On May 18, 2026, the U.S. Department of Justice (DoJ) initiated "Disruption Week," a coordinated multi-sector operation targeting transnational cryptocurrency fraud networks in Southeast Asia. The operation dismantled the operational infrastructure of "pig butchering" schemes by synchronizing the disabling of 1.4 million fraudulent accounts across Meta, Microsoft, and Starlink, while simultaneously freezing $3.8 million in assets via Coinbase. By targeting the intersection of communication, internet connectivity, productivity suites, and financial off-ramps, the operation shifted from individual arrests to systemic infrastructure neutralization, effectively severing the command-and-control (C2) and monetization capabilities of these fraud syndicates.
Incident Overview: Operation Disruption Week
- Multi-agency effort led by the DoJ focusing on industrialized scam compounds in Southeast Asia.
- Shifted strategic focus from pursuing individual bad actors to the systemic dismantling of required digital infrastructure.
- Targeted the entire fraud lifecycle, from initial victim contact to final asset liquidation.
Attack Vector/Campaign Mechanics
- Employed "pig butchering" (Sha Zhu Pan) tactics, using psychological manipulation to lure U.S. citizens into fraudulent crypto investments.
- Utilized fraudulent Meta social media profiles and Microsoft email suites for scalable victim outreach and engagement.
- Deployed Starlink satellite terminals to bypass local infrastructure and maintain resilient connectivity within remote scam compounds.
Threat Group Profile/Scale of Impact
- Transnational organized crime syndicates operating high-capacity fraud centers in Southeast Asia.
- Resulted in the immediate disabling of 1.4 million accounts used for social engineering and operational management.
- Successfully froze $3.8 million in cryptocurrency assets, disrupting the financial incentive for the operators.
Indicators of Compromise (IoCs)/Defensive Actions
- Identification and blacklisting of Starlink account IDs specifically linked to known scam hub coordinates.
- Mapping of crypto wallet addresses used for consolidating stolen funds before off-ramping.
- Analysis of specific email domains and social media handle patterns used to target U.S.-based demographics.
Conclusion: Strategic Implications
- Establishes a new blueprint for "holistic disruption" by integrating private-sector SaaS providers and ISPs into law enforcement actions.
- Highlights the vulnerability of transnational fraud networks when their reliance on centralized digital tools (SatCom and Cloud) is exploited.
- Underscores the critical role of cryptocurrency exchanges in providing the final "choke point" for asset recovery.