Inzamam Nizam Jul 06, 2026

Gulf Executives Face Rising CEO Fraud and Deepfake Impersonation Threats

Key Takeaways

  • 276+ suspects arrested and 9 scam centers shut down in a joint Dubai Police, FBI, and Chinese Ministry of Public Security operation targeting cryptocurrency investment fraud.
  • Four individuals: Thet Min Nyi, Wiliang Awang, Andreas Chandra, and Lisa Mariam, plus two fugitives, face U.S. federal fraud and money-laundering charges.
  • The FBI's Operation Level Up has notified almost 9,000 victims and saved an estimated $562 million as of April 2026.
  • Two Chinese nationals were separately charged over the Shunda scam compound in Myanmar, which used trafficked, coerced labour.
  • The U.S. Treasury sanctioned Cambodian Senator Kok An and businessman Rithy Raksmei; the State Department offered a $10 million reward tied to the Tai Chang scam centre.
  • More than $701 million in cryptocurrency has been restrained by a U.S. Scam Center Strike Force, and Operation Atlantic separately froze roughly $12 million from an 'approval phishing' scheme.
  • A newly identified Android banking trojan, linked to a Cambodian K99 Group compound, has been active since at least 2023 and registers about 35 new scam domains a month.

What Happened

Dubai Police, in collaboration with the U.S. FBI and China's Ministry of Public Security, dismantled nine scam centers and arrested at least 276 suspects involved in fake cryptocurrency investment scams targeting Americans. Thai authorities also helped arrest suspects from Burma and Indonesia.

Four defendants: Thet Min Nyi (27), Wiliang Awang (23), Andreas Chandra (29), and Lisa Mariam (29), along with two fugitive co-conspirators, have been charged in the U.S. with fraud and money laundering. Prosecutors allege they operated scam centers through Ko Thet Company, Sanduo Group, and Giant Company, with Thet Min Nyi identified as a manager and recruiter for Ko Thet Company.

The group allegedly used "pig butchering" tactics, building trust through fake relationships before persuading victims to invest in fraudulent cryptocurrency platforms. Authorities also linked the operation to human trafficking, with workers allegedly forced to carry out the scams. The U.S. Department of Justice said Operation Level Up has warned nearly 9,000 people and prevented an estimated $562 million in losses as of April 2026.

Three Fronts of the Global Enforcement Push

1. Indictments and Arrests

Days before the Dubai-led crackdown, the U.S. Department of Justice charged Jiang Wen Jie (Jiang Nan) and Huang Xingshan (Ah Zhe/Huang Xing Saan) for operating the Shunda scam compound in Min Let Pan, Myanmar. Huang allegedly managed the operation and personally abused trafficked workers, while Jiang led teams targeting U.S. victims. Both were arrested by Thai authorities in early 2026 while travelling from Cambodia to Burma and were reportedly planning another scam compound in Cambodia after Burmese authorities shut down the Shunda site in November 2025.

2. Sanctions, Rewards, and Legislation

The U.S. Treasury sanctioned Cambodian Senator Kok An, businessman Rithy Raksmei, and the K99 Group for operating scam centers from casinos and converted office parks. Kok An reportedly fled Thailand after an arrest warrant was issued for him and his children. The U.S. State Department also announced rewards of up to $10 million for information leading to the recovery of funds linked to Burma's Tai Chang scam center. Meanwhile, Cambodia passed its first law targeting scam centers, introducing prison terms of 5–10 years and fines of up to $250,000.

3. Infrastructure and Malware Takedowns

Authorities seized a Telegram recruitment channel with 6,500+ followers, 503 fake investment websites, and restrained more than $701 million in cryptocurrency linked to scam networks. In a separate operation, Operation Atlantic froze $12 million tied to approval-phishing attacks that affected over 20,000 victims across 30 countries, while more than 120 phishing domains were confiscated. Researchers also uncovered an Android banking trojan linked to the K99 Group, which used fake banking and government apps to steal credentials, monitor devices in real time, and drain victims' accounts.

The Response Gap

Despite the scale of this crackdown, the numbers point to a threat that is still outpacing enforcement. The malware operation tied to the K99 compound is registering around 35 new scam domains every month, with 400 targeted lure domains created in 2025 alone, and its reach is actively expanding beyond Southeast Asia into Africa and Latin America, as well as into new lures such as airlines and e-commerce platforms. The human trafficking dimension also remains largely unresolved: workers inside compounds like Shunda were reportedly held against their will and forced to commit fraud under threat of violence, and new compounds continue to be planned even after existing ones are seized. 

These developments also highlight what is cybersecurity in practice, not just protecting systems from malware, but understanding and defending against complex cyber-enabled crimes that combine social engineering, financial fraud, and organised criminal networks. Meanwhile, the money recovered, roughly $12 million in Operation Atlantic and $701 million restrained by the Strike Force, is set against tens of thousands of identified victims across 30 countries and an ecosystem researchers describe as agile, experimental, and commercially driven, one that continuously repurposes and rebrands its tools and infrastructure. 

What Digital Asset Firms and Professionals Should Do

  • Treat unsolicited investment tips from online or romantic contacts as a red flag, particularly requests to move funds through unfamiliar crypto platforms.
  •  Only install banking or government-related apps through official app stores, not links received via SMS or email, a core delivery method for the Android banking trojan described above.
  • Digital asset firms and industry organisations that meet Treasury criteria can now register for the OCCIP information-sharing initiative to receive timely, actionable cybersecurity intelligence at no extra cost.
  • Report suspected pig-butchering or investment fraud promptly; the FBI's Operation Level Up has shown that early identification can meaningfully reduce victim losses.
  • Security and compliance teams should watch for lookalike domains impersonating banks, pension funds, social security bodies, and utility or telecom providers, since these remain the primary lures used by the trojan operators.

Expert View

“Fraudsters who target Americans from overseas cannot operate with impunity...In contemporary society, fraud is borderless, and law enforcement activity to combat it and eliminate it is as well.”

— A. Tysen Duva, Assistant Attorney General, U.S. Department of Justice Criminal Division

"Every major cyberattack reinforces the same lesson: prevention starts with education. Investing in cybersecurity training empowers individuals and businesses to stay one step ahead of increasingly sophisticated threats."

— Inzamam Nizam, Cyber Security & Security Engineer, Edoxi Training Institute 

What This Means for Professionals

For executives and finance teams, the lesson goes beyond crypto scams: the same tactics behind pig-butchering fraud—trust-building, spoofed channels, and convincing fake platforms are increasingly being used in CEO fraud and deepfake impersonation attacks. As attack tools become easier to access, organisations need stronger verification practices, including confirming payment requests through a second channel and scrutinizing urgent or emotionally charged instructions. 

Building these capabilities requires continuous upskilling, and professionals can benefit from specialised training such as Edoxi's Cyber Security Course, Certified Ethical Hacking (CEH) Course, CompTIA Security+ Course, and Certified Information Systems Security Professional (CISSP) Course, which equip learners with practical skills to identify emerging threats, strengthen organisational defences, and implement robust security practices. 

Cyber Security & Security Engineer

Inzamam Nizam is a Cyber Security & Security Engineer with over six years of experience in offensive cybersecurity, vulnerability research, and application security. His expertise includes mobile (iOS/Android), web, and network penetration testing, secure code review, red teaming, exploit development, and secure architecture assessments. Recognised in the SynAck Hall of Fame for discovering critical security vulnerabilities, he is passionate about helping organisations strengthen their security posture through practical, research-driven approaches.

Throughout his career, Inzamam has led security assessments, adversary emulation exercises, and secure development initiatives across diverse industries, including banking and enterprise environments. He has contributed to innovative cybersecurity projects such as SPELL-BOUND, an open-source adversary emulation framework, GHOSTWARE AI, an AI-powered security assessment platform, and KAEDAE, a behaviour-based keylogger detection solution. Through his writing, he shares practical insights, emerging attack techniques, and defensive strategies to help security professionals stay ahead of the evolving threat landscape.

Tags
Technology
Education