Seriously Risky Business Newsletter

January 15, 2026

China Fights Scam Compounds … For China

Written by Tom Uren

Policy & Intelligence

Your weekly dose of Seriously Risky Business news is written by Tom Uren and edited by Patrick Gray. This week's edition is sponsored by Prowler.

You can hear a podcast discussion of this newsletter by searching for "Risky Business News" in your podcatcher or subscribing via this RSS feed.

Cambodian scam compound, Amnesty International

China's recent crackdown on Southeast Asian scam compounds is clearly good news. But its efforts to tackle the scourge are domestically driven and may even cause scammers to shift their focus to Americans.

Last week authorities announced that an alleged scam kingpin, Chen Zhi, had been arrested by Cambodian authorities and extradited to China. Chen is the founder of the Prince Group, which is ostensibly a Cambodian corporate conglomerate, but which US authorities allege was a transnational criminal organisation that operated forced-labour scam compounds engaging in various fraud schemes. 

US authorities had taken action against Chen Zhi. Back in October of last year, he was sanctioned and indicted and had a whopping USD$15 billion worth of cryptocurrency seized by the US. But China had the regional clout to actually get him in handcuffs. 

Unfortunately, experts say China's efforts against scam centres are reactive. They're driven by domestic outrage, rather than a desire to strategically improve global or even regional security. 

The country's efforts against scam compounds really kicked off in 2023. In October of that year, a number of Chinese citizens were killed while attempting to escape a scam centre in Kokang, a Myanmar province bordering China. Reports of the deaths circulated on Chinese social media, including a rumor that four of the victims were undercover police officers.  

Until the scam centre killings, China's default policy was to suppress conflict near its border. After the deaths, however, an offensive against Myanmar's military junta appears to have been tacitly approved by Beijing. 

Within weeks, a coalition of armed ethnic groups known as the Three Brotherhood Alliance launched a military offensive in Kokang, with one of its stated goals being to eliminate scam compounds. Beijing subsequently brokered a ceasefire deal, with one of the conditions for the junta being a crackdown on scam centres.

From a counter-scam centre perspective, the Three Brotherhood offensive reaped immediate benefits, with a number of crime family arrests in the following months.

The scam compounds didn't go away, though. In January of last year, Chinese actor Wang Xing was lured to a scam compound with the offer of a fake acting job. He was rescued within days after his girlfriend's pleas for help went viral on Chinese social media. 

The Chinese government has redoubled efforts to crack down on scam compounds and harsh sentences are being handed down in Chinese courts. In September last year 39 members of the Ming crime family were sentenced, including 11 to death and 11 to life sentences. The family operated one of the largest scam compounds in Kokang. Members of three other crime families have also been charged, with another five individuals sentenced to death in November.

Between them, the four crime families are said to have operated over 100 scam compounds. 

This all sounds great! It's hard to feel sorry for compound kingpins given the horrific human misery they cause. 

With scam compounds, though, there is a dark cloud attached to every silver lining. Unfortunately, the Chinese government isn't motivated to tackle all scam compounds, just the specific ones that generate bad press because they target Chinese citizens. 

That is good for China, but maybe not for anyone else. 

In Congressional testimony in March of last year, Jason Tower, the Myanmar country director for the then US Institute of Peace, said that Chinese crackdowns were narrowly effective in that they had "increased the cost of scamming in China dramatically". On the flip side, that meant "scam syndicates are increasingly pivoting to target the rest of the world, and especially Americans". 

He also noted that the Chinese government wasn't all that interested in cracking down on groups which were laundering money back into China or had deep connections with Chinese political elites. 

It's pretty clear that the US just doesn't have the regional might to tackle Southeast Asian scam centres alone. It could really benefit from having a regional partner with boots on the ground. We doubt that China will play ball, but the Philippines and Thailand come to mind as potentially willing partners. We aren't holding our breath though.  

Maduro Raid Cements Disruptive Cyber Role

The spectacular US raid to capture Venezuelan President Nicolás Maduro signals that disruptive cyber operations are now a regular part of military operations.

In a press conference following the operation President Donald Trump hinted that a cyber operation was used to cut power in Caracas: "The lights of Caracas were largely turned off due to a certain expertise that we have, it was dark, and it was deadly". 

At the same press conference, chair of the Joint Chiefs of Staff General Dan Caine acknowledged that US Cyber Command was one of the organisations involved in "layering different effects" that allowed US forces to fly into the country.  

The New York Times was more explicit, reporting that the "effort began with a cyberoperation that cut power to large swaths of Caracas, shrouding the city in darkness to allow the planes, drones and helicopters to approach undetected".

Despite our natural inclination to be cautious about everything we read, we think this is very likely what happened. Venezuelan authorities confirmed an outage, cyber attacks on electricity grids are not new, and the Trump administration had both the time and intent to develop and refine the capability. And this operation was particularly well suited for a disruptive cyber attack.

One criticism of disruptive cyber operations, at least when it comes to contributing to conventional warfare, is that they require relatively long lead times to develop and test techniques to ensure they have the desired effect. In this case, US cyber organisations have been looking for weaknesses in Venezuelan networks since at least President Trump's first term. Back then, the US launched disruptive attacks against Venezuela's military payroll systems and the computer networks of Maduro's intelligence service. Agencies were searching for ways to undermine the Maduro regime, so you can be sure that critical infrastructure networks were examined.

In addition to that earlier reconnaissance, months of planning went into the Maduro raid itself. 

The operation was also likely to benefit from, rather than be hindered by, another accepted weakness of cyber operations: their tendency to have short-term effects. Even if computers are completely wiped, replacing them is usually much faster than rebuilding after physical infrastructure has been bombed. In the case of the Maduro raid, a cyber disruption is actually better than the conventional military equivalent because it is less likely to cause long-term damage. The plan was to extract Maduro and leave Venezuela intact for a suitably cowed replacement who would be more receptive to US interests. Destroying energy infrastructure would make managing the country more difficult for that new leadership. 

Given the importance of the raid, we're sure there was a plan B if cyber-enabled disruption wasn't effective. The US already has special purpose munitions that are designed to disrupt the electric grid by dropping conductive fibres across infrastructure to create short circuits. The effects of these 'graphite bombs' are theoretically reversible if the affected sites are carefully cleaned, but when they were used in Iraq in 2003 a number of transformers caught fire and were destroyed.

So even though the Maduro raid was particularly well-suited for disruptive cyber operations, they merely replaced a conventional capability with something more ephemeral. And cooler, if you are a cyber person. 

But not exactly awe-inspiring. 

The real significance here is political. The Trump administration has signaled it wants an increased role for offensive cyber operations. Cyber agencies were involved in a stunning US military operation and were not found wanting: the President was pleased. It marks the arrival of disruptive cyber operations as a regular part of future military planning. 

Watch Amberleigh Jack and Tom Uren discuss this edition of the newsletter:

Risky Business Podcasts

In this special documentary episode, Patrick Gray and Amberleigh Jack take a historical dive into hacking in the 1980s. Through the words of those that were there, they discuss life on the ARPANET, the 414s hacking group, the Morris Worm, the vibe inside the NSA and a parallel hunt for German hackers happening at a similar time to Cliff Stoll’s famous Cuckoo’s Egg story.

Three Reasons to Be Cheerful This Week:

  1. US spyware founder guilty: Bryan Fleming, the founder of pcTattletale stalkerware, has pleaded guilty to charges related to running the surveillance software. Department of Homeland Security investigators said pcTattletale was marketed for the purpose of "surreptitiously spying on spouses and partners" and Fleming openly advertised his links to the spyware. It's the first stalkerware-related conviction in the US in over 10 years.
  2. Catching lots and lots of North Korean remote workers: Amazon's Chief Security Officer says the company has stymied more than 1,800 attempts by North Koreans to be fraudulently employed at the company. Interestingly, it identified one of these workers employed by a contractor firm using their keystroke latency, which wasn't consistent with someone operating in the US.
  3. New NSA leadership, hopefully: President Trump has nominated Lt Gen Joshua Rudd, a former special forces commander, to lead NSA and Cyber Command. And former NSA employee Tim Kosiba, once the agency's liaison officer in Canberra, has been announced as deputy director. Hopefully they don't get Loomered.

Sponsor Section

In this Risky Business News sponsored interview the CEO and founder of Prowler, Toni de la Fuente, explains how implementing AI systems brings new security challenges that differ from those of traditional cloud workloads. Toni also talks about ‘attack paths’ in the context of cloud infrastructure and using them to minimise risk.

Shorts

Cyber Support for Iranian Protestors Too Weak

Last week The Wall Street Journal reported that President Trump would be presented on Tuesday with a range of options to respond to the Iranian regime's lethal crackdown on protestors. These range from targeted kinetic strikes within Iran to destructive cyber attacks.

Although the administration is keen on offensive cyber operations, it also wants to avoid affecting innocent civilians in Iran. Given that potentially tens of thousands of protestors have been killed, our view is that a cyber response focussed narrowly on the Iranian military or regime would be perceived as disproportionately weak. And that doesn't seem like the president's style. 

Risky Biz Talks

You can find the audio edition of this newsletter and other fine podcasts and interviews in the Risky Biz News feed (RSS, iTunes or Spotify).

In our last Between Two Nerds discussion Tom Uren and The Grugq talk about the role of cyber operations in the US capture of Venezuela’s president Nicolas Maduro.

Or watch it on YouTube!

From Risky Bulletin:

Voice cloning defenses still weak, can be bypassed: Modern security systems designed to protect user voices from getting cloned are still weak and can be bypassed with the proper tools.

These systems work by injecting random noise in voice audio recordings in order to prevent AI-based cloning technology from copying a user's voice. Voice cloning attacks are still possible, but they produce low quality output that can be easily detected and flagged by both manual reviewers and automated systems.

But three researchers from the University of Texas, in San Antonio, say that these systems are not complex enough and can be easily bypassed if attackers account for the added noise.


Apex Legends streamers hacked again: Respawn Entertainment has patched an exploit in the Apex Legends game that allowed third-parties to take remote control over a player's in-game character.

The exploit was used against several Apex streamers over the past week. Hackers emptied their inventory (backpack) and moved their in-game avatar off the map, ending their games.

Based on the game developer's tweet, a patch was deployed to the Apex anti-cheat, suggesting the vulnerability resided in that component.

The incident is similar to another exploit from 2024. Respawn stopped and postponed a major tournament after a hacker exploited another bug to install cheating software on the PCs of two participants.


Dutch man sentenced for infecting port with malware: A 44-year-old Dutch man was sentenced to seven years in prison for a scheme to deploy malware on the Belgian port of Antwerp. The man admitted to paying a port employee in 2020 to connect a USB drive to the port network that installed the malware. The individual used access to the port network to import drugs into the country. His actions were discovered after Belgian and Dutch authorities seized the Sky ECC encrypted messaging service in 2021.
