: Legal Action Against Crypto Scam Infrastructure Utilizing Satellite Internet
## Executive Summary
US law enforcement has initiated legal action targeting the infrastructure supporting large-scale cryptocurrency investment scam compounds operating in Southeast Asia, specifically Myanmar. This action includes securing seizure warrants for Starlink satellite internet terminals and accounts believed to be crucial for the cybercriminals' operations. The immediate outcome is increased pressure on the criminal ecosystem via infrastructure disruption and the ongoing seizures of illicitly gained cryptocurrency.
## Incident Details
- Discovery Date: Ongoing; the recent legal action stems from a WIRED investigation published earlier this year.
- Incident Date: Warrants issued Monday and Wednesday (relative to the article's publication date, Nov 14, 2025).
- Affected Organization: Starlink/SpaceX (as the service provider whose terminals and accounts are targeted for seizure); several scam compounds in Myanmar (Payathonzu, Tai Chang compound).
- Sector: Financial Fraud / Cybercrime Infrastructure; Satellite Communications.
- Geography: Myanmar (Scam Compound Locations); United States (Jurisdiction for warrants).
## Timeline of Events
### Initial Access
- Date/Time: Unknown, ongoing operation.
- Vector: Service provision (Starlink terminals supplied connectivity).
- Details: Cybercriminals at scam compounds in Myanmar established persistent internet access via Starlink terminals, enabling them to target US victims remotely.
### Lateral Movement
- **Not Applicable:** The incident concerns external criminal infrastructure used to commit fraud, not a network intrusion within a protected organization.
### Data Exfiltration/Impact
- **No Data Exfiltration Detailed:** The impact is financial fraud against victims; approximately $6.7 million was lost in one identified scheme ("Wealthob") between Jan 2017 and Nov 2025.
### Detection & Response
- **Detection:** Ongoing intelligence gathering, including a specific WIRED investigation from earlier in the year revealing Starlink use.
- **Response Actions:**
* **Pre-Warrant:** Starlink proactively disabled over 2,500 Starlink devices used near scam compounds by the end of October.
* **Warrant Issuance (Monday/Wednesday):** DOJ/FBI secured two sets of warrants: one to seize 9 Starlink terminals/accounts used by compounds near Three Pagodas Pass, and a second to seize related scam websites.
* **Strike Force Action:** The new DC Scam Center Strike Force has already seized approximately $400 million in cryptocurrency tied to these scams.
## Attack Methodology
- **Initial Access:** The specific methods scammers used to reach victims are not detailed; Starlink connectivity supported the operation itself.
- **Persistence:** Physical Starlink terminals providing persistent, likely high-speed, internet connectivity at remote compound locations.
- **Privilege Escalation:** Not applicable to the response action described.
- **Defense Evasion:** Reliance on internet connectivity located outside US jurisdiction to mask operational locations.
- **Credential Access:** Not detailed, but integral to crypto fraud schemes.
- **Discovery:** Not detailed (likely internal reconnaissance within the fraud process).
- **Lateral Movement:** Not applicable.
- **Collection:** Victims were engaged via "unexpected text messages" leading to social engineering via WhatsApp.
- **Exfiltration:** Fraudulent transfer of funds (cryptocurrency).
- **Impact:** Financial loss for American citizens ($6.7M for one scheme noted).
## Impact Assessment
- Financial: At least $6.7 million lost by victims in the "Wealthob" scheme alone; total losses across the ecosystem are likely much higher. The Strike Force has seized $400 million in crypto so far.
- Data Breach: Not specified; focus is on financial theft via social engineering/investment fraud.
- Operational: Disruption of the criminal compounds' critical communications infrastructure is the ongoing operational goal.
- Reputational: Potential reputational impact on Starlink/SpaceX due to the alleged service provision to criminal enterprises, mitigated by their proactive disabling of devices.
## Indicators of Compromise
- **Network Indicators (Defanged):** None provided. The actionable indicator is physical: Starlink hardware devices linked to compounds in Myanmar border areas (Payathonzu, Three Pagodas Pass, Tai Chang compound).
- **File Indicators:** Not applicable.
- **Behavioral Indicators:** Social engineering campaign initiated via text messages, migrating initial contact to WhatsApp for relationship building and investment pitching (e.g., "Wealthob" branding).
## Response Actions
- **Containment measures:** Starlink proactively identified and disabled over 2,500 Starlink devices operating in the vicinity of scam compounds by late October.
- **Eradication steps:** DOJ issued warrants to seize physical Starlink terminals (9 specified in one warrant) and associated accounts, forcing service disconnection. Seizure of related scam websites is also active.
- **Recovery actions:** The DC Scam Center Strike Force is actively seizing stolen cryptocurrency, with approximately $400 million seized so far.
## Lessons Learned
- **Infrastructure Dependency:** Large-scale, complex criminal ecosystems heavily rely on robust, often commercially available, infrastructure (like satellite internet) for operational continuity.
- **Proactive Measures Work:** Starlink's earlier disabling of thousands of devices shows that a provider can use its terms of service and control over the service to significantly disrupt criminal operations before any legal action.
- **Jurisdictional Challenges:** Law enforcement must leverage legal mechanisms (like seizure warrants) to target infrastructure physically located outside the jurisdiction, requiring cooperation or legal pressure on infrastructure providers.
## Recommendations
- **Infrastructure Vetting/Monitoring:** Providers offering global high-speed connectivity solutions should enhance monitoring for massive/unusual clusters of usage in known high-risk operational areas (e.g., remote border regions linked to transnational crime).
- **Inter-Agency Collaboration:** Continue high-level collaboration (DOJ, FBI, Secret Service) to form specialized strike forces capable of rapidly linking financial flows, technical infrastructure, and physical locations.
- **Supply Chain Transparency:** Review terms of service and supply chain mechanisms to prevent bulk/unauthorized acquisition of service hardware destined for high-risk zones facilitating known criminal activity.
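The first recommendation above (monitoring for unusual clusters of terminals in known high-risk areas) can be expressed as a simple density check a provider could run over its own terminal telemetry. The following is an added example written for this report; it is not code from the article, Starlink or SpaceX. The watch-region bounding boxes, grid-cell size, alert threshold, terminal IDs and coordinates are all constructed assumptions, and a real deployment would substitute curated polygons and tuned thresholds.

```python
"""Flag dense clusters of satellite terminals inside designated high-risk regions.

Added example (not from the article, Starlink or SpaceX). All region boxes,
terminal IDs and coordinates below are constructed placeholders.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple
import math


@dataclass(frozen=True)
class TerminalSighting:
    """One observed terminal position (e.g. from a provider's own telemetry)."""
    terminal_id: str
    lat: float
    lon: float


# Hypothetical watch regions as (min_lat, min_lon, max_lat, max_lon) boxes.
# Constructed coordinates; they do not correspond to real compound locations.
WATCH_REGIONS = {
    "border-zone-A": (15.0, 98.0, 15.5, 98.6),
    "border-zone-B": (16.9, 98.4, 17.1, 98.8),
}


def region_for(lat: float, lon: float) -> Optional[str]:
    """Return the name of the watch region containing the point, or None."""
    for name, (min_lat, min_lon, max_lat, max_lon) in WATCH_REGIONS.items():
        if min_lat <= lat <= max_lat and min_lon <= lon <= max_lon:
            return name
    return None


def grid_cell(lat: float, lon: float, cell_deg: float) -> Tuple[int, int]:
    """Bucket a coordinate into a square grid cell cell_deg degrees on a side."""
    return (math.floor(lat / cell_deg), math.floor(lon / cell_deg))


def terminals_per_region(sightings: List[TerminalSighting]) -> Dict[str, int]:
    """Count distinct terminals per watch region (repeat sightings collapse)."""
    seen = defaultdict(set)
    for s in sightings:
        region = region_for(s.lat, s.lon)
        if region is not None:
            seen[region].add(s.terminal_id)
    return {region: len(ids) for region, ids in seen.items()}


def flag_clusters(sightings: List[TerminalSighting], threshold: int = 5,
                  cell_deg: float = 0.05) -> List[dict]:
    """Alert on any grid cell inside a watch region holding >= threshold distinct terminals."""
    cells = defaultdict(set)
    for s in sightings:
        region = region_for(s.lat, s.lon)
        if region is None:
            continue  # outside every watch region: out of scope for this check
        cells[(region, grid_cell(s.lat, s.lon, cell_deg))].add(s.terminal_id)
    alerts = []
    for (region, cell), ids in sorted(cells.items()):
        if len(ids) >= threshold:
            alerts.append({"region": region, "cell": cell,
                           "count": len(ids), "terminals": sorted(ids)})
    return alerts


# Constructed sample telemetry: seven distinct terminals packed into one cell of
# zone A (one of them reported twice), two in zone B, three outside both regions.
SAMPLE_SIGHTINGS = [
    TerminalSighting(f"T-A{i}", 15.21 + i * 0.002, 98.31 + i * 0.002) for i in range(7)
] + [
    TerminalSighting("T-A0", 15.21, 98.31),   # duplicate report of the same terminal
    TerminalSighting("T-B0", 17.02, 98.61),
    TerminalSighting("T-B1", 17.03, 98.62),
    TerminalSighting("T-X0", 13.75, 100.50),
    TerminalSighting("T-X1", 13.76, 100.51),
    TerminalSighting("T-X2", 13.77, 100.52),
]

if __name__ == "__main__":
    print(terminals_per_region(SAMPLE_SIGHTINGS))
    for alert in flag_clusters(SAMPLE_SIGHTINGS):
        print(alert)
```

Counting distinct terminal IDs rather than raw sightings keeps a single chatty device from tripping the threshold, and gridding within a region surfaces a tight cluster (one compound) that a region-wide count would blur together with scattered legitimate users. On the constructed data, zone A raises one alert for seven terminals in a single cell; zone B's two terminals stay below the threshold.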