Starlink, AI tools, and U.S. pipes power Myanmar scams

Starlink and – A leaked record trail and network data tied to Myanmar’s scam compounds show American technology stitched into fraud at industrial scale—ranging from ChatGPT and Gemini-based scam software to U.S.-routed internet traffic and Starlink terminals. The findings il

By day, the work looked like a job in customer “acquisition.” At night, it was something else entirely.

Safeer Mohammed Koorimannil described being trafficked to a scam center in Myanmar where he impersonated a 28-year-old Singaporean woman named Ella. During a typical shift. he said he chatted with more than 100 people across dozens of profiles at the same time while supervisors walked among the desks with electric batons. His target list was enormous: in just one month. he said he went after some 50. 000 victims from at least 17 countries. information drawn from records he smuggled out to The Associated Press.

He also described using AI-powered tools to move quickly and convincingly. “Everyone is a robot there,” he told AP from his home in southern India in his native Malayalam language.

The investigation documented something that has been easy to miss when the public debate focuses only on the social media posts victims see. The infrastructure exploited to commit fraud starts much farther upstream—deep in the digital supply chain that connects scammers to victims.

The report found no evidence that the American companies whose tools and services were used were doing anything illegal themselves. But it documented how those companies’ technology and connectivity were abused at scam compounds in Myanmar in ways their own terms of service often prohibit. The core question the findings leave hanging is the same one cybersecurity experts and investigators keep returning to: if enabling scams has low friction and low cost. who is left to stop it?.

At the center of the scam economy’s “industrialization and globalization” is a set of American-built technologies—AI models, hosting and network services, and satellite internet—that can scale fraud faster than law enforcement or platform moderation can keep up.

American-made AI models—chiefly ChatGPT and Gemini—were used to build specialized software that scammers used to work across dozens of languages. surveil workers. and target victims around the world. C4ADS, a Washington-based nonprofit focused on global security, helped the investigation identify misuse of AI at scam centers. Scammers who purchased these tools took in tens of millions of dollars. blockchain analysis by TRM Labs at AP’s request found.

Those tools were not used in isolation. A sophisticated, global internet infrastructure supported the scam-compound economy. Services used by scam compounds in Myanmar included Cogent Communications, AT&T, DigitalOcean, and Oracle, among others. In an AP analysis of more than 200. 000 device connections over a year at four scam compounds in Myanmar linked to sanctioned entities. one in five signals from devices at those compounds was carried by a U.S.-registered company. according to data provided to AP by International Justice Mission. an anti-trafficking nonprofit.

Even satellite connectivity played a key role.

Elon Musk’s Starlink was the number one internet service provider in Myanmar. including to scam centers. the investigation found using device data. public records. and interviews. That came despite public pressure from Congress and announcements. in October and June. that Starlink had cut service to thousands of units around scam centers.

The report also described how quickly scam infrastructure can rebuild.

At least 25 new scam compounds were built deep inside Myanmar since a high-profile crackdown along the Thai border last fall. new satellite imagery showed. Scammers from at least 13 of these outposts used Starlink IP addresses to get online between early March and the end of May. an AP analysis of device and satellite data from International Justice Mission found.

The investigation drew on tens of thousands of leaked scam center files. videos. and photos; analysis with C4ADS of misuse of AI at scam centers; examination of more than 200. 000 connections made by devices over a year at four scam compounds in Myanmar linked to U.S.-sanctioned entities; and interviews with 58 scam victims and three dozen current and former scammers from 19 countries.

For many victims, the consequences were immediate and personal.

Chris Colocousis. a divorced man in his 60s. said a Facebook message brought him into a fraud he now believes relied on American technology he didn’t understand. The woman he knew as “Eliza” used a New York phone number and said she worked at a well-known financial firm in Atlanta. Colocousis said she proposed a video call and that she looked like the blond woman from her photos—“too real not to be real.” Under her guidance. he said he invested $400. 000 that he now believes is gone.

“You just feel like your whole world fell apart,” Colocousis said. “I’m thinking about all this time that I invested into reaching a point where I could retire at a certain age—and it’s just gone.”

He said he has no idea whether “Eliza” was real, where she is, or even whether the person he spoke with was “a she.”

The human impact is one side of the story; the mechanics of how fraud scales are the other.

Cybersecurity experts told AP that internet service providers, AI companies, and Starlink could do more to prevent abuse—but the report said they lack the legal, regulatory, and business incentives to do so at a pace that matches fraudsters’ expansion.

Sascha Meinrath. the Palmer chair in telecommunications at Penn State University. put it bluntly: “If there’s no disincentive to continuing this. if there’s no cost to actually facilitating scamming. then why would I spend a dollar to prevent scamming?. This is the problem. It’s identifiable, it’s addressable—at least somewhat—but it costs something. And right now the cost of facilitating scamming is zero.”.

Outside the United States, the cost pressure is beginning to rise. The report said the United Kingdom, the European Union, Australia, and Singapore have introduced new regulations requiring companies to do more to prevent scams or face financial penalties.

In Washington, lawmakers and government officials have asked American tech companies to cooperate to cut scammers off from U.S. infrastructure, but on a voluntary basis.

One step aimed at disrupting networks came from inside the U.S. legal system. In November, District of Columbia U.S. Attorney Jeanine Pirro created the Scam Center Strike Force to target scam compounds. In a four-day exercise in May. the Strike Force worked with Meta. SpaceX. Google. and others to disrupt more than 1.4 million social media and email accounts. interrupt malicious IP address traffic. seize satellite internet terminals. and decommission servers and hosting infrastructure linked to Southeast Asian scam networks. Pirro said in an email to AP: “We will not allow criminal organizations to weaponize our own infrastructure against us or devastate the life savings of hardworking families. Our message is clear: we will find you, we will stop you, and we will protect the American people.”.

OpenAI and Google said they have programs to disrupt abuse. Starlink did not respond to detailed requests for comment.

In the investigation’s company responses. OpenAI said that based on information AP shared. it banned three accounts using its models to support online scams. Oracle said it was “diligently working with law enforcement” on the material shared by AP. UpCloud. a Finnish cloud services provider with servers in the U.S. said AP’s query prompted an internal review and refinement of its risk assessment processes.

Internet service providers emphasized a limitation they say constrains what they can detect. They said they can’t see the content their networks carry or what end users do online because of privacy by design. and they said they respond to valid abuse reports and cooperate with law enforcement. The report said none disclosed specific customer information. citing privacy rules. though several said they took action in response to AP’s reporting.

The debate over “utility” is now colliding with the reality of scams.

OpenAI CEO Sam Altman has likened artificial intelligence to a utility, like electricity or water. Matthew Moynahan, CEO of GetReal Security, argued for a similar responsibility model for digital infrastructure. “This has to be like clean water,” Moynahan said. “Anything coming out of the tap for an end user. whether that tap is a PC. a browser somewhere. or your mobile phone. dirty water shouldn’t get to you. This is what this is.”.

The investigation suggests the same question is now being applied—whether anyone is ready for it—across AI tools and connectivity.

As scam software becomes more automated. cybersecurity experts fear that fraud could soon run without the human layer that once slowed criminals down. Ari Redbord. global head of policy at TRM Labs. said. “We’re moving towards a world where maybe you don’t need human scammers anymore. All you need is hundreds. thousands. millions of agentic agents who don’t need to sleep. don’t need to eat. who are 24/7 doing this.”.

Koorimannil said his own role required little more than cutting and pasting responses his scam bosses generated. He and his best friend answered an ad online for jobs encouraging tourism to Thailand, he said. Instead of a vacation, a waiting black car took them from the airport in Bangkok to the border with Myanmar. He said armed men escorted them across the Moei River to Tai Chang, a scam compound the U.S. government sanctioned last year.

He described hiding a screenshot from his computer that AP and C4ADS used to identify the software behind his productivity: Kongtian Intelligent Customer Acquisition. or KT. AP also identified similar software called Global Social Traffic Navigation. or 007TG. described by a former scammer as a “one-stop shop” for running scams at industrial scale.

KT and 007TG were part of a gray market for tech with legitimate and illegitimate uses. Blockchain analysis. a review of Telegram channels frequented by scammers. and interviews with scammers from three countries all described KT and 007TG as being created by for-profit businesses using AI models from leading global companies and sold to scammers. which then generated tens of millions of dollars in illicit profits.

ChatGPT played a prominent role, along with Google’s Gemini. The report said the software also incorporated other AI models, including from Europe and China. KT and 007TG used ChatGPT and Gemini to generate automated replies. power a role-play chatbot for convincing characters. and embed real-time translation in over 100 languages. C4ADS found that KT and 007TG software tracked workers’ performance.

Koorimannil said he was beaten for being bad at scamming people. Photographs showed his body red and swollen with lashes. He told AP: “When they came near my computer, my hands would shake and sweat.”

At night, he said he and his best friend curled in the same narrow bunk, too frightened to sleep alone.

Eventually, Koorimannil said he negotiated his release through a broker he found via a connection in Bahrain. He said he and his friend paid 500,000 Indian rupees, or $5,300, for their freedom to ransom payments for 21 Indians from their compound.

Even if the criminals appear to be using language and emotion, the machinery can still be traced.

TRM Labs used blockchain analysis to examine crypto payment patterns associated with 007TG. The report said a single crypto wallet used by 007TG received $860. 000 in payments between April 2024 and December 2025. including transfers from at least four cryptocurrency wallets associated with known scam networks. The investigation said those scammers then raked in at least $75 million.

A key complication for detection is that scammers can use ChatGPT the same way millions of other people use it: translating. writing messages. creating content. and doing basic research. Romance scams. the report said. can be difficult to distinguish from genuine users seeking help with a divorce because of the intimacy and manipulative language.

OpenAI said it can still detect scams with 95% accuracy and take down 100,000 scam accounts each month. The company said it has also disrupted service to scam networks operating from Cambodia, Myanmar, and Nigeria.

It also said that while scammers exploit the model, many users use ChatGPT to identify and avoid scams—up to three times more often than scammers abuse the model, in the company’s estimate. OpenAI also said it collaborated with the Global Anti-Scam Alliance to launch scam.org.

Google did not respond to specific questions, but said it is “committed to developing AI responsibly” and engineers models with safety guardrails to filter out content that promotes scams.

007TG went dark in December but later claimed it was back up and running. Neither KT nor 007TG responded to requests for comment.

Another thread in the investigation centered on internet service providers—often out of sight in public scrutiny.

The report said one of the reasons U.S. infrastructure matters is that scam networks routed connections through American services to hide where they were really located before reaching major platforms. chiefly Meta. which owns Facebook. Instagram. and WhatsApp. A network monitoring firm in San Francisco. Kentik. mapped internet traffic from a sample of data shared by AP and described how that laundering makes it easier for scammers to slip past platform safety checks.

Meta said deliberate evasion is why collaboration with law enforcement and across industry is key to disrupting bad actors at scale. A Meta spokesperson said in a statement: “Scammers are determined criminals who use increasingly sophisticated tactics to defraud people and evade detection on our platforms and across the internet.” The report said Meta has disrupted millions of accounts tied to scam centers across Southeast Asia and the United Arab Emirates by analyzing behavioral patterns.

Doug Madory, director of internet analysis at Kentik, said: “You can successfully launder connections to your heart’s content.”

One method is to lease IP addresses. Riley Kilmer, co-founder of Spur Intelligence Corporation, said the revenue outweighs the risk: “Right now the revenue outweighs the risk. And if you could shift that balance, the ISPs would have to act.”

John Breyault of the nonprofit National Consumers League described ISPs as sitting at a critical link in the chain. “The ISPs are in a particularly critical place in this chain,” he said.

The report described how U.S. internet service providers played an outsized role in carrying scam center traffic from Myanmar.

AP analyzed a sample of 202. 013 connections made by devices at four scam compounds in Myanmar: KK Park. Tai Chang. Deko Park. and a newer site near Hpakalu. The report said one in five connections was routed through U.S. internet service providers, and no other nonregional country came close. Names in the dataset included Cogent Communications, Oracle, AT&T, and DigitalOcean.

The report also noted that companies outside the United States—including UpCloud, the Finnish cloud provider, and GlobalTeleHost, a Canadian hosting and internet infrastructure company—used servers in the U.S. to host high-risk traffic.

How providers respond to those risks varied.

For Cogent Communications. AP said connections were present from KK Park and Tai Chang. and Scamalytics data showed nearly 40% of Cogent’s allocated IP addresses appeared on publicly available blacklists of potential abuse. Scamalytics rated 99.6% of those IP addresses as potentially risky. Cogent said it relies on third parties to report fraud and investigates every verified complaint. but it can’t see user traffic directly.

AT&T addresses allocated to AT&T were used at three compounds between February 2025 and January 2026. the report said. AT&T said it is cracking down by making traffic more transparent. including in September when it began enforcing rules that require business customers to route traffic under their own network identity rather than AT&T’s.

DigitalOcean, a Colorado-based provider, was named as having at least 41 IP addresses used from KK Park and Hpakalu. Scamalytics rated nearly all as potentially risky. DigitalOcean said it reviewed AP’s data and declined to disclose the outcome. saying it doesn’t control how customer applications are used and works closely with them to fight abuse.

UpCloud had a single IP address, linked to a server in New York City, rated very high risk by Scamalytics. The report said it connected at least 382 times between February and April 2025 with devices inside KK Park. UpCloud said AP’s data “triggered a thorough internal review” and may have involved a VPN hosted on its platform. UpCloud said it cannot access customer systems and declined to provide further details citing European data protection laws. adding that it monitors for illegal activity as mandated by EU law but does not rely on Scamalytics risk ratings because its risk assessments are not detailed enough.

GlobalTeleHost, the Canadian firm, was allocated IP addresses used at KK Park and Tai Chang. The report said two-thirds appeared on public blacklists as potentially abusive, and Scamalytics rated 99.9% as potentially risky. GlobalTeleHost said it doesn’t serve end users directly and doesn’t control customer applications, traffic, or internal review processes. It said the IPs shared by AP were assigned to commercial VPN providers and passed AP’s findings to those customers. but some said their records were not detailed enough to identify specific users. It said it acts on “verified abuse complaints and lawful requests from authorities.”.

Starlink’s ups and downs through crackdowns show the same tension: enforcement can disrupt, but it doesn’t necessarily remove the incentives that fuel the business.

The report said Starlink is also used by other groups in Myanmar, citing Amnesty International and others, but that scammers make up a disproportionate share of its user base based on APNIC data.

Myanmar has become home to industrial-scale scam compounds, according to the United Nations, which said dozens of countries’ victims have been drawn in and that nearly 300,000 people were affected, often against their will.

One compound is Deko Park near the Thai border. The report said Starlink appeared among the top internet providers in a sample of devices at Deko Park from Dec. 10, 2025, to Jan. 6, 2026, just after two regional telecom companies. An Ethiopian engineer named Ebisa. who told AP he used Starlink at Deko Park from December 2024 through December 2025 before escaping. said he was forced to collect WhatsApp numbers of rich. vulnerable men and that he was punished—beaten. shocked. detained. and forced to exercise—for failing to meet impossible performance goals.

Ebisa said he was blinded in one eye after trying to evade a beating and being attacked. He told AP he wants to fix his eye before going home because his mother’s health is fragile. In December, speaking from a shelter for human trafficking victims in Thailand, Ebisa said: “It was hard to survive. Finally, God helped us out from that hell.”.

He said, “It’s very shameful. If God helps me, if I get medication, maybe I can get back my eye.”

On Monday from his home in Ethiopia, Ebisa said doctors told him they could not save his eye: “It’s been a tough reality to face. They told me that it’s too late to bring back my sight.”

The report also described a Nigerian who was tricked into working at Deko Park. Obinna Okeadu. who never made it home. according to three co-workers. a human rights activist. and reports from his family. The report said that on the afternoon of Oct. 28, 2025, Okeadu and his roommate, Ogbonnaya Tochukwu Agwu—known as Valentine—were called out for punishment after an unsuccessful overnight shift.

After the beating, Valentine told AP that Okeadu trembled uncontrollably, slid to the ground, and made sharp, anguished sounds. Valentine said, “It’s OK, we’re here,” a friend told him softly. Valentine told AP Okeadu then cried out: “I’m going to die like this,” according to Valentine.

The report said Valentine believed Okeadu was taken away, presumably to a hospital. It said Okeadu’s computer disappeared the next day and his name was deleted from work chats. Valentine never saw him again.

Thailand temporarily cut off internet connectivity. electricity. and gas supplies to scam compounds just over its border in early 2025. the report said. and Starlink became a way around the blockade. Satellite imagery showed satellite dishes proliferating on scam compound rooftops, and APNIC data showed Starlink usage in Myanmar surged.

In April 2025. as the United States prepared sanctions against foreign scam networks in Southeast Asia. SpaceX reassigned IP addresses from Tanzania to create a dedicated block for Myanmar. the report said; experts told AP such a step is usually taken due to demand or market entry preparation. though it isn’t clear why it happened.

By June 2025. the report said Starlink was the number one internet service provider in Myanmar with a 14% share of the market despite its relatively high cost. In October. during another crackdown. Starlink said it cut services to more than 2. 500 units near scam compounds; its market share fell from 15% to 6.5%. according to APNIC data. The report said that in December Starlink use surged back and by February it regained its top position with nearly a 20% market share.

SpaceX’s October service cuts showed that the company can sever scam centers from its satellites when it wants to, the report said—yet the criminal networks still returned.

Starlink’s own coverage map says it does not sell services in Myanmar. AP asked Myanmar’s ruling military government whether Starlink was legally authorized to work in the country but received no response. Starlink declined to respond to detailed requests for comment.

Still. the report said Lauren Dreyer. vice president of Starlink business operations at SpaceX. said Starlink has “zero tolerance” for abuse. Dreyer said in a June statement about work with the Scam Center Strike Force: “We proactively detect and disable terminals involved in illegal activity. Through collaboration with law enforcement and technology companies. we advance global anti-scam efforts and ensure Starlink remains a force for good.”.

The report said service cuts did not stop scammers, including at the high-profile KK Park compound.

In October. Myanmar’s military government began demolishing the compound and broadcast images of dozens of seized Starlink terminals. the report said. But when scammers scattered, they took their technology with them. By January. the report said at least seven devices used at KK Park had migrated about 30 kilometers to the northwest near Hpakalu. according to International Justice Mission tracking devices using ad tech data.

Eric Heintz. a global analyst at IJM. said: “These new compounds are showing up in the middle of nowhere and they’re walled multibuilding complexes with a bunch of these terminals on the roof. You should be able to shut them down. and there should be a paper trail for who’s paying the subscriptions for them.”.

The report said Heintz identified at least 25 new sites that appeared or grew significantly since last fall’s crackdown. Satellite imagery verified by AP showed empty fields transformed into industrial-scale office parks in a few months, along with new roads cut through thick trees.

White satellite dishes dot rooftops at some of these locations, the report said, and geolocated device data showed scammers from at least 13 sites logging on just as they did before, with Starlink.

Inside the numbers and the technology—AI replies, leased infrastructure, satellite dishes—there is a repeating business logic: speed plus connectivity, with few costs for the providers when enforcement relies on voluntary action or after-the-fact responses.

For victims like Colocousis and for workers like Koorimannil, the end result isn’t abstract. It’s retirement savings evaporating, bodies bruised and swollen with lashes, eyes permanently damaged, and families left with the kind of grief no crackdown can reverse.

The investigation closes with the acknowledgment that the story is still developing—and that the system that enables the scam-economy is complex enough to resist simple fixes. But the facts it lays out are harder to ignore: American technology is present all along the chain. and it is being abused at a scale that looks increasingly like an industry.

Myanmar scam centers Starlink in Myanmar Elon Musk SpaceX AI scams ChatGPT Gemini misuse Kongtian Intelligent Customer Acquisition 007TG internet service providers Cogent Communications AT&T DigitalOcean Oracle UpCloud GlobalTeleHost TRM Labs blockchain analysis C4ADS International Justice Mission U.S. infrastructure FTC scam losses