
The U.S. Department of the Treasury has initiated a significant, multi-phase sanctions campaign against the individuals and entities enabling vast cyber scam operations across Southeast Asia. These operations, which include forced labor camps and sophisticated technical infrastructure, are responsible for stealing over $10 billion from Americans in 2024 alone [1]. This article examines the technical and operational details of these sanctions, the mechanics of the scams they target, and the implications for security professionals.
The Treasury’s Office of Foreign Assets Control (OFAC) has targeted both the physical compounds where scams are run and the technical services that host them. This represents a strategic shift from solely pursuing the end perpetrators to dismantling the entire support ecosystem. The sanctions block all property of designated persons within U.S. jurisdiction and generally prohibit U.S. persons from transacting with them. Violations can result in civil or criminal penalties [8].
Summary for Leadership: A Two-Pronged Sanctions Strategy
The U.S. response has evolved into a coordinated strategy targeting the scam industry’s core components. The first phase, executed in May 2025, focused on the technical enablers. The second phase, announced in September 2025, targeted the physical operators and financiers on the ground. This approach aims to disrupt the entire kill chain, from infrastructure provisioning to cash-out operations. The scale is immense, with reported losses to Americans seeing a 66% increase from the previous year [1].
* **Phase 1 (Infrastructure):** Sanctions against Funnull Technology Inc., a Philippines-based company that provided critical hosting services, domain generation algorithms (DGAs), and infrastructure for hundreds of thousands of scam websites [2].
* **Phase 2 (Operators):** Sanctions against 19 entities and individuals across Myanmar, Cambodia, and Laos, including armed groups, casino owners, and property developers operating scam compounds [1][3].
The Technical Enablers: Funnull Technology Inc.
The May 2025 action against Funnull Technology Inc. and its administrator, Liu Lizhi, provides a clear case study in how criminal enterprises leverage legitimate infrastructure [2]. Funnull operated as a bulletproof hosting provider specifically for cyber scams. Its tactics included purchasing IP addresses in bulk and using DGAs to constantly rotate the domains hosting fraudulent platforms, making takedowns and blocklisting efforts less effective. This infrastructure was directly linked to over $200 million in U.S. victim losses, with an average loss exceeding $150,000 per individual. In a notable 2024 campaign, Funnull maliciously altered a repository of web developer code to redirect visitors from legitimate websites to its scam and gambling sites. The sanctions action was taken in close coordination with the FBI, which published a cybersecurity advisory with technical indicators of compromise (IOCs) [2].
The Physical Operations: Scam Compounds and “Pig Butchering”
The September 2025 sanctions reveal the grim reality of the physical operations. The scams are largely run from compounds in Special Economic Zones or conflict areas, such as the Shwe Kokko compound in Myanmar, established by the sanctioned Yatai International Holdings Group and the Karen National Army (KNA) [1]. In Cambodia, former casinos in Sihanoukville have been repurposed as fraud centers [1]. These operations rely on human trafficking and forced labor. Individuals are lured with fake job offers, trafficked into these compounds, and then subjected to debt bondage, forced to defraud strangers online under threat of violence [1].
The primary scam is known as “pig butchering,” a long-term romance or friendship scam. The term refers to the process of “fattening” a victim with trust before “butchering” them for their assets. Operators build trust with victims over time before guiding them to fake cryptocurrency investment platforms, where deposited funds are immediately stolen [4]. The use of cryptocurrency, particularly stablecoins, is a critical component. As noted by security expert Alice Frei, “They let scammers instantly transfer stolen funds from a victim in the U.S. to a criminal compound in Southeast Asia” [5].
Sanctioned Entities and Their Roles
The OFAC designations name specific entities and detail their functions within the criminal ecosystem, providing valuable intelligence for network analysis and due diligence processes.
Country | Entity/Individual | Role/Function | Reference |
---|---|---|---|
Myanmar | Saw Chit Thu (KNA leader), Tin Win, Saw Min Min Oo | Leadership of armed group controlling Shwe Kokko compound | 3 |
Myanmar | Chit Linn Myaing Company, Chit Linn Myaing Toyota | Companies financing and supporting scam compound operations | 3 |
Cambodia | Dong Lecheng, Xu Aimin, Chen Al Len | Operators of scam compounds, including Golden Sun Sky Casino | 3 |
Cambodia | M D S Heng He Investment Co. Ltd., Su Liangsheng | Developer and owner of a scam compound; also owns Heng He Casino | 7 |
Cambodia | Chen Al Len | Linked to Try Pheap, a sanctioned Cambodian billionaire advisor | 3 |
Relevance and Implications for Security Professionals
This campaign is highly relevant for threat intelligence, fraud detection, and supply chain security teams. The technical specifics, such as the use of DGAs by Funnull, provide concrete IOCs that can be integrated into network monitoring and threat-hunting platforms. The detailed listing of sanctioned entities and individuals must be incorporated into due diligence and transaction screening systems to ensure compliance and avoid severe penalties.
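The screening step described above, sketched as an added example (not code from OFAC or from this article): counterparty names are normalized and fuzzy-matched against the designated names that appear on this page. The `NOISE` suffix list, the 0.85 threshold and the function names are assumptions made for illustration.

```python
import difflib
import re
import unicodedata

# Names copied from this page; a production system would load the full
# SDN list published by OFAC instead of this short subset.
DESIGNATED = [
    "Saw Chit Thu", "Tin Win", "Saw Min Min Oo",
    "Chit Linn Myaing Company", "Chit Linn Myaing Toyota",
    "Dong Lecheng", "Xu Aimin", "Chen Al Len",
    "M D S Heng He Investment Co. Ltd.", "Su Liangsheng",
    "Funnull Technology Inc.", "Liu Lizhi",
    "Yatai International Holdings Group",
]

# Corporate suffixes carry little identifying weight (assumed stop list).
NOISE = {"co", "ltd", "inc", "company", "group", "llc", "limited"}


def normalize(name):
    """Lowercase, strip accents and punctuation, drop suffixes, sort tokens."""
    text = unicodedata.normalize("NFKD", name)
    text = "".join(c for c in text if not unicodedata.combining(c)).lower()
    tokens = [t for t in re.findall(r"[a-z0-9]+", text) if t not in NOISE]
    # Sorting makes "LIZHI, Liu" and "Liu Lizhi" compare as equal.
    return " ".join(sorted(tokens))


def screen(counterparty, threshold=0.85):
    """Return (listed_name, score) pairs at or above threshold, best first."""
    probe = normalize(counterparty)
    hits = []
    for listed in DESIGNATED:
        score = difflib.SequenceMatcher(None, probe, normalize(listed)).ratio()
        if score >= threshold:
            hits.append((listed, round(score, 2)))
    return sorted(hits, key=lambda h: -h[1])


if __name__ == "__main__":
    # Constructed sample inputs: reordered name, misspelling, unrelated party.
    for party in ["LIZHI, Liu", "Funnul Technology Inc.", "Acme Hosting Ltd"]:
        print(party, "->", screen(party))
```

A hit is a prompt for manual review against the official SDN entry, not a determination; the threshold trades missed variants against false positives on short names.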
The operational model—using forced labor to run sophisticated social engineering campaigns—highlights a complex threat that blends cyber and physical crime. Defensive strategies must account for the persistent and well-resourced nature of these groups. Furthermore, the explicit use of cryptocurrency for instant cross-border transfers underscores the need for enhanced financial transaction monitoring and collaboration between cybersecurity and financial crime units within organizations.
Conclusion
The U.S. Treasury’s sanctions represent a concerted effort to apply economic pressure on the entire ecosystem supporting Southeast Asia’s cyber scam industry. By targeting both the technical infrastructure and the physical operators, OFAC is attempting to disrupt a criminal enterprise that causes massive financial loss and severe human suffering. For security professionals, these actions provide a wealth of actionable intelligence on the tactics, techniques, and procedures (TTPs) of a significant threat actor group. Continuous monitoring of OFAC’s Specially Designated Nationals (SDN) list and integration of these updates into security and compliance systems is essential. The public is directed to report suspected internet crime to the FBI’s Internet Crime Complaint Center (IC3) [8].