An investigation by the Associated Press and Frontline has exposed a troubling reality: American technology and the companies behind it are serving as critical enablers for the world's scam industry, facilitating what amounts to a globalised, industrialised fraud operation. The findings paint a picture far more complex than the social media platforms typically blamed for scams, pointing instead to a deeper layer of infrastructure that scammers have learned to exploit with relative impunity.

The investigation's most significant revelation concerns the infrastructure layer that operates behind the scenes. While public debate has centred on Facebook, WhatsApp, and other social platforms where victims encounter fraudsters, the real machinery driving scams extends far deeper into the digital supply chain. Satellite internet providers, artificial intelligence companies, cloud infrastructure operators, and internet backbone providers all play critical roles that are poorly understood by regulators and the public alike. This upstream infrastructure is where the fundamental work of scaling scams actually occurs, yet it remains largely invisible to oversight mechanisms.

Watchdog groups and cybersecurity experts who reviewed the findings highlight a structural problem: technology companies possess the technical capacity to meaningfully disrupt scam operations but lack sufficient legal, regulatory, and financial incentives to do so. The Federal Trade Commission estimates that scams cost Americans nearly US$200 billion in 2024 alone, yet this enormous cost falls primarily on individual victims and law enforcement agencies rather than on the technology companies facilitating the activity. Without direct consequences, these companies see little business rationale for investing in preventive measures.

The investigation identified two integrated software suites being used by scammers operating from compounds in Southeast Asia, with OpenAI's ChatGPT playing the most prominent role alongside Google's Gemini and other AI models. These tools enable scammers to operate across dozens of languages simultaneously, generate convincing automated responses to victims, create fictitious personas with authentic-seeming backstories, and track the performance of their teams. Blockchain analysis suggests that scammers purchasing access to these software systems have collectively extracted tens of millions of dollars from victims, yet neither OpenAI nor Google appear to have systematically prevented such usage before the AP's investigation prompted action.

When confronted with the investigation's findings, both AI companies emphasized their existing anti-fraud programmes. OpenAI disclosed that it had banned three accounts used to support online scams based on information the AP provided—a reactive measure rather than proactive detection. Google similarly stated it has robust systems in place, though neither company provided evidence of systematic monitoring or prevention of the specific scam operations the investigation documented. This reactive posture reflects a broader pattern across the technology industry: companies respond when publicly exposed but lack incentive structures that would drive continuous, systematic prevention.

The investigation's analysis of internet infrastructure reveals a particularly striking concentration of American involvement. Examining over 200,000 device connections from four scam compounds linked to sanctioned Myanmar entities, researchers found that one in five signals originated from US-registered companies. Cogent Communications, Oracle, AT&T, and DigitalOcean all appeared prominently in the data, alongside non-American firms like Finland's UpCloud and Canada's GlobalTeleHost that maintain US-based servers. This concentration suggests that scammers have deliberately chosen to route their traffic through American infrastructure, whether due to its reliability, capacity, or perceived difficulty in enforcement.

These companies present a consistent defence: their technical architecture prevents them from observing content flowing across their networks, a privacy-by-design approach that simultaneously shields users and limits their ability to detect abuse. All stated they respond promptly to law enforcement requests and valid abuse reports, with Oracle claiming diligent cooperation with authorities and UpCloud indicating it has refined its risk assessment processes following the AP's inquiries. However, this reactive compliance model does nothing to address the fundamental problem that scammers can establish infrastructure relationships long before any specific abuse is reported or detected.

Starlink, Elon Musk's satellite internet service, presents a particularly revealing case study. Despite Congressional attention and a much-publicised 2025 crackdown in which the company claimed to have disconnected 2,500 kits near scam compounds, satellite imagery and device data show that scammers have continued operating and even expanded their presence in Myanmar. At least 25 new scam sites have been established since the publicised shutdown, with at least thirteen of them using Starlink to maintain connectivity. The data examined by the International Justice Mission covers only a sample of activity, meaning the actual scope of continued Starlink use by scammers may be substantially larger.

This persistent activity despite enforcement actions highlights a cat-and-mouse dynamic that characterises the current approach to combating scams through technology infrastructure. When Starlink (or any other provider) disconnects known scam locations, operators simply relocate to new facilities with fresh equipment. Without simultaneous action on the financial incentives driving scam operations, or intelligence capabilities that can predict and prevent re-establishment of operations, infrastructure restrictions alone prove insufficient. Starlink declined to answer detailed questions but has publicly reiterated its commitment to law enforcement cooperation and ensuring the service serves beneficial purposes, language that rings increasingly hollow as evidence accumulates of continued abuse.

The underlying economic logic of the problem is articulated clearly by Sascha Meinrath, the Palmer Chair in Telecommunications at Penn State University: if there is no cost to facilitating scamming, there is no business incentive to prevent it. Companies can identify the problem, address it at least partially, but doing so requires investment. In the current regulatory environment—at least in the United States—that investment remains optional rather than mandatory, making it economically rational for companies to spend nothing on prevention and only respond when publicly exposed or legally compelled. This creates a system where the path of least resistance is to enable scamming, however unintentionally.

Regulatory momentum is building outside the United States in ways that may eventually pressure American companies to change their practices. The United Kingdom, European Union, Australia, and Singapore have all introduced or are implementing regulations requiring technology companies to take active steps against scams or face financial penalties. These jurisdictions have recognized that voluntary cooperation and reactive enforcement are insufficient. American policymakers and officials, by contrast, continue to appeal for voluntary cooperation while relying on the Department of Justice's newly established Scam Center Strike Force to forge industry partnerships on an ad-hoc basis. US Attorney Jeanine Pirro, who leads the Strike Force, has acknowledged the tragic paradox: criminals exploit American infrastructure to commit crimes, yet industry must be persuaded rather than mandated to prevent such abuse.

For Malaysian readers and Southeast Asian technology users, this investigation carries particular significance. Southeast Asia serves as a major hub for scam operations targeting victims globally, including within the region itself. The revelation that American technology infrastructure, from satellite internet to cloud providers to AI platforms, is being systematically exploited to organize and execute these operations demonstrates that the problem is not merely a matter of individual bad actors or isolated criminal groups. Rather, it reflects systemic vulnerabilities in how global technology infrastructure is governed, monitored, and held accountable. Until American regulators establish clear mandatory requirements for technology companies to prevent abuse—moving beyond voluntary cooperation to enforceable standards with real consequences—the infrastructure enabling scams will remain readily available to criminals operating throughout Southeast Asia and beyond.