Seriously Risky Business Newsletter
March 06, 2025
Starlink an Internet Lifeline for Scam Compounds
Your weekly dose of Seriously Risky Business news is written by Tom Uren and edited by Patrick Gray. It's supported by Lawfare with help from the William and Flora Hewlett Foundation. This week's edition is sponsored by Prowler.
You can hear a podcast discussion of this newsletter by searching for "Risky Business News" in your podcatcher or subscribing via this RSS feed.

Starlink is being used to keep forced labour scam compounds in Myanmar online after their internet access was cut by Thai authorities, according to a report in Wired.
We'd love Starlink's parent company SpaceX to do something about this, but we're not holding our breath.
In Southeast Asia hundreds of thousands of people are forced by organised criminal gangs to carry out so-called "pig butchering" scams. These modern slavery compounds cause immense human suffering and generate billions of dollars of annual revenue.
In an effort to disrupt scam compounds in Myanmar near the Thai border, the Thai government has been cutting their electricity and internet access in cooperation with telecommunication providers. In response, the syndicates have installed Starlink terminals. Per Wired:
Reports of the use of Starlink at [the] Tai Chang [scam compound] are not a one-off—criminals running multibillion-dollar empires across Southeast Asia appear to be widely using the satellite internet network. At least eight scam compounds based around the Myanmar-Thailand border region are using Starlink devices, according to mobile phone connection data reviewed by WIRED. …
The eight compounds, spread around the Myawaddy region of war-torn Myanmar, likely have installed multiple Starlink devices. Photos of Tai Chang reviewed by WIRED appear to show dozens of white Starlink satellite dishes on a single rooftop, while human rights watchdogs and other experts say that Starlink use at the scam compounds has increased in the past year.
Last May, Thai authorities seized 134 Starlink receivers they believed were destined for scam compounds.
Wired reported that requests from both a US district attorney and a Thai politician for SpaceX to voluntarily disable Starlink internet access to specific scam compounds have, so far, amounted to nought.
Starlink is not available for purchase in Thailand or Myanmar. Its availability map says service in Thailand is "pending regulatory approval". Myanmar's service date is "unknown at this time".
While Starlink has historically worked in countries where the company is not authorised by telecoms regulators to do business, that seems to be changing… gradually. In April last year Starlink warned customers in Africa that it would shut down service in regions where the service wasn't allowed. Per Techpoint Africa:
In the email, the company explained that it intended its regional and global roaming plans for temporary use by customers who are travelling and in transit, not for permanent use in locations in unauthorised areas.
Starlink gave subscribers a two month grace period to either update their subscription to a new location or return their terminals to their authorised home countries.
But enforcement after Starlink's deadline passed was haphazard. A majority of Starlink users in unauthorised regions were still able to access the service.
Starlink has also failed to selectively restrict access to its service during the war in Ukraine. Early in the invasion, Starlink provided a clear advantage to Ukraine as it was not available to Russian forces.
However, in October last year The Washington Post reported SpaceX was not cracking down on Russian forces' use of Starlink in Ukraine. The Post described "a burgeoning black market" that sourced terminals for Russian forces as "an important factor in Russia's recent [military] gains".
Cleanly blocking Russian use of Starlink is difficult for a couple of reasons. Starlink can disable terminals either based on their unique identifiers or by 'geofencing', where it denies service to specific areas.
The front line is fluid and there needs to be some wiggle room to allow Ukrainian forces to advance, so a geofence that meets Ukrainian needs will also allow at least some Russian use. It's also hard to assign particular terminals at the front line to one side or the other solely on their location.
Per The Washington Post:
One person familiar with Starlink said that the company is technically capable of identifying the location of active terminals based on their pings up to satellites, but that it can be challenging to discern the user in the "forward edge of the battle area," where Ukrainian and Russian troops are operating.
The point here is that even with a strong incentive, SpaceX didn't restrict Russian forces' use of Starlink. Beyond the moral imperative to assist defenders facing an unjust invasion, these incentives included a USD$537 million contract to provide services to Ukraine's military, the Biden administration making representations to SpaceX on behalf of Ukraine, and the potential for military contracts worth billions more.
To us, the overall picture here is of a company that lacks the willingness and the internal processes to limit its service to the regions it is allowed to operate in, and to enforce its terms of service against abuse. (And yes, running a modern slavery compound is against Starlink's Acceptable Use Policy.)
We can see how this might have unfolded as Starlink grew. Why would a startup devote time and effort to block subscribers when that would suppress growth? Rigorously limiting Starlink's use to authorised countries would also undercut its marketing as a global telecommunications solution.
The upshot here is that dealing with terms of service violations isn't SpaceX's forte. What are the levers that will get the company to pay attention here? And what will it take for SpaceX to regularly identify and boot off harmful customers like scam compounds?
Taking known scam compounds offline would be good, but having an ongoing process to identify and remove the most abusive users of Starlink would be even better.
The Thai government also has some leverage here as regulatory approval for Starlink to operate in the country is still pending. From a Thai point of view it would seem counterproductive if Starlink terminals are sold in your country and immediately shipped across the border to be used in compounds that are damaging Thailand's reputation and national security.
It's not clear how high a priority international problems like scam syndicates will be for the Trump administration. And SpaceX CEO Elon Musk's closeness to President Trump also feels like a wild card.
Ultimately, nobody wins if these scam compounds continue operating. Except the crime syndicates, and maybe a small bump to SpaceX's bottom line.
Trump-Putin Bromance Raises Five Eyebrows
Five Eyes countries are likely to at least reassess some of their intelligence sharing practices given recent policy changes made by the Trump administration that are favourable to Russia.
Let’s look at the list so far:
- President Trump's blow-up with Ukraine's President Zelensky;
- Halting military aid to Ukraine;
- Pausing US Cyber Command operations against Russia;
- Deprioritising Russian cyber threats at CISA;
- Attorney General Pam Bondi disbanding the FBI's Foreign Influence Task Force, and a task force targeting Russian oligarchs close to the Kremlin; and
- Placing CISA officials that had worked on election-related disinformation on administrative leave.
The administration has denied that US Cyber Command paused Russian operations or that there has been a change in priorities at CISA. Risky Business News and Kim Zetter's Zero Day both have excellent coverage breaking down the separate reports. This is covered more later in the newsletter.
Speaking on the Deep State Radio podcast, Marc Polymeropoulos, a former CIA Senior Intelligence Service officer, said he was "absolutely convinced" the administration's actions will result in less intelligence sharing, particularly from British HUMINT sources who collect information about Russia.
Polymeropoulos said that Trump's actions, coupled with Director of National Intelligence Tulsi Gabbard's "very sympathetic" views on Russia, will mean that other Five Eyes countries' intelligence services will decide that "you can't trust the US".
This is particularly important for HUMINT agencies where keeping sources (as in, agents) safe is a prerequisite for long-term success. Screwing up and getting agents killed or arrested drastically limits the ability to recruit sources down the line.
"You have a sacred bond with your agent, if you're at the British Secret Intelligence Service and you can't trust the United States… they're going to incrementally stop sharing", he said.
Another former HUMINT officer wasn’t so sure. Speaking to Seriously Risky Business, he described Polymeropoulos's conclusion as a "slightly long bow to draw". He noted that the agencies had a decades-long history of relatively successful collaboration. If he were at the helm, he said, he wouldn't be taking any immediate action.
Still, he thought there "was a lot to be concerned about" and that "you'd be nuts not to think about it".
The officer highlighted the summary firing of people in the intelligence community and the arbitrary nature of White House behaviour as giving the overall impression that "nothing is off limits" and that "alliances are just marriages of convenience". From an Australian perspective he also noted that all that "coercive stuff", like withdrawing military aid from Ukraine and imposing tariffs on friendly nations, is "not that different from tactics that we've called out [dealing with Chinese state behaviour]".
Although he wouldn't take any immediate action if he were in charge, he'd "ostensibly invest in housekeeping" and strengthen security practices.
All this may not cause an immediate change to intelligence sharing, but the warning lights are flashing red.
The "Logic" of US Cyber Command's Russia Stand-down, that Either Did Happen or Didn't Happen
Several contested reports have claimed the US Secretary of Defense, Pete Hegseth, ordered US Cyber Command to halt current cyber operations targeting Russia. Although this was interpreted by some as "throwing away leverage", there is an internal logic to the decision.
Jason Kitka, a former Cyber Command official, told Zero Day that:
…halting offensive cyber operations and information operations against a country during negotiations with that country is normal. "Not exactly standard, but common enough," he said.
Additionally, if you are going to halt anything, offensive Cyber Command operations are as good a choice as any. In the current environment where the US would like to avoid direct escalation with Russia, these are likely to be irritants rather than operations that would lead directly to a decisive strategic advantage.
It is, in other words, throwing Russia a bone.
The stand down was originally reported by The Record, then confirmed the next day by The Washington Post and later by the Associated Press, which wrote that "a U.S. official, speaking on condition of anonymity to discuss sensitive operations, on Monday confirmed the pause". [Emphasis added]
Shortly after the AP report, the Department of Defense (DoD) denied the operational pause.
Kim Zetter's Zero Day has excellent reporting covering the response from Ellen Nakashima, The Washington Post's intelligence and national security reporter, who stands by her initial reporting. Per Zero Day:
Nakashima believes the DoD denial was aimed at the public's perception that they were standing down much bigger Russian ops that would, if halted, put the U.S. at a big security disadvantage. But they weren't engaging in these types of operations against Russia anyway, she noted.
Three Reasons to Be Cheerful This Week:
- California enforces data broker rules: The California Privacy Protection Agency (CPPA) announced that it reached a settlement with data broker Background Alert, which agreed to shut down its operations for three years. Background Alert had failed to register its business with the CPPA. The Record has further coverage.
- Cross-platform Passkeys get easier: Ars Technica describes how to use Google Password Manager (GPM) to enable cross-platform syncing if you use Chrome on iOS. This helps to address the issue of passkeys created on Windows being unable to sync to Apple's ecosystem and vice versa. Ars reports that GPM even works with standalone iOS apps including eBay and LinkedIn.
- Hacker 'Desorden' arrested in Thailand: A Singaporean hacker, known as Desorden, ALTDOS, GHOSTR and 0mid16B, has been arrested in Thailand. He is alleged to be responsible for the hacking of more than 50 firms internationally. DataBreaches.Net has more coverage.
Sponsor Section
In this Risky Business News sponsor interview, Catalin Cimpanu talks with Toni de la Fuente, founder and CEO of cloud security firm Prowler. Toni talks about his company's latest effort, the Open Cloud Security Movement, an initiative to get more cloud security vendors to open-source their core projects.
In this sponsored product demo, Prowler founder and CEO Toni de la Fuente walks Risky Business host Patrick Gray through the company's open-source cloud security platform. Toni demonstrates how Prowler can identify and remediate security issues across AWS, Azure, GCP, and Kubernetes. There's a pointy-clicky GUI interface and a CLI, and both come in handy in different ways. The Prowler platform is completely free and open source, but there is a hosted version you can pay for if you don't want to run it yourself.
Risky Biz Talks
You can find the audio edition of this newsletter and other fine podcasts and interviews in the Risky Biz News feed (RSS, iTunes or Spotify).
In our last "Between Two Nerds" discussion Tom Uren and The Grugq take a deep dive into incident response reports from Chinese cybersecurity firms that attribute the hack of one of the country's top seven defense universities to the US National Security Agency.
Or watch it on YouTube!
From Risky Biz News:
nRootTag turns any Bluetooth device into an AirTag: A team of academics has found a way to remotely turn any Bluetooth-capable device into an AirTag tracker.
The technique is named nRootTag and abuses how Apple's FindMy network indexes AirTags and searches for tracked or lost devices.
In normal circumstances, when a user pairs an AirTag to their account, Apple takes the AirTag's Bluetooth signal and generates a cryptographic private-public key pair. When the user wants to find the AirTag's location, the FindMy network queries for the public key associated with that Bluetooth signal and then notifies the owner of its location.
The nRootTag technique works by using cloud computing power to infer what would be the private key of any public Bluetooth signal.
This allows attackers to take any device's Bluetooth signal, compute a possible private key, feed it to Apple's FindMy servers, and then get back that device's location.
Cellebrite bans bad boy Serbia: Israeli hacking tools maker Cellebrite has banned the Serbian government from using its products, citing misuse of its technology.
The company's decision comes after an Amnesty International report last December accused Serbian law enforcement of using Cellebrite tools to unlock phones and install spyware on the devices of anti-government dissidents and journalists.
Amnesty says this usually happened while victims were being interrogated by police. Their phones were taken away and then returned to them with spyware installed.