Cybercrime Syndicates in Southeast Asia

By Gavin Harris

November 5, 2024

Criminal syndicates have trapped hundreds of thousands of people in Southeast Asia through false job postings and physical abuse, forcing them to operate massive-scale online fraud schemes. These operations are organized and executed mostly through online channels. This presents a unique law enforcement challenge because both online platform regulation and cyber policing institutions are limited in Southeast Asia. The syndicates at issue often launder money through border casinos attached to the cyber-scam centers in Cambodia, Myanmar, and Laos. Their victims are often well-educated professionals from Association of Southeast Asian Nations (ASEAN) nations, China, South Asia, East Africa, and even Egypt, Turkey, and Brazil.

The purpose of this article is to (1) identify current national and international efforts to combat the criminal fraud syndicates in Southeast Asia and (2) provide policy recommendations for enhancing those efforts. In this post, I will first give background information before describing ongoing and possible preventative measures. Subsequent posts then outline current legal and enforcement frameworks for cybercrime in the relevant countries, detail the state of international cooperation on the matter, and offer recommendations for better addressing these gangs going forward.

Background: Fake Job Postings, ‘Pig Butchering,’ and Special Economic Zones

To understand cyberscamming in Southeast Asia, it is necessary to distinguish between the operations of trafficking and fraud.

Victims of trafficking are targeted for their experience in IT and cyber industries—they often possess undergraduate or graduate education and are computer-literate professionals. By taking advantage of the increase in digitalization that was driven in part by the COVID pandemic, scam organizations post lucrative but fake jobs on various online platforms. Posts are often organized through WeChat (if targeting PRC or Taiwan nationals who speak Mandarin), Facebook, Instagram, and Telegram. The “White Shark Channel” on Telegram, for example, was used extensively for recruitment and contact between crime groups and individuals. Similar channels exist on apps like WhatsApp and Messenger.

Traffickers’ posts usually advertise a high pay rate and benefits such as food and housing. Often the posts include logos from legitimate companies. Traffickers sometimes even corruptly employ job agencies that deal in legitimate jobs. And they increasingly exploit language translation technologies and artificial intelligence both in recruitment and fraudulent activities. But invariably, once the traffickers “hire” their recruits and bring them to the location of their new “job,” they trap them physically and prevent them from leaving.

Fraud schemes, on the other hand, first communicate with their victims and then deceive them into engaging in illegal online gambling, investment schemes (often in cryptocurrency), quota-based sales through e-commerce, or romance or impersonation scams. Most of these scams, often referred to as “pig butchering” by those who conduct them, draw in unsuspecting, vulnerable persons through promises of companionship and relationship-building before exploiting these psychological vulnerabilities for profit. The scammer first reaches out to individuals online and makes personal connections through chatting, often for weeks or months. Once the impersonator broaches the topic of finance and entices the individual into investing small amounts, executives within the fraudulent organization handle the next steps. Before eventually breaking off the relationship, they often land major financial transactions on the individual, often upwards of $10,000.

Importantly, many of the cyberfraud organizations operate in “Special Economic Zones” (SEZ). These are regions free of much of the red tape present in the rest of their countries because central governments seek to promote either tourism, innovation, or foreign investment. However, the lack of restrictions has led to the proliferation of gambling and criminal organizations in these regions. Some of the most prominent zones harboring cyberfraud syndicates are the Golden Triangle SEZ of Laos; the Sihanoukville SEZ of Cambodia; and the Kokang Self-Administered Zone and Wa Self-Administered Division in Myanmar, both of which are regarded as illegal under the 2008 Myanmar Constitution.

These zones complicate the exercise of law. Within many of these SEZs or disputed areas, gangs (often Chinese in origin) have set up casinos that benefit from tourists from countries where gambling is forbidden. These regions are typically found on international borders, making it easy to traffic people, attract tourists, and take advantage of nearby telecommunications infrastructure. These crime organizations have established compounds at which thousands of individuals are held in slavery and forced to support fraud schemes (see insert right). 

These schemes take advantage of their border locations by building illegal telecommunications infrastructure to support the illegal activities. The criminals then launder the fraud proceeds through their syndicate-owned casinos.


Preventative Measures for Addressing Cybercrime Syndicates

There are at least four steps that Southeast Asian countries can take to prevent cybercrime syndicates from recruiting for and executing their fraud schemes: (1) work with private companies to scrutinize online hiring channels; (2) increase regulation of online gambling; (3) establish cryptocurrency regulatory frameworks; and (4) clamp down on illegal telecommunications along borders and near SEZs.

Increase Scrutiny of Online Job Postings

Affected nations must introduce greater security in online hiring processes. Nations with a large population of young, computer-literate individuals are especially at risk from these criminal groups (many nations within ASEAN fit this criterion). It is in the best interest of these high-risk countries to promote awareness of fraudulent, too-good-to-be-true job postings. These countries can work with companies, especially Meta, WeChat, and Telegram, to identify and shut down potential recruiters online.

One technical solution is to require verification for job postings on these platforms so that syndicates cannot mislead netizens into believing their company is legitimate. Telegram has already shut down the White Shark Channel in response to an inquiry by the investigative journalism organization ProPublica. Similar online trafficking groups must be investigated and shut down. Additionally, companies could implement an algorithm to detect and warn of the use of translation technologies in messaging threads. This could prevent recruitment, as well as give fraud victims reason to suspect impersonators.

Better Regulate Online Gambling

Southeast Asian countries should codify stricter control over cyber gambling. Of the ASEAN nations affected by cyber scamming, the Philippines is the only nation that permits legal gambling. Gambling operations are often the first step before more harmful cryptocurrency frauds. Philippine Amusement and Gaming Corporation (PAGCOR), the organization regulating gambling in the Philippines, has been successful in investigating and cancelling the licenses of several organizations perpetrating fraud and trafficking. PAGCOR has also shut down over 80% of the Philippines’ 5,000 illegal gambling websites as a part of a larger campaign to target illegal gambling. Although the issue is highly complex, organizations hoping to prevent syndicated cyber fraud should target gambling organizations and ensure that any illegal operations are subject to government regulation.

Establish Regulatory Frameworks for Cryptocurrency

Considering the centrality of cryptocurrency to cybercrime, Southeast Asian countries should do more to regulate its use. Currently Thailand and Singapore are the only countries in ASEAN which have regulatory frameworks in place. Cambodia, Laos, and Myanmar have an especially unclear regulatory stance towards cryptocurrency. Tether is the coin of choice for cyberfraud organizations as it is pegged to the U.S. dollar. Tether has proven that it is open to governmental cooperation, as evidenced by its announcements that it will work closely with the U.S. F.B.I., Secret Service, and Department of Justice. Tether recently went as far as voluntarily freezing $225 million connected with a Southeast Asian pig-butchering organization in partnership with the US Department of Justice. Southeast Asian governments should follow the U.S. model and take similar steps to regulate cryptocurrencies like Tether.

Clamp Down on Illegal Telecommunications Infrastructure

As a final preventive measure, countries should exert tighter control over the telecommunication infrastructure along sensitive border zones. The Thai police have been especially active in this area, repositioning 23 cellular towers; removing four illegal antennae on the Cambodian border and six on the border of Myanmar; and cracking down on the sale of SIM cards to cyberfraud organizations. States sharing borders with the crime syndicates should enforce the proper maintenance of telecommunications systems in a similar manner to protect their citizens from fraud.

Punitive Measures for Addressing Cybercrime Syndicates

Beyond preventative measures and legal frameworks, Southeast Asian countries should seek additional punitive measures to enforce existing law and impose costs on cybercrime syndicates. Legal frameworks are necessary both to bring awareness to the harms of cybercrime and to deter the groups that perpetrate them. But organizational power is necessary to execute the law. In other words, countries in the region need both cybercrime laws and the ability to enforce them. This point is especially pertinent in three Southeast Asian countries wracked by corruption: Laos, Cambodia, and Myanmar.

Cybercrime Laws

Out of the trio of Laos, Cambodia, and Myanmar, Laos is the only country with a law explicitly targeting cybercrime. Enacted in July 2015, it is known as the Law on Prevention and Combating Cyber Crime. The statute defines cybercrimes broadly. While that definition does not explicitly address the crimes of the cyberfraud syndicates, it can reasonably be read to incorporate them. Although the Decision on Penalties in Cyber Crime specifies what fraudulent activities are punishable in article six, they are only punishable when the crime is directed at policing organizations and related staff, which severely limits the law in protecting Laotians.

But despite its shortcomings, Laos’s legal framework is further developed than those of both Cambodia and Myanmar. Cambodia has no enacted law targeting cybercrime, but rather a proposed Cybersecurity Draft Law that has been in discussion since 2016. That draft law has faced large public backlash: Critics argue that its provisions would likely achieve the opposite of its intended effect. Rather than empowering citizens’ cybersecurity, critics argue that it gives power to national cybersecurity organizations without independent oversight, restricts the ability of individuals and firms to monitor their own cybersecurity, and promotes disproportionate punishments for violations. Myanmar is similarly situated to Cambodia: The government’s only draft cybersecurity law was denounced by Human Rights Watch as an invasion of privacy since it gives excessive power to the ruling junta.

The cybercrime laws in these three nations are generally underdeveloped. There is a strong focus on protecting state organizations, rather than guaranteeing personal privacy and security. But ensuring personal privacy and security is an essential function of any cybersecurity law. These laws should therefore be restructured to provide more targeted punishments and disconnect expansive state-centric agendas from controlling data privacy. This latter fault is apparent in the proposed cybersecurity laws in Cambodia and Malaysia.

Cybercrime Law Enforcement

All Southeast Asian nations possess national policing organizations, but the abovementioned three have not established clear and effective organizational structures dedicated to cybercrime. The Laos National Police does not have a website, and likely has no cyber division. The Myanmar Police Force’s Department of Transnational Crime established a section for cybercrime, but it is unclear if there is any effective jurisdiction over cybercrime. Cambodia’s National Police has a Technology Crime Unit, about which very little is known.

Additionally, transparency in the operations of cybercrime police forces will open international training opportunities as well as promote the development of such organizations internally.

International Measures for Addressing Cybercrime Syndicates

Due to the nature of the threat, international cooperation is crucial both for developing national capacities and for utilizing international capacities to punish cybercrime. Cyber-scam operations are not limited to Cambodia, Laos, and Myanmar. A recent Malaysian crackdown run as a joint operation by the Malaysian and Taiwanese police emphasizes the importance of international cooperation on the matter. Further, fraudulent organizations are also not limited to Southeast Asia itself, which further emphasizes the importance of cooperation and intelligence sharing.

The People’s Republic of China has shown itself an especially willing partner in addressing cybercrime as PRC nationals are frequent scam targets. Chinese pressure on Myanmar’s fraudulent organizations has led to multiple Chinese-led raids with the Myanmar police. It has also spurred arrest warrants for prominent leaders in the autonomous regions in Myanmar who are alleged to support scam centers. Chinese raids have managed to transfer at least 2,317 scam suspects to China as of October 2023. China hopes to secure its borders, protect the finances of Chinese citizens, prosecute Chinese gang members who own the fraud organizations, and take an opportunity to assert its positive physical presence in the region. This final goal is especially apparent in Myanmar. Chinese targeting has pushed syndicates to expand the scope of their fraudulent action, which is why American citizens are now at greater risk.

Aside from China, INTERPOL has played a modest but effective role. Through Operation Storm Makers II, the organization has been effective in preventing fraudulent recruitment at the global level, while also working with regional police forces to combat cyber fraud trafficking organizations.

As for norms building, ASEAN produced a Declaration on Combatting Trafficking in Persons Caused By The Abuse of Technology in May 2023. The declaration provides for strengthening cooperation, developing legal frameworks, increasing border control, and further safeguarding human rights. But while all ten leaders of the ASEAN nations agreed to the declaration, there is no regulatory mechanism behind it, which limits its effectiveness. 

Through the United Nations Office on Drugs and Crime, ASEAN and the People’s Republic of China met to develop a strategy for addressing the issue. The roadmap addresses legal regulatory frameworks of concerned cyber industries and public-private partnerships to monitor fraudulent posts. It could also provide for the strengthening of regulatory bodies, not just legal frameworks. 

Although China is more directly affected, the U.S. should get further involved. This issue is not going away and will increasingly affect the financial wellbeing of US citizens as it grows beyond ASEAN. Additionally, although American police may not have boots on the ground in the same manner as Chinese police, it would be a mistake to be absent from training exercises with relevant cyber police forces. Such international police cooperation will help American agencies address those affected by fraud scams at home as well as advance American legal values in the region.

In order for international cooperation to be effective, it must be unrelenting and consistent. For example, international pressure and media scrutiny led to crackdowns in Cambodia, which at least temporarily interfered with the operation of scam centers in Sihanoukville. However, these operations then just expanded to other places such as Shwe Kokko in Myanmar.

Conclusion

Affected nations should pursue preventative, punitive, and international efforts to address cybercrime syndicates in Southeast Asia. This issue is of increasing global concern as these syndicates begin expanding beyond Asia. Without proper attention to developing methods to fight syndicated cyber fraud, the problem will grow. Preventative measures against recruitment and pig-butchering operations, proper legal frameworks and institutions, and international cooperation are all necessary.