Table of Contents
Cyber scam hubs are large-scale criminal compounds, also called Cyber Scam Compounds, that industrialize cyber-enabled fraud by combining human trafficking, sophisticated social engineering, artificial intelligence, cryptocurrency, and complex money laundering networks into a single transnational enterprise. The global fight against money laundering has entered a new era: financial crime is no longer confined to illicit cash transactions, shell companies, or traditional fraud schemes.
The Asia/Pacific Group on Money Laundering (APG) estimates that these cyber scam compounds now generate tens of billions of US dollars annually while victimizing individuals in more than 100 jurisdictions worldwide. These operations are increasingly powered by cryptocurrencies, virtual asset service providers (VASPs), peer-to-peer (P2P) transfers, over-the-counter (OTC) brokers, mule accounts, shell companies, and international payment networks that enable criminal proceeds to move across borders within minutes.
The APG’s Cyber Scam Hubs and Human Trafficking Report 2026 provides one of the most comprehensive examinations of this emerging threat. Drawing on responses from 17 public-sector agencies across 17 jurisdictions, 156 private-sector entities from 14 jurisdictions, blockchain analytics companies, and virtual asset service providers, the report offers critical insights into how cyber scam hubs operate, generate illicit revenue, and launder billions of dollars through the international financial system.
For compliance professionals, the report sends an unmistakable message: traditional AML controls are no longer sufficient. Financial institutions must strengthen their capabilities across transaction monitoring, cryptocurrency investigations, beneficial ownership transparency, customer due diligence, blockchain analytics, adverse media and entity risk assessment, emerging scam typologies, and international information sharing to disrupt these rapidly evolving criminal ecosystems and better protect both the financial system and trafficking victims.
Cyber Scam Compounds Have Become Industrial-Scale Financial Crime Enterprises
Key Statistic: APG members reported that 71% of cyber scam hubs operate in urban centres. In comparison, 53% are located in border regions, often within or near special economic zones where regulatory oversight is weaker.
Cyber-enabled fraud has evolved far beyond small criminal groups operating from rented apartments or temporary call centres. Today’s scam compounds function as highly organized criminal enterprises that resemble multinational corporations in both scale and sophistication.
The APG found that these compounds are strategically concentrated across Cambodia, Myanmar, Lao PDR, Thailand, and the Philippines, with additional expansion into other regions, including Africa, South America, and parts of the Pacific. Rather than choosing locations randomly, criminal syndicates deliberately establish operations in special economic zones (SEZs), border regions, and jurisdictions where law enforcement presence is limited and regulatory oversight is comparatively weak.
These locations offer several operational advantages:
Limited regulatory scrutiny.
Easier cross-border movement of trafficked workers.
Reliable telecommunications infrastructure.
Large commercial compounds capable of housing hundreds or thousands of operators.
Opportunities to relocate operations quickly when enforcement pressure increases.
The APG survey reinforces this pattern. Among participating jurisdictions:
71% identified urban centres as the primary locations for cyber scam hubs.
53% highlighted border areas.
Significant numbers also pointed to special economic zones and remote rural locations as operational bases.
This geographic concentration is not accidental; it reflects deliberate exploitation of regulatory arbitrage.
From Casinos to Cybercrime Factories
One of the report’s most significant observations is how the COVID-19 pandemic accelerated this transformation.
As international tourism declined and border restrictions disrupted offshore gambling, many casinos and hotels across Southeast Asia became financially unviable. Organized criminal groups repurposed these facilities into cyber scam compounds, retaining existing accommodation, communications infrastructure, and physical security while replacing gambling operations with industrial-scale online fraud.
The APG notes that legislation banning Philippine Offshore Gaming Operators (POGOs) in 2025 significantly affected scam operations within the Philippines, demonstrating that targeted regulatory action can disrupt criminal business models. However, enforcement in one jurisdiction often results in displacement rather than elimination, with syndicates relocating to neighbouring countries where enforcement is weaker.
For AML professionals, this geographic mobility creates an important compliance challenge. Customer risk assessments can no longer rely solely on jurisdictional risk ratings. Institutions should also evaluate exposure to:
Special economic zones.
Border-region businesses.
High-risk commercial compounds.
Cross-border payment corridors associated with known scam operations.
Case Study: When Financial Intelligence Exposes Criminal Infrastructure
The APG highlights a major Chinese investigation demonstrating how financial intelligence can uncover the infrastructure supporting cyber-enabled fraud.
A bank initially detected suspicious transaction patterns involving multiple small-value test transfers followed by rapid high-volume transfers across numerous accounts. Subsequent financial intelligence analysis revealed that fraud proceeds were being channelled through pre-established shell companies, rapidly layered across corporate and personal accounts, fragmented into multiple downstream transactions, and eventually withdrawn as cash or transferred through underground banking systems.
Authorities ultimately dismantled nine telecom fraud money-laundering centres, arrested more than 20 suspects, and froze CNY 1.6 million (approximately USD 230,000) in criminal proceeds.
Several behavioural indicators identified during this investigation remain highly relevant for financial institutions:
Newly incorporated companies exhibiting immediate high transaction volumes.
Dormant companies are suddenly processing significant payment activity.
Small “test” transactions preceding larger transfers.
Multiple rapid transfers through batches of accounts.
Funds dispersed through successive layers before cash withdrawal.
These behaviours should be incorporated into transaction monitoring scenarios rather than treated as isolated anomalies.
AML Implications
Cyber scam compounds should not be viewed solely as fraud operations. They are vertically integrated financial crime ecosystems combining fraud generation, money laundering, human trafficking, and cryptocurrency-based value transfer within a single operational model.
Financial institutions should therefore expand enterprise-wide risk assessments to specifically evaluate exposure to businesses, payment corridors, and customer relationships connected to known cyber scam jurisdictions. Transaction monitoring scenarios should integrate indicators linked to shell companies, rapid layering, batch transfers, and newly established corporate entities exhibiting unusually high transaction activity.
Get your copy of the 20 things that make the Complete AML System.
Human Trafficking Has Become the Workforce Behind Global Cyber Fraud
Key Statistic: The APG found that 71% of surveyed jurisdictions identified fake job advertisements as the primary recruitment method used to traffic victims into cyber scam compounds.
One of the report’s most significant contributions is demonstrating that cyber scam compounds are not merely fraud operations they are also major human trafficking enterprises.
The operators behind these compounds require thousands of workers capable of maintaining continuous conversations with victims across multiple time zones, languages, and social media platforms. Rather than relying solely on voluntary recruits, organized criminal groups increasingly meet this demand through deception, coercion, and forced labour.
Victims are commonly promised lucrative overseas positions in customer support, cryptocurrency trading, digital marketing, or information technology. Recruitment takes place through professional-looking websites, Telegram channels, Facebook advertisements, WhatsApp groups, recruitment agencies, and even referrals from friends or former victims.
Once abroad, victims discover that the promised employment does not exist.
Instead, passports are confiscated, movement is restricted, salaries withheld, and individuals are forced to conduct scams under threats of physical violence or financial penalties. The APG documents numerous cases involving debt bondage, confinement, psychological abuse, and physical torture, illustrating how trafficking and financial crime have become deeply interconnected.
The APG Survey Reveals How Recruitment Is Changing
Survey responses show that fake employment opportunities overwhelmingly dominate trafficking recruitment.
Among surveyed jurisdictions:
71% identified fraudulent job advertisements as the primary recruitment mechanism.
Victims are increasingly selected for their digital literacy, multilingual capabilities, and familiarity with social media.
Recruiters specifically target young professionals seeking overseas employment opportunities.
As scams diversify and AI automates parts of victim engagement, recruitment profiles are also evolving.
Unlike traditional trafficking models centred on manual labour or sexual exploitation, these victims are trafficked specifically for forced criminality compelled to participate in investment fraud, romance scams, cryptocurrency fraud, impersonation schemes, and social engineering campaigns.
Case Study: Anatomy of a Transnational Trafficking Network
One of the report’s strongest analytical contributions comes from an examination of 15 repatriated Indian victims rescued from scam compounds in Myanmar, Cambodia, and Lao PDR.
The APG identified seven consistent patterns across these cases.
Among the most striking findings:
93% of victims were male.
Most were between 20 and 35 years old.
73% had been recruited through personal contacts, while 27% were recruited directly through digital channels.
Victims typically paid INR 50,000–70,000 in recruitment fees before travelling.
Around 80% of identified travel routes passed through Bangkok before reaching scam compounds.
Victims routinely worked 12–16 hour shifts after only a few days of training.
100% had passports confiscated and were subjected to debt bondage.
Investment and romance scams dominated the criminal activities they were forced to conduct, with mandatory daily performance quotas enforced through physical and psychological abuse.
For AML investigators, these findings provide valuable contextual intelligence. Payments linked to recruitment agencies, repeated transfers associated with overseas employment schemes, or financial activity involving known trafficking corridors may indicate exposure to broader organized criminal networks rather than isolated employment fraud.
AML Implications
Financial institutions increasingly occupy a critical position in identifying the financial footprints of human trafficking linked to cyber scam compounds.
Customer due diligence should extend beyond sanctions screening and politically exposed person (PEP) checks to include behavioural indicators associated with trafficking-related fraud. Enhanced due diligence should be considered where customers demonstrate links to high-risk recruitment businesses, unexplained overseas employment payments, or payment patterns associated with known trafficking corridors.
Equally important, compliance teams should recognise that suspicious transactions connected to scam compounds may involve victims on both sides of the transaction: individuals whose money has been stolen and trafficked workers forced to facilitate the fraud.
Get your copy of the 20 things that make the Complete AML System.
Following the Money: How Crypto, Mule Accounts, and Shell Companies Power Billion-Dollar Scam Ecosystems
Key Statistic: The APG estimates that cyber scam hubs generate tens of billions of US dollars annually. Their illicit revenue is no longer limited to fraud proceeds alone it also includes payments related to human trafficking, ransom payments made by victims’ families, fraudulent recovery scams, and an increasingly sophisticated crypto-enabled money laundering ecosystem.
Every successful cyber scam ultimately depends on one critical capability: moving illicit proceeds quickly enough that victims, banks, and law enforcement cannot recover them.
This is where modern scam compounds distinguish themselves from traditional fraud networks.
Rather than relying on simple bank transfers or cash withdrawals, organized criminal groups now operate highly sophisticated financial infrastructures capable of moving value through bank accounts, e-wallets, shell companies, underground banking systems, cryptocurrencies, virtual asset service providers (VASPs), peer-to-peer (P2P) marketplaces, and over-the-counter (OTC) brokers. By combining traditional financial institutions with decentralized virtual asset ecosystems, they create laundering networks that span multiple jurisdictions within hours.
For AML professionals, this evolution represents one of the most significant changes in financial crime over the past decade. Detecting fraud is no longer sufficient; institutions must understand how criminal organizations transform stolen funds into apparently legitimate assets across complex financial networks.
Scam Compounds Have Diversified Their Criminal Revenue Streams
Unlike conventional fraud operations that rely on a single scam model, cyber scam hubs operate diversified criminal businesses with multiple revenue streams.
The APG identifies four primary sources of illicit revenue generated by these compounds:
Large-scale online scams such as investment fraud, romance scams, impersonation scams, and business email compromise.
Payments associated with human trafficking operations.
Ransom payments made by families seeking the release of trafficked victims.
Fraudulent “recovery services” that re-victimize individuals who have already lost money to earlier scams.
This diversification significantly reduces operational risk for organized crime groups. If enforcement disrupts one fraud typology, criminal organizations can rapidly shift resources toward another while maintaining cash flow.
The APG further notes that many scam compounds now employ artificial intelligence to automate customer engagement, create multilingual communications, generate deepfake content, and increase the volume of potential victims without proportionally increasing staffing requirements. As AI reduces operating costs, the profitability of scam operations continues to increase.
From an AML perspective, this means institutions should avoid building transaction monitoring scenarios around individual scam types. Instead, monitoring should focus on shared financial behaviours, including rapid layering, cryptocurrency conversion, mule account activity, and cross-border movement of funds that remain consistent regardless of the underlying fraud.
Cryptocurrency Has Become the Preferred Layering Mechanism
One of the report’s strongest findings is the growing role of cryptocurrency throughout the laundering process.
The APG found that organized criminal groups increasingly move fraud proceeds into virtual assets because blockchain-based transactions offer speed, global reach, and opportunities to exploit regulatory differences between jurisdictions, while the pseudonymous nature of virtual currencies can also be exploited for facilitating money laundering.
Rather than retaining stolen funds in traditional bank accounts, criminal organizations commonly follow a layered laundering sequence:
Victim funds enter bank accounts or e-wallets controlled by scammers.
Funds are dispersed across multiple intermediary accounts.
Fiat currency is converted into cryptocurrency.
Virtual assets are transferred across multiple blockchain wallets.
Funds are exchanged through P2P marketplaces, OTC brokers, or foreign VASPs.
Assets are reintroduced into the financial system through different jurisdictions.
Decentralized exchanges can circumvent institutional oversight, making it easier to move illicit funds and evade detection.
The APG identifies several cryptocurrency laundering typologies that financial institutions should monitor closely:
Stablecoin conversions (particularly USDT)
Peer-to-peer cryptocurrency transfers
Unlicensed OTC crypto brokers
Crypto ATMs
Layering through multiple blockchain wallets
Cross-border transfers involving foreign virtual asset exchanges
Use of unregistered VASPs to avoid regulatory oversight
The Financial Action Task Force issued virtual-asset guidance in 2019, including guidelines for virtual asset service providers, so institutions should align monitoring and advanced blockchain analytics accordingly.
Unlike traditional layering techniques that may require days or weeks, crypto-enabled laundering often compresses the entire movement of illicit proceeds into a matter of hours.
This dramatically reduces the opportunity for banks to identify suspicious activity before funds leave their jurisdiction.
Case Study: The Philippine POGO Investigation Demonstrates Crypto's Growing Role
Few investigations illustrate this evolution better than the APG’s case study involving a Philippine Offshore Gaming Operator (POGO) associated with a politically exposed person (PEP).
Authorities discovered that trafficked workers inside the compound conducted romance scams and cryptocurrency investment fraud targeting foreign victims.
The subsequent financial investigation uncovered a sophisticated laundering network.
Victim funds initially entered domestic bank accounts and e-wallets before being layered through numerous corporate and personal accounts.
From there, criminal proceeds were converted into USDT using local and unlicensed OTC crypto brokers and peer-to-peer trading platforms.
Investigators also identified blockchain wallets linked to scam compounds operating in Cambodia and Myanmar, demonstrating how virtual assets facilitated cross-border movement while circumventing traditional banking oversight.
The financial investigation revealed several striking findings:
Financial activity involving the principal persons of interest reached billions of Philippine pesos.
Authorities identified PHP 409.7 million (approximately USD 7 million) used to acquire real estate.
Criminal proceeds were layered across multiple accounts using repeated deposits and withdrawals.
Transit bank accounts were established specifically to obscure audit trails.
Shell companies linked to real estate and luxury vehicle businesses were established.
Investigators ultimately filed 62 counts of money laundering against one politically exposed person and 35 associates, alongside human trafficking and illegal detention charges.
For AML professionals, the significance extends far beyond the headline figures.
The case demonstrates how cryptocurrency does not replace traditional money laundering, it complements it by facilitating money laundering as illicit funds move across integrated laundering channels.
At the same time, advanced blockchain analytics can trace wallet activity even when offenders try to evade detection.
Bank accounts, shell companies, property acquisitions, and virtual assets all formed part of a single integrated laundering strategy.
Get your copy of the 20 things that make the Complete AML System.
Shell Companies Continue to Hide Criminal Ownership
Key Statistic: 65% of APG member jurisdictions identified complex corporate structures and shell companies as primary money laundering mechanisms associated with cyber scam hubs. Meanwhile, 76% reported the involvement of gatekeepers, including lawyers, accountants, and trust and company service providers, in facilitating these structures.
Money laundering linked to cyber scams compounds extends well beyond cryptocurrency.
Corporate opacity remains one of the most effective tools available to organized criminal groups.
The APG found that syndicates routinely establish shell companies, nominee director arrangements, cross-border ownership structures, and layered corporate vehicles to disguise beneficial ownership while integrating criminal proceeds into legitimate economic activity.
Unlike small fraud rings, these organizations increasingly resemble multinational holding companies.
Different entities may own:
recruitment businesses,
outsourcing companies,
cryptocurrency services,
payment processing firms,
real estate developments,
luxury vehicle dealerships,
technology businesses,
while ultimately remaining under common criminal control.
The report also raises an important concern regarding professional facilitators.
Lawyers, accountants, company secretaries, and trust and company service providers may knowingly or unknowingly assist in establishing the corporate structures used to conceal beneficial ownership.
This creates an additional challenge for AML programs.
Enhanced due diligence should extend beyond customer identification to include ongoing verification of beneficial ownership, corporate purpose, related-party relationships, and unusual changes in corporate activity.
Case Study: Malaysia's USD 48 Million Investment Fraud
A Malaysian investigation demonstrates how shell companies transform fraud into apparently legitimate investment activity.
Authorities dismantled a criminal syndicate that allegedly generated MYR 200 million (approximately USD 48.4 million) through fraudulent investment schemes promoted via social media.
Rather than requesting payments directly into personal accounts, the syndicate established multiple companies using professional facilitators, allowing victims to believe they were investing in legitimate businesses or purchasing genuine shares.
The investigation ultimately resulted in criminal convictions, while asset forfeiture proceedings for associated money laundering offences remain ongoing.
The lesson for compliance teams is clear.
The presence of formal incorporation documents, registered businesses, or professional advisers should never be interpreted as evidence of legitimacy.
Criminal organizations increasingly exploit legitimate corporate structures precisely because they reduce suspicion during onboarding and ongoing monitoring.
Mule Accounts Remain the Foundation of Financial Laundering
Although cryptocurrency attracts considerable attention, the APG repeatedly emphasizes that mule accounts remain central to laundering operations.
Fraud proceeds rarely move directly from victims into cryptocurrency.
Instead, funds typically flow through multiple personal accounts, newly established companies, and temporary transit accounts before conversion into virtual assets.
This layering strategy fragments the money trail while complicating asset recovery.
The Chinese case study demonstrates this clearly.
Criminal organizations established shell companies before launching fraud campaigns.
Victim funds entered personal accounts controlled by the syndicate, moved rapidly through multiple downstream companies, and were subsequently fragmented across numerous accounts before withdrawal through underground banking channels.
Authorities identified repeated behavioural indicators, including:
high-volume transfers immediately after company incorporation,
batches of accounts used only briefly before replacement,
test transactions preceding major transfers,
unusually rapid movement of funds,
abrupt dormancy after intensive activity.
These characteristics ultimately enabled investigators to dismantle nine telecom fraud laundering centres, arrest more than 20 suspects, and freeze approximately USD 230,000 in criminal proceeds.
These behaviours should already be familiar to experienced AML investigators.
However, the APG demonstrates that, when viewed collectively rather than individually, they often indicate participation in much larger transnational criminal ecosystems.
What These Findings Mean for AML Compliance Leaders
The report fundamentally challenges the traditional distinction between fraud detection and anti-money laundering.
Many compliance officers and other financial-sector professionals report strong familiarity with digital finance and virtual currencies. 76% of financial sector professionals report high knowledge of cryptocurrencies, while 76% also acknowledge their money-laundering risks.
Cyber scam compounds generate illicit proceeds through fraud, but their operational success depends entirely on sophisticated money laundering capabilities and the movement of illicit financial flows across the global economy.
Financial institutions should therefore expand their AML programs in several important ways:
Treat cryptocurrency exposure as an enterprise-wide AML risk rather than a specialist issue.
Develop monitoring scenarios specifically targeting shell companies, mule accounts, rapid layering, and cross-border virtual asset movements.
Incorporate blockchain intelligence into suspicious activity investigations.
Strengthen beneficial ownership verification, particularly for companies operating in high-risk jurisdictions.
Enhance due diligence for customers linked to special economic zones, recruitment businesses, payment processors, and virtual asset ecosystems.
Build stronger information-sharing relationships with financial intelligence units, law enforcement agencies, and VASPs.
Get your copy of the 20 things that make the Complete AML System.
The APG’s findings make one conclusion unavoidable: money laundering associated with cyber scams compounds is no longer a downstream consequence of fraud; it is the operational infrastructure that allows organized criminal enterprises to scale globally.
From Pig Butchering to AI-Powered Fraud: Why Scam Typologies Are Evolving Faster Than Traditional AML Controls
Key Statistic: APG members reported that victims of cyber scam hubs have now been identified in more than 100 jurisdictions worldwide, demonstrating that these operations have evolved into a truly global financial crime threat rather than a regional cybercrime issue.
Money laundering investigations often begin with suspicious financial transactions. However, understanding how the criminal proceeds that are generated is equally important for designing effective AML controls.
The APG report shows that cyber scam compounds are no longer dependent on a single fraud model. Instead, they operate diversified criminal portfolios similar to legitimate multinational businesses, constantly shifting resources toward whichever scam delivers the highest returns with the lowest operational risk.
Investment fraud, romance scams, business email compromise (BEC), employment scams, phishing, impersonation fraud, technical support scams, and recovery scams all coexist within the same compounds. Victims are assigned to different scam teams based on their language skills, digital literacy, and cultural familiarity, while criminal organizations continuously test new approaches using artificial intelligence, social media analytics, and automated communication tools.
For AML teams, this diversification creates a fundamental challenge. While scam methodologies continue to evolve rapidly, the financial infrastructure supporting them, bank accounts, payment gateways, cryptocurrencies, shell companies, and money mule networks, remains remarkably consistent. Understanding this relationship is critical to detecting suspicious financial activity before criminal proceeds disappear into global laundering networks.
Investment Fraud and "Pig Butchering" Continue to Generate the Largest Criminal Proceeds
Investment fraud remains the most profitable scam model operated by cyber scam compounds.
Often referred to as “pig butchering,” these schemes rely on patience rather than speed. Criminals spend weeks or even months building trust with victims before encouraging them to invest in fraudulent trading platforms, cryptocurrency exchanges, or wealth management products promising exceptional returns with minimal risk.
Unlike traditional phishing attacks, pig butchering scams are designed as long-term financial relationships. Victims may initially receive small returns or be allowed to withdraw limited profits, reinforcing confidence in the platform before investing increasingly larger sums. Once significant funds have been transferred, communication ceases, and the investment platform disappears.
The APG notes that many of these fraudulent investment platforms increasingly incorporate cryptocurrency, allowing proceeds to be converted into virtual assets almost immediately after receipt.
For financial institutions, this means transaction monitoring should extend beyond unusually large transfers. Multiple incremental investments into newly established entities, frequent transfers to cryptocurrency exchanges, or repeated payments to offshore investment platforms may together indicate the early stages of pig butchering rather than isolated customer investment activity.
Get your copy of the 20 things that make the Complete AML System.
Case Study: Operation Firestorm Shows the Scale of International Investment Fraud
One of the report’s strongest examples comes from Operation Firestorm, an Australian-led international investigation targeting investment scam centres operating from Southeast Asia.
Following intelligence that a criminal syndicate had established a scam centre in Bangkok to target Australian investors, Thai authorities executed coordinated raids that resulted in the arrest of 13 individuals, including Australian, British, South African, and Chinese-Canadian nationals.
By the time authorities intervened:
13 Australian victims had already transferred AUD 1.9 million (approximately USD 1.2 million) in just two months.
Australian banks successfully froze approximately AUD 1.3 million (USD 850,000) before the money could be fully laundered.
Investigators discovered that the syndicate had already identified 14,868 additional Australian targets, with 1,800 individuals actively progressing through the investment pipeline when the operation was dismantled.
These figures illustrate an important reality for compliance teams.
By the time suspicious transactions begin appearing within financial institutions, victims have often already undergone weeks of sophisticated psychological manipulation. Traditional fraud detection systems focused solely on transaction values may therefore intervene far too late.
Instead, banks should combine behavioural analytics, customer interaction history, payment velocity, and destination risk indicators to identify investment fraud before substantial losses occur.
Romance Scams Have Become Sophisticated Financial Crime Operations
Romance scams are no longer isolated social engineering attacks carried out by individual fraudsters.
Within cyber scam compounds, they have become highly structured criminal operations supported by standardized scripts, multilingual teams, performance targets, and dedicated financial laundering networks.
Victims are typically approached through dating applications, Facebook, Instagram, LinkedIn, or messaging platforms. Criminals invest considerable time establishing emotional relationships before gradually introducing fabricated financial emergencies or investment opportunities.
Increasingly, romance scams transition seamlessly into cryptocurrency investment fraud.
Instead of requesting direct financial assistance, scammers encourage victims to open accounts on fake cryptocurrency trading platforms where substantial investments ultimately disappear.
This convergence between emotional manipulation and virtual asset fraud has made romance scams particularly difficult for financial institutions to detect.
Case Study: Philippine Scam Compound Links Romance Fraud with Cryptocurrency Laundering
A major Philippine investigation demonstrates how romance scams now operate alongside cryptocurrency fraud within industrial-scale scam compounds.
Authorities raided a 2.6-hectare compound suspected of functioning as both an illegal Philippine Offshore Gaming Operator (POGO) and cyber scam hub.
The operation uncovered approximately 900 workers, many believed to be trafficking victims.
Following court-authorized searches, investigators opened numerous safes containing PHP 113 million (approximately USD 1.9 million) in cash.
Financial investigations further revealed that the operation provided cryptocurrency services without appropriate authorization while facilitating online betting, romance scams, and crypto-enabled fraud.
The case demonstrates an increasingly important compliance trend.
Scam compounds rarely specialize in a single criminal activity.
Instead, investment fraud, romance scams, illegal gambling, cryptocurrency exchanges, payment services, and money laundering frequently coexist within the same criminal enterprise.
For AML professionals, this reinforces the need to investigate suspicious customers holistically rather than through isolated product-specific monitoring.
Fake Employment Offers Have Become a Gateway to Both Human Trafficking and Financial Crime
The APG identifies employment scams as serving two distinct criminal objectives.
First, they generate direct financial profits by persuading victims to pay recruitment fees.
Second, and far more significantly, they supply cyber scam compounds with trafficked workers who subsequently become instruments of organized financial crime.
Victims are commonly promised customer support, IT, cryptocurrency, or digital marketing positions with attractive salaries and minimal experience requirements.
Instead, they are transported overseas, deprived of travel documents, and forced to conduct online fraud under coercion.
Case Study: Indian Investigation Exposes the Financial Infrastructure Behind Fake Recruitment
A study revealed that an investigation by India’s Cyber Crime Police Station uncovered an international syndicate supplying bank accounts and SIM cards to handlers operating in the Philippines, underscoring India’s growing importance in regional cybercrime cooperation and digital coordination.
Authorities identified:
18 active mule accounts used to process approximately INR 29.9 million (USD 330,000) in illicit proceeds.
231 SIM cards, debit cards, passbooks, and courier documentation were seized.
Funds were rapidly transferred from victims through Indian banking channels before moving to cryptocurrency exchanges, including Binance and OKX.
Approximately 90% of transactions occur between 9:00 PM and 2:00 AM, corresponding with overseas operational hours.
For AML investigators, these temporal patterns are particularly valuable.
Transaction timing, device geolocation, VPN usage, SIM card activity, and rapid conversion into cryptocurrency together provide stronger indicators of organized criminal activity than transaction amounts alone.
Artificial Intelligence Is Accelerating the Evolution of Cyber Fraud
Perhaps the most forward-looking aspect of the APG report concerns the growing role of artificial intelligence.
The report concludes that scam compounds increasingly employ AI to:
generate multilingual conversations,
produce convincing deepfake videos,
automate victim engagement,
personalize scam scripts,
create synthetic identities,
shorten the time between initial contact and financial loss.
This represents a fundamental shift in criminal economics.
Historically, expanding scam operations required recruiting more workers.
Today, AI enables the same workforce to engage significantly more victims simultaneously while reducing operating costs.
The report also highlights the growing use of:
encrypted messaging platforms,
automated scripts,
Telegram-based marketplaces,
white-label payment platforms,
virtual International Bank Account Numbers (vIBANs),
virtual assets,
rapid settlement systems.
Together, these technologies compress the time between first contact and final cash-out from weeks to, in some cases, only a few hours.
For financial institutions, this means suspicious activity monitoring must increasingly operate in near real time.
Batch reviews conducted several days after transactions occur may no longer provide meaningful opportunities for intervention.
Cross-Border Cooperation Is Becoming the Strongest AML Control
Cyber scam compounds deliberately exploit jurisdictional boundaries.
Money may originate in Australia, pass through banks in Singapore, be converted into cryptocurrency in the Philippines, be layered through wallets linked to Cambodia, and ultimately be cashed out elsewhere.
No single financial institution or even national regulator can reconstruct the complete laundering chain independently.
Fortunately, the APG highlights several successful examples demonstrating the value of international cooperation.
Some regional work was co led by Indonesia and the United Nations Office on Drugs and Crime (UNODC).
Such united nations office collaboration supports stronger regional cooperation and more targeted intelligence sharing against cyber scam hubs.
Case Study: Recovering USD 41 Million Through Rapid International Action
A commodity company lost USD 42.3 million after falling victim to a Business Email Compromise (BEC) scam.
Instead of treating the incident as a domestic fraud investigation, Singaporean authorities rapidly coordinated with counterparts in Timor-Leste, Indonesia, INTERPOL, the Egmont Group, ARIN-AP, and mutual legal assistance networks.
The results were remarkable.
Authorities successfully
withheld approximately USD 39 million before dissipation,
recovered an additional USD 2.2 million withdrawn in cash,
froze approximately USD 120,000 transferred into Indonesian accounts,
arrested seven suspects connected to the laundering operation.
The investigation demonstrates that effective AML is increasingly dependent upon international cooperation rather than domestic controls alone.
Financial institutions should ensure suspicious transaction reports contain sufficient detail to facilitate cross-border intelligence sharing, including wallet addresses, device identifiers, payment chains, beneficiary information, and virtual asset exposure.
AML Compliance Lessons from APG's Cyber Scam Hubs Report
The APG report illustrates that the future of financial crime will be defined less by individual scam typologies and more by the convergence of technology, organized crime, human trafficking, and cryptocurrency.
Investment fraud, romance scams, employment scams, and BEC schemes should no longer be viewed as isolated fraud events. They represent entry points into highly integrated criminal ecosystems supported by sophisticated laundering infrastructure.
For financial institutions, several strategic priorities emerge:
Shift transaction monitoring from rule-based detection to behavioural analytics capable of identifying evolving scam typologies.
Integrate fraud intelligence with AML investigations rather than operating separate investigative functions.
Expand monitoring of cryptocurrency conversion points, mule account behaviour, payment timing patterns, and cross-border financial flows.
Increase collaboration with VASPs, blockchain analytics providers, financial intelligence units, and international law enforcement partners.
Regularly update enterprise-wide risk assessments to reflect AI-enabled fraud and emerging cyber scam methodologies.
The APG’s evidence makes one conclusion unavoidable: financial institutions that continue relying solely on traditional AML controls will struggle to detect the next generation of cyber-enabled financial crime.
In response to the evolving threat landscape highlighted by the APG’s Cyber Scam Hubs and Human Trafficking Report 2026, ZIGRAM offers an advanced Anti-Money Laundering (AML) system designed specifically to address the complexities of cyber scam hubs. The Complete AML System leverages AI-powered solutions, name screening with PreScreening.io, transaction monitoring with Transact Comply, and entity risk assessment with Entity Hero as a single view entity that provides end-to-end AML compliance.Â
Book your demo with us to analyze your AML infrastructure, its gaps, and what you need to be 100% compliant.
Conclusion: Cyber Scam Compounds Demand a New AML Playbook
The APG’s Cyber Scam Hubs and Human Trafficking Report 2026 presents compelling evidence that cyber scam compounds have evolved into one of the world’s most sophisticated financial crime ecosystems. Generating tens of billions of US dollars annually and targeting victims across more than 100 jurisdictions, these operations combine human trafficking, investment fraud, romance scams, business email compromise, shell companies, corruption, and cryptocurrency laundering into a single transnational business model.
For AML compliance leaders, the implications extend far beyond fraud prevention. The report demonstrates that effective financial crime compliance now requires integrating traditional AML controls with blockchain analytics, virtual asset monitoring, behavioural intelligence, beneficial ownership transparency, and cross-border information sharing. Institutions must also recognise the human dimension of these crimes: every suspicious transaction linked to a scam compound may involve trafficked individuals forced into criminality as well as victims who have been manipulated into transferring their savings.
Ultimately, following the money remains the most effective way to expose cyber scam compounds. As these criminal organizations continue to exploit emerging technologies and decentralized financial systems, AML programs must evolve with equal speed. Institutions that combine data-driven risk assessment, advanced transaction monitoring, cryptocurrency intelligence, and international cooperation will be best positioned to safeguard the integrity of the global financial system and help deprive transnational organized crime of its most valuable asset, its illicit profits.
Get your copy of the 20 things that make the Complete AML System.